Merge branch 'main' into PRMP-1122

.github/workflows/terraform-daily-healthcheck-deploy-and-destroy.yml

@@ -171,7 +171,7 @@ jobs:
   deploy_ui:
     name: Deploy UI
     uses: nhsconnect/national-document-repository/.github/workflows/base-deploy-ui.yml@main
-    needs: ['set_workspace']
+    needs: ['terraform_process', 'set_workspace']
     with:
       build_branch: main
       sandbox: ${{ needs.set_workspace.outputs.workspace }}
@@ -180,6 +180,7 @@ jobs:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
   destroy_test_environment:
+    if: always()
     name: Destroy the Sandbox Environment from previous job
     needs: [ 'set_workspace', 'deploy_ui', 'deploy_all_lambdas' ]
     uses: ./.github/workflows/terraform-destroy-environment-manual.yml

infrastructure/README.md

@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.77.0 |
 
 ## Modules
 
@@ -163,12 +163,8 @@
 | [aws_backup_vault.backup_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_metadata_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
-| [aws_cloudwatch_event_rule.data_collection_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
-| [aws_cloudwatch_event_rule.statistical_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_metadata_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
-| [aws_cloudwatch_event_target.data_collection_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
-| [aws_cloudwatch_event_target.statistical_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.mesh_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_metric_filter.error_log_metric_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
 | [aws_cloudwatch_log_metric_filter.inbox_message_count](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
@@ -227,8 +223,6 @@
 | [aws_lambda_event_source_mapping.nrl_pointer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
-| [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
-| [aws_lambda_permission.statistical_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_lifecycle_configuration.doc-store-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.lg-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |

infrastructure/lambda-authoriser.tf

@@ -2,12 +2,11 @@ module "authoriser-lambda" {
   source  = "./modules/lambda"
   name    = "AuthoriserLambda"
   handler = "handlers.authoriser_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    aws_iam_policy.ssm_policy_authoriser.arn,
-    module.auth_session_dynamodb_table.dynamodb_policy,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    aws_iam_policy.ssm_policy_authoriser.policy,
+    module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+    module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn

infrastructure/lambda-back-channel-logout.tf

@@ -23,12 +23,11 @@ module "back_channel_logout_lambda" {
   source  = "./modules/lambda"
   name    = "BackChannelLogoutHandler"
   handler = "handlers.back_channel_logout_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    aws_iam_policy.ssm_policy_oidc.arn,
-    module.auth_session_dynamodb_table.dynamodb_policy,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    aws_iam_policy.ssm_policy_oidc.policy,
+    module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+    module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.back-channel-logout-gateway.gateway_resource_id

infrastructure/lambda-bulk-upload-metadata.tf

@@ -3,12 +3,12 @@ module "bulk-upload-metadata-lambda" {
   name           = "BulkUploadMetadataLambda"
   handler        = "handlers.bulk_upload_metadata_handler.lambda_handler"
   lambda_timeout = 900
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-bulk-staging-store.s3_object_access_policy,
-    module.sqs-lg-bulk-upload-metadata-queue.sqs_policy,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
+    module.ndr-app-config.app_config_policy
   ]
 
   rest_api_id       = null

infrastructure/lambda-bulk-upload-report.tf

@@ -2,13 +2,13 @@ module "bulk-upload-report-lambda" {
   source  = "./modules/lambda"
   name    = "BulkUploadReportLambda"
   handler = "handlers.bulk_upload_report_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.statistical-reports-store.s3_object_access_policy,
-    module.bulk_upload_report_dynamodb_table.dynamodb_policy,
-    aws_iam_policy.dynamodb_policy_scan_bulk_report.arn,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.statistical-reports-store.s3_read_policy_document,
+    module.statistical-reports-store.s3_write_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
+    aws_iam_policy.dynamodb_policy_scan_bulk_report.policy,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = null
   api_execution_arn = null

infrastructure/lambda-bulk-upload.tf

@@ -2,16 +2,24 @@ module "bulk-upload-lambda" {
   source  = "./modules/lambda"
   name    = "BulkUploadLambda"
   handler = "handlers.bulk_upload_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn,
-    aws_iam_policy.ssm_access_policy.arn,
-    aws_iam_policy.lambda_sqs_combined_policy.arn,
-    module.ndr-bulk-staging-store.s3_object_access_policy,
-    module.ndr-lloyd-george-store.s3_object_access_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.bulk_upload_report_dynamodb_table.dynamodb_policy,
+
+  iam_role_policy_documents = [
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
+    module.sqs-nrl-queue.sqs_read_policy_document,
+    module.sqs-nrl-queue.sqs_write_policy_document,
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
+    module.sqs-lg-bulk-upload-invalid-queue.sqs_read_policy_document,
+    module.sqs-lg-bulk-upload-invalid-queue.sqs_write_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = null
   api_execution_arn = null
@@ -45,7 +53,6 @@ module "bulk-upload-lambda" {
     module.lloyd_george_reference_dynamodb_table,
     module.bulk_upload_report_dynamodb_table,
     aws_iam_policy.ssm_access_policy,
-    module.ndr-app-config
   ]
 }
 

