CCM-12995 adding event pub infra (#240)

* CCM-12995 Adding base eventPub Infra

* CCM-12995: Adding sns topic policy for sub

* CCM-12995: Adding sns topic policy for sub

* CCM-12995: Adding sns topic policy for sub

* CCM-12995 Adding base eventPub Infra

* CCM-12995 Adding base eventPub Infra

* CCM-12312: Fixing typo in kms policy

* CCM-12995: Fix comment

* CCM-12995: Update package-lock.json

* CCM-12995: Update package-lock.json

* CCM-12995: Revert python version back to 3.12

---------

Co-authored-by: sidnhs <[email protected]>
Co-authored-by: Mark Slowey <[email protected]>

Author: 3 people

infrastructure/terraform/components/api/README.md

@@ -15,6 +15,8 @@ No requirements.
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_enable_backups"></a> [enable\_backups](#input\_enable\_backups) | Enable backups | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_eventpub_control_plane_bus_arn"></a> [eventpub\_control\_plane\_bus\_arn](#input\_eventpub\_control\_plane\_bus\_arn) | ARN of the EventBridge control plane bus for eventpub | `string` | `""` | no |
+| <a name="input_eventpub_data_plane_bus_arn"></a> [eventpub\_data\_plane\_bus\_arn](#input\_eventpub\_data\_plane\_bus\_arn) | ARN of the EventBridge data plane bus for eventpub | `string` | `""` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Flag to force deletion of S3 buckets | `bool` | `false` | no |
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |

infrastructure/terraform/components/api/lambda_event_source_mapping_upsert_letter.tf

@@ -0,0 +1,9 @@
+resource "aws_lambda_event_source_mapping" "upsert_letter" {
+  event_source_arn                   = module.sqs_letter_updates.sqs_queue_arn
+  function_name                      = module.upsert_letter.function_name
+  batch_size                         = 10
+  maximum_batching_window_in_seconds = 5
+  function_response_types = [
+    "ReportBatchItemFailures"
+  ]
+}

infrastructure/terraform/components/api/module_authorizer_lambda.tf

@@ -1,5 +1,5 @@
 module "authorizer_lambda" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip"
 
   aws_account_id = var.aws_account_id
   component      = var.component

infrastructure/terraform/components/api/module_domain_truststore.tf

@@ -1,5 +1,5 @@
 module "domain_truststore" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-s3bucket.zip"
 
   name           = "truststore"
   aws_account_id = var.aws_account_id

infrastructure/terraform/components/api/module_kms.tf

@@ -1,5 +1,5 @@
 module "kms" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-kms.zip"
 
   providers = {
     aws           = aws
@@ -31,6 +31,7 @@ data "aws_iam_policy_document" "kms" {
       type = "Service"
 
       identifiers = [
+        "sns.amazonaws.com",
         "logs.${var.region}.amazonaws.com",
       ]
     }
@@ -46,4 +47,24 @@ data "aws_iam_policy_document" "kms" {
       "*",
     ]
   }
+
+  statement {
+    sid    = "AllowEventsFromSharedInfraAccount"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.shared_infra_account_id}:root"]
+    }
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
 }

infrastructure/terraform/components/api/module_lambda_get_letter.tf

@@ -1,5 +1,5 @@
 module "get_letter" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip"
 
   function_name = "get_letter"
   description   = "Get letter status"

infrastructure/terraform/components/api/module_lambda_get_letter_data.tf

@@ -1,5 +1,5 @@
 module "get_letter_data" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip"
 
   function_name = "get_letter_data"
   description   = "Get the letter data"

infrastructure/terraform/components/api/module_lambda_get_letters.tf

@@ -1,5 +1,5 @@
 module "get_letters" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip"
 
   function_name = "get_letters"
   description   = "Get paginated letter ids"

infrastructure/terraform/components/api/module_lambda_letter_updates_transformer.tf

@@ -0,0 +1,70 @@
+module "letter_updates_transformer" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip"
+
+  function_name = "letter-updates-transformer"
+  description   = "Letter Update Filter/Producer"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.letter_updates_transformer_lambda.json
+  }
+
+  function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_code_base_path = local.aws_lambda_functions_dir_path
+  function_code_dir       = "letter-updates-transformer/dist"
+  function_include_common = true
+  handler_function_name   = "handler"
+  runtime                 = "nodejs22.x"
+  memory                  = 128
+  timeout                 = 5
+  log_level               = var.log_level
+
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+  enable_lambda_insights   = false
+
+  send_to_firehose          = true
+  log_destination_arn       = local.destination_arn
+  log_subscription_role_arn = local.acct.log_subscription_role_arn
+
+  lambda_env_vars = merge(local.common_lambda_env_vars, {
+    EVENTPUB_SNS_TOPIC_ARN = module.eventpub.sns_topic.arn
+  })
+}
+
+data "aws_iam_policy_document" "letter_updates_transformer_lambda" {
+  statement {
+    sid    = "KMSPermissions"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    ]
+
+    resources = [
+      module.kms.key_arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowSNSPublish"
+    effect = "Allow"
+
+    actions = [
+      "sns:Publish"
+    ]
+
+    resources = [
+      module.eventpub.sns_topic.arn
+    ]
+  }
+}

infrastructure/terraform/components/api/module_lambda_patch_letter.tf

@@ -1,5 +1,5 @@
 module "patch_letter" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip"
 
   function_name = "patch_letter"
   description   = "Update the status of a letter"