[PRMP-1188] Create Lambda to handle MNS notifications (#212)

Author: steph-torres-nhs

infrastructure/README.md

@@ -87,6 +87,10 @@
 | <a name="module_manage-nrl-pointer-alarm"></a> [manage-nrl-pointer-alarm](#module\_manage-nrl-pointer-alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_manage-nrl-pointer-alarm-topic"></a> [manage-nrl-pointer-alarm-topic](#module\_manage-nrl-pointer-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_manage-nrl-pointer-lambda"></a> [manage-nrl-pointer-lambda](#module\_manage-nrl-pointer-lambda) | ./modules/lambda | n/a |
+| <a name="module_mns-notification-alarm"></a> [mns-notification-alarm](#module\_mns-notification-alarm) | ./modules/lambda_alarms | n/a |
+| <a name="module_mns-notification-alarm-topic"></a> [mns-notification-alarm-topic](#module\_mns-notification-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_mns-notification-lambda"></a> [mns-notification-lambda](#module\_mns-notification-lambda) | ./modules/lambda | n/a |
+| <a name="module_mns_encryption_key"></a> [mns\_encryption\_key](#module\_mns\_encryption\_key) | ./modules/kms | n/a |
 | <a name="module_ndr-app-config"></a> [ndr-app-config](#module\_ndr-app-config) | ./modules/app_config | n/a |
 | <a name="module_ndr-bulk-staging-store"></a> [ndr-bulk-staging-store](#module\_ndr-bulk-staging-store) | ./modules/s3/ | n/a |
 | <a name="module_ndr-docker-ecr-ui"></a> [ndr-docker-ecr-ui](#module\_ndr-docker-ecr-ui) | ./modules/ecr/ | n/a |
@@ -119,6 +123,7 @@
 | <a name="module_sns_encryption_key"></a> [sns\_encryption\_key](#module\_sns\_encryption\_key) | ./modules/kms | n/a |
 | <a name="module_sqs-lg-bulk-upload-invalid-queue"></a> [sqs-lg-bulk-upload-invalid-queue](#module\_sqs-lg-bulk-upload-invalid-queue) | ./modules/sqs | n/a |
 | <a name="module_sqs-lg-bulk-upload-metadata-queue"></a> [sqs-lg-bulk-upload-metadata-queue](#module\_sqs-lg-bulk-upload-metadata-queue) | ./modules/sqs | n/a |
+| <a name="module_sqs-mns-notification-queue"></a> [sqs-mns-notification-queue](#module\_sqs-mns-notification-queue) | ./modules/sqs | n/a |
 | <a name="module_sqs-nems-queue"></a> [sqs-nems-queue](#module\_sqs-nems-queue) | ./modules/sqs | n/a |
 | <a name="module_sqs-nrl-queue"></a> [sqs-nrl-queue](#module\_sqs-nrl-queue) | ./modules/sqs | n/a |
 | <a name="module_sqs-splunk-queue"></a> [sqs-splunk-queue](#module\_sqs-splunk-queue) | ./modules/sqs | n/a |
@@ -181,6 +186,7 @@
 | [aws_iam_policy.dynamodb_policy_scan_bulk_report](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_stream_stitch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.kms_lambda_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_document_data_policy_for_manifest_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_document_data_policy_for_stitch_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -219,6 +225,7 @@
 | [aws_lambda_event_source_mapping.bulk_upload_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.dynamodb_stream_stitch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
+| [aws_lambda_event_source_mapping.mns_notification_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.nems_message_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.nrl_pointer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
@@ -232,6 +239,7 @@
 | [aws_security_group.ndr_mesh_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_sns_topic.alarm_notifications_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_subscription.alarm_notifications_sns_topic_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sqs_queue_policy.mns_sqs_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.nems_events_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_ssm_parameter.nems_events_observability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.nems_events_topic_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
@@ -264,6 +272,7 @@
 | [aws_ssm_parameter.backup_target_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cloud_security_notification_email_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.end_user_ods_code](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.mns_lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.splunk_trusted_principal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.target_backup_vault_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 

infrastructure/kms_sns.tf

@@ -5,5 +5,5 @@ module "sns_encryption_key" {
   current_account_id  = data.aws_caller_identity.current.account_id
   environment         = var.environment
   owner               = var.owner
-  identifiers         = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
+  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
 }

