CCM-7939: pipe template table stream to fifo queue

harrim91 · harrim91 · commit 051d8c5f85b6 · 2025-06-03T16:09:46.000+01:00
diff --git a/infrastructure/terraform/components/sandbox/module_backend_api.tf b/infrastructure/terraform/components/sandbox/module_backend_api.tf
@@ -24,4 +24,6 @@ module "backend_api" {
   dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn
 
   send_to_firehose = false
+
+  enable_event_stream = true
 }
diff --git a/infrastructure/terraform/modules/backend-api/README.md b/infrastructure/terraform/modules/backend-api/README.md
@@ -16,6 +16,7 @@ No requirements.
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | <a name="input_dynamodb_kms_key_arn"></a> [dynamodb\_kms\_key\_arn](#input\_dynamodb\_kms\_key\_arn) | KMS Key ARN for encrypting DynamoDB data. If not given, a key will be created. | `string` | `""` | no |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
+| <a name="input_enable_event_stream"></a> [enable\_event\_stream](#input\_enable\_event\_stream) | Enable DynamoDB streaming to SQS? | `bool` | `false` | no |
 | <a name="input_enable_proofing"></a> [enable\_proofing](#input\_enable\_proofing) | Enable proofing feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |
@@ -52,6 +53,7 @@ No requirements.
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_sqs_sftp_upload"></a> [sqs\_sftp\_upload](#module\_sqs\_sftp\_upload) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
+| <a name="module_sqs_template_table_events"></a> [sqs\_template\_table\_events](#module\_sqs\_template\_table\_events) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.8 |
 | <a name="module_sqs_validate_letter_template_files"></a> [sqs\_validate\_letter\_template\_files](#module\_sqs\_validate\_letter\_template\_files) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_submit_template_lambda"></a> [submit\_template\_lambda](#module\_submit\_template\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_update_template_lambda"></a> [update\_template\_lambda](#module\_update\_template\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
diff --git a/infrastructure/terraform/modules/backend-api/dynamodb_table_templates.tf b/infrastructure/terraform/modules/backend-api/dynamodb_table_templates.tf
@@ -45,4 +45,7 @@ resource "aws_dynamodb_table" "templates" {
     projection_type    = "INCLUDE"
     non_key_attributes = ["owner"]
   }
+
+  stream_enabled   = true
+  stream_view_type = "NEW_AND_OLD_IMAGES"
 }
diff --git a/infrastructure/terraform/modules/backend-api/module_sqs_template_table_events.tf b/infrastructure/terraform/modules/backend-api/module_sqs_template_table_events.tf
@@ -0,0 +1,14 @@
+module "sqs_template_table_events" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs?ref=v2.0.8"
+
+  aws_account_id              = var.aws_account_id
+  component                   = var.component
+  environment                 = var.environment
+  project                     = var.project
+  region                      = var.region
+  name                        = "template-table-events"
+  fifo_queue                  = true
+  content_based_deduplication = true
+
+  sqs_kms_key_arn = var.kms_key_arn
+}
diff --git a/infrastructure/terraform/modules/backend-api/pipes_pipe_template_table_events.tf b/infrastructure/terraform/modules/backend-api/pipes_pipe_template_table_events.tf
@@ -0,0 +1,84 @@
+resource "aws_pipes_pipe" "template_table_events" {
+  name          = "${local.csi}-template-table-events"
+  role_arn      = aws_iam_role.pipe_template_table_events.arn
+  source        = aws_dynamodb_table.templates.stream_arn
+  target        = module.sqs_template_table_events.sqs_queue_arn
+  desired_state = var.enable_event_stream ? "RUNNING" : "STOPPED"
+
+  source_parameters {
+    dynamodb_stream_parameters {
+      starting_position = "TRIM_HORIZON"
+    }
+  }
+
+  target_parameters {
+    sqs_queue_parameters {
+      message_group_id = "$.dynamodb.Keys.id.S"
+    }
+  }
+}
+
+resource "aws_iam_role" "pipe_template_table_events" {
+  name               = "${local.csi}-pipe-template-table-events"
+  description        = "IAM Role for Pipe forward template table stream events to SQS"
+  assume_role_policy = data.aws_iam_policy_document.pipes_trust_policy.json
+}
+
+data "aws_iam_policy_document" "pipes_trust_policy" {
+  statement {
+    sid     = "PipesAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["pipes.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "pipe_template_table_events" {
+  name   = "${local.csi}-pipe-template-table-events"
+  role   = aws_iam_role.pipe_template_table_events.id
+  policy = data.aws_iam_policy_document.pipe_template_table_events.json
+}
+
+data "aws_iam_policy_document" "pipe_template_table_events" {
+  version = "2012-10-17"
+
+  statement {
+    sid    = "AllowDDBStreamRead"
+    effect = "Allow"
+    actions = [
+      "dynamodb:DescribeStream",
+      "dynamodb:GetRecords",
+      "dynamodb:GetShardIterator",
+      "dynamodb:ListStreams",
+    ]
+    resources = [aws_dynamodb_table.templates.stream_arn]
+  }
+
+  statement {
+    sid       = "AllowSQSSendMessage"
+    effect    = "Allow"
+    actions   = ["sqs:SendMessage"]
+    resources = [module.sqs_template_table_events.sqs_queue_arn]
+  }
+
+  statement {
+    sid    = "AllowSqsKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+    resources = [var.kms_key_arn]
+  }
+
+  statement {
+    sid       = "AllowDynamoKMS"
+    effect    = "Allow"
+    actions   = ["kms:Decrypt"]
+    resources = [local.dynamodb_kms_key_arn]
+  }
+}
diff --git a/infrastructure/terraform/modules/backend-api/variables.tf b/infrastructure/terraform/modules/backend-api/variables.tf
@@ -76,6 +76,12 @@ variable "enable_proofing" {
   description = "Enable proofing feature flag"
 }
 
+variable "enable_event_stream" {
+  type        = bool
+  description = "Enable DynamoDB streaming to SQS?"
+  default     = false
+}
+
 variable "kms_key_arn" {
   type        = string
   description = "KMS Key ARN"

Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,6 @@ module "backend_api" {`
`24`	`24`	`dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn`
`25`	`25`
`26`	`26`	`send_to_firehose = false`
	`27`	`+`
	`28`	`+ enable_event_stream = true`
`27`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,4 +45,7 @@ resource "aws_dynamodb_table" "templates" {`
`45`	`45`	`projection_type = "INCLUDE"`
`46`	`46`	`non_key_attributes = ["owner"]`
`47`	`47`	`}`
	`48`	`+`
	`49`	`+ stream_enabled = true`
	`50`	`+ stream_view_type = "NEW_AND_OLD_IMAGES"`
`48`	`51`	`}`