PRMDR Build Process Fixes

NogaNHS · web-flow · commit fa890528fb05 · 2023-11-06T19:34:56.000Z
* Changed the count in sqs instances to fix failing terraform
* Attaching the security policy outside the lambda
diff --git a/infrastructure/audit.tf b/infrastructure/audit.tf
@@ -24,26 +24,27 @@ resource "aws_iam_role" "splunk_sqs_forwarder" {
       Version = "2012-10-17"
       Statement = [
         {
-          effect = "Allow"
-          actions = [
+          Effect = "Allow"
+          Action = [
             "sqs:GetQueueAttributes",
             "sqs:ListQueues",
             "sqs:ReceiveMessage",
             "sqs:GetQueueUrl",
             "sqs:SendMessage",
             "sqs:DeleteMessage"
           ]
-          resources = [
-            module.sqs-splunk-queue.sqs_arn,
-            module.sqs-nems-queue.sqs_arn
+          Resource = [
+            module.sqs-splunk-queue[0].sqs_arn,
+            module.sqs-nems-queue[0].sqs_arn
           ]
-        }
+        },
       ]
     })
   }
 }
 
 resource "aws_iam_policy" "lambda_audit_splunk_sqs_queue_send_policy" {
+  count = local.is_sandbox ? 0 : 1
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
@@ -53,7 +54,7 @@ resource "aws_iam_policy" "lambda_audit_splunk_sqs_queue_send_policy" {
         "sqs:SendMessage",
       ],
       "Resource" = [
-        module.sqs-splunk-queue.sqs_arn
+        module.sqs-splunk-queue[0].sqs_arn
       ]
   }] })
 }
diff --git a/infrastructure/lambda-document-manifest-by-nhs-number.tf b/infrastructure/lambda-document-manifest-by-nhs-number.tf
@@ -72,7 +72,6 @@ module "document-manifest-by-nhs-number-lambda" {
     module.ndr-lloyd-george-store.s3_object_access_policy,
     module.zip_store_reference_dynamodb_table.dynamodb_policy,
     module.ndr-zip-request-store.s3_object_access_policy,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn,
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
   ]
@@ -87,11 +86,18 @@ module "document-manifest-by-nhs-number-lambda" {
     LLOYD_GEORGE_DYNAMODB_NAME   = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     ZIPPED_STORE_BUCKET_NAME     = "${terraform.workspace}-${var.zip_store_bucket_name}"
     ZIPPED_STORE_DYNAMODB_NAME   = "${terraform.workspace}_${var.zip_store_dynamodb_table_name}"
-    SPLUNK_SQS_QUEUE_URL         = module.sqs-splunk-queue.sqs_url
+    SPLUNK_SQS_QUEUE_URL         = try(module.sqs-splunk-queue[0].sqs_url, null)
 
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.document-manifest-by-nhs-gateway,
+    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0]
   ]
 }
+
+resource "aws_iam_role_policy_attachment" "policy_manifest_lambda" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = module.document-manifest-by-nhs-number-lambda.lambda_execution_role_name
+  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
+}
diff --git a/infrastructure/lambda-lloyd-george-record-stitch.tf b/infrastructure/lambda-lloyd-george-record-stitch.tf
@@ -69,7 +69,6 @@ module "lloyd-george-stitch-lambda" {
     module.ndr-lloyd-george-store.s3_object_access_policy,
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.lloyd-george-stitch-gateway.gateway_resource_id
@@ -78,12 +77,19 @@ module "lloyd-george-stitch-lambda" {
   lambda_environment_variables = {
     LLOYD_GEORGE_BUCKET_NAME   = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
     LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
-    SPLUNK_SQS_QUEUE_URL       = module.sqs-splunk-queue.sqs_url
+    SPLUNK_SQS_QUEUE_URL       = try(module.sqs-splunk-queue[0].sqs_url, null)
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.ndr-lloyd-george-store,
     module.lloyd_george_reference_dynamodb_table,
-    module.lloyd-george-stitch-gateway
+    module.lloyd-george-stitch-gateway,
+    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0]
   ]
 }
+
+resource "aws_iam_role_policy_attachment" "lambda_stitch-lambda" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = module.lloyd-george-stitch-lambda.lambda_execution_role_name
+  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
+}
diff --git a/infrastructure/lambda-search-patient.tf b/infrastructure/lambda-search-patient.tf
@@ -67,20 +67,20 @@ module "search-patient-details-lambda" {
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
     aws_iam_policy.ssm_policy_pds.arn,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn
   ]
   rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id = module.search-patient-details-gateway.gateway_resource_id
   http_method = "GET"
   lambda_environment_variables = {
     SSM_PARAM_JWT_TOKEN_PUBLIC_KEY = "jwt_token_public_key"
     PDS_FHIR_IS_STUBBED            = local.is_sandbox,
-    SPLUNK_SQS_QUEUE_URL           = module.sqs-splunk-queue.sqs_url
+    SPLUNK_SQS_QUEUE_URL           = try(module.sqs-splunk-queue[0].sqs_url, null)
   }
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    module.search-patient-details-gateway
+    module.search-patient-details-gateway,
+    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0]
   ]
 }
 
