[PRMP-1122] add policy to bulk upload to write to sqs

nhsconnect · Nov 26, 2024 · 9d0646d · 9d0646d
1 parent 0694f6a
commit 9d0646d
Show file tree

Hide file tree

Showing 9 changed files with 36 additions and 10 deletions.
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.73.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.66.0 |
 
 ## Modules
 
@@ -186,6 +186,7 @@
 | [aws_iam_policy.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_stream_stitch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.lambda_sqs_combined_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_document_data_policy_for_manifest_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_document_data_policy_for_stitch_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_document_data_policy_put_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -254,6 +255,7 @@
 | [aws_iam_policy_document.assume_role_policy_for_manifest_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.assume_role_policy_for_stitch_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.backup_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.combined_sqs_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecr_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecs-assume-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecs_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -278,7 +280,7 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_auth_session_dynamodb_table_name"></a> [auth\_session\_dynamodb\_table\_name](#input\_auth\_session\_dynamodb\_table\_name) | The name of dynamodb table to store user login sessions | `string` | `"AuthSessionReferenceMetadata"` | no |
 | <a name="input_auth_state_dynamodb_table_name"></a> [auth\_state\_dynamodb\_table\_name](#input\_auth\_state\_dynamodb\_table\_name) | The name of dynamodb table to store the state values (for CIS2 authorisation) | `string` | `"AuthStateReferenceMetadata"` | no |
-| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | This is a list that specifies all the Availability Zones that will have a pair of public and private subnets | `list(string)` | <pre>[<br/>  "eu-west-2a",<br/>  "eu-west-2b",<br/>  "eu-west-2c"<br/>]</pre> | no |
+| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | This is a list that specifies all the Availability Zones that will have a pair of public and private subnets | `list(string)` | <pre>[<br>  "eu-west-2a",<br>  "eu-west-2b",<br>  "eu-west-2c"<br>]</pre> | no |
 | <a name="input_bulk_upload_report_dynamodb_table_name"></a> [bulk\_upload\_report\_dynamodb\_table\_name](#input\_bulk\_upload\_report\_dynamodb\_table\_name) | The name of dynamodb table to store bulk upload status | `string` | `"BulkUploadReport"` | no |
 | <a name="input_certificate_domain"></a> [certificate\_domain](#input\_certificate\_domain) | n/a | `string` | n/a | yes |
 | <a name="input_certificate_subdomain_name_prefix"></a> [certificate\_subdomain\_name\_prefix](#input\_certificate\_subdomain\_name\_prefix) | Prefix to add to subdomains on certification configurations, dev envs use api-{env}, prod envs use api.{env} | `string` | `"api-"` | no |
@@ -305,6 +307,7 @@
 | <a name="input_mesh_shared_key_ssm_param_name"></a> [mesh\_shared\_key\_ssm\_param\_name](#input\_mesh\_shared\_key\_ssm\_param\_name) | Name of SSM parameter containing MESH shared key | `string` | n/a | yes |
 | <a name="input_mesh_url"></a> [mesh\_url](#input\_mesh\_url) | URL of MESH service | `string` | n/a | yes |
 | <a name="input_message_destination"></a> [message\_destination](#input\_message\_destination) | n/a | `string` | `"sns"` | no |
+| <a name="input_nrl_api_endpoint"></a> [nrl\_api\_endpoint](#input\_nrl\_api\_endpoint) | n/a | `string` | `"api.service.nhs.uk/record-locator/producer/FHIR/R4/DocumentReference"` | no |
 | <a name="input_nrl_api_endpoint_suffix"></a> [nrl\_api\_endpoint\_suffix](#input\_nrl\_api\_endpoint\_suffix) | n/a | `string` | `"api.service.nhs.uk/record-locator/producer/FHIR/R4/DocumentReference"` | no |
 | <a name="input_num_private_subnets"></a> [num\_private\_subnets](#input\_num\_private\_subnets) | Sets the number of private subnets, one per availability zone | `number` | `3` | no |
 | <a name="input_num_public_subnets"></a> [num\_public\_subnets](#input\_num\_public\_subnets) | Sets the number of public subnets, one per availability zone | `number` | `3` | no |

diff --git a/infrastructure/lambda-bulk-upload.tf b/infrastructure/lambda-bulk-upload.tf
@@ -5,14 +5,13 @@ module "bulk-upload-lambda" {
   iam_role_policies = [
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
+    module.ndr-app-config.app_config_policy_arn,
+    aws_iam_policy.ssm_access_policy.arn,
+    aws_iam_policy.lambda_sqs_combined_policy.arn,
     module.ndr-bulk-staging-store.s3_object_access_policy,
     module.ndr-lloyd-george-store.s3_object_access_policy,
     module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
     module.bulk_upload_report_dynamodb_table.dynamodb_policy,
-    module.sqs-lg-bulk-upload-metadata-queue.sqs_policy,
-    module.sqs-lg-bulk-upload-invalid-queue.sqs_policy,
-    aws_iam_policy.ssm_access_policy.arn,
-    module.ndr-app-config.app_config_policy_arn
   ]
   rest_api_id       = null
   api_execution_arn = null
@@ -29,6 +28,7 @@ module "bulk-upload-lambda" {
     METADATA_SQS_QUEUE_URL     = module.sqs-lg-bulk-upload-metadata-queue.sqs_url
     INVALID_SQS_QUEUE_URL      = module.sqs-lg-bulk-upload-invalid-queue.sqs_url
     PDS_FHIR_IS_STUBBED        = local.is_sandbox
+    NRL_SQS_URL                = module.sqs-nrl-queue.sqs_url
   }
 
