Feature/ccm 12950 transform publish updates #385

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

stevebux wants to merge 16 commits into main from feature/CCM-12950-Transform-Publish-Updates

infrastructure/terraform/components/api/README.md

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -18,8 +18,8 @@ No requirements.
  
    | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |

    | <a name="input_disable_gateway_execute_endpoint"></a> [disable\_gateway\_execute\_endpoint](#input\_disable\_gateway\_execute\_endpoint) | Disable the execution endpoint for the API Gateway | `bool` | `true` | no |

    | <a name="input_enable_api_data_trace"></a> [enable\_api\_data\_trace](#input\_enable\_api\_data\_trace) | Enable API Gateway data trace logging | `bool` | `false` | no |

    | <a name="input_enable_event_cache"></a> [enable\_event\_cache](#input\_enable\_event\_cache) | Enable caching of events to an S3 bucket | `bool` | `false` | no |

    | <a name="input_enable_sns_delivery_logging"></a> [enable\_sns\_delivery\_logging](#input\_enable\_sns\_delivery\_logging) | Enable SNS Delivery Failure Notifications | `bool` | `false` | no |

    | <a name="input_enable_event_cache"></a> [enable\_event\_cache](#input\_enable\_event\_cache) | Enable caching of events to an S3 bucket | `bool` | `true` | no |

    | <a name="input_enable_sns_delivery_logging"></a> [enable\_sns\_delivery\_logging](#input\_enable\_sns\_delivery\_logging) | Enable SNS Delivery Failure Notifications | `bool` | `true` | no |

    | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |

    | <a name="input_eventpub_control_plane_bus_arn"></a> [eventpub\_control\_plane\_bus\_arn](#input\_eventpub\_control\_plane\_bus\_arn) | ARN of the EventBridge control plane bus for eventpub | `string` | `""` | no |

    | <a name="input_eventpub_data_plane_bus_arn"></a> [eventpub\_data\_plane\_bus\_arn](#input\_eventpub\_data\_plane\_bus\_arn) | ARN of the EventBridge data plane bus for eventpub | `string` | `""` | no |

    @@ -37,7 +37,7 @@ No requirements.
  
    | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |

    | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |

    | <a name="input_shared_infra_account_id"></a> [shared\_infra\_account\_id](#input\_shared\_infra\_account\_id) | The AWS Account ID of the shared infrastructure account | `string` | `"000000000000"` | no |

    | <a name="input_sns_success_logging_sample_percent"></a> [sns\_success\_logging\_sample\_percent](#input\_sns\_success\_logging\_sample\_percent) | Enable SNS Delivery Successful Sample Percentage | `number` | `0` | no |

    | <a name="input_sns_success_logging_sample_percent"></a> [sns\_success\_logging\_sample\_percent](#input\_sns\_success\_logging\_sample\_percent) | Enable SNS Delivery Successful Sample Percentage | `number` | `100` | no |

    ## Modules

    | Name | Source | Version |

infrastructure/terraform/components/api/event_source_mapping_mi_updates.tf

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -1,11 +1,11 @@
  
    resource "aws_lambda_event_source_mapping" "mi_updates_transformer_kinesis" {

      event_source_arn                     = aws_kinesis_stream.mi_change_stream.arn

      function_name                        = module.mi_updates_transformer.function_arn

      starting_position                    = "LATEST"

      batch_size                           = 10

      maximum_batching_window_in_seconds   = 1

      event_source_arn                   = aws_kinesis_stream.mi_change_stream.arn

      function_name                      = module.mi_updates_transformer.function_arn

      starting_position                  = "LATEST"

      batch_size                         = 10

      maximum_batching_window_in_seconds = 1

      depends_on = [

        module.mi_updates_transformer    # ensures updates transformer exists

        module.mi_updates_transformer # ensures updates transformer exists

      ]

    }

infrastructure/terraform/components/api/lambda_event_source_mapping_letter_status_update.tf

