Migrate supplier updates so that they pass through new topic

Author: stevebux

infrastructure/terraform/components/api/README.md

@@ -37,7 +37,7 @@ No requirements.
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_shared_infra_account_id"></a> [shared\_infra\_account\_id](#input\_shared\_infra\_account\_id) | The AWS Account ID of the shared infrastructure account | `string` | `"000000000000"` | no |
-| <a name="input_sns_success_logging_sample_percent"></a> [sns\_success\_logging\_sample\_percent](#input\_sns\_success\_logging\_sample\_percent) | Enable SNS Delivery Successful Sample Percentage | `number` | `0` | no |
+| <a name="input_sns_success_logging_sample_percent"></a> [sns\_success\_logging\_sample\_percent](#input\_sns\_success\_logging\_sample\_percent) | Enable SNS Delivery Successful Sample Percentage | `number` | `100` | no |
 ## Modules
 
 | Name | Source | Version |

infrastructure/terraform/components/api/locals.tf

@@ -27,7 +27,7 @@ locals {
     SUPPLIER_ID_HEADER       = "nhsd-supplier-id",
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60
-    SNS_TOPIC_ARN            = "${module.eventsub.eventsub_topic.arn}",
+    AMENDMENTS_TOPIC_ARN     = "${module.eventsub.amendments_topic.arn}",
     EVENT_SOURCE             = "/data-plane/supplier-api/${var.group}/${var.environment}/letters"
   }
 

infrastructure/terraform/components/api/module_lambda_letter_status_update.tf

@@ -91,7 +91,7 @@ data "aws_iam_policy_document" "letter_status_update" {
     ]
 
     resources = [
-      module.eventsub.eventsub_topic.arn
+      module.eventsub.amendments_topic.arn
     ]
   }
 }

infrastructure/terraform/components/api/module_sqs_letter_updates.tf

@@ -18,29 +18,6 @@ module "sqs_letter_updates" {
 
 data "aws_iam_policy_document" "letter_updates_queue_policy" {
   version = "2012-10-17"
-  statement {
-    sid    = "AllowSNSToSendMessage"
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["sns.amazonaws.com"]
-    }
-
-    actions = [
-      "sqs:SendMessage"
-    ]
-
-    resources = [
-      "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-letter-updates-queue"
-    ]
-
-    condition {
-      test     = "ArnEquals"
-      variable = "aws:SourceArn"
-      values   = [module.eventsub.eventsub_topic.arn]
-    }
-  }
 
   statement {
     sid    = "AllowSNSPermissions"
@@ -65,7 +42,7 @@ data "aws_iam_policy_document" "letter_updates_queue_policy" {
     condition {
       test     = "ArnEquals"
       variable = "aws:SourceArn"
-      values   = [module.eventsub.eventsub_topic.arn]
+      values   = [module.eventsub.eventsub_topic.arn, module.eventsub.amendments_topic.arn]
     }
   }
 }

infrastructure/terraform/components/api/sns_topic_subscription_eventsub_sqs_letter_updates.tf

@@ -3,3 +3,9 @@ resource "aws_sns_topic_subscription" "eventsub_sqs_letter_updates" {
   protocol  = "sqs"
   endpoint  = module.sqs_letter_updates.sqs_queue_arn
 }
+
+resource "aws_sns_topic_subscription" "amendments_sqs_letter_updates" {
+  topic_arn = module.eventsub.amendments_topic.arn
+  protocol  = "sqs"
+  endpoint  = module.sqs_letter_updates.sqs_queue_arn
+}

infrastructure/terraform/components/api/variables.tf

@@ -179,7 +179,7 @@ variable "enable_sns_delivery_logging" {
 variable "sns_success_logging_sample_percent" {
   type        = number
   description = "Enable SNS Delivery Successful Sample Percentage"
-  default     = 0
+  default     = 100
 }
 
 variable "enable_api_data_trace" {

infrastructure/terraform/modules/eventsub/cloudwatch_log_group_sns_delivery_logging_failure.tf

@@ -7,3 +7,13 @@ resource "aws_cloudwatch_log_group" "sns_delivery_logging_failure" {
   kms_key_id        = var.kms_key_arn
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_group" "amendments_sns_delivery_logging_failure" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}/Failure
+  # (for failure logs)
+  name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}-amendments/Failure"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/terraform/modules/eventsub/cloudwatch_log_group_sns_delivery_logging_success.tf

@@ -7,3 +7,13 @@ resource "aws_cloudwatch_log_group" "sns_delivery_logging_success" {
   kms_key_id        = var.kms_key_arn
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_group" "amendments_sns_delivery_logging_success" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}
+  # (for success logs)
+  name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}-amendments"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/terraform/modules/eventsub/iam_policy_sns_delivery_logging_cloudwatch.tf

@@ -39,6 +39,10 @@ data "aws_iam_policy_document" "sns_delivery_logging_cloudwatch" {
       "${aws_cloudwatch_log_group.sns_delivery_logging_success[0].arn}:log-stream:*",
       aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn,
       "${aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn}:log-stream:*",
+      aws_cloudwatch_log_group.amendments_sns_delivery_logging_success[0].arn,
+      "${aws_cloudwatch_log_group.amendments_sns_delivery_logging_success[0].arn}:log-stream:*",
+      aws_cloudwatch_log_group.amendments_sns_delivery_logging_failure[0].arn,
+      "${aws_cloudwatch_log_group.amendments_sns_delivery_logging_failure[0].arn}:log-stream:*",
     ]
   }
 }

lambdas/api-handler/src/config/__tests__/env.test.ts

@@ -26,7 +26,7 @@ describe("lambdaEnv", () => {
     process.env.MAX_LIMIT = "2500";
     process.env.QUEUE_URL = "url";
     process.env.EVENT_SOURCE = "supplier-api";
-    process.env.SNS_TOPIC_ARN = "sns-topic.arn";
+    process.env.AMENDMENTS_TOPIC_ARN = "sns-topic.arn";
 
     const { envVars } = require("../env");
 
@@ -41,7 +41,7 @@ describe("lambdaEnv", () => {
       MAX_LIMIT: 2500,
       QUEUE_URL: "url",
       EVENT_SOURCE: "supplier-api",
-      SNS_TOPIC_ARN: "sns-topic.arn",
+      AMENDMENTS_TOPIC_ARN: "sns-topic.arn",
     });
   });
 
@@ -66,7 +66,7 @@ describe("lambdaEnv", () => {
     process.env.MI_TTL_HOURS = "2160";
     process.env.DOWNLOAD_URL_TTL_SECONDS = "60";
     process.env.EVENT_SOURCE = "supplier-api";
-    process.env.SNS_TOPIC_ARN = "sns-topic.arn";
+    process.env.AMENDMENTS_TOPIC_ARN = "sns-topic.arn";
 
     const { envVars } = require("../env");
 
@@ -80,7 +80,7 @@ describe("lambdaEnv", () => {
       DOWNLOAD_URL_TTL_SECONDS: 60,
       MAX_LIMIT: undefined,
       EVENT_SOURCE: "supplier-api",
-      SNS_TOPIC_ARN: "sns-topic.arn",
+      AMENDMENTS_TOPIC_ARN: "sns-topic.arn",
     });
   });
 });