infrastructure/lambda-create-doc-ref.tf

@@ -66,21 +66,27 @@ module "create-doc-ref-lambda" {
   source  = "./modules/lambda"
   name    = "CreateDocRefLambda"
   handler = "handlers.create_document_reference_handler.lambda_handler"
-  iam_role_policies = [
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-bulk-staging-store.s3_object_access_policy,
-    module.ndr-lloyd-george-store.s3_object_access_policy,
-    module.ndr-document-store.s3_object_access_policy,
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    aws_iam_policy.ssm_access_policy.arn,
-    module.ndr-app-config.app_config_policy_arn,
+  iam_role_policy_documents = [
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy,
   ]
-  rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id       = module.create-doc-ref-gateway.gateway_resource_id
-  http_methods      = ["POST"]
+  rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id  = module.create-doc-ref-gateway.gateway_resource_id
+  http_methods = ["POST"]
+  memory_size  = 512
+
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {
     STAGING_STORE_BUCKET_NAME     = "${terraform.workspace}-${var.staging_store_bucket_name}"

infrastructure/lambda-data-collection.tf

@@ -45,16 +45,19 @@ module "data-collection-lambda" {
   name           = "DataCollectionLambda"
   handler        = "handlers.data_collection_handler.lambda_handler"
   lambda_timeout = 900
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn,
-    module.statistics_dynamodb_table.dynamodb_policy,
-    module.ndr-lloyd-george-store.s3_list_object_policy,
-    module.ndr-document-store.s3_list_object_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    aws_iam_policy.cloudwatch_log_query_policy.arn
+  iam_role_policy_documents = [
+    module.ndr-app-config.app_config_policy,
+    module.statistics_dynamodb_table.dynamodb_read_policy_document,
+    module.statistics_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    aws_iam_policy.cloudwatch_log_query_policy.policy
   ]
   rest_api_id       = null
   api_execution_arn = null

infrastructure/lambda-delete-doc-ref.tf

@@ -65,16 +65,20 @@ module "delete-doc-ref-lambda" {
   source  = "./modules/lambda"
   name    = "DeleteDocRefLambda"
   handler = "handlers.delete_document_reference_handler.lambda_handler"
-  iam_role_policies = [
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-document-store.s3_object_access_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-lloyd-george-store.s3_object_access_policy,
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn,
-    module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
-    module.sqs-nrl-queue.sqs_policy
+  iam_role_policy_documents = [
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.sqs-nrl-queue.sqs_read_policy_document,
+    module.sqs-nrl-queue.sqs_write_policy_document
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.delete-doc-ref-gateway.gateway_resource_id
@@ -88,7 +92,6 @@ module "delete-doc-ref-lambda" {
     LLOYD_GEORGE_DYNAMODB_NAME    = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
     WORKSPACE                     = terraform.workspace
-    NRL_SQS_QUEUE_URL             = module.sqs-nrl-queue.sqs_url
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,

infrastructure/lambda-document-manifest-job.tf

@@ -67,14 +67,16 @@ module "document-manifest-job-lambda" {
   name           = "DocumentManifestJobLambda"
   handler        = "handlers.document_manifest_job_handler.lambda_handler"
   lambda_timeout = 900
-  iam_role_policies = [
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.zip_store_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-zip-request-store.s3_object_access_policy,
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.zip_store_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.zip_store_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-zip-request-store.s3_read_policy_document,
+    module.ndr-zip-request-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.document-manifest-job-gateway.gateway_resource_id

infrastructure/lambda-feature-flags.tf

@@ -66,10 +66,8 @@ module "feature-flags-lambda" {
   source  = "./modules/lambda"
   name    = "FeatureFlagsLambda"
   handler = "handlers.feature_flags_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.feature-flags-gateway.gateway_resource_id

infrastructure/lambda-generate-document-manifest.tf

@@ -46,15 +46,18 @@ module "generate-document-manifest-lambda" {
   handler                  = "handlers.generate_document_manifest_handler.lambda_handler"
   lambda_timeout           = 900
   lambda_ephemeral_storage = 512
-  iam_role_policies = [
-    module.ndr-document-store.s3_object_access_policy,
-    module.ndr-lloyd-george-store.s3_object_access_policy,
-    module.zip_store_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-zip-request-store.s3_object_access_policy,
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn,
-    aws_iam_policy.dynamodb_stream_manifest.arn
+  memory_size              = 512
+  iam_role_policy_documents = [
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.zip_store_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.zip_store_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-zip-request-store.s3_read_policy_document,
+    module.ndr-zip-request-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.dynamodb_stream_manifest.policy
   ]
   rest_api_id       = null
   api_execution_arn = null