-Original file line number
+Diff line change
@@ -0,0 +1,9 @@
+    resource "aws_lambda_event_source_mapping" "letter_status_update" {
+      event_source_arn                   = module.letter_status_updates_queue.sqs_queue_arn
+      function_name                      = module.letter_status_update.function_name
+      batch_size                         = 10
+      maximum_batching_window_in_seconds = 5
+      function_response_types = [
+        "ReportBatchItemFailures"
+      ]
+    }

infrastructure/terraform/components/api/locals.tf

-Original file line number
+Diff line change
@@ Expand Up / @@ -27,6 +27,8 @@ locals { @@
         SUPPLIER_ID_HEADER       = "nhsd-supplier-id",
         APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
         DOWNLOAD_URL_TTL_SECONDS = 60
+        AMENDMENTS_TOPIC_ARN     = "${module.eventsub.amendments_topic.arn}",
+        EVENT_SOURCE             = "/data-plane/supplier-api/${var.group}/${var.environment}/letters"
       }
       core_pdf_bucket_arn        = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
@@ Expand Down @@

infrastructure/terraform/components/api/module_lambda_letter_status_update.tf

-Original file line number
+Diff line change
@@ Expand Up / @@ -59,7 +59,6 @@ data "aws_iam_policy_document" "letter_status_update" { @@
         actions = [
           "dynamodb:GetItem",
           "dynamodb:Query",
-          "dynamodb:UpdateItem",
         ]
         resources = [
@@ Expand All / @@ -82,4 +81,17 @@ data "aws_iam_policy_document" "letter_status_update" { @@
           module.letter_status_updates_queue.sqs_queue_arn
         ]
       }
+      statement {
+        sid    = "AllowSNSPublish"
+        effect = "Allow"
+        actions = [
+          "sns:Publish"
+        ]
+        resources = [
+          module.eventsub.amendments_topic.arn
+        ]
+      }
     }

infrastructure/terraform/components/api/module_lambda_letter_updates_transformer.tf

-Original file line number
+Diff line change
@@ Expand Up / @@ -36,7 +36,7 @@ module "letter_updates_transformer" { @@
       lambda_env_vars = merge(local.common_lambda_env_vars, {
         EVENTPUB_SNS_TOPIC_ARN = "${module.eventpub.sns_topic.arn}",
-        EVENT_SOURCE = "/data-plane/supplier-api/${var.group}/${var.environment}/letters"
+        EVENT_SOURCE           = "/data-plane/supplier-api/${var.group}/${var.environment}/letters"
       })
     }
@@ Expand Down @@

infrastructure/terraform/components/api/module_sqs_letter_updates.tf

-Original file line number
+Diff line change
@@ Expand Up / @@ -18,29 +18,6 @@ module "sqs_letter_updates" { @@
     data "aws_iam_policy_document" "letter_updates_queue_policy" {
       version = "2012-10-17"
-      statement {
-        sid    = "AllowSNSToSendMessage"
-        effect = "Allow"
-        principals {
-          type        = "Service"
-          identifiers = ["sns.amazonaws.com"]
-        }
-        actions = [
-          "sqs:SendMessage"
-        ]
-        resources = [
-          "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-letter-updates-queue"
-        ]
-        condition {
-          test     = "ArnEquals"
-          variable = "aws:SourceArn"
-          values   = [module.eventsub.sns_topic.arn]
-        }
-      }
       statement {
         sid    = "AllowSNSPermissions"
@@ Expand All @@
         condition {
           test     = "ArnEquals"
           variable = "aws:SourceArn"
-          values   = [module.eventsub.sns_topic.arn]
+          values   = [module.eventsub.eventsub_topic.arn, module.eventsub.amendments_topic.arn]
         }
       }
     }

infrastructure/terraform/components/api/modules_eventsub.tf

-Original file line number
+Diff line change
@@ Expand Up / @@ -22,7 +22,7 @@ module "eventsub" { @@
       sns_success_logging_sample_percent = var.sns_success_logging_sample_percent
       event_cache_expiry_days = 30
-      enable_event_cache                 = var.enable_event_cache
+      enable_event_cache      = var.enable_event_cache
       shared_infra_account_id = var.shared_infra_account_id
     }

...astructure/terraform/components/api/sns_topic_subscription_eventsub_sqs_letter_updates.tf

-Original file line number
+Diff line change
@@ -1,5 +1,11 @@
     resource "aws_sns_topic_subscription" "eventsub_sqs_letter_updates" {
-      topic_arn = module.eventsub.sns_topic.arn
+      topic_arn = module.eventsub.eventsub_topic.arn
+      protocol  = "sqs"
+      endpoint  = module.sqs_letter_updates.sqs_queue_arn
+    }
+    resource "aws_sns_topic_subscription" "amendments_sqs_letter_updates" {
+      topic_arn = module.eventsub.amendments_topic.arn
       protocol  = "sqs"
       endpoint  = module.sqs_letter_updates.sqs_queue_arn
     }

infrastructure/terraform/components/api/variables.tf

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -167,19 +167,19 @@ variable "core_environment" {
  
    variable "enable_event_cache" {

      type        = bool

      description = "Enable caching of events to an S3 bucket"

