PRMDR-366 Connect to Splunk Publisher (#90)

* [PRMDR-366] refactor sandbox variables
* [PRMDR-366] migrate splunk access policy
* [PRMDR-366] added sqs permission to lambdas

Author: NogaNHS

infrastructure/README.md

@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.16.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.14.0 |
 
 ## Modules
 
@@ -26,6 +26,7 @@
 | <a name="module_back_channel_logout_lambda"></a> [back\_channel\_logout\_lambda](#module\_back\_channel\_logout\_lambda) | ./modules/lambda | n/a |
 | <a name="module_bulk-upload-lambda"></a> [bulk-upload-lambda](#module\_bulk-upload-lambda) | ./modules/lambda | n/a |
 | <a name="module_bulk-upload-metadata-lambda"></a> [bulk-upload-metadata-lambda](#module\_bulk-upload-metadata-lambda) | ./modules/lambda | n/a |
+| <a name="module_bulk-upload-report-lambda"></a> [bulk-upload-report-lambda](#module\_bulk-upload-report-lambda) | ./modules/lambda | n/a |
 | <a name="module_bulk_upload_dynamodb_table"></a> [bulk\_upload\_dynamodb\_table](#module\_bulk\_upload\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_create-doc-ref-gateway"></a> [create-doc-ref-gateway](#module\_create-doc-ref-gateway) | ./modules/gateway | n/a |
 | <a name="module_create-doc-ref-lambda"></a> [create-doc-ref-lambda](#module\_create-doc-ref-lambda) | ./modules/lambda | n/a |
@@ -92,17 +93,28 @@
 | [aws_api_gateway_resource.auth_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
 | [aws_api_gateway_resource.login_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
 | [aws_api_gateway_rest_api.ndr_doc_store_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) | resource |
+| [aws_cloudwatch_event_rule.bulk_upload_metadata_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_rule.bulk_upload_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.bulk_upload_metadata_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_event_target.bulk_upload_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_metric_alarm.repo_alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_iam_policy.dynamodb_policy_scan_bulk_report](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_policy_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_policy_pds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_policy_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.splunk_sqs_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_lambda_event_source_mapping.bulk_upload_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
+| [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket_lifecycle_configuration.doc-store-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.lg-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_wafv2_web_acl_association.web_acl_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.alarm_notification_kms_key_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.splunk_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_ssm_parameter.splunk_trusted_principal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
@@ -113,6 +125,7 @@
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | This is a list that specifies all the Availability Zones that will have a pair of public and private subnets | `list(string)` | <pre>[<br>  "eu-west-2a",<br>  "eu-west-2b",<br>  "eu-west-2c"<br>]</pre> | no |
 | <a name="input_bulk_upload_dynamodb_table_name"></a> [bulk\_upload\_dynamodb\_table\_name](#input\_bulk\_upload\_dynamodb\_table\_name) | The name of dynamodb table to store bulk upload status | `string` | `"BulkUploadReport"` | no |
 | <a name="input_certificate_domain"></a> [certificate\_domain](#input\_certificate\_domain) | n/a | `string` | n/a | yes |
+| <a name="input_cloud_only_service_instances"></a> [cloud\_only\_service\_instances](#input\_cloud\_only\_service\_instances) | n/a | `number` | `1` | no |
 | <a name="input_docstore_bucket_name"></a> [docstore\_bucket\_name](#input\_docstore\_bucket\_name) | The name of S3 bucket to store ARF documents | `string` | `"document-store"` | no |
 | <a name="input_docstore_dynamodb_table_name"></a> [docstore\_dynamodb\_table\_name](#input\_docstore\_dynamodb\_table\_name) | The name of dynamodb table to store the metadata of ARF documents | `string` | `"DocumentReferenceMetadata"` | no |
 | <a name="input_domain"></a> [domain](#input\_domain) | n/a | `string` | n/a | yes |

infrastructure/audit.tf

@@ -0,0 +1,59 @@
+data "aws_ssm_parameter" "splunk_trusted_principal" {
+  name  = "/prs/user-input/external/splunk-trusted-principal"
+  count = var.cloud_only_service_instances
+}
+
+data "aws_iam_policy_document" "splunk_trust_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = var.cloud_only_service_instances > 0 ? split(",", data.aws_ssm_parameter.splunk_trusted_principal[0].value) : []
+    }
+  }
+}
+
+resource "aws_iam_role" "splunk_sqs_forwarder" {
+  count              = local.is_sandbox ? 0 : 1
+  name               = "${terraform.workspace}_splunk_sqs_forwarder_role"
+  description        = "Role to allow ARF to integrate with Splunk"
+  assume_role_policy = data.aws_iam_policy_document.splunk_trust_policy.json
+  inline_policy {
+    name = "${terraform.workspace}_splunk_access_policy"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          effect = "Allow"
+          actions = [
+            "sqs:GetQueueAttributes",
+            "sqs:ListQueues",
+            "sqs:ReceiveMessage",
+            "sqs:GetQueueUrl",
+            "sqs:SendMessage",
+            "sqs:DeleteMessage"
+          ]
+          resources = [
+            module.sqs-splunk-queue.sqs_arn,
+            module.sqs-nems-queue.sqs_arn
+          ]
+        }
+      ]
+    })
+  }
+}
+
+resource "aws_iam_policy" "lambda_audit_splunk_sqs_queue_send_policy" {
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      "Sid"    = "shsqsstatement",
+      "Effect" = "Allow",
+      "Action" = [
+        "sqs:SendMessage",
+      ],
+      "Resource" = [
+        module.sqs-splunk-queue.sqs_arn
+      ]
+  }] })
+}

