CCM-8572: enrichment lambda

Author: harrim91

infrastructure/terraform/components/app/module_kms.tf

@@ -28,7 +28,6 @@ data "aws_iam_policy_document" "kms" {
       identifiers = [
         "logs.${var.region}.amazonaws.com",
         "sns.amazonaws.com",
-        "sqs.amazonaws.com",
       ]
     }
 

infrastructure/terraform/modules/s3-object-tagging-enrichment/README.md

@@ -9,13 +9,26 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes |
 | <a name="input_id"></a> [id](#input\_id) | ID for the module instance | `string` | n/a | yes |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of KMS Key used for encrypting application data | `string` | n/a | yes |
-| <a name="input_source_bucket"></a> [source\_bucket](#input\_source\_bucket) | Source bucket details | <pre>object({<br/>    name : string<br/>  })</pre> | n/a | yes |
+| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_output_event_source"></a> [output\_event\_source](#input\_output\_event\_source) | the value of the 'source' field on the emitted events | `string` | n/a | yes |
+| <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
+| <a name="input_source_bucket"></a> [source\_bucket](#input\_source\_bucket) | Source bucket details | <pre>object({<br/>    arn : string<br/>    name : string<br/>  })</pre> | n/a | yes |
+| <a name="input_source_csi"></a> [source\_csi](#input\_source\_csi) | CSI from the parent component | `string` | n/a | yes |
+| <a name="input_target_event_bus_arn"></a> [target\_event\_bus\_arn](#input\_target\_event\_bus\_arn) | ARN of the event bus to send tag-enrichment events to | `string` | n/a | yes |
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_build_get_s3_object_tags_lambda"></a> [build\_get\_s3\_object\_tags\_lambda](#module\_build\_get\_s3\_object\_tags\_lambda) | ../typescript-build-zip | n/a |
+| <a name="module_lambda_get_s3_object_tags"></a> [lambda\_get\_s3\_object\_tags](#module\_lambda\_get\_s3\_object\_tags) | ../lambda-function | n/a |
+| <a name="module_sqs_tags_added"></a> [sqs\_tags\_added](#module\_sqs\_tags\_added) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v1.0.8 |
 ## Outputs
 
 No outputs.

infrastructure/terraform/modules/s3-object-tagging-enrichment/iam_role_pipe.tf

@@ -0,0 +1,10 @@
+module "build_get_s3_object_tags_lambda" {
+  source = "../typescript-build-zip"
+
+  source_code_dir = abspath("${path.module}/../../../../lambdas/get-s3-object-tags")
+
+  entrypoints = [
+    "src/get-s3-object-tags.ts"
+  ]
+}
+

infrastructure/terraform/modules/s3-object-tagging-enrichment/module_build_get_s3_object_tags_lambda.tf

@@ -1,19 +1,19 @@
-module "lambda_get_object_tags" {
+module "lambda_get_s3_object_tags" {
   source      = "../lambda-function"
   description = "Get S3 Object Tags"
 
-  function_name    = "${local.csi}-get-object-tags"
-  filename         = module.build_get_object_tags_lambda.zips["src/get-object-tag.ts"].path
-  source_code_hash = module.build_get_object_tags_lambda.zips["src/get-object-tag.ts"].base64sha256 // todo: create this lambda
+  function_name    = "${local.csi}-get-s3-object-tags"
+  filename         = module.build_get_object_tags_lambda.zips["src/get-s3-object-tags.ts"].path
+  source_code_hash = module.build_get_object_tags_lambda.zips["src/get-s3-object-tags.ts"].base64sha256 // todo: create this lambda
   runtime          = "nodejs20.x"
-  handler          = "get-object-tags.handler"
+  handler          = "get-s3-object-tags.handler"
 
   log_retention_in_days = var.log_retention_in_days
 
-  execution_role_policy_document = data.aws_iam_policy_document.get_template_lambda_policy.json
+  execution_role_policy_document = data.aws_iam_policy_document.get_s3_object_tags.json
 }
 
-data "aws_iam_policy_document" "get_template_lambda_policy" {
+data "aws_iam_policy_document" "get_s3_object_tags" {
   statement {
     sid    = "AllowSQS"
     effect = "Allow"

…ichment/module_lambda_get_object_tags.tf …ment/module_lambda_get_s3_object_tags.tfinfrastructure/terraform/modules/s3-object-tagging-enrichment/module_lambda_get_object_tags.tf renamed to infrastructure/terraform/modules/s3-object-tagging-enrichment/module_lambda_get_s3_object_tags.tf infrastructure/terraform/modules/s3-object-tagging-enrichment/module_lambda_get_object_tags.tf renamed to infrastructure/terraform/modules/s3-object-tagging-enrichment/module_lambda_get_s3_object_tags.tf