@@ -102,4 +102,10 @@ resource "aws_iam_policy" "ssm_policy_pds" {
       }
     ]
   })
+}
+
+resource "aws_iam_role_policy_attachment" "policy_audit_search-patient-details-lambda" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = module.search-patient-details-lambda.lambda_execution_role_name
+  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
 }
diff --git a/infrastructure/lambda-token.tf b/infrastructure/lambda-token.tf
@@ -29,9 +29,7 @@ module "create-token-lambda" {
     aws_iam_policy.ssm_policy_token.arn,
     module.auth_session_dynamodb_table.dynamodb_policy,
     module.auth_state_dynamodb_table.dynamodb_policy,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn
   ]
-
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.token-gateway.gateway_resource_id
   http_method       = "GET"
@@ -42,15 +40,16 @@ module "create-token-lambda" {
     OIDC_CALLBACK_URL               = "https://${terraform.workspace}.${var.domain}/auth-callback"
     AUTH_STATE_TABLE_NAME           = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
     AUTH_SESSION_TABLE_NAME         = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
-    SPLUNK_SQS_QUEUE_URL            = module.sqs-splunk-queue.sqs_url
+    SPLUNK_SQS_QUEUE_URL            = try(module.sqs-splunk-queue[0].sqs_url, null)
 
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     aws_iam_policy.ssm_policy_token,
     module.auth_session_dynamodb_table,
     module.auth_state_dynamodb_table,
-    module.token-gateway
+    module.token-gateway,
+    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0]
   ]
   memory_size = 256
 }
@@ -114,4 +113,10 @@ resource "aws_iam_policy" "ssm_policy_token" {
       }
     ]
   })
+}
+
+resource "aws_iam_role_policy_attachment" "policy_audit_token_lambda" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = module.create-token-lambda.lambda_execution_role_name
+  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
 }
diff --git a/infrastructure/modules/lambda/variable.tf b/infrastructure/modules/lambda/variable.tf
@@ -74,4 +74,8 @@ output "timeout" {
 
 output "endpoint" {
   value = aws_lambda_function.lambda.arn
+}
+
+output "lambda_execution_role_name" {
+  value = aws_iam_role.lambda_execution_role.name
 }
diff --git a/infrastructure/modules/sqs/main.tf b/infrastructure/modules/sqs/main.tf
@@ -1,5 +1,4 @@
 resource "aws_sqs_queue" "sqs_queue" {
-  count                       = var.enable_in_sandbox ? 1 : 0
   name                        = "${terraform.workspace}-${var.name}"
   delay_seconds               = var.delay
   visibility_timeout_seconds  = var.max_visibility
@@ -30,7 +29,7 @@ resource "aws_iam_policy" "sqs_queue_policy" {
         "sqs:GetQueueAttributes"
       ],
       "Resource" = [
-        aws_sqs_queue.sqs_queue[0].arn
+        aws_sqs_queue.sqs_queue.arn
       ]
   }] })
 }
diff --git a/infrastructure/modules/sqs/variable.tf b/infrastructure/modules/sqs/variable.tf
@@ -2,10 +2,6 @@ variable "name" {
   type = string
 }
 