infrastructure/buckets.tf

@@ -5,7 +5,7 @@ module "ndr-document-store" {
   enable_cors_configuration = true
   environment               = var.environment
   owner                     = var.owner
-  force_destroy             = contains(["ndra", "ndrb", "ndrc", "ndrd", "ndr-test"], terraform.workspace)
+  force_destroy             = local.is_force_destroy
   cors_rules = [
     {
       allowed_headers = ["*"]
@@ -28,7 +28,7 @@ module "ndr-zip-request-store" {
   enable_cors_configuration = true
   environment               = var.environment
   owner                     = var.owner
-  force_destroy             = contains(["ndra", "ndrb", "ndrc", "ndrd", "ndr-test"], terraform.workspace)
+  force_destroy             = local.is_force_destroy
   cors_rules = [
     {
       allowed_methods = ["GET"]
@@ -44,7 +44,7 @@ module "ndr-lloyd-george-store" {
   enable_cors_configuration = true
   environment               = var.environment
   owner                     = var.owner
-  force_destroy             = contains(["ndra", "ndrb", "ndrc", "ndrd", "ndr-test"], terraform.workspace)
+  force_destroy             = local.is_force_destroy
   cors_rules = [
     {
       allowed_headers = ["*"]
@@ -164,6 +164,6 @@ module "ndr-bulk-staging-store" {
   bucket_name               = var.staging_store_bucket_name
   environment               = var.environment
   owner                     = var.owner
-  force_destroy             = contains(["ndra", "ndrb", "ndrc", "ndrd", "ndr-test"], terraform.workspace)
+  force_destroy             = local.is_force_destroy
   enable_cors_configuration = false
 }

infrastructure/lambda-bulk-upload.tf

@@ -23,7 +23,7 @@ module "bulk-upload-lambda" {
     BULK_UPLOAD_DYNAMODB_NAME  = "${terraform.workspace}_${var.bulk_upload_dynamodb_table_name}"
     METADATA_SQS_QUEUE_URL     = module.sqs-lg-bulk-upload-metadata-queue.sqs_url
     INVALID_SQS_QUEUE_URL      = module.sqs-lg-bulk-upload-invalid-queue.sqs_url
-    PDS_FHIR_IS_STUBBED        = contains(["ndra", "ndrb", "ndrc", "ndrd"], terraform.workspace)
+    PDS_FHIR_IS_STUBBED        = local.is_sandbox
   }
 
   is_gateway_integration_needed = false

infrastructure/lambda-document-manifest-by-nhs-number.tf

@@ -72,6 +72,7 @@ module "document-manifest-by-nhs-number-lambda" {
     module.ndr-lloyd-george-store.s3_object_access_policy,
     module.zip_store_reference_dynamodb_table.dynamodb_policy,
     module.ndr-zip-request-store.s3_object_access_policy,
+    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn,
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
   ]
@@ -86,6 +87,8 @@ module "document-manifest-by-nhs-number-lambda" {
     LLOYD_GEORGE_DYNAMODB_NAME   = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     ZIPPED_STORE_BUCKET_NAME     = "${terraform.workspace}-${var.zip_store_bucket_name}"
     ZIPPED_STORE_DYNAMODB_NAME   = "${terraform.workspace}_${var.zip_store_dynamodb_table_name}"
+    SPLUNK_SQS_QUEUE_URL         = module.sqs-splunk-queue.sqs_url
+
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,

infrastructure/lambda-lloyd-george-record-stitch.tf

@@ -68,15 +68,18 @@ module "lloyd-george-stitch-lambda" {
     module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
     module.ndr-lloyd-george-store.s3_object_access_policy,
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
+    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
+    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.lloyd-george-stitch-gateway.gateway_resource_id
   http_method       = "GET"
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {
-    LLOYD_GEORGE_BUCKET_NAME = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
-  LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}" }
+    LLOYD_GEORGE_BUCKET_NAME   = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    SPLUNK_SQS_QUEUE_URL       = module.sqs-splunk-queue.sqs_url
+  }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.ndr-lloyd-george-store,

