CCM-10442: Event publisher lambda

Author: chris-elliott-nhsd

infrastructure/terraform/components/app/module_backend_api.tf

@@ -31,4 +31,6 @@ module "backend_api" {
   email_domain                            = module.ses.domain
   template_submitted_sender_email_address = "template-submitted@${module.ses.domain}"
   proof_requested_sender_email_address    = "proof-requested@${module.ses.domain}"
+
+  sns_topic_arn  = module.eventpub.sns_topic.arn
 }

infrastructure/terraform/modules/backend-api/README.md

@@ -32,6 +32,7 @@ No requirements.
 | <a name="input_proof_requested_sender_email_address"></a> [proof\_requested\_sender\_email\_address](#input\_proof\_requested\_sender\_email\_address) | Proof requested sender email address | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_send_to_firehose"></a> [send\_to\_firehose](#input\_send\_to\_firehose) | Flag indicating whether logs should be sent to firehose | `bool` | n/a | yes |
+| <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | SNS topic ARN | `string` | `null` | no |
 | <a name="input_template_submitted_sender_email_address"></a> [template\_submitted\_sender\_email\_address](#input\_template\_submitted\_sender\_email\_address) | Template submitted sender email address | `string` | n/a | yes |
 ## Modules
 
@@ -45,6 +46,7 @@ No requirements.
 | <a name="module_get_template_lambda"></a> [get\_template\_lambda](#module\_get\_template\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_copy_scanned_object_to_internal"></a> [lambda\_copy\_scanned\_object\_to\_internal](#module\_lambda\_copy\_scanned\_object\_to\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_delete_failed_scanned_object"></a> [lambda\_delete\_failed\_scanned\_object](#module\_lambda\_delete\_failed\_scanned\_object) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
+| <a name="module_lambda_event_publisher"></a> [lambda\_event\_publisher](#module\_lambda\_event\_publisher) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_process_proof"></a> [lambda\_process\_proof](#module\_lambda\_process\_proof) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_set_file_virus_scan_status_for_upload"></a> [lambda\_set\_file\_virus\_scan\_status\_for\_upload](#module\_lambda\_set\_file\_virus\_scan\_status\_for\_upload) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_sftp_poll"></a> [lambda\_sftp\_poll](#module\_lambda\_sftp\_poll) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
@@ -56,7 +58,7 @@ No requirements.
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_sqs_sftp_upload"></a> [sqs\_sftp\_upload](#module\_sqs\_sftp\_upload) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
-| <a name="module_sqs_template_mgmt_events"></a> [sqs\_template\_mgmt\_events](#module\_sqs\_template\_mgmt\_events) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.8 |
+| <a name="module_sqs_template_mgmt_events"></a> [sqs\_template\_mgmt\_events](#module\_sqs\_template\_mgmt\_events) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.15 |
 | <a name="module_sqs_template_table_events_pipe_dlq"></a> [sqs\_template\_table\_events\_pipe\_dlq](#module\_sqs\_template\_table\_events\_pipe\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.8 |
 | <a name="module_sqs_validate_letter_template_files"></a> [sqs\_validate\_letter\_template\_files](#module\_sqs\_validate\_letter\_template\_files) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_submit_template_lambda"></a> [submit\_template\_lambda](#module\_submit\_template\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |

infrastructure/terraform/modules/backend-api/module_lambda_event_publisher.tf

@@ -0,0 +1,115 @@
+module "lambda_event_publisher" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.4"
+
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+  aws_account_id = var.aws_account_id
+  region         = var.region
+
+  kms_key_arn = var.kms_key_arn
+
+  function_name = "event-publisher"
+
+  function_module_name  = "event-publisher"
+  handler_function_name = "handler"
+  description           = "Lambda that accepts events from the dynamodb stream and publishes them to SNS"
+
+  memory  = 512
+  timeout = 20
+  runtime = "nodejs20.x"
+
+  log_retention_in_days = var.log_retention_in_days
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.event_publisher.json
+  }
+
+  lambda_env_vars = {
+    SNS_TOPIC_ARN = coalesce(var.sns_topic_arn, aws_sns_topic.main.arn)
+    TEMPLATES_TABLE_NAME = aws_dynamodb_table.templates.name
+    EVENT_SOURCE = "//notify.nhs.uk/${var.component}/${var.group}/${var.environment}"
+  }
+
+  function_s3_bucket      = var.function_s3_bucket
+  function_code_base_path = local.lambdas_dir
+  function_code_dir       = "event-publisher/dist"
+
+  send_to_firehose          = var.send_to_firehose
+  log_destination_arn       = var.log_destination_arn
+  log_subscription_role_arn = var.log_subscription_role_arn
+}
+
+resource "aws_lambda_event_source_mapping" "event_publisher" {
+  event_source_arn                   = module.sqs_template_mgmt_events.sqs_queue_arn
+  function_name                      = module.lambda_event_publisher.function_name
+  batch_size                         = 5
+  maximum_batching_window_in_seconds = 0
+  function_response_types = [
+    "ReportBatchItemFailures"
+  ]
+
+  scaling_config {
+    maximum_concurrency = 5
+  }
+}
+
+data "aws_iam_policy_document" "event_publisher" {
+  statement {
+    sid    = "AllowSNS"
+    effect = "Allow"
+
+    actions = [
+      "sns:Publish",
+    ]
+
+    resources = [
+      coalesce(var.sns_topic_arn, aws_sns_topic.main.arn)
+    ]
+  }
+
+  statement {
+    sid    = "AllowSQSDLQ"
+    effect = "Allow"
+
+    actions = [
+      "sqs:SendMessage",
+    ]
+
+    resources = [
+      module.sqs_template_mgmt_events.sqs_dlq_arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowSQS"
+    effect = "Allow"
+
+    actions = [
+      "sqs:ReceiveMessage",
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:ChangeMessageVisibility",
+    ]
+
+    resources = [
+      module.sqs_template_mgmt_events.sqs_queue_arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMS"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      var.kms_key_arn,
+    ]
+  }
+}

