CCM-7939: pipe template table stream to fifo queue (#506)

Author: harrim91

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -54,4 +54,35 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+  statement {
+    sid    = "AllowLogDeliveryEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "delivery.logs.amazonaws.com"
+      ]
+    }
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:SourceArn"
+
+      values = [
+        "arn:aws:logs:${var.region}:${var.aws_account_id}:*",
+      ]
+    }
+  }
 }

infrastructure/terraform/components/app/module_kms.tf

@@ -75,4 +75,35 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+  statement {
+    sid    = "AllowLogDeliveryEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "delivery.logs.amazonaws.com"
+      ]
+    }
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:SourceArn"
+
+      values = [
+        "arn:aws:logs:${var.region}:${var.aws_account_id}:*",
+      ]
+    }
+  }
 }

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -23,4 +23,6 @@ module "backend_api" {
   kms_key_arn          = data.aws_kms_key.sandbox.arn
 
   send_to_firehose = false
+
+  enable_event_stream = true
 }

infrastructure/terraform/modules/backend-api/README.md

@@ -15,6 +15,7 @@ No requirements.
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | n/a | yes |
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
+| <a name="input_enable_event_stream"></a> [enable\_event\_stream](#input\_enable\_event\_stream) | Enable DynamoDB streaming to SQS? | `bool` | `false` | no |
 | <a name="input_enable_proofing"></a> [enable\_proofing](#input\_enable\_proofing) | Enable proofing feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |
@@ -51,6 +52,8 @@ No requirements.
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_sqs_sftp_upload"></a> [sqs\_sftp\_upload](#module\_sqs\_sftp\_upload) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
+| <a name="module_sqs_template_mgmt_events"></a> [sqs\_template\_mgmt\_events](#module\_sqs\_template\_mgmt\_events) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.8 |
+| <a name="module_sqs_template_table_events_pipe_dlq"></a> [sqs\_template\_table\_events\_pipe\_dlq](#module\_sqs\_template\_table\_events\_pipe\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.8 |
 | <a name="module_sqs_validate_letter_template_files"></a> [sqs\_validate\_letter\_template\_files](#module\_sqs\_validate\_letter\_template\_files) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_submit_template_lambda"></a> [submit\_template\_lambda](#module\_submit\_template\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_update_template_lambda"></a> [update\_template\_lambda](#module\_update\_template\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |

infrastructure/terraform/modules/backend-api/cloudwatch_log_group_pipe_template_table_events.tf

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "pipe_template_table_events" {
+  name              = "/aws/vendedlogs/pipes/${local.csi}-template-table-events"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/terraform/modules/backend-api/dynamodb_table_templates.tf

@@ -45,4 +45,7 @@ resource "aws_dynamodb_table" "templates" {
     projection_type    = "INCLUDE"
     non_key_attributes = ["owner"]
   }
+
+  stream_enabled   = true
+  stream_view_type = "NEW_AND_OLD_IMAGES"
 }

infrastructure/terraform/modules/backend-api/module_sqs_template_mgmt_events.tf

@@ -0,0 +1,12 @@
+module "sqs_template_mgmt_events" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs?ref=v2.0.8"
+
+  aws_account_id  = var.aws_account_id
+  component       = var.component
+  environment     = var.environment
+  project         = var.project
+  region          = var.region
+  name            = "template-mgmt-events"
+  fifo_queue      = true
+  sqs_kms_key_arn = var.kms_key_arn
+}

infrastructure/terraform/modules/backend-api/module_sqs_template_table_events_pipe_dlq.tf

@@ -0,0 +1,11 @@
+module "sqs_template_table_events_pipe_dlq" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs?ref=v2.0.8"
+
+  aws_account_id  = var.aws_account_id
+  component       = var.component
+  environment     = var.environment
+  project         = var.project
+  region          = var.region
+  name            = "template-table-events-pipe-dead-letter"
+  sqs_kms_key_arn = var.kms_key_arn
+}

infrastructure/terraform/modules/backend-api/pipes_pipe_template_table_events.tf

@@ -0,0 +1,101 @@
+resource "aws_pipes_pipe" "template_table_events" {
+  name               = "${local.csi}-template-table-events"
+  role_arn           = aws_iam_role.pipe_template_table_events.arn
+  source             = aws_dynamodb_table.templates.stream_arn
+  target             = module.sqs_template_mgmt_events.sqs_queue_arn
+  desired_state      = var.enable_event_stream ? "RUNNING" : "STOPPED"
+  kms_key_identifier = var.kms_key_arn
+
+  source_parameters {
+    dynamodb_stream_parameters {
+      starting_position                  = "TRIM_HORIZON"
+      on_partial_batch_item_failure      = "AUTOMATIC_BISECT"
+      batch_size                         = 10
+      maximum_batching_window_in_seconds = 5
+      maximum_retry_attempts             = 5
+      maximum_record_age_in_seconds      = -1
+
+      dead_letter_config {
+        arn = module.sqs_template_table_events_pipe_dlq.sqs_queue_arn
+      }
+    }
+  }
+
+  target_parameters {
+    sqs_queue_parameters {
+      message_group_id         = "$.dynamodb.Keys.id.S"
+      message_deduplication_id = "$.eventID"
+    }
+  }
+
+  log_configuration {
+    level                  = "ERROR"
+    include_execution_data = ["ALL"]
+
+    cloudwatch_logs_log_destination {
+      log_group_arn = aws_cloudwatch_log_group.pipe_template_table_events.arn
+    }
+  }
+}
+
+resource "aws_iam_role" "pipe_template_table_events" {
+  name               = "${local.csi}-pipe-template-table-events"
+  description        = "IAM Role for Pipe forward template table stream events to SQS"
+  assume_role_policy = data.aws_iam_policy_document.pipes_trust_policy.json
+}
+
+data "aws_iam_policy_document" "pipes_trust_policy" {
+  statement {
+    sid     = "PipesAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["pipes.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "pipe_template_table_events" {
+  name   = "${local.csi}-pipe-template-table-events"
+  role   = aws_iam_role.pipe_template_table_events.id
+  policy = data.aws_iam_policy_document.pipe_template_table_events.json
+}
+
+data "aws_iam_policy_document" "pipe_template_table_events" {
+  version = "2012-10-17"
+
+  statement {
+    sid    = "AllowDynamoStreamRead"
+    effect = "Allow"
+    actions = [
+      "dynamodb:DescribeStream",
+      "dynamodb:GetRecords",
+      "dynamodb:GetShardIterator",
+      "dynamodb:ListStreams",
+    ]
+    resources = [aws_dynamodb_table.templates.stream_arn]
+  }
+
+  statement {
+    sid     = "AllowSqsSendMessage"
+    effect  = "Allow"
+    actions = ["sqs:SendMessage"]
+    resources = [
+      module.sqs_template_mgmt_events.sqs_queue_arn,
+      module.sqs_template_table_events_pipe_dlq.sqs_queue_arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowKmsUsage"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*"
+    ]
+    resources = [var.kms_key_arn]
+  }
+}

infrastructure/terraform/modules/backend-api/variables.tf

@@ -76,6 +76,12 @@ variable "enable_proofing" {
   description = "Enable proofing feature flag"
 }
 
+variable "enable_event_stream" {
+  type        = bool
+  description = "Enable DynamoDB streaming to SQS?"
+  default     = false
+}
+
 variable "kms_key_arn" {
   type        = string
   description = "KMS Key ARN"