infrastructure/lambda-search-patient.tf

@@ -66,14 +66,16 @@ module "search-patient-details-lambda" {
   iam_role_policies = [
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    aws_iam_policy.ssm_policy_pds.arn
+    aws_iam_policy.ssm_policy_pds.arn,
+    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn
   ]
   rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id = module.search-patient-details-gateway.gateway_resource_id
   http_method = "GET"
   lambda_environment_variables = {
-    "PDS_FHIR_IS_STUBBED"            = contains(["ndra", "ndrb", "ndrc", "ndrd"], terraform.workspace)
-    "SSM_PARAM_JWT_TOKEN_PUBLIC_KEY" = "jwt_token_public_key"
+    SSM_PARAM_JWT_TOKEN_PUBLIC_KEY = "jwt_token_public_key"
+    PDS_FHIR_IS_STUBBED            = local.is_sandbox,
+    SPLUNK_SQS_QUEUE_URL           = module.sqs-splunk-queue.sqs_url
   }
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   depends_on = [

infrastructure/lambda-token.tf

@@ -28,7 +28,8 @@ module "create-token-lambda" {
     "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
     aws_iam_policy.ssm_policy_token.arn,
     module.auth_session_dynamodb_table.dynamodb_policy,
-    module.auth_state_dynamodb_table.dynamodb_policy
+    module.auth_state_dynamodb_table.dynamodb_policy,
+    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn
   ]
 
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
@@ -41,6 +42,8 @@ module "create-token-lambda" {
     OIDC_CALLBACK_URL               = "https://${terraform.workspace}.${var.domain}/auth-callback"
     AUTH_STATE_TABLE_NAME           = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
     AUTH_SESSION_TABLE_NAME         = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
+    SPLUNK_SQS_QUEUE_URL            = module.sqs-splunk-queue.sqs_url
+
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,

infrastructure/modules/sqs/README.md

@@ -26,11 +26,14 @@ No modules.
 | <a name="input_delay"></a> [delay](#input\_delay) | The time in seconds that the delivery of all messages in the queue will be delayed | `number` | `0` | no |
 | <a name="input_enable_deduplication"></a> [enable\_deduplication](#input\_enable\_deduplication) | Prevent content based duplication in queue | `bool` | `false` | no |
 | <a name="input_enable_fifo"></a> [enable\_fifo](#input\_enable\_fifo) | Attach first in first out policy to sqs | `bool` | `false` | no |
+| <a name="input_enable_in_sandbox"></a> [enable\_in\_sandbox](#input\_enable\_in\_sandbox) | n/a | `bool` | `true` | no |
 | <a name="input_enable_sse"></a> [enable\_sse](#input\_enable\_sse) | Enable server-side encryption (SSE) of message content with SQS-owned encryption keys, requires kms resource for queue | `bool` | `true` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Tags | `string` | n/a | yes |
 | <a name="input_max_message"></a> [max\_message](#input\_max\_message) | Max message size in bytes before sqs rejects the message | `number` | `2048` | no |
 | <a name="input_max_visibility"></a> [max\_visibility](#input\_max\_visibility) | Time in seconds during which Amazon SQS prevents all consumers from receiving and processing the message | `number` | `30` | no |
 | <a name="input_message_retention"></a> [message\_retention](#input\_message\_retention) | Number of seconds sqs keeps a message | `number` | `86400` | no |
 | <a name="input_name"></a> [name](#input\_name) | n/a | `string` | n/a | yes |
+| <a name="input_owner"></a> [owner](#input\_owner) | n/a | `string` | n/a | yes |
 | <a name="input_receive_wait"></a> [receive\_wait](#input\_receive\_wait) | Number of seconds sqs will wait for a message when ReceiveMessage is received | `number` | `2` | no |
 
 ## Outputs

infrastructure/modules/sqs/main.tf

@@ -1,4 +1,5 @@
 resource "aws_sqs_queue" "sqs_queue" {
+  count                       = var.enable_in_sandbox ? 1 : 0
   name                        = "${terraform.workspace}-${var.name}"
   delay_seconds               = var.delay
   visibility_timeout_seconds  = var.max_visibility
@@ -8,6 +9,12 @@ resource "aws_sqs_queue" "sqs_queue" {
   sqs_managed_sse_enabled     = var.enable_sse
   fifo_queue                  = var.enable_fifo
   content_based_deduplication = var.enable_deduplication
+  tags = {
+    Name        = "${terraform.workspace}-${var.name}"
+    Owner       = var.owner
+    Environment = var.environment
+    Workspace   = terraform.workspace
+  }
 }
 
 resource "aws_iam_policy" "sqs_queue_policy" {
@@ -23,7 +30,7 @@ resource "aws_iam_policy" "sqs_queue_policy" {
         "sqs:GetQueueAttributes"
       ],
       "Resource" = [
-        aws_sqs_queue.sqs_queue.arn
+        aws_sqs_queue.sqs_queue[0].arn
       ]
   }] })
 }