feat: notifications v3 [ON HOLD]

.github/lambda-filter.yml

@@ -32,3 +32,5 @@ file-upload-processor:
   - "lambda-code/file-upload-processor/**"
 file-upload-cleanup:
   - "lambda-code/file-upload-cleanup/**"
+notification:
+  - "lambda-code/notification/**"

aws/alarms/cloudwatch_app.tf

@@ -416,7 +416,8 @@ locals {
     vault_integrity          = var.lambda_vault_integrity_log_group_name,
     api_end_to_end_test      = var.lambda_api_end_to_end_test_log_group_name,
     file_upload_processor    = var.lambda_file_upload_processor_log_group_name,
-    file_upload_cleanup      = var.lambda_file_upload_cleanup_log_group_name
+    file_upload_cleanup      = var.lambda_file_upload_cleanup_log_group_name,
+    notification             = var.lambda_notification_log_group_name,
   }
 }
 

aws/alarms/dashboards.tf

@@ -18,6 +18,7 @@ resource "aws_cloudwatch_dashboard" "forms_service_health" {
     lambda_response_archiver_log_group_name = var.lambda_response_archiver_log_group_name,
     lambda_submission_log_group_name        = var.lambda_submission_log_group_name,
     lambda_vault_integrity_log_group_name   = var.lambda_vault_integrity_log_group_name,
+    lambda_notification_log_group_name      = var.lambda_notification_log_group_name,
     rds_cluster_identifier                  = var.rds_cluster_identifier,
     region                                  = var.region
   })

aws/alarms/inputs.tf

@@ -325,3 +325,8 @@ variable "unhealthy_host_count_for_target_group_2_alarm_arn" {
   description = "ARN of unhealthy host count alarm for target group 2"
   type        = string
 }
+
+variable "lambda_notification_log_group_name" {
+  description = "Notification Lambda CloudWatch log group name"
+  type        = string
+}

aws/dynamodb/dynamo.tf

@@ -218,3 +218,29 @@ resource "aws_dynamodb_table" "api_audit_logs" {
   }
 }
 
+resource "aws_dynamodb_table" "notification" {
+  # checkov:skip=CKV_AWS_28: 'point in time recovery' is set to true for staging and production
+  name                        = "Notification"
+  billing_mode                = "PAY_PER_REQUEST"
+  hash_key                    = "NotificationID"
+  deletion_protection_enabled = var.env != "development"
+
+  attribute {
+    name = "NotificationID"
+    type = "S"
+  }
+
+  ttl {
+    enabled        = true
+    attribute_name = "TTL"
+  }
+
+  server_side_encryption {
+    enabled     = true
+    kms_key_arn = var.kms_key_dynamodb_arn
+  }
+
+  point_in_time_recovery {
+    enabled = var.env != "development"
+  }
+}

aws/dynamodb/outputs.tf

@@ -36,4 +36,14 @@ output "dynamodb_api_audit_logs_arn" {
 output "dynamodb_api_audit_logs_table_name" {
   description = "API Audit Logs table name"
   value       = aws_dynamodb_table.api_audit_logs.name
-}
+}
+
+output "dynamodb_notification_table_arn" {
+  description = "DynamoDB notification table ARN"
+  value       = aws_dynamodb_table.notification.arn
+}
+
+output "dynamodb_notification_table_name" {
+  description = "DynamoDB notification table name"
+  value       = aws_dynamodb_table.notification.name
+}

aws/ecr/ecr.tf

@@ -53,6 +53,7 @@ locals {
     "api-end-to-end-test-lambda",
     "file-upload-processor-lambda",
     "file-upload-cleanup-lambda",
+    "notification-lambda",
     var.env == "staging" ? "load-testing-lambda" : null
   ]))
 }

aws/lambdas/iam.tf

@@ -139,7 +139,9 @@ data "aws_iam_policy_document" "lambda_dynamodb" {
       var.dynamodb_app_audit_logs_arn,
       "${var.dynamodb_app_audit_logs_arn}/index/*",
       var.dynamodb_api_audit_logs_arn,
-      "${var.dynamodb_api_audit_logs_arn}/index/*"
+      "${var.dynamodb_api_audit_logs_arn}/index/*",
+      var.dynamodb_notification_table_arn,
+      "${var.dynamodb_notification_table_arn}/index/*"
     ]
   }
 }

aws/lambdas/inputs.tf

@@ -281,3 +281,23 @@ variable "api_end_to_end_test_lambda_security_group_id" {
   description = "API end to end test Lambda security group ID"
   type        = string
 }
+
+variable "sqs_notification_queue_arn" {
+  description = "ARN of the notification SQS queue"
+  type        = string
+}
+
+variable "sqs_notification_queue_url" {
+  description = "URL of the notification SQS queue"
+  type        = string
+}
+
+variable "dynamodb_notification_table_arn" {
+  description = "ARN of the notification DynamoDB table"
+  type        = string
+}
+
+variable "dynamodb_notification_table_name" {
+  description = "Name of the notification DynamoDB table"
+  type        = string
+}

