Merge branch 'main' into feature/CCM-11965_letter-template-preview-content-changes

Author: harrim91

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -31,7 +31,7 @@ module "backend_api" {
 
   send_to_firehose = false
 
-  enable_event_stream = true
+  enable_routing_config_event_stream = true
 
   email_domain                            = local.email_domain
   template_submitted_sender_email_address = local.sandbox_letter_supplier_mock_template_submitted_sender

infrastructure/terraform/modules/backend-api/README.md

@@ -16,7 +16,7 @@ No requirements.
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | <a name="input_email_domain"></a> [email\_domain](#input\_email\_domain) | Email domain | `string` | n/a | yes |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
-| <a name="input_enable_event_stream"></a> [enable\_event\_stream](#input\_enable\_event\_stream) | Enable DynamoDB streaming to EventBridge | `bool` | `true` | no |
+| <a name="input_enable_routing_config_event_stream"></a> [enable\_routing\_config\_event\_stream](#input\_enable\_routing\_config\_event\_stream) | Enable DynamoDB streaming from routing config table to EventBridge | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
@@ -60,6 +60,7 @@ No requirements.
 | <a name="module_s3bucket_download"></a> [s3bucket\_download](#module\_s3bucket\_download) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
+| <a name="module_sqs_routing_config_table_events_pipe_dlq"></a> [sqs\_routing\_config\_table\_events\_pipe\_dlq](#module\_sqs\_routing\_config\_table\_events\_pipe\_dlq) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |
 | <a name="module_sqs_sftp_upload"></a> [sqs\_sftp\_upload](#module\_sqs\_sftp\_upload) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |
 | <a name="module_sqs_template_mgmt_events"></a> [sqs\_template\_mgmt\_events](#module\_sqs\_template\_mgmt\_events) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |
 | <a name="module_sqs_template_table_events_pipe_dlq"></a> [sqs\_template\_table\_events\_pipe\_dlq](#module\_sqs\_template\_table\_events\_pipe\_dlq) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |

infrastructure/terraform/modules/backend-api/cloudwatch_log_group_pipe_routing_config_table_events.tf

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "pipe_routing_config_table_events" {
+  name              = "/aws/vendedlogs/pipes/${local.csi}-routing-config-table-events"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/terraform/modules/backend-api/module_lambda_event_publisher.tf

@@ -25,9 +25,10 @@ module "lambda_event_publisher" {
   }
 
   lambda_env_vars = {
-    SNS_TOPIC_ARN        = coalesce(var.sns_topic_arn, aws_sns_topic.main.arn)
-    TEMPLATES_TABLE_NAME = aws_dynamodb_table.templates.name
-    EVENT_SOURCE         = "//notify.nhs.uk/${var.component}/${var.group}/${var.environment}"
+    EVENT_SOURCE              = "//notify.nhs.uk/${var.component}/${var.group}/${var.environment}"
+    ROUTING_CONFIG_TABLE_NAME = aws_dynamodb_table.routing_configuration.name
+    SNS_TOPIC_ARN             = coalesce(var.sns_topic_arn, aws_sns_topic.main.arn)
+    TEMPLATES_TABLE_NAME      = aws_dynamodb_table.templates.name
   }
 
   function_s3_bucket      = var.function_s3_bucket

infrastructure/terraform/modules/backend-api/module_sqs_routing_config_table_events_pipe_dlq.tf

@@ -0,0 +1,11 @@
+module "sqs_routing_config_table_events_pipe_dlq" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip"
+
+  aws_account_id  = var.aws_account_id
+  component       = var.component
+  environment     = var.environment
+  project         = var.project
+  region          = var.region
+  name            = "routing-config-table-events-pipe-dead-letter"
+  sqs_kms_key_arn = var.kms_key_arn
+}

infrastructure/terraform/modules/backend-api/pipes_pipe_routing_config_table_events.tf

