Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PRMP-935 new lambda-generate-stitch-record #199

Merged
merged 15 commits into from
Oct 29, 2024
Merged

PRMP-935 new lambda-generate-stitch-record #199

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
aac8fdb
PRMP-935 new lambda-generate-stitch-record.tf
NogaNHS Oct 3, 2024
4c65bc3
PRMP-935 change resource name
NogaNHS Oct 3, 2024
2502dfa
PRMP-935 add miss env var
NogaNHS Oct 7, 2024
611b0ea
PRMP-935 add permissions
NogaNHS Oct 7, 2024
a3ab4ca
PRMP-935 add nhs number to table index
NogaNHS Oct 8, 2024
d02d42c
PRMP-935 add TTL to dyamno and remove jobId
NogaNHS Oct 8, 2024
2d213c0
PRMP-935 add dynamo query permissions
NogaNHS Oct 8, 2024
2b7a56b
PRMP-935 add dynamo to delete lambda
NogaNHS Oct 8, 2024
57dcf6f
PRMP-935 add dynamo to stitch lambda
NogaNHS Oct 8, 2024
3ba9d10
PRMP-935 change naming according to PR comments
NogaNHS Oct 9, 2024
9351a1a
PRMP-935 change naming according to PR comments
NogaNHS Oct 9, 2024
ea69dbd
PRMP-935 renaming tf resource
NogaNHS Oct 9, 2024
a6bb244
PRMP-935 add stitch permission to create lambda
NogaNHS Oct 9, 2024
4f90679
PRMP-935 add depends_on
NogaNHS Oct 15, 2024
b1e188e
PRMP-935 pr comments
NogaNHS Oct 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 12 additions & 4 deletions infrastructure/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.66.0 |