      default     = false

      default     = true

    }

    variable "enable_sns_delivery_logging" {

      type        = bool

      description = "Enable SNS Delivery Failure Notifications"

      default     = false

      default     = true

    }

    variable "sns_success_logging_sample_percent" {

      type        = number

      description = "Enable SNS Delivery Successful Sample Percentage"

      default     = 0

      default     = 100

    }

    variable "enable_api_data_trace" {

infrastructure/terraform/modules/eventsub/README.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -39,8 +39,9 @@ @@
     | Name | Description |
     |------|-------------|
+    | <a name="output_amendments_topic"></a> [amendments\_topic](#output\_amendments\_topic) | Amendments SNS Topic ARN and Name |
+    | <a name="output_eventsub_topic"></a> [eventsub\_topic](#output\_eventsub\_topic) | SNS Topic ARN and Name |
     | <a name="output_s3_bucket_event_cache"></a> [s3\_bucket\_event\_cache](#output\_s3\_bucket\_event\_cache) | S3 Bucket ARN and Name for event cache |
-    | <a name="output_sns_topic"></a> [sns\_topic](#output\_sns\_topic) | SNS Topic ARN and Name |
     <!-- vale on -->
     <!-- markdownlint-enable -->
     <!-- END_TF_DOCS -->

...structure/terraform/modules/eventsub/cloudwatch_log_group_sns_delivery_logging_failure.tf

-Original file line number
+Diff line change
@@ Expand Up @@
       kms_key_id        = var.kms_key_arn
       retention_in_days = var.log_retention_in_days
     }
+    resource "aws_cloudwatch_log_group" "amendments_sns_delivery_logging_failure" {
+      count = var.enable_sns_delivery_logging ? 1 : 0
+      # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}/Failure
+      # (for failure logs)
+      name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}-amendments/Failure"
+      kms_key_id        = var.kms_key_arn
+      retention_in_days = var.log_retention_in_days
+    }

...structure/terraform/modules/eventsub/cloudwatch_log_group_sns_delivery_logging_success.tf

-Original file line number
+Diff line change
@@ Expand Up @@
       kms_key_id        = var.kms_key_arn
       retention_in_days = var.log_retention_in_days
     }
+    resource "aws_cloudwatch_log_group" "amendments_sns_delivery_logging_success" {
+      count = var.enable_sns_delivery_logging ? 1 : 0
+      # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}
+      # (for success logs)
+      name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}-amendments"
+      kms_key_id        = var.kms_key_arn
+      retention_in_days = var.log_retention_in_days
+    }

infrastructure/terraform/modules/eventsub/cloudwatch_metric_alarm_sns_delivery_failures.tf

-Original file line number
+Diff line change
@@ Expand Up @@
       treat_missing_data  = "notBreaching"
       dimensions = {
-        TopicName = aws_sns_topic.main.name
+        TopicName = aws_sns_topic.eventsub_topic.name
+      }
+    }
+    resource "aws_cloudwatch_metric_alarm" "amendments_delivery_failures" {
+      alarm_name          = "${local.csi}-amendments-sns-delivery-failures"
+      alarm_description   = "RELIABILITY: Alarm for amendments SNS topic delivery failures"
+      comparison_operator = "GreaterThanThreshold"
+      evaluation_periods  = 1
+      metric_name         = "NumberOfNotificationsFailed"
+      namespace           = "AWS/SNS"
+      period              = 300
+      statistic           = "Sum"
+      threshold           = 0
+      treat_missing_data  = "notBreaching"
+      dimensions = {
+        TopicName = aws_sns_topic.amendments_topic.name
       }
     }

infrastructure/terraform/modules/eventsub/iam_policy_sns_delivery_logging_cloudwatch.tf

-Original file line number
+Diff line change
@@ Expand Up @@
           "${aws_cloudwatch_log_group.sns_delivery_logging_success[0].arn}:log-stream:*",
           aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn,
           "${aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn}:log-stream:*",
+          aws_cloudwatch_log_group.amendments_sns_delivery_logging_success[0].arn,
+          "${aws_cloudwatch_log_group.amendments_sns_delivery_logging_success[0].arn}:log-stream:*",
+          aws_cloudwatch_log_group.amendments_sns_delivery_logging_failure[0].arn,
+          "${aws_cloudwatch_log_group.amendments_sns_delivery_logging_failure[0].arn}:log-stream:*",
         ]
       }
     }