infrastructure/lambda-mns-notification.tf

@@ -0,0 +1,97 @@
+module "mns-notification-lambda" {
+  source  = "./modules/lambda"
+  name    = "MNSNotificationLambda"
+  handler = "handlers.mns_notification_handler.lambda_handler"
+  iam_role_policy_documents = [
+    module.sqs-mns-notification-queue.sqs_read_policy_document,
+    module.sqs-mns-notification-queue.sqs_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.kms_lambda_access.policy,
+  ]
+  rest_api_id       = null
+  api_execution_arn = null
+
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION      = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT      = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION    = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE                  = terraform.workspace
+    LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    MNS_NOTIFICATION_QUEUE_URL = module.sqs-mns-notification-queue.sqs_url
+    PDS_FHIR_IS_STUBBED        = local.is_sandbox
+  }
+
+  is_gateway_integration_needed  = false
+  is_invoked_from_gateway        = false
+  lambda_timeout                 = 900
+  reserved_concurrent_executions = local.mns_notification_lambda_concurrent_limit
+}
+
+resource "aws_lambda_event_source_mapping" "mns_notification_lambda" {
+  event_source_arn = module.sqs-mns-notification-queue.endpoint
+  function_name    = module.mns-notification-lambda.lambda_arn
+
+  scaling_config {
+    maximum_concurrency = local.mns_notification_lambda_concurrent_limit
+  }
+}
+
+module "mns-notification-alarm" {
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.mns-notification-lambda.function_name
+  lambda_timeout       = module.mns-notification-lambda.timeout
+  lambda_name          = "mns_notification_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.mns-notification-alarm-topic.arn]
+  ok_actions           = [module.mns-notification-alarm-topic.arn]
+}
+
+module "mns-notification-alarm-topic" {
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  current_account_id    = data.aws_caller_identity.current.account_id
+  topic_name            = "mns-notification-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.mns-notification-lambda.lambda_arn
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "kms_lambda_access" {
+  name        = "mns_notification_lambda_access_policy"
+  description = "KMS policy to allow lambda to read MNS SQS messages"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "kms:Decrypt",
+        ]
+        Effect   = "Allow"
+        Resource = module.mns_encryption_key.kms_arn
+      },
+    ]
+  })
+}

infrastructure/mns.tf

@@ -0,0 +1,47 @@
+data "aws_ssm_parameter" "mns_lambda_role" {
+  name = "/ndr/${var.environment}/mns/lambda_role"
+}
+
+
+module "mns_encryption_key" {
+  source                = "./modules/kms"
+  kms_key_name          = "alias/mns-notification-encryption-key-kms-${terraform.workspace}"
+  kms_key_description   = "Custom KMS Key to enable server side encryption for mns subscriptions"
+  current_account_id    = data.aws_caller_identity.current.account_id
+  environment           = var.environment
+  owner                 = var.owner
+  service_identifiers   = ["sns.amazonaws.com"]
+  aws_identifiers       = [data.aws_ssm_parameter.mns_lambda_role.value]
+  allow_decrypt_for_arn = true
+}
+
+module "sqs-mns-notification-queue" {
+  source            = "./modules/sqs"
+  name              = "mns-notification-queue"
+  max_size_message  = 256 * 1024        # allow message size up to 256 KB
+  message_retention = 60 * 60 * 24 * 14 # 14 days
+  environment       = var.environment
+  owner             = var.owner
+  max_visibility    = 1020
+  delay             = 60
+  enable_sse        = null
+  kms_master_key_id = module.mns_encryption_key.id
+}
+
+resource "aws_sqs_queue_policy" "mns_sqs_access" {
+  queue_url = module.sqs-mns-notification-queue.sqs_url
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = data.aws_ssm_parameter.mns_lambda_role.value
+        },
+        Action   = "SQS:SendMessage",
+        Resource = module.sqs-mns-notification-queue.sqs_arn
+      }
+    ]
+  })
+}

infrastructure/modules/dynamo_db/main.tf

@@ -53,8 +53,8 @@ resource "aws_iam_policy" "dynamodb_policy" {
     Statement = concat(
       [
         {
-          "Effect" : "Allow",
-          "Action" : [
+          Effect : "Allow",
+          Action : [
             "dynamodb:Query",
             "dynamodb:Scan",
             "dynamodb:GetItem",
@@ -63,18 +63,18 @@ resource "aws_iam_policy" "dynamodb_policy" {
             "dynamodb:DeleteItem",
             "dynamodb:BatchWriteItem",
           ],
-          "Resource" : [
+          Resource : [
             aws_dynamodb_table.ndr_dynamodb_table.arn,
           ]
         }
       ],
       length(coalesce(var.global_secondary_indexes, [])) > 0 ? [
         {
-          "Effect" : "Allow",
-          "Action" : [
+          Effect : "Allow",
+          Action : [
             "dynamodb:Query",
           ],
-          "Resource" : [
+          Resource : [
             for index in var.global_secondary_indexes :
             "${aws_dynamodb_table.ndr_dynamodb_table.arn}/index/${index.name}"
           ]

