Merge branch 'main' into PRMP-1292

Author: abid-nhs

.github/workflows/terraform-daily-healthcheck-deploy-and-destroy.yml

@@ -165,6 +165,7 @@ jobs:
       sandbox: ${{ needs.set_workspace.outputs.workspace }}
       environment: development
       python_version: "3.11"
+      is_sandbox: true
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 

.github/workflows/terraform-dev-to-main-ci.yml

@@ -9,6 +9,7 @@ on:
     branches:
     - main
 
+
 permissions:
   pull-requests: write
   id-token: write # This is required for requesting the JWT
@@ -75,24 +76,17 @@ jobs:
     name: Deploy Lambdas on NDR Functional Repo
     needs: ['terraform_process']
     if: github.ref == 'refs/heads/main'
-    uses: nhsconnect/national-document-repository/.github/workflows/lambdas-deploy-feature-to-sandbox.yml@main
-    with:
-      build_branch: main
-      sandbox: ndr-dev
-      environment: development
+    uses: nhsconnect/national-document-repository/.github/workflows/lambdas-dev-to-main-ci.yml@main
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
   run_main_repo_deploy_ui:
-    name: Deploy Lambdas on NDR Functional Repo
+    name: Deploy UI on NDR Functional Repo
     needs: ['terraform_process']
     if: github.ref == 'refs/heads/main'
-    uses: nhsconnect/national-document-repository/.github/workflows/ui-deploy-feature-to-sandbox-manual.yml@main
-    with:
-      build_branch: main
-      sandbox: ndr-dev
-      environment: development
+    uses: nhsconnect/national-document-repository/.github/workflows/ui-dev-to-main-ci.yml@main
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+
 
 

infrastructure/README.md

@@ -87,6 +87,10 @@
 | <a name="module_manage-nrl-pointer-alarm"></a> [manage-nrl-pointer-alarm](#module\_manage-nrl-pointer-alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_manage-nrl-pointer-alarm-topic"></a> [manage-nrl-pointer-alarm-topic](#module\_manage-nrl-pointer-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_manage-nrl-pointer-lambda"></a> [manage-nrl-pointer-lambda](#module\_manage-nrl-pointer-lambda) | ./modules/lambda | n/a |
+| <a name="module_mns-notification-alarm"></a> [mns-notification-alarm](#module\_mns-notification-alarm) | ./modules/lambda_alarms | n/a |
+| <a name="module_mns-notification-alarm-topic"></a> [mns-notification-alarm-topic](#module\_mns-notification-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_mns-notification-lambda"></a> [mns-notification-lambda](#module\_mns-notification-lambda) | ./modules/lambda | n/a |
+| <a name="module_mns_encryption_key"></a> [mns\_encryption\_key](#module\_mns\_encryption\_key) | ./modules/kms | n/a |
 | <a name="module_ndr-app-config"></a> [ndr-app-config](#module\_ndr-app-config) | ./modules/app_config | n/a |
 | <a name="module_ndr-bulk-staging-store"></a> [ndr-bulk-staging-store](#module\_ndr-bulk-staging-store) | ./modules/s3/ | n/a |
 | <a name="module_ndr-docker-ecr-ui"></a> [ndr-docker-ecr-ui](#module\_ndr-docker-ecr-ui) | ./modules/ecr/ | n/a |
@@ -119,6 +123,7 @@
 | <a name="module_sns_encryption_key"></a> [sns\_encryption\_key](#module\_sns\_encryption\_key) | ./modules/kms | n/a |
 | <a name="module_sqs-lg-bulk-upload-invalid-queue"></a> [sqs-lg-bulk-upload-invalid-queue](#module\_sqs-lg-bulk-upload-invalid-queue) | ./modules/sqs | n/a |
 | <a name="module_sqs-lg-bulk-upload-metadata-queue"></a> [sqs-lg-bulk-upload-metadata-queue](#module\_sqs-lg-bulk-upload-metadata-queue) | ./modules/sqs | n/a |
+| <a name="module_sqs-mns-notification-queue"></a> [sqs-mns-notification-queue](#module\_sqs-mns-notification-queue) | ./modules/sqs | n/a |
 | <a name="module_sqs-nems-queue"></a> [sqs-nems-queue](#module\_sqs-nems-queue) | ./modules/sqs | n/a |
 | <a name="module_sqs-nrl-queue"></a> [sqs-nrl-queue](#module\_sqs-nrl-queue) | ./modules/sqs | n/a |
 | <a name="module_sqs-splunk-queue"></a> [sqs-splunk-queue](#module\_sqs-splunk-queue) | ./modules/sqs | n/a |
@@ -181,6 +186,7 @@
 | [aws_iam_policy.dynamodb_policy_scan_bulk_report](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_stream_stitch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.kms_mns_lambda_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_document_data_policy_for_manifest_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_document_data_policy_for_stitch_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -219,6 +225,7 @@
 | [aws_lambda_event_source_mapping.bulk_upload_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.dynamodb_stream_stitch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
+| [aws_lambda_event_source_mapping.mns_notification_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.nems_message_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.nrl_pointer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
@@ -232,6 +239,7 @@
 | [aws_security_group.ndr_mesh_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_sns_topic.alarm_notifications_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_subscription.alarm_notifications_sns_topic_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sqs_queue_policy.mns_sqs_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.nems_events_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_ssm_parameter.nems_events_observability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.nems_events_topic_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
@@ -264,6 +272,7 @@
 | [aws_ssm_parameter.backup_target_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cloud_security_notification_email_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.end_user_ods_code](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.mns_lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.splunk_trusted_principal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.target_backup_vault_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 