infrastructure/terraform/modules/eventsub/iam_role_firehose_role.tf

-Original file line number
+Diff line change
@@ -1,8 +1,8 @@
     resource "aws_iam_role" "firehose_role" {
       count = var.enable_event_cache ? 1 : 0
-      name                 = "${local.csi}-firehose-role"
-      assume_role_policy   = data.aws_iam_policy_document.firehose_assume_role[0].json
+      name               = "${local.csi}-firehose-role"
+      assume_role_policy = data.aws_iam_policy_document.firehose_assume_role[0].json
     }
     data "aws_iam_policy_document" "firehose_assume_role" {
@@ Expand Down @@

infrastructure/terraform/modules/eventsub/iam_role_sns.tf

-Original file line number
+Diff line change
@@ -1,6 +1,6 @@
     resource "aws_iam_role" "sns_role" {
-      name                 = "${local.csi}-sns-role"
-      assume_role_policy   = data.aws_iam_policy_document.sns_assume_role.json
+      name               = "${local.csi}-sns-role"
+      assume_role_policy = data.aws_iam_policy_document.sns_assume_role.json
     }
     resource "aws_iam_policy" "firehose_delivery" {
@@ Expand Down @@

infrastructure/terraform/modules/eventsub/iam_role_sns_delivery_logging.tf

-Original file line number
+Diff line change
@@ -1,8 +1,8 @@
     resource "aws_iam_role" "sns_delivery_logging_role" {
       count = var.enable_sns_delivery_logging ? 1 : 0
-      name                 = "${local.csi}-sns-delivery-logging"
-      assume_role_policy   = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
+      name               = "${local.csi}-sns-delivery-logging"
+      assume_role_policy = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
     }
     data "aws_iam_policy_document" "sns_delivery_logging_assume_role" {
@@ Expand Down @@

infrastructure/terraform/modules/eventsub/module_s3bucket_event_cache.tf

-Original file line number
+Diff line change
@@ Expand Up / @@ -48,7 +48,7 @@ module "s3bucket_event_cache" { @@
       }
       default_tags = {
-        Name = "Event Cache Storage"
+        Name                       = "Event Cache Storage"
         NHSE-Enable-S3-Backup-Acct = "True"
       }
     }
@@ Expand Down @@

infrastructure/terraform/modules/eventsub/moved.tf

-Original file line number
+Diff line change
@@ -0,0 +1,11 @@
+    # Moved blocks to handle resource renames without destroy/recreate
+    moved {
+      from = aws_sns_topic.main
+      to   = aws_sns_topic.eventsub_topic
+    }
+    moved {
+      from = aws_sns_topic_policy.main
+      to   = aws_sns_topic_policy.eventsub_topic
+    }

infrastructure/terraform/modules/eventsub/outputs.tf

-Original file line number
+Diff line change
@@ -1,8 +1,16 @@
-    output "sns_topic" {
+    output "eventsub_topic" {
       description = "SNS Topic ARN and Name"
       value = {
-        arn  = aws_sns_topic.main.arn
-        name = aws_sns_topic.main.name
+        arn  = aws_sns_topic.eventsub_topic.arn
+        name = aws_sns_topic.eventsub_topic.name
+      }
+    }
+    output "amendments_topic" {
+      description = "Amendments SNS Topic ARN and Name"
+      value = {
+        arn  = aws_sns_topic.amendments_topic.arn
+        name = aws_sns_topic.amendments_topic.name
       }
     }
@@ Expand Down @@

infrastructure/terraform/modules/eventsub/sns_topic.tf

This file was deleted.

infrastructure/terraform/modules/eventsub/sns_topic_eventsub.tf

-Original file line number
+Diff line change
@@ -0,0 +1,49 @@
+    resource "aws_sns_topic" "eventsub_topic" {
+      name              = local.csi
+      kms_master_key_id = var.kms_key_arn
+      application_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      application_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      application_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+      firehose_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      firehose_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      firehose_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+      http_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      http_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      http_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+      lambda_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      lambda_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      lambda_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+      sqs_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      sqs_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      sqs_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+    }
+    resource "aws_sns_topic" "amendments_topic" {
+      name              = "${local.csi}-amendments"
+      kms_master_key_id = var.kms_key_arn
+      application_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      application_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      application_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+      firehose_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      firehose_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      firehose_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+      http_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      http_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      http_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+      lambda_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      lambda_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      lambda_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+      sqs_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      sqs_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+      sqs_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+    }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature/ccm 12950 transform publish updates #385

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Feature/ccm 12950 transform publish updates #385

Are you sure you want to change the base?

Uh oh!

Feature/ccm 12950 transform publish updates #385

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!