## Modules

Expand Down Expand Up @@ -67,6 +67,9 @@
| <a name="module_generate-document-manifest-alarm"></a> [generate-document-manifest-alarm](#module\_generate-document-manifest-alarm) | ./modules/lambda_alarms | n/a |
| <a name="module_generate-document-manifest-alarm-topic"></a> [generate-document-manifest-alarm-topic](#module\_generate-document-manifest-alarm-topic) | ./modules/sns | n/a |
| <a name="module_generate-document-manifest-lambda"></a> [generate-document-manifest-lambda](#module\_generate-document-manifest-lambda) | ./modules/lambda | n/a |
| <a name="module_generate-lloyd-george-stitch-alarm"></a> [generate-lloyd-george-stitch-alarm](#module\_generate-lloyd-george-stitch-alarm) | ./modules/lambda_alarms | n/a |
| <a name="module_generate-lloyd-george-stitch-alarm-topic"></a> [generate-lloyd-george-stitch-alarm-topic](#module\_generate-lloyd-george-stitch-alarm-topic) | ./modules/sns | n/a |
| <a name="module_generate-lloyd-george-stitch-lambda"></a> [generate-lloyd-george-stitch-lambda](#module\_generate-lloyd-george-stitch-lambda) | ./modules/lambda | n/a |
| <a name="module_lambda-layer-core"></a> [lambda-layer-core](#module\_lambda-layer-core) | ./modules/lambda_layers | n/a |
| <a name="module_lambda-layer-data"></a> [lambda-layer-data](#module\_lambda-layer-data) | ./modules/lambda_layers | n/a |
| <a name="module_lloyd-george-stitch-gateway"></a> [lloyd-george-stitch-gateway](#module\_lloyd-george-stitch-gateway) | ./modules/gateway | n/a |
Expand Down Expand Up @@ -120,6 +123,7 @@
| <a name="module_statistical-report-lambda"></a> [statistical-report-lambda](#module\_statistical-report-lambda) | ./modules/lambda | n/a |
| <a name="module_statistical-reports-store"></a> [statistical-reports-store](#module\_statistical-reports-store) | ./modules/s3/ | n/a |
| <a name="module_statistics_dynamodb_table"></a> [statistics\_dynamodb\_table](#module\_statistics\_dynamodb\_table) | ./modules/dynamo_db | n/a |
| <a name="module_stitch_metadata_reference_dynamodb_table"></a> [stitch\_metadata\_reference\_dynamodb\_table](#module\_stitch\_metadata\_reference\_dynamodb\_table) | ./modules/dynamo_db | n/a |
| <a name="module_update-upload-state-gateway"></a> [update-upload-state-gateway](#module\_update-upload-state-gateway) | ./modules/gateway | n/a |
| <a name="module_update-upload-state-lambda"></a> [update-upload-state-lambda](#module\_update-upload-state-lambda) | ./modules/lambda | n/a |
| <a name="module_update_upload_state_alarm"></a> [update\_upload\_state\_alarm](#module\_update\_upload\_state\_alarm) | ./modules/lambda_alarms | n/a |
Expand Down Expand Up @@ -175,7 +179,8 @@
| [aws_iam_policy.cloudwatch_log_query_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.copy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.dynamodb_policy_scan_bulk_report](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.dynamodb_stream_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.dynamodb_stream_stitch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.s3_document_data_policy_for_manifest_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.s3_document_data_policy_for_stitch_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
Expand Down Expand Up @@ -205,13 +210,15 @@
| [aws_iam_role_policy_attachment.policy_audit_search-patient-details-lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.policy_audit_token_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.policy_generate_manifest_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.policy_generate_stitch_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.policy_manifest_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.restore_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_cross_account_restore_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_restore_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_lambda_event_source_mapping.bulk_upload_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
| [aws_lambda_event_source_mapping.dynamodb_stream_event_mapping](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
| [aws_lambda_event_source_mapping.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
| [aws_lambda_event_source_mapping.dynamodb_stream_stitch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
| [aws_lambda_event_source_mapping.nems_message_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
| [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
Expand Down Expand Up @@ -265,7 +272,7 @@
|------|-------------|------|---------|:--------:|
| <a name="input_auth_session_dynamodb_table_name"></a> [auth\_session\_dynamodb\_table\_name](#input\_auth\_session\_dynamodb\_table\_name) | The name of dynamodb table to store user login sessions | `string` | `"AuthSessionReferenceMetadata"` | no |
| <a name="input_auth_state_dynamodb_table_name"></a> [auth\_state\_dynamodb\_table\_name](#input\_auth\_state\_dynamodb\_table\_name) | The name of dynamodb table to store the state values (for CIS2 authorisation) | `string` | `"AuthStateReferenceMetadata"` | no |
| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | This is a list that specifies all the Availability Zones that will have a pair of public and private subnets | `list(string)` | <pre>[<br/> "eu-west-2a",<br/> "eu-west-2b",<br/> "eu-west-2c"<br/>]</pre> | no |
| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | This is a list that specifies all the Availability Zones that will have a pair of public and private subnets | `list(string)` | <pre>[<br> "eu-west-2a",<br> "eu-west-2b",<br> "eu-west-2c"<br>]</pre> | no |
| <a name="input_bulk_upload_report_dynamodb_table_name"></a> [bulk\_upload\_report\_dynamodb\_table\_name](#input\_bulk\_upload\_report\_dynamodb\_table\_name) | The name of dynamodb table to store bulk upload status | `string` | `"BulkUploadReport"` | no |
| <a name="input_certificate_domain"></a> [certificate\_domain](#input\_certificate\_domain) | n/a | `string` | n/a | yes |
| <a name="input_certificate_subdomain_name_prefix"></a> [certificate\_subdomain\_name\_prefix](#input\_certificate\_subdomain\_name\_prefix) | Prefix to add to subdomains on certification configurations, dev envs use api-{env}, prod envs use api.{env} | `string` | `"api-"` | no |
Expand Down Expand Up @@ -302,6 +309,7 @@
| <a name="input_standalone_vpc_tag"></a> [standalone\_vpc\_tag](#input\_standalone\_vpc\_tag) | This is the tag assigned to the standalone vpc that should be created manaully before the first run of the infrastructure | `string` | n/a | yes |
| <a name="input_statistical_reports_bucket_name"></a> [statistical\_reports\_bucket\_name](#input\_statistical\_reports\_bucket\_name) | The name of S3 bucket to store weekly generated statistical reports | `string` | `"statistical-reports"` | no |
| <a name="input_statistics_dynamodb_table_name"></a> [statistics\_dynamodb\_table\_name](#input\_statistics\_dynamodb\_table\_name) | The name of dynamodb table to store application statistics | `string` | `"ApplicationStatistics"` | no |
| <a name="input_stitch_metadata_dynamodb_table_name"></a> [stitch\_metadata\_dynamodb\_table\_name](#input\_stitch\_metadata\_dynamodb\_table\_name) | n/a | `string` | `"LloydGeorgeStitchJobMetadata"` | no |
| <a name="input_zip_store_bucket_name"></a> [zip\_store\_bucket\_name](#input\_zip\_store\_bucket\_name) | n/a | `string` | `"zip-request-store"` | no |
| <a name="input_zip_store_dynamodb_table_name"></a> [zip\_store\_dynamodb\_table\_name](#input\_zip\_store\_dynamodb\_table\_name) | n/a | `string` | `"ZipStoreReferenceMetadata"` | no |

