Merge branch 'main' into feature/CCM-12952-Publish-MI-Events

Author: masl2

infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf

@@ -1,11 +1,11 @@
 resource "aws_lambda_event_source_mapping" "letter_updates_transformer_kinesis" {
-  event_source_arn                     = aws_kinesis_stream.letter_change_stream.arn
-  function_name                        = module.letter_updates_transformer.function_arn
-  starting_position                    = "LATEST"
-  batch_size                           = 10
-  maximum_batching_window_in_seconds   = 1
+  event_source_arn                   = aws_kinesis_stream.letter_change_stream.arn
+  function_name                      = module.letter_updates_transformer.function_arn
+  starting_position                  = "LATEST"
+  batch_size                         = 10
+  maximum_batching_window_in_seconds = 1
 
   depends_on = [
-    module.letter_updates_transformer    # ensures updates transformer exists
+    module.letter_updates_transformer # ensures updates transformer exists
   ]
 }

infrastructure/terraform/components/api/locals.tf

@@ -28,4 +28,7 @@ locals {
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60
   }
+
+  core_pdf_bucket_arn        = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
+  core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"
 }

infrastructure/terraform/components/api/module_lambda_get_letter_data.tf

@@ -68,11 +68,43 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
     ]
   }
 
+  statement {
+    sid = "S3ListBucketForPresign"
+    actions = [
+      "s3:ListBucket"
+    ]
+    resources = [
+      module.s3bucket_test_letters.arn,
+      local.core_pdf_bucket_arn
+    ]
+  }
+
   statement {
     sid = "S3GetObjectForPresign"
     actions = [
       "s3:GetObject",
-    "s3:ListBucket"] # allows 404 response instead of 403 if object missing
-    resources = ["${module.s3bucket_test_letters.arn}/*"]
+      "s3:PutObject",
+    ] # allows 404 response instead of 403 if object missing
+    resources = [
+      "${module.s3bucket_test_letters.arn}/*",
+      "${local.core_pdf_bucket_arn}/*",
+    ]
+  }
+
+  statement {
+    sid = "KMSForCoreS3Access"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+    resources = [
+      "arn:aws:kms:${var.region}:${var.core_account_id}:key/*"
+    ]
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "kms:ResourceAliases"
+      values   = [local.core_s3_kms_key_alias_name]
+    }
   }
 }

infrastructure/terraform/components/api/variables.tf

@@ -134,3 +134,15 @@ variable "eventpub_control_plane_bus_arn" {
   description = "ARN of the EventBridge control plane bus for eventpub"
   default     = ""
 }
+
+variable "core_account_id" {
+  type        = string
+  description = "AWS Account ID for Core"
+  default     = "000000000000"
+}
+
+variable "core_environment" {
+  type        = string
+  description = "Environment of Core"
+  default     = "prod"
+}