infrastructure/terraform/modules/backend-api/module_sqs_template_mgmt_events.tf

@@ -1,5 +1,5 @@
 module "sqs_template_mgmt_events" {
-  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs?ref=v2.0.8"
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs?ref=v2.0.15"
 
   aws_account_id  = var.aws_account_id
   component       = var.component
@@ -9,4 +9,5 @@ module "sqs_template_mgmt_events" {
   name            = "template-mgmt-events"
   fifo_queue      = true
   sqs_kms_key_arn = var.kms_key_arn
+  create_dlq      = true
 }

infrastructure/terraform/modules/backend-api/pipes_pipe_template_table_events.tf

@@ -22,6 +22,8 @@ resource "aws_pipes_pipe" "template_table_events" {
   }
 
   target_parameters {
+      input_template = "{\"dynamodb\": <$.dynamodb>,\"eventID\": <$.eventID>,\"eventName\": <$.eventName>,\"eventSource\": <$.eventSource>,\"tableName\": \"${aws_dynamodb_table.templates.name}\"}"
+
     sqs_queue_parameters {
       message_group_id         = "$.dynamodb.Keys.id.S"
       message_deduplication_id = "$.eventID"

infrastructure/terraform/modules/backend-api/variables.tf

@@ -143,3 +143,9 @@ variable "proof_requested_sender_email_address" {
   type        = string
   description = "Proof requested sender email address"
 }
+
+variable "sns_topic_arn" {
+  type        = string
+  description = "SNS topic ARN"
+  default     = null
+}

lambdas/event-publisher/.eslintignore

@@ -0,0 +1 @@
+dist

lambdas/event-publisher/.gitignore

@@ -0,0 +1,4 @@
+.build
+coverage
+node_modules
+dist

lambdas/event-publisher/jest.config.ts

@@ -0,0 +1,9 @@
+import type { Config } from 'jest';
+import { baseJestConfig } from 'nhs-notify-web-template-management-utils';
+
+const config: Config = {
+  ...baseJestConfig,
+  testEnvironment: 'node',
+};
+
+export default config;

lambdas/event-publisher/package.json

@@ -0,0 +1,31 @@
+{
+  "dependencies": {
+    "@aws-sdk/client-dynamodb": "3.775.0",
+    "@aws-sdk/client-sns": "3.775.0",
+    "@aws-sdk/util-dynamodb": "3.775.0",
+    "nhs-notify-backend-client": "^0.0.1",
+    "nhs-notify-web-template-management-utils": "^0.0.1",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@swc/core": "^1.11.13",
+    "@swc/jest": "^0.2.37",
+    "@tsconfig/node20": "^20.1.5",
+    "@types/aws-lambda": "^8.10.148",
+    "@types/jest": "^29.5.14",
+    "esbuild": "^0.24.0",
+    "jest": "^29.7.0",
+    "jest-mock-extended": "^3.0.7",
+    "typescript": "^5.8.2"
+  },
+  "name": "nhs-notify-templates-event-publisher",
+  "private": true,
+  "scripts": {
+    "lambda-build": "rm -rf dist && npx esbuild --bundle --minify --sourcemap --target=es2020 --platform=node --loader:.node=file --entry-names=[name] --outdir=dist src/event-publisher.ts",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "test:unit": "jest",
+    "typecheck": "tsc --noEmit"
+  },
+  "version": "0.0.1"
+}