Expand Down
32 changes: 32 additions & 0 deletions infrastructure/dynamo_db.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,38 @@ module "zip_store_reference_dynamodb_table" {
owner = var.owner
}

module "stitch_metadata_reference_dynamodb_table" {
source = "./modules/dynamo_db"
table_name = var.stitch_metadata_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = local.is_production
stream_enabled = true
ttl_enabled = true
ttl_attribute_name = "ExpireAt"

attributes = [
{
name = "ID"
type = "S"
},
{
name = "NhsNumber"
type = "S"
}
]

global_secondary_indexes = [
{
name = "NhsNumberIndex"
hash_key = "NhsNumber"
projection_type = "ALL"
}
]

environment = var.environment
owner = var.owner
}

module "auth_state_dynamodb_table" {
source = "./modules/dynamo_db"
table_name = var.auth_state_dynamodb_table_name
Expand Down
25 changes: 14 additions & 11 deletions infrastructure/lambda-create-doc-ref.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ module "create-doc-ref-lambda" {
handler = "handlers.create_document_reference_handler.lambda_handler"
iam_role_policies = [
module.document_reference_dynamodb_table.dynamodb_policy,
module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
module.ndr-bulk-staging-store.s3_object_access_policy,
module.ndr-lloyd-george-store.s3_object_access_policy,
Expand All @@ -82,16 +83,17 @@ module "create-doc-ref-lambda" {
http_methods = ["POST"]
api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
lambda_environment_variables = {
STAGING_STORE_BUCKET_NAME = "${terraform.workspace}-${var.staging_store_bucket_name}"
APPCONFIG_APPLICATION = module.ndr-app-config.app_config_application_id
APPCONFIG_ENVIRONMENT = module.ndr-app-config.app_config_environment_id
APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
DOCUMENT_STORE_BUCKET_NAME = "${terraform.workspace}-${var.docstore_bucket_name}"
DOCUMENT_STORE_DYNAMODB_NAME = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
PDS_FHIR_IS_STUBBED = local.is_sandbox,
WORKSPACE = terraform.workspace
PRESIGNED_ASSUME_ROLE = aws_iam_role.create_post_presign_url_role.arn
STAGING_STORE_BUCKET_NAME = "${terraform.workspace}-${var.staging_store_bucket_name}"
APPCONFIG_APPLICATION = module.ndr-app-config.app_config_application_id
APPCONFIG_ENVIRONMENT = module.ndr-app-config.app_config_environment_id
APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
DOCUMENT_STORE_BUCKET_NAME = "${terraform.workspace}-${var.docstore_bucket_name}"
chrisbloe marked this conversation as resolved.
Show resolved Hide resolved
DOCUMENT_STORE_DYNAMODB_NAME = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
PDS_FHIR_IS_STUBBED = local.is_sandbox,
WORKSPACE = terraform.workspace
PRESIGNED_ASSUME_ROLE = aws_iam_role.create_post_presign_url_role.arn
}
depends_on = [
aws_api_gateway_rest_api.ndr_doc_store_api,
Expand All @@ -101,6 +103,7 @@ module "create-doc-ref-lambda" {
module.create-doc-ref-gateway,
module.ndr-app-config,
module.lloyd_george_reference_dynamodb_table,
module.document_reference_dynamodb_table
module.document_reference_dynamodb_table,
module.stitch_metadata_reference_dynamodb_table
]
}
17 changes: 10 additions & 7 deletions infrastructure/lambda-delete-doc-ref.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,23 +72,26 @@ module "delete-doc-ref-lambda" {
module.ndr-lloyd-george-store.s3_object_access_policy,
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
module.ndr-app-config.app_config_policy_arn
module.ndr-app-config.app_config_policy_arn,
module.stitch_metadata_reference_dynamodb_table.dynamodb_policy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we missing a depends on for these?