-variable "enable_in_sandbox" {
-  type    = bool
-  default = true
-}
 variable "delay" {
   description = "The time in seconds that the delivery of all messages in the queue will be delayed"
   type        = number
@@ -65,12 +61,12 @@ variable "owner" {
 }
 
 output "endpoint" {
-  value       = aws_sqs_queue.sqs_queue[0].arn
+  value       = aws_sqs_queue.sqs_queue.arn
   description = "Same as sqs queue arn. For use when setting the queue as endpoint of sns topic"
 }
 
 output "sqs_arn" {
-  value = aws_sqs_queue.sqs_queue[0].arn
+  value = aws_sqs_queue.sqs_queue.arn
 }
 
 output "sqs_policy" {
@@ -79,5 +75,5 @@ output "sqs_policy" {
 }
 
 output "sqs_url" {
-  value = aws_sqs_queue.sqs_queue[0].url
+  value = aws_sqs_queue.sqs_queue.url
 }
diff --git a/infrastructure/queues.tf b/infrastructure/queues.tf
@@ -1,17 +1,17 @@
 module "sqs-splunk-queue" {
-  source            = "./modules/sqs"
-  name              = "splunk-queue"
-  enable_in_sandbox = !local.is_sandbox
-  environment       = var.environment
-  owner             = var.owner
+  source      = "./modules/sqs"
+  name        = "splunk-queue"
+  count       = local.is_sandbox ? 0 : 1
+  environment = var.environment
+  owner       = var.owner
 }
 
 module "sqs-nems-queue" {
-  source            = "./modules/sqs"
-  name              = "nems-queue"
-  enable_in_sandbox = !local.is_sandbox
-  environment       = var.environment
-  owner             = var.owner
+  source      = "./modules/sqs"
+  name        = "nems-queue"
+  count       = local.is_sandbox ? 0 : 1
+  environment = var.environment
+  owner       = var.owner
 }
 
 module "sqs-lg-bulk-upload-metadata-queue" {
@@ -33,10 +33,11 @@ module "sqs-lg-bulk-upload-invalid-queue" {
 }
 
 module "sqs-nems-queue-topic" {
+  count          = local.is_sandbox ? 0 : 1
   source         = "./modules/sns"
   topic_name     = "nems-queue-topic"
   topic_protocol = "sqs"
-  topic_endpoint = module.sqs-nems-queue.endpoint
+  topic_endpoint = module.sqs-nems-queue[0].endpoint
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