aws/lambdas/notification.tf

@@ -0,0 +1,48 @@
+
+resource "aws_lambda_function" "notification" {
+  function_name = "notification"
+  image_uri     = "${var.ecr_repository_lambda_urls["notification-lambda"]}:latest"
+  package_type  = "Image"
+  role          = aws_iam_role.lambda.arn
+  timeout       = 300 # lambda can run for up to 5 minutes
+  memory_size   = 512
+
+  dynamic "vpc_config" {
+    for_each = local.vpc_config
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
+
+  environment {
+    variables = {
+      REGION                           = var.region
+      DYNAMODB_NOTIFICATION_TABLE_NAME = var.dynamodb_notification_table_name
+      NOTIFY_API_KEY                   = var.notify_api_key_secret_arn
+    }
+  }
+
+  logging_config {
+    log_format = "Text"
+    log_group  = "/aws/lambda/Notification"
+  }
+
+  tracing_config {
+    mode = "Active"
+  }
+}
+
+resource "aws_cloudwatch_log_group" "notification" {
+  name              = "/aws/lambda/Notification"
+  kms_key_id        = var.kms_key_cloudwatch_arn
+  retention_in_days = 731
+}
+
+resource "aws_lambda_event_source_mapping" "notification_sqs" {
+  event_source_arn        = var.sqs_notification_queue_arn
+  function_name           = aws_lambda_function.notification.function_name
+  batch_size              = 10
+  enabled                 = true
+  function_response_types = ["ReportBatchItemFailures"]
+}

aws/lambdas/outputs.tf

@@ -87,3 +87,13 @@ output "forms_lambda_client_iam_role_name" {
   description = "IAM role name for forms client Lambda"
   value       = try(aws_iam_role.forms_lambda_client[0].name, null)
 }
+
+output "lambda_notification_log_group_name" {
+  description = "Notification Lambda CloudWatch log group name"
+  value       = aws_cloudwatch_log_group.notification.name
+}
+
+output "lambda_notification_function_name" {
+  description = "Notification Lambda function name"
+  value       = aws_lambda_function.notification.function_name
+}

aws/lambdas/reliability.tf

@@ -22,11 +22,12 @@ resource "aws_lambda_function" "reliability" {
 
   environment {
     variables = {
-      ENVIRONMENT    = local.env
-      REGION         = var.region
-      NOTIFY_API_KEY = var.notify_api_key_secret_arn
-      TEMPLATE_ID    = var.gc_template_id
-      DB_URL         = var.database_url_secret_arn
+      ENVIRONMENT             = local.env
+      REGION                  = var.region
+      NOTIFY_API_KEY          = var.notify_api_key_secret_arn
+      TEMPLATE_ID             = var.gc_template_id
+      DB_URL                  = var.database_url_secret_arn
+      NOTIFICATION_QUEUE_URL  = var.sqs_notification_queue_url
     }
   }
 

aws/network/development_env/vpc_endpoints.tf

@@ -25,4 +25,15 @@ resource "aws_vpc_endpoint" "secretsmanager" {
     aws_security_group.privatelink.id,
   ]
   subnet_ids = local.private_subnet_ids
+}
+
+resource "aws_vpc_endpoint" "sqs" {
+  vpc_id              = aws_vpc.forms.id
+  vpc_endpoint_type   = "Interface"
+  service_name        = "com.amazonaws.${var.region}.sqs"
+  private_dns_enabled = true
+  security_group_ids = [
+    aws_security_group.privatelink.id
+  ]
+  subnet_ids = local.private_subnet_ids
 }

aws/sqs/outputs.tf

@@ -72,3 +72,13 @@ output "sqs_file_upload_deadletter_queue_name" {
   description = "File upload dead-letter queue name"
   value       = aws_sqs_queue.file_upload_deadletter_queue.name
 }
+
+output "sqs_notification_queue_arn" {
+  description = "Notification queue ARN"
+  value       = aws_sqs_queue.notification_queue.arn
+}
+
+output "sqs_notification_queue_url" {
+  description = "Notification queue URL"
+  value       = aws_sqs_queue.notification_queue.url
+}

aws/sqs/sqs.tf

@@ -158,3 +158,15 @@ resource "aws_sqs_queue" "file_upload_deadletter_queue" {
   message_retention_seconds = 1209600
   receive_wait_time_seconds = 5
 }
+
+# Notification queue (no DLQ requirement)
+resource "aws_sqs_queue" "notification_queue" {
+  # checkov:skip=CKV_AWS_27: Encrytion not Required and difficult to support with S3 notification source
+  name                              = "notification_queue"
+  delay_seconds                     = 0
+  max_message_size                  = 262144
+  message_retention_seconds         = 86400 // 24 hours
+  visibility_timeout_seconds        = 1800
+  kms_master_key_id                 = "alias/aws/sqs"
+  kms_data_key_reuse_period_seconds = 300
+}

env/cloud/alarms/terragrunt.hcl

@@ -109,6 +109,7 @@ dependency "lambdas" {
     lambda_api_end_to_end_test_log_group_name      = "/aws/lambda/API_End_To_End_Test"
     lambda_file_upload_processor_log_group_name    = "/aws/lambda/file-upload-processor"
     lambda_file_upload_cleanup_log_group_name      = "/aws/lambda/file-upload-cleanup"
+    lambda_notification_log_group_name             = "/aws/lambda/Notification"
   }
 }
 