]
rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
resource_id = module.delete-doc-ref-gateway.gateway_resource_id
http_methods = ["DELETE"]
api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
lambda_environment_variables = {
APPCONFIG_APPLICATION = module.ndr-app-config.app_config_application_id
APPCONFIG_ENVIRONMENT = module.ndr-app-config.app_config_environment_id
APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
DOCUMENT_STORE_DYNAMODB_NAME = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
WORKSPACE = terraform.workspace
APPCONFIG_APPLICATION = module.ndr-app-config.app_config_application_id
APPCONFIG_ENVIRONMENT = module.ndr-app-config.app_config_environment_id
APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
DOCUMENT_STORE_DYNAMODB_NAME = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
WORKSPACE = terraform.workspace
}
depends_on = [
aws_api_gateway_rest_api.ndr_doc_store_api,
module.document_reference_dynamodb_table,
module.stitch_metadata_reference_dynamodb_table,
module.delete-doc-ref-gateway,
module.ndr-app-config
]
Expand Down
9 changes: 5 additions & 4 deletions infrastructure/lambda-generate-document-manifest.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ module "generate-document-manifest-lambda" {
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
module.ndr-app-config.app_config_policy_arn,
aws_iam_policy.dynamodb_stream_policy.arn
aws_iam_policy.dynamodb_stream_manifest.arn
]
rest_api_id = null
api_execution_arn = null
Expand All @@ -78,11 +78,12 @@ module "generate-document-manifest-lambda" {
module.zip_store_reference_dynamodb_table,
module.ndr-zip-request-store,
module.ndr-document-store,
module.ndr-lloyd-george-store
module.ndr-lloyd-george-store,
aws_iam_policy.dynamodb_stream_manifest
]
}

resource "aws_iam_policy" "dynamodb_stream_policy" {
resource "aws_iam_policy" "dynamodb_stream_manifest" {
name = "${terraform.workspace}_dynamodb_stream_to_manifest_policy"

policy = jsonencode({
Expand All @@ -103,7 +104,7 @@ resource "aws_iam_role_policy_attachment" "policy_generate_manifest_lambda" {
policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
}

resource "aws_lambda_event_source_mapping" "dynamodb_stream_event_mapping" {
resource "aws_lambda_event_source_mapping" "dynamodb_stream_manifest" {
event_source_arn = module.zip_store_reference_dynamodb_table.dynamodb_stream_arn
function_name = module.generate-document-manifest-lambda.lambda_arn
batch_size = 1
Expand Down
Loading
Loading