CCM-11496: lock templates when submitting routing config

Author: harrim91

infrastructure/terraform/modules/backend-api/module_submit_routing_config_lambda.tf

@@ -37,7 +37,20 @@ module "submit_routing_config_lambda" {
 
 data "aws_iam_policy_document" "submit_routing_config_lambda_policy" {
   statement {
-    sid    = "AllowDynamoAccess"
+    sid    = "AllowDynamoRoutingConfigRead"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:GetItem",
+    ]
+
+    resources = [
+      aws_dynamodb_table.routing_configuration.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowDynamoTemplatesRoutingConfigWrite"
     effect = "Allow"
 
     actions = [
@@ -46,6 +59,7 @@ data "aws_iam_policy_document" "submit_routing_config_lambda_policy" {
 
     resources = [
       aws_dynamodb_table.routing_configuration.arn,
+      aws_dynamodb_table.templates.arn,
     ]
   }
 

infrastructure/terraform/modules/backend-api/module_update_routing_config_lambda.tf

@@ -13,7 +13,7 @@ module "update_routing_config_lambda" {
 
   function_module_name  = "update-routing-config"
   handler_function_name = "handler"
-  description           = "Submit Routing Config API endpoint"
+  description           = "Update Routing Config API endpoint"
 
   memory  = 2048
   timeout = 3

infrastructure/terraform/modules/backend-api/spec.tmpl.json

@@ -769,6 +769,7 @@
       "TemplateStatus": {
         "enum": [
           "DELETED",
+          "LOCKED",
           "NOT_YET_SUBMITTED",
           "PENDING_PROOF_REQUEST",
           "PENDING_UPLOAD",

lambdas/backend-api/src/__tests__/infra/routing-config-repository/query.test.ts

@@ -24,7 +24,7 @@ function setup() {
     // pass an actual doc client - it gets intercepted up by mockClient,
     // but paginateQuery needs the real deal
     DynamoDBDocumentClient.from(new DynamoDBClient({})),
-    TABLE_NAME
+    { routingConfigTableName: TABLE_NAME, templatesTableName: '' }
   );
 
   const mocks = { dynamo };