Merge pull request #191 from NHSDigital/feature/CCM-7252_new-table

CCM-7252: Terraform changes for implementing database operations in templates API

Author: chris-elliott-nhsd

infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf

@@ -18,6 +18,7 @@ data "aws_iam_policy_document" "github_deploy" {
       "amplify:*",
       "cloudformation:*",
       "ses:*",
+      "appsync:*"
     ]
     resources = ["*"]
   }

infrastructure/terraform/modules/lambda-function/lambda_function_main.tf

@@ -6,4 +6,8 @@ resource "aws_lambda_function" "main" {
   source_code_hash = var.source_code_hash
   handler          = var.handler
   runtime          = var.runtime
+
+  environment {
+    variables = var.environment_variables
+  }
 }

infrastructure/terraform/modules/lambda-function/outputs.tf

@@ -1,4 +1,3 @@
 output "function_arn" {
   value = aws_lambda_function.main.arn
 }
-

infrastructure/terraform/modules/lambda-function/variables.tf

@@ -40,3 +40,9 @@ variable "log_retention_in_days" {
   description = "Specifies the number of days you want to retain log events in the log group for this Lambda"
   default     = 0
 }
+
+variable "environment_variables" {
+  type        = map(string)
+  description = "Lambda environment variables"
+  default     = {}
+}

infrastructure/terraform/modules/templates-api/dynamodb_table_templates.tf

@@ -0,0 +1,26 @@
+resource "aws_dynamodb_table" "templates" {
+    name = "${local.csi}-templates"
+    billing_mode = "PAY_PER_REQUEST"
+
+    hash_key = "owner"
+    range_key = "id"
+
+    attribute {
+      name = "owner"
+      type = "S"
+    }
+
+    attribute {
+        name = "id"
+        type = "S"
+    }
+
+    point_in_time_recovery {
+      enabled = true
+    }
+
+    server_side_encryption {
+        enabled     = true
+        kms_key_arn = aws_kms_key.dynamo.arn
+    }
+}

infrastructure/terraform/modules/templates-api/kms_key_dynamo.tf

@@ -0,0 +1,5 @@
+resource "aws_kms_key" "dynamo" {
+  description             = "CMK for encrypting dynamodb data"
+  deletion_window_in_days = 14
+  enable_key_rotation     = true
+}

infrastructure/terraform/modules/templates-api/module_authorizer_lambda.tf

@@ -17,4 +17,3 @@ module "authorizer_build" {
   source_code_dir = "${local.lambdas_source_code_dir}/authorizer"
   entrypoint      = "src/index.ts"
 }
-

infrastructure/terraform/modules/templates-api/module_endpoint_lambda.tf

@@ -9,6 +9,12 @@ module "endpoint_lambda" {
   handler          = "index.handler"
 
   log_retention_in_days = var.log_retention_in_days
+
+  environment_variables = {
+    TEMPLATES_TABLE_NAME = aws_dynamodb_table.templates.name
+  }
+
+  execution_role_policy_document = data.aws_iam_policy_document.endpoint_lambda_dynamo_access.json
 }
 
 
@@ -19,3 +25,36 @@ module "endpoint_build" {
   entrypoint      = "src/index.ts"
 }
 
+data "aws_iam_policy_document" "endpoint_lambda_dynamo_access" {
+  statement {
+    sid    = "AllowDynamoAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:Query"
+    ]
+
+    resources = [
+      aws_dynamodb_table.templates.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMSAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      aws_kms_key.dynamo.arn
+    ]
+  }
+}

infrastructure/terraform/modules/typescript-build-zip/null_resource_typescript_build.tf

@@ -8,4 +8,3 @@ resource "null_resource" "typescript_build" {
     command     = "npm ci && npm run build"
   }
 }
-

jest.config.ts

@@ -78,6 +78,7 @@ const config: Config = {
     'fixture',
     'helpers.ts',
     '/tests/test-team/',
+    '.build'
   ],
 
   // Set the absolute path for imports