Original file line number	Diff line number	Diff line change
`@@ -24,26 +24,27 @@ resource "aws_iam_role" "splunk_sqs_forwarder" {`
`24`	`24`	`Version = "2012-10-17"`
`25`	`25`	`Statement = [`
`26`	`26`	`{`
`27`		`- effect = "Allow"`
`28`		`- actions = [`
	`27`	`+ Effect = "Allow"`
	`28`	`+ Action = [`
`29`	`29`	`"sqs:GetQueueAttributes",`
`30`	`30`	`"sqs:ListQueues",`
`31`	`31`	`"sqs:ReceiveMessage",`
`32`	`32`	`"sqs:GetQueueUrl",`
`33`	`33`	`"sqs:SendMessage",`
`34`	`34`	`"sqs:DeleteMessage"`
`35`	`35`	`]`
`36`		`- resources = [`
`37`		`- module.sqs-splunk-queue.sqs_arn,`
`38`		`- module.sqs-nems-queue.sqs_arn`
	`36`	`+ Resource = [`
	`37`	`+ module.sqs-splunk-queue[0].sqs_arn,`
	`38`	`+ module.sqs-nems-queue[0].sqs_arn`
`39`	`39`	`]`
`40`		`- }`
	`40`	`+ },`
`41`	`41`	`]`
`42`	`42`	`})`
`43`	`43`	`}`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`resource "aws_iam_policy" "lambda_audit_splunk_sqs_queue_send_policy" {`
	`47`	`+ count = local.is_sandbox ? 0 : 1`
`47`	`48`	`policy = jsonencode({`
`48`	`49`	`Version = "2012-10-17"`
`49`	`50`	`Statement = [{`
`@@ -53,7 +54,7 @@ resource "aws_iam_policy" "lambda_audit_splunk_sqs_queue_send_policy" {`
`53`	`54`	`"sqs:SendMessage",`
`54`	`55`	`],`
`55`	`56`	`"Resource" = [`
`56`		`- module.sqs-splunk-queue.sqs_arn`
	`57`	`+ module.sqs-splunk-queue[0].sqs_arn`
`57`	`58`	`]`
`58`	`59`	`}] })`
`59`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -67,20 +67,20 @@ module "search-patient-details-lambda" {`
`67`	`67`	`"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",`
`68`	`68`	`"arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",`
`69`	`69`	`aws_iam_policy.ssm_policy_pds.arn,`
`70`		`- aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn`
`71`	`70`	`]`
`72`	`71`	`rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id`
`73`	`72`	`resource_id = module.search-patient-details-gateway.gateway_resource_id`
`74`	`73`	`http_method = "GET"`
`75`	`74`	`lambda_environment_variables = {`
`76`	`75`	`SSM_PARAM_JWT_TOKEN_PUBLIC_KEY = "jwt_token_public_key"`
`77`	`76`	`PDS_FHIR_IS_STUBBED = local.is_sandbox,`
`78`		`- SPLUNK_SQS_QUEUE_URL = module.sqs-splunk-queue.sqs_url`
	`77`	`+ SPLUNK_SQS_QUEUE_URL = try(module.sqs-splunk-queue[0].sqs_url, null)`
`79`	`78`	`}`
`80`	`79`	`api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn`
`81`	`80`	`depends_on = [`
`82`	`81`	`aws_api_gateway_rest_api.ndr_doc_store_api,`
`83`		`- module.search-patient-details-gateway`
	`82`	`+ module.search-patient-details-gateway,`
	`83`	`+ aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0]`
`84`	`84`	`]`
`85`	`85`	`}`
`86`	`86`
`@@ -102,4 +102,10 @@ resource "aws_iam_policy" "ssm_policy_pds" {`
`102`	`102`	`}`
`103`	`103`	`]`
`104`	`104`	`})`
	`105`	`+}`
	`106`	`+`
	`107`	`+resource "aws_iam_role_policy_attachment" "policy_audit_search-patient-details-lambda" {`
	`108`	`+ count = local.is_sandbox ? 0 : 1`
	`109`	`+ role = module.search-patient-details-lambda.lambda_execution_role_name`
	`110`	`+ policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)`
`105`	`111`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,9 +29,7 @@ module "create-token-lambda" {`
`29`	`29`	`aws_iam_policy.ssm_policy_token.arn,`
`30`	`30`	`module.auth_session_dynamodb_table.dynamodb_policy,`
`31`	`31`	`module.auth_state_dynamodb_table.dynamodb_policy,`
`32`		`- aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy.arn`
`33`	`32`	`]`
`34`		`-`