@@ -231,6 +232,7 @@ inputs = {
   lambda_api_end_to_end_test_log_group_name      = dependency.lambdas.outputs.lambda_api_end_to_end_test_log_group_name
   lambda_file_upload_processor_log_group_name    = dependency.lambdas.outputs.lambda_file_upload_processor_log_group_name
   lambda_file_upload_cleanup_log_group_name      = dependency.lambdas.outputs.lambda_file_upload_cleanup_log_group_name
+  lambda_notification_log_group_name             = dependency.lambdas.outputs.lambda_notification_log_group_name
 
   rds_cluster_identifier = dependency.rds.outputs.rds_cluster_identifier
 

env/cloud/lambdas/terragrunt.hcl

@@ -81,6 +81,8 @@ dependency "sqs" {
     sqs_reliability_dead_letter_queue_id   = "https://sqs.ca-central-1.amazonaws.com/${local.aws_account_id}/reliability_deadletter_queue"
     sqs_app_audit_log_queue_arn            = "arn:aws:sqs:ca-central-1:${local.aws_account_id}:audit_log_queue"
     sqs_api_audit_log_queue_arn            = "arn:aws:sqs:ca-central-1:${local.aws_account_id}:api_audit_log_queue"
+    sqs_notification_queue_arn             = "arn:aws:sqs:ca-central-1:${local.aws_account_id}:notification_queue"
+    sqs_notification_queue_url             = "https://sqs.ca-central-1.amazonaws.com/${local.aws_account_id}/notification_queue"
   }
 }
 
@@ -119,6 +121,8 @@ dependency "dynamodb" {
     dynamodb_app_audit_logs_arn        = "arn:aws:dynamodb:ca-central-1:${local.aws_account_id}:table/AuditLogs"
     dynamodb_api_audit_logs_table_name = "ApiAuditLogs"
     dynamodb_api_audit_logs_arn        = "arn:aws:dynamodb:ca-central-1:${local.aws_account_id}:table/ApiAuditLogs"
+    dynamodb_notification_table_name   = "Notification"
+    dynamodb_notification_table_arn    = "arn:aws:dynamodb:ca-central-1:${local.aws_account_id}:table/Notification"
   }
 }
 
@@ -179,7 +183,8 @@ dependency "ecr" {
       api-end-to-end-test-lambda      = "test_url",
       file-upload-processor-lambda    = "test_url",
       file-upload-cleanup-lambda      = "test_url",
-      load-testing-lambda             = "test_url"
+      load-testing-lambda             = "test_url",
+      notification-lambda             = "test_url"
     }
   }
 }
@@ -233,6 +238,8 @@ inputs = {
   dynamodb_app_audit_logs_arn        = dependency.dynamodb.outputs.dynamodb_app_audit_logs_arn
   dynamodb_api_audit_logs_table_name = dependency.dynamodb.outputs.dynamodb_api_audit_logs_table_name
   dynamodb_api_audit_logs_arn        = dependency.dynamodb.outputs.dynamodb_api_audit_logs_arn
+  dynamodb_notification_table_name   = dependency.dynamodb.outputs.dynamodb_notification_table_name
+  dynamodb_notification_table_arn    = dependency.dynamodb.outputs.dynamodb_notification_table_arn
 
   kms_key_cloudwatch_arn = dependency.kms.outputs.kms_key_cloudwatch_arn
   kms_key_dynamodb_arn   = dependency.kms.outputs.kms_key_dynamodb_arn
@@ -252,6 +259,8 @@ inputs = {
   sqs_reliability_dead_letter_queue_id   = dependency.sqs.outputs.sqs_reliability_dead_letter_queue_id
   sqs_app_audit_log_queue_arn            = dependency.sqs.outputs.sqs_app_audit_log_queue_arn
   sqs_api_audit_log_queue_arn            = dependency.sqs.outputs.sqs_api_audit_log_queue_arn
+  sqs_notification_queue_arn             = dependency.sqs.outputs.sqs_notification_queue_arn
+  sqs_notification_queue_url             = dependency.sqs.outputs.sqs_notification_queue_url
 
   sns_topic_alert_critical_arn = dependency.sns.outputs.sns_topic_alert_critical_arn