@@ -0,0 +1,113 @@
+resource "aws_pipes_pipe" "routing_config_table_events" {
+  depends_on = [module.sqs_routing_config_table_events_pipe_dlq]
+
+  name               = "${local.csi}-routing-config-table-events"
+  role_arn           = aws_iam_role.pipe_routing_config_table_events.arn
+  source             = aws_dynamodb_table.routing_configuration.stream_arn
+  target             = module.sqs_template_mgmt_events.sqs_queue_arn
+  desired_state      = var.enable_routing_config_event_stream ? "RUNNING" : "STOPPED"
+  kms_key_identifier = var.kms_key_arn
+
+  source_parameters {
+    dynamodb_stream_parameters {
+      starting_position                  = "TRIM_HORIZON"
+      on_partial_batch_item_failure      = "AUTOMATIC_BISECT"
+      batch_size                         = 10
+      maximum_batching_window_in_seconds = 5
+      maximum_retry_attempts             = 5
+      maximum_record_age_in_seconds      = -1
+
+      dead_letter_config {
+        arn = module.sqs_routing_config_table_events_pipe_dlq.sqs_queue_arn
+      }
+    }
+  }
+
+  target_parameters {
+    input_template = <<-EOF
+      {
+        "dynamodb": <$.dynamodb>,
+        "eventID": <$.eventID>,
+        "eventName": <$.eventName>,
+        "eventSource": <$.eventSource>,
+        "tableName": "${aws_dynamodb_table.routing_configuration.name}"
+      }
+    EOF
+
+    sqs_queue_parameters {
+      message_group_id         = "$.dynamodb.Keys.id.S"
+      message_deduplication_id = "$.eventID"
+    }
+  }
+
+  log_configuration {
+    level                  = "ERROR"
+    include_execution_data = ["ALL"]
+
+    cloudwatch_logs_log_destination {
+      log_group_arn = aws_cloudwatch_log_group.pipe_routing_config_table_events.arn
+    }
+  }
+}
+
+resource "aws_iam_role" "pipe_routing_config_table_events" {
+  name               = "${local.csi}-pipe-routing-config-table-events"
+  description        = "IAM Role for Pipe to forward routing config table stream events to SQS"
+  assume_role_policy = data.aws_iam_policy_document.pipes_routing_config_trust_policy.json
+}
+
+data "aws_iam_policy_document" "pipes_routing_config_trust_policy" {
+  statement {
+    sid     = "PipesAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["pipes.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "pipe_routing_config_table_events" {
+  name   = "${local.csi}-pipe-routing-config-table-events"
+  role   = aws_iam_role.pipe_routing_config_table_events.id
+  policy = data.aws_iam_policy_document.pipe_routing_config_table_events.json
+}
+
+data "aws_iam_policy_document" "pipe_routing_config_table_events" {
+  version = "2012-10-17"
+
+  statement {
+    sid    = "AllowDynamoStreamRead"
+    effect = "Allow"
+    actions = [
+      "dynamodb:DescribeStream",
+      "dynamodb:GetRecords",
+      "dynamodb:GetShardIterator",
+      "dynamodb:ListStreams",
+    ]
+    resources = [aws_dynamodb_table.routing_configuration.stream_arn]
+  }
+
+  statement {
+    sid     = "AllowSqsSendMessage"
+    effect  = "Allow"
+    actions = ["sqs:SendMessage"]
+    resources = [
+      module.sqs_template_mgmt_events.sqs_queue_arn,
+      module.sqs_routing_config_table_events_pipe_dlq.sqs_queue_arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowKmsUsage"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*"
+    ]
+    resources = [var.kms_key_arn]
+  }
+}

infrastructure/terraform/modules/backend-api/pipes_pipe_template_table_events.tf

@@ -5,7 +5,7 @@ resource "aws_pipes_pipe" "template_table_events" {
   role_arn           = aws_iam_role.pipe_template_table_events.arn
   source             = aws_dynamodb_table.templates.stream_arn
   target             = module.sqs_template_mgmt_events.sqs_queue_arn
-  desired_state      = var.enable_event_stream ? "RUNNING" : "STOPPED"
+  desired_state      = "RUNNING"
   kms_key_identifier = var.kms_key_arn
 
   source_parameters {
@@ -24,7 +24,15 @@ resource "aws_pipes_pipe" "template_table_events" {
   }
 
   target_parameters {
-      input_template = "{\"dynamodb\": <$.dynamodb>,\"eventID\": <$.eventID>,\"eventName\": <$.eventName>,\"eventSource\": <$.eventSource>,\"tableName\": \"${aws_dynamodb_table.templates.name}\"}"
+    input_template = <<-EOF
+      {
+        "dynamodb": <$.dynamodb>,
+        "eventID": <$.eventID>,
+        "eventName": <$.eventName>,
+        "eventSource": <$.eventSource>,
+        "tableName": "${aws_dynamodb_table.templates.name}"
+      }
+    EOF
 
     sqs_queue_parameters {
       message_group_id         = "$.dynamodb.Keys.id.S"
@@ -44,11 +52,11 @@ resource "aws_pipes_pipe" "template_table_events" {
 
 resource "aws_iam_role" "pipe_template_table_events" {
   name               = "${local.csi}-pipe-template-table-events"
-  description        = "IAM Role for Pipe forward template table stream events to SQS"
-  assume_role_policy = data.aws_iam_policy_document.pipes_trust_policy.json
+  description        = "IAM Role for Pipe to forward template table stream events to SQS"
+  assume_role_policy = data.aws_iam_policy_document.pipes_templates_trust_policy.json
 }
 
-data "aws_iam_policy_document" "pipes_trust_policy" {
+data "aws_iam_policy_document" "pipes_templates_trust_policy" {
   statement {
     sid     = "PipesAssumeRole"
     effect  = "Allow"

infrastructure/terraform/modules/backend-api/variables.tf

@@ -71,10 +71,10 @@ variable "enable_backup" {
   default     = true
 }
 
-variable "enable_event_stream" {
+variable "enable_routing_config_event_stream" {
   type        = bool
-  description = "Enable DynamoDB streaming to EventBridge"
-  default     = true
+  description = "Enable DynamoDB streaming from routing config table to EventBridge"
+  default     = false
 }
 
 variable "kms_key_arn" {