   is_gateway_integration_needed  = false

diff --git a/infrastructure/modules/ecs/README.md b/infrastructure/modules/ecs/README.md
@@ -63,7 +63,7 @@ No modules.
 | <a name="input_ecs_task_definition_cpu"></a> [ecs\_task\_definition\_cpu](#input\_ecs\_task\_definition\_cpu) | n/a | `number` | `1024` | no |
 | <a name="input_ecs_task_definition_memory"></a> [ecs\_task\_definition\_memory](#input\_ecs\_task\_definition\_memory) | n/a | `number` | `2048` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
-| <a name="input_environment_vars"></a> [environment\_vars](#input\_environment\_vars) | n/a | `list` | <pre>[<br/>  null<br/>]</pre> | no |
+| <a name="input_environment_vars"></a> [environment\_vars](#input\_environment\_vars) | n/a | `list` | <pre>[<br>  null<br>]</pre> | no |
 | <a name="input_is_autoscaling_needed"></a> [is\_autoscaling\_needed](#input\_is\_autoscaling\_needed) | n/a | `bool` | `true` | no |
 | <a name="input_is_lb_needed"></a> [is\_lb\_needed](#input\_is\_lb\_needed) | n/a | `bool` | `false` | no |
 | <a name="input_is_service_needed"></a> [is\_service\_needed](#input\_is\_service\_needed) | n/a | `bool` | `true` | no |

diff --git a/infrastructure/modules/sqs/README.md b/infrastructure/modules/sqs/README.md
@@ -49,4 +49,5 @@ No modules.
 | <a name="output_sqs_arn"></a> [sqs\_arn](#output\_sqs\_arn) | n/a |
 | <a name="output_sqs_id"></a> [sqs\_id](#output\_sqs\_id) | n/a |
 | <a name="output_sqs_policy"></a> [sqs\_policy](#output\_sqs\_policy) | Arn for the iam policy for accessing this queue |
+| <a name="output_sqs_policy_json"></a> [sqs\_policy\_json](#output\_sqs\_policy\_json) | JSON for the iam policy for accessing this queue |
 | <a name="output_sqs_url"></a> [sqs\_url](#output\_sqs\_url) | n/a |
diff --git a/infrastructure/modules/sqs/main.tf b/infrastructure/modules/sqs/main.tf
@@ -22,7 +22,6 @@ resource "aws_iam_policy" "sqs_queue_policy" {
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
-      "Sid"    = "shsqsstatement",
       "Effect" = "Allow",
       "Action" = [
         "sqs:SendMessage",

diff --git a/infrastructure/modules/sqs/variable.tf b/infrastructure/modules/sqs/variable.tf
@@ -93,6 +93,11 @@ output "sqs_policy" {
   description = "Arn for the iam policy for accessing this queue"
 }
 
+output "sqs_policy_json" {
+  value       = aws_iam_policy.sqs_queue_policy.policy
+  description = "JSON for the iam policy for accessing this queue"
+}
+
 output "sqs_url" {
   value = aws_sqs_queue.sqs_queue.url
-}
+}
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
@@ -17,3 +17,17 @@ resource "aws_iam_policy" "ssm_access_policy" {
     ]
   })
 }
+
+data "aws_iam_policy_document" "combined_sqs_policies" {
+  source_policy_documents = [
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_policy_json,
+    module.sqs-lg-bulk-upload-invalid-queue.sqs_policy_json,
+    module.sqs-nrl-queue.sqs_policy_json
+  ]
+}
+
+resource "aws_iam_policy" "lambda_sqs_combined_policy" {
+  name        = "${terraform.workspace}-lambda-sqs-combined-policy"
+  description = "Combined SQS policies for Lambda"
+  policy      = data.aws_iam_policy_document.combined_sqs_policies.json
+}
diff --git a/infrastructure/variable.tf b/infrastructure/variable.tf
@@ -235,6 +235,10 @@ locals {
   current_account_id = data.aws_caller_identity.current.account_id
 }
 
+variable "nrl_api_endpoint" {
+  default = "api.service.nhs.uk/record-locator/producer/FHIR/R4/DocumentReference"
+}
+
 variable "nrl_api_endpoint_suffix" {
   default = "api.service.nhs.uk/record-locator/producer/FHIR/R4/DocumentReference"
 }
diff --git a/virusscanner/terraform/README.md b/virusscanner/terraform/README.md
@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.43.0 |
 
 ## Modules