infrastructure/dynamo_db.tf

@@ -3,7 +3,8 @@ module "document_reference_dynamodb_table" {
   table_name                     = var.docstore_dynamodb_table_name
   hash_key                       = "ID"
   deletion_protection_enabled    = local.is_production
-  stream_enabled                 = false
+  stream_enabled                 = true
+  stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
   point_in_time_recovery_enabled = !local.is_sandbox
@@ -66,7 +67,8 @@ module "lloyd_george_reference_dynamodb_table" {
   table_name                     = var.lloyd_george_dynamodb_table_name
   hash_key                       = "ID"
   deletion_protection_enabled    = local.is_production
-  stream_enabled                 = false
+  stream_enabled                 = true
+  stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
   point_in_time_recovery_enabled = !local.is_sandbox

infrastructure/ecs.tf

@@ -90,10 +90,10 @@ module "ndr-ecs-fargate-ods-update" {
       "value" : terraform.workspace
     }
   ]
-  ecs_container_definition_memory = 512
-  ecs_container_definition_cpu    = 256
-  ecs_task_definition_memory      = 512
-  ecs_task_definition_cpu         = 256
+  ecs_container_definition_memory = 5120
+  ecs_container_definition_cpu    = 1024
+  ecs_task_definition_memory      = 5120
+  ecs_task_definition_cpu         = 1024
 }
 
 resource "aws_iam_role" "ods_weekly_update_task_role" {

infrastructure/kms_sns.tf

@@ -5,5 +5,5 @@ module "sns_encryption_key" {
   current_account_id  = data.aws_caller_identity.current.account_id
   environment         = var.environment
   owner               = var.owner
-  identifiers         = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
+  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
 }

infrastructure/lambda-data-collection.tf

@@ -41,10 +41,12 @@ module "data-collection-alarm-topic" {
 }
 
 module "data-collection-lambda" {
-  source         = "./modules/lambda"
-  name           = "DataCollectionLambda"
-  handler        = "handlers.data_collection_handler.lambda_handler"
-  lambda_timeout = 900
+  source                   = "./modules/lambda"
+  name                     = "DataCollectionLambda"
+  handler                  = "handlers.data_collection_handler.lambda_handler"
+  lambda_timeout           = 900
+  lambda_ephemeral_storage = local.is_production ? 10240 : 1769
+  memory_size              = local.is_production ? 10240 : 1769
   iam_role_policy_documents = [
     module.ndr-app-config.app_config_policy,
     module.statistics_dynamodb_table.dynamodb_read_policy_document,

infrastructure/lambda-delete-doc-object.tf

@@ -0,0 +1,119 @@
+module "delete-document-object-alarm" {
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.delete-document-object-lambda.function_name
+  lambda_timeout       = module.delete-document-object-lambda.timeout
+  lambda_name          = "delete_document_object_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.delete-document-object-alarm-topic.arn]
+  ok_actions           = [module.delete-document-object-alarm-topic.arn]
+}
+
+module "delete-document-object-alarm-topic" {
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  current_account_id    = data.aws_caller_identity.current.account_id
+  topic_name            = "delete-document-object-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.delete-document-object-lambda.lambda_arn
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}
+
+module "delete-document-object-lambda" {
+  source         = "./modules/lambda"
+  name           = "DeleteDocumentObjectS3"
+  handler        = "handlers.delete_document_object_handler.lambda_handler"
+  lambda_timeout = 900
+  iam_role_policy_documents = [
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.dynamodb_stream_delete_object_policy.policy
+  ]
+  rest_api_id       = null
+  api_execution_arn = null
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+  }
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}
+
+resource "aws_iam_policy" "dynamodb_stream_delete_object_policy" {
+  name = "${terraform.workspace}_dynamodb_stream_to_delete_records_policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = ["dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:DescribeStream", "dynamodb:ListStreams"]
+        Effect = "Allow"
+        Resource = [
+          module.lloyd_george_reference_dynamodb_table.dynamodb_stream_arn,
+          module.document_reference_dynamodb_table.dynamodb_stream_arn
+        ]
+      },
+    ]
+  })
+}
+
+resource "aws_lambda_event_source_mapping" "lloyd_george_dynamodb_stream" {
+  event_source_arn  = module.lloyd_george_reference_dynamodb_table.dynamodb_stream_arn
+  function_name     = module.delete-document-object-lambda.lambda_arn
+  batch_size        = 1
+  starting_position = "LATEST"
+
+  filter_criteria {
+    filter {
+      pattern = jsonencode({
+        "eventName" : [
+          "REMOVE"
+        ]
+      })
+    }
+  }
+}
+
+resource "aws_lambda_event_source_mapping" "document_reference_dynamodb_stream" {
+  event_source_arn  = module.document_reference_dynamodb_table.dynamodb_stream_arn
+  function_name     = module.delete-document-object-lambda.lambda_arn
+  batch_size        = 1
+  starting_position = "LATEST"
+
+  filter_criteria {
+    filter {
+      pattern = jsonencode({
+        "eventName" : [
+          "REMOVE"
+        ]
+      })
+    }
+  }
+}