@@ -5,7 +5,7 @@ resource "aws_pipes_pipe" "tags_added" {
 
   source     = module.sqs_tags_added.sqs_queue_arn
   target     = var.target_event_bus_arn
-  enrichment = module.lambda_get_object_tags.function_arn
+  enrichment = module.lambda_get_s3_object_tags.function_arn
 
   target_parameters {
     eventbridge_event_bus_parameters {
@@ -14,22 +14,74 @@ resource "aws_pipes_pipe" "tags_added" {
       resources   = [var.source_bucket.arn]
     }
   }
+}
+
+resource "aws_iam_role" "pipe" {
+  name               = "${local.csi}-pipe"
+  description        = "Role used by Pipes enrich S3 tagging events"
+  assume_role_policy = data.aws_iam_policy_document.pipe_trust_policy.json
+}
+
+resource "aws_iam_role_policy" "pipe" {
+  role   = aws_iam_role.pipe.id
+  policy = data.aws_iam_policy_document.pipe.json
+}
 
-  # unsupported apparently
-  # kms_key_identifier = var.kms_key_arn
+data "aws_iam_policy_document" "pipe_trust_policy" {
+  version = "2012-10-17"
+
+  statement {
+    sid     = "PipesAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+
+      identifiers = ["pipes.amazonaws.com"]
+    }
 
-  # do we need this?
-  log_configuration {
-    include_execution_data = ["ALL"]
-    level                  = "INFO"
-    cloudwatch_logs_log_destination {
-      log_group_arn = aws_cloudwatch_log_group.pipe.arn
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [var.aws_account_id]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_pipes_pipe.tags_added.arn]
     }
   }
 }
 
-resource "aws_cloudwatch_log_group" "pipe" {
-  name              = "/aws/pipes/${local.csi}-tags-added"
-  retention_in_days = var.log_retention_in_days
-  kms_key_id        = var.kms_key_arn
+data "aws_iam_policy_document" "pipe" {
+  version = "2012-10-17"
+
+  statement {
+    sid    = "AllowSqsSource"
+    effect = "Allow"
+    actions = [
+      "sqs:ReceiveMessage",
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+    ]
+    resources = [aws_sqs_queue.tags_added.arn]
+  }
+
+  statement {
+    sid       = "AllowLambdaEnrich"
+    effect    = "Allow"
+    actions   = ["lambda:InvokeFunction"]
+    resources = [module.lambda_get_object_tags.function_arn]
+  }
+
+  statement {
+    sid     = "AllowEventBusTarget"
+    effect  = "Allow"
+    actions = ["events:PutEvent"]
+    resources = [
+      var.target_event_bus_arn
+    ]
+  }
 }

infrastructure/terraform/modules/s3-object-tagging-enrichment/pipes_pipe_tags_added.tf

@@ -0,0 +1 @@
+dist

lambdas/get-s3-object-tags/.eslintignore

@@ -0,0 +1,4 @@
+.build
+coverage
+node_modules
+dist

lambdas/get-s3-object-tags/.gitignore

@@ -0,0 +1,6 @@
+import type { Config } from 'jest';
+import { baseJestConfig } from 'nhs-notify-web-template-management-utils'; // eslint-disable-line no-restricted-exports
+
+const config: Config = { ...baseJestConfig, testEnvironment: 'node' };
+
+export default config;

lambdas/get-s3-object-tags/jest.config.ts

@@ -0,0 +1,29 @@
+{
+  "name": "nhs-notify-get-s3-object-tags",
+  "version": "0.0.1",
+  "private": true,
+  "scripts": {
+    "test:unit": "jest --config jest.config.ts",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "typecheck": "tsc --noEmit"
+  },
+  "devDependencies": {
+    "@swc/core": "^1.10.1",
+    "@swc/jest": "^0.2.37",
+    "@tsconfig/node20": "^20.1.4",
+    "@types/aws-lambda": "^8.10.145",
+    "@types/jest": "^29.5.14",
+    "aws-sdk-client-mock": "^4.1.0",
+    "esbuild": "^0.24.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.2.5",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.5.4"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "3.621.0",
+    "nhs-notify-web-template-management-utils": "*",
+    "zod": "^3.23.8"
+  }
+}