`35`	`33`	`rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id`
`36`	`34`	`resource_id = module.token-gateway.gateway_resource_id`
`37`	`35`	`http_method = "GET"`
`@@ -42,15 +40,16 @@ module "create-token-lambda" {`
`42`	`40`	`OIDC_CALLBACK_URL = "https://${terraform.workspace}.${var.domain}/auth-callback"`
`43`	`41`	`AUTH_STATE_TABLE_NAME = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"`
`44`	`42`	`AUTH_SESSION_TABLE_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"`
`45`		`- SPLUNK_SQS_QUEUE_URL = module.sqs-splunk-queue.sqs_url`
	`43`	`+ SPLUNK_SQS_QUEUE_URL = try(module.sqs-splunk-queue[0].sqs_url, null)`
`46`	`44`
`47`	`45`	`}`
`48`	`46`	`depends_on = [`
`49`	`47`	`aws_api_gateway_rest_api.ndr_doc_store_api,`
`50`	`48`	`aws_iam_policy.ssm_policy_token,`
`51`	`49`	`module.auth_session_dynamodb_table,`
`52`	`50`	`module.auth_state_dynamodb_table,`
`53`		`- module.token-gateway`
	`51`	`+ module.token-gateway,`
	`52`	`+ aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0]`
`54`	`53`	`]`
`55`	`54`	`memory_size = 256`
`56`	`55`	`}`
`@@ -114,4 +113,10 @@ resource "aws_iam_policy" "ssm_policy_token" {`
`114`	`113`	`}`
`115`	`114`	`]`
`116`	`115`	`})`
	`116`	`+}`
	`117`	`+`
	`118`	`+resource "aws_iam_role_policy_attachment" "policy_audit_token_lambda" {`
	`119`	`+ count = local.is_sandbox ? 0 : 1`
	`120`	`+ role = module.create-token-lambda.lambda_execution_role_name`
	`121`	`+ policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)`
`117`	`122`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,4 +74,8 @@ output "timeout" {`
`74`	`74`
`75`	`75`	`output "endpoint" {`
`76`	`76`	`value = aws_lambda_function.lambda.arn`
	`77`	`+}`
	`78`	`+`
	`79`	`+output "lambda_execution_role_name" {`
	`80`	`+ value = aws_iam_role.lambda_execution_role.name`
`77`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`resource "aws_sqs_queue" "sqs_queue" {`
`2`		`- count = var.enable_in_sandbox ? 1 : 0`
`3`	`2`	`name = "${terraform.workspace}-${var.name}"`
`4`	`3`	`delay_seconds = var.delay`
`5`	`4`	`visibility_timeout_seconds = var.max_visibility`
`@@ -30,7 +29,7 @@ resource "aws_iam_policy" "sqs_queue_policy" {`
`30`	`29`	`"sqs:GetQueueAttributes"`
`31`	`30`	`],`
`32`	`31`	`"Resource" = [`
`33`		`- aws_sqs_queue.sqs_queue[0].arn`
	`32`	`+ aws_sqs_queue.sqs_queue.arn`
`34`	`33`	`]`
`35`	`34`	`}] })`
`36`	`35`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,6 @@ variable "name" {`
`2`	`2`	`type = string`
`3`	`3`	`}`
`4`	`4`
`5`		`-variable "enable_in_sandbox" {`
`6`		`- type = bool`
`7`		`- default = true`
`8`		`-}`
`9`	`5`	`variable "delay" {`
`10`	`6`	`description = "The time in seconds that the delivery of all messages in the queue will be delayed"`
`11`	`7`	`type = number`
`@@ -65,12 +61,12 @@ variable "owner" {`
`65`	`61`	`}`
`66`	`62`
`67`	`63`	`output "endpoint" {`
`68`		`- value = aws_sqs_queue.sqs_queue[0].arn`
	`64`	`+ value = aws_sqs_queue.sqs_queue.arn`
`69`	`65`	`description = "Same as sqs queue arn. For use when setting the queue as endpoint of sns topic"`
`70`	`66`	`}`
`71`	`67`
`72`	`68`	`output "sqs_arn" {`
`73`		`- value = aws_sqs_queue.sqs_queue[0].arn`
	`69`	`+ value = aws_sqs_queue.sqs_queue.arn`
`74`	`70`	`}`
`75`	`71`
`76`	`72`	`output "sqs_policy" {`
`@@ -79,5 +75,5 @@ output "sqs_policy" {`
`79`	`75`	`}`
`80`	`76`
`81`	`77`	`output "sqs_url" {`
`82`		`- value = aws_sqs_queue.sqs_queue[0].url`
	`78`	`+ value = aws_sqs_queue.sqs_queue.url`
`83`	`79`	`}`