infrastructure/lambda-mns-notification.tf

@@ -0,0 +1,103 @@
+module "mns-notification-lambda" {
+  count   = local.is_sandbox ? 0 : 1
+  source  = "./modules/lambda"
+  name    = "MNSNotificationLambda"
+  handler = "handlers.mns_notification_handler.lambda_handler"
+  iam_role_policy_documents = [
+    module.sqs-mns-notification-queue[0].sqs_read_policy_document,
+    module.sqs-mns-notification-queue[0].sqs_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.kms_mns_lambda_access[0].policy,
+  ]
+  rest_api_id       = null
+  api_execution_arn = null
+
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION      = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT      = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION    = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE                  = terraform.workspace
+    LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    MNS_NOTIFICATION_QUEUE_URL = module.sqs-mns-notification-queue[0].sqs_url
+    PDS_FHIR_IS_STUBBED        = local.is_sandbox
+  }
+
+  is_gateway_integration_needed  = false
+  is_invoked_from_gateway        = false
+  lambda_timeout                 = 900
+  reserved_concurrent_executions = local.mns_notification_lambda_concurrent_limit
+}
+
+resource "aws_lambda_event_source_mapping" "mns_notification_lambda" {
+  count            = local.is_sandbox ? 0 : 1
+  event_source_arn = module.sqs-mns-notification-queue[0].endpoint
+  function_name    = module.mns-notification-lambda[0].lambda_arn
+
+  scaling_config {
+    maximum_concurrency = local.mns_notification_lambda_concurrent_limit
+  }
+}
+
+module "mns-notification-alarm" {
+  count                = local.is_sandbox ? 0 : 1
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.mns-notification-lambda[0].function_name
+  lambda_timeout       = module.mns-notification-lambda[0].timeout
+  lambda_name          = "mns_notification_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.mns-notification-alarm-topic[0].arn]
+  ok_actions           = [module.mns-notification-alarm-topic[0].arn]
+}
+
+module "mns-notification-alarm-topic" {
+  count                 = local.is_sandbox ? 0 : 1
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  current_account_id    = data.aws_caller_identity.current.account_id
+  topic_name            = "mns-notification-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.mns-notification-lambda[0].lambda_arn
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "kms_mns_lambda_access" {
+  count = local.is_sandbox ? 0 : 1
+
+  name        = "${terraform.workspace}_mns_notification_lambda_access_policy"
+  description = "KMS policy to allow lambda to read MNS SQS messages"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "kms:Decrypt",
+        ]
+        Effect   = "Allow"
+        Resource = module.mns_encryption_key[0].kms_arn
+      },
+    ]
+  })
+}

infrastructure/lambda-statistical-report.tf

@@ -41,10 +41,12 @@ module "statistical-report-alarm-topic" {
 }
 
 module "statistical-report-lambda" {
-  source         = "./modules/lambda"
-  name           = "StatisticalReportLambda"
-  handler        = "handlers.statistical_report_handler.lambda_handler"
-  lambda_timeout = 900
+  source                   = "./modules/lambda"
+  name                     = "StatisticalReportLambda"
+  handler                  = "handlers.statistical_report_handler.lambda_handler"
+  lambda_timeout           = 900
+  lambda_ephemeral_storage = local.is_production ? 10240 : 1769
+  memory_size              = local.is_production ? 10240 : 1769
   iam_role_policy_documents = [
     module.ndr-app-config.app_config_policy,
     module.statistics_dynamodb_table.dynamodb_read_policy_document,