infrastructure/modules/kms/README.md

@@ -18,19 +18,24 @@ No modules.
 |------|------|
 | [aws_kms_alias.encryption_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_iam_policy_document.kms_key_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.combined_policy_documents](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.kms_key_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.kms_key_generate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_allow_decrypt_for_arn"></a> [allow\_decrypt\_for\_arn](#input\_allow\_decrypt\_for\_arn) | n/a | `bool` | `false` | no |
+| <a name="input_allowed_arn"></a> [allowed\_arn](#input\_allowed\_arn) | n/a | `list(string)` | `[]` | no |
+| <a name="input_aws_identifiers"></a> [aws\_identifiers](#input\_aws\_identifiers) | n/a | `list(string)` | `[]` | no |
 | <a name="input_current_account_id"></a> [current\_account\_id](#input\_current\_account\_id) | n/a | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
-| <a name="input_identifiers"></a> [identifiers](#input\_identifiers) | n/a | `list(string)` | n/a | yes |
 | <a name="input_kms_key_description"></a> [kms\_key\_description](#input\_kms\_key\_description) | n/a | `string` | n/a | yes |
 | <a name="input_kms_key_name"></a> [kms\_key\_name](#input\_kms\_key\_name) | n/a | `string` | n/a | yes |
 | <a name="input_kms_key_rotation_enabled"></a> [kms\_key\_rotation\_enabled](#input\_kms\_key\_rotation\_enabled) | n/a | `bool` | `true` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | n/a | `string` | n/a | yes |
+| <a name="input_service_identifiers"></a> [service\_identifiers](#input\_service\_identifiers) | n/a | `list(string)` | n/a | yes |
 
 ## Outputs
 

infrastructure/modules/kms/main.tf

@@ -1,6 +1,6 @@
 resource "aws_kms_key" "encryption_key" {
   description         = var.kms_key_description
-  policy              = data.aws_iam_policy_document.kms_key_policy_doc.json
+  policy              = data.aws_iam_policy_document.combined_policy_documents.json
   enable_key_rotation = var.kms_key_rotation_enabled
 
   tags = {
@@ -17,7 +17,7 @@ resource "aws_kms_alias" "encryption_key_alias" {
 }
 
 
-data "aws_iam_policy_document" "kms_key_policy_doc" {
+data "aws_iam_policy_document" "kms_key_base" {
   statement {
     effect = "Allow"
     principals {
@@ -30,13 +30,42 @@ data "aws_iam_policy_document" "kms_key_policy_doc" {
   statement {
     effect = "Allow"
     principals {
-      identifiers = var.identifiers
+      identifiers = var.service_identifiers
       type        = "Service"
     }
     actions = [
       "kms:Decrypt",
       "kms:GenerateDataKey*"
     ]
     resources = ["*"]
+    dynamic "condition" {
+      for_each = var.allow_decrypt_for_arn ? [1] : []
+      content {
+        test     = "ArnEquals"
+        values   = var.allowed_arn
+        variable = "aws:SourceArn"
+      }
+    }
+  }
+}
+
+data "aws_iam_policy_document" "kms_key_generate" {
+  count = length(var.aws_identifiers) > 0 ? 1 : 0
+  statement {
+    effect = "Allow"
+    principals {
+      identifiers = var.aws_identifiers
+      type        = "AWS"
+    }
+    actions   = ["kms:GenerateDataKey"]
+    resources = ["*"]
   }
-}
+}
+
+data "aws_iam_policy_document" "combined_policy_documents" {
+  source_policy_documents = flatten([
+    data.aws_iam_policy_document.kms_key_base.json,
+    length(var.aws_identifiers) > 0 ? [data.aws_iam_policy_document.kms_key_generate[0].json] : []
+  ])
+}
+

infrastructure/modules/kms/variable.tf

@@ -23,14 +23,29 @@ variable "owner" {
   type = string
 }
 
-variable "identifiers" {
+variable "service_identifiers" {
   type = list(string)
 }
 
+variable "aws_identifiers" {
+  type    = list(string)
+  default = []
+}
+
+variable "allow_decrypt_for_arn" {
+  type    = bool
+  default = false
+}
+
+variable "allowed_arn" {
+  type    = list(string)
+  default = []
+}
+
 output "kms_arn" {
   value = aws_kms_key.encryption_key.arn
 }
 
 output "id" {
   value = aws_kms_key.encryption_key.id
-}
+}

infrastructure/queues.tf

@@ -29,4 +29,3 @@ module "sqs-lg-bulk-upload-invalid-queue" {
   owner             = var.owner
   max_visibility    = 1020
 }
-

infrastructure/variable.tf

@@ -226,7 +226,8 @@ locals {
   is_force_destroy   = contains(["ndr-dev", "ndra", "ndrb", "ndrc", "ndrd", "ndr-test"], terraform.workspace)
   is_sandbox_or_test = contains(["ndra", "ndrb", "ndrc", "ndrd", "ndr-test"], terraform.workspace)
 
-  bulk_upload_lambda_concurrent_limit = 5
+  bulk_upload_lambda_concurrent_limit      = 5
+  mns_notification_lambda_concurrent_limit = 3
 
   api_gateway_subdomain_name   = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}"
   api_gateway_full_domain_name = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}${var.domain}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}"