Merge branch 'PRMP-1416' of https://github.com/nhsconnect/national-do…

…cument-repository-infrastructure into PRMP-1416
nhsconnect · Jan 21, 2025 · 84ec468 · 84ec468
2 parents 40ce8a6 + de45e7e
commit 84ec468
Show file tree

Hide file tree

Showing 5 changed files with 157 additions and 63 deletions.
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.77.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.66.0 |
 
 ## Modules
 
@@ -49,6 +49,9 @@
 | <a name="module_data-collection-lambda"></a> [data-collection-lambda](#module\_data-collection-lambda) | ./modules/lambda | n/a |
 | <a name="module_delete-doc-ref-gateway"></a> [delete-doc-ref-gateway](#module\_delete-doc-ref-gateway) | ./modules/gateway | n/a |
 | <a name="module_delete-doc-ref-lambda"></a> [delete-doc-ref-lambda](#module\_delete-doc-ref-lambda) | ./modules/lambda | n/a |
+| <a name="module_delete-document-object-alarm"></a> [delete-document-object-alarm](#module\_delete-document-object-alarm) | ./modules/lambda_alarms | n/a |
+| <a name="module_delete-document-object-alarm-topic"></a> [delete-document-object-alarm-topic](#module\_delete-document-object-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_delete-document-object-lambda"></a> [delete-document-object-lambda](#module\_delete-document-object-lambda) | ./modules/lambda | n/a |
 | <a name="module_delete_doc_alarm"></a> [delete\_doc\_alarm](#module\_delete\_doc\_alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_delete_doc_alarm_topic"></a> [delete\_doc\_alarm\_topic](#module\_delete\_doc\_alarm\_topic) | ./modules/sns | n/a |
 | <a name="module_document-manifest-job-gateway"></a> [document-manifest-job-gateway](#module\_document-manifest-job-gateway) | ./modules/gateway | n/a |
@@ -175,8 +178,12 @@
 | [aws_backup_vault.backup_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_metadata_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_rule.data_collection_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_rule.statistical_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_metadata_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_event_target.data_collection_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_event_target.statistical_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.mesh_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_metric_filter.error_log_metric_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
 | [aws_cloudwatch_log_metric_filter.inbox_message_count](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
@@ -191,6 +198,7 @@
 | [aws_iam_policy.cloudwatch_log_query_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.copy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_policy_scan_bulk_report](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.dynamodb_stream_delete_object_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_stream_stitch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.kms_mns_lambda_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -216,6 +224,14 @@
 | [aws_iam_role.sns_failure_feedback_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.splunk_sqs_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.stitch_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.ecs_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.mesh_ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.mesh_kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.mesh_logs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.mesh_sns_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.mesh_ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.sns_failure_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.splunk_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.create_post_presign_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cross_account_backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -225,6 +241,15 @@
 | [aws_iam_role_policy_attachment.lambda_stitch-lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.manifest_presign_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.nrl_get_doc_presign_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_app_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_cloudwatch_log_query_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_document_reference_dynamodb_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_document_store](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_lloyd_george_reference_dynamodb_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_lloyd_george_store](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_ssm_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_statistical_reports_store](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ods_weekly_statistics_dynamodb_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ods_weekly_update_ecs_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.policy_audit_search-patient-details-lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.policy_audit_token_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -237,13 +262,17 @@
 | [aws_iam_role_policy_attachment.s3_restore_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.stitch_presign_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_event_source_mapping.bulk_upload_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
+| [aws_lambda_event_source_mapping.document_reference_dynamodb_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.dynamodb_stream_manifest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.dynamodb_stream_stitch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
+| [aws_lambda_event_source_mapping.lloyd_george_dynamodb_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.mns_notification_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.nems_message_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.nrl_pointer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.statistical_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_lifecycle_configuration.doc-store-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.lg-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |

diff --git a/infrastructure/api.tf b/infrastructure/api.tf
@@ -154,7 +154,7 @@ module "api_endpoint_url_ssm_parameter" {
   name                = "api_endpoint"
   description         = "api endpoint url for ${var.environment}"
   resource_depends_on = aws_api_gateway_deployment.ndr_api_deploy
-  value               = aws_api_gateway_deployment.ndr_api_deploy.invoke_url
+  value               = "https://${aws_api_gateway_base_path_mapping.api_mapping.domain_name}"
   type                = "SecureString"
   owner               = var.owner
   environment         = var.environment

diff --git a/infrastructure/audit.tf b/infrastructure/audit.tf
@@ -18,28 +18,31 @@ resource "aws_iam_role" "splunk_sqs_forwarder" {
   name               = "${var.environment}_splunk_sqs_forwarder_role"
   description        = "Role to allow Repo to integrate with Splunk"
   assume_role_policy = data.aws_iam_policy_document.splunk_trust_policy.json
-  inline_policy {
-    name = "${var.environment}_splunk_access_policy"
-    policy = jsonencode({
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Effect = "Allow"
-          Action = [
-            "sqs:GetQueueAttributes",
-            "sqs:ListQueues",
-            "sqs:ReceiveMessage",
-            "sqs:GetQueueUrl",
-            "sqs:SendMessage",
-            "sqs:DeleteMessage"
-          ]
-          Resource = [
-            module.sqs-splunk-queue[0].sqs_arn,
-          ]
-        },
-      ]
-    })
-  }
+}
+
+resource "aws_iam_role_policy" "splunk_access_policy" {
+  name  = "${var.environment}_splunk_access_policy"
+  count = local.is_sandbox ? 0 : 1
+  role  = aws_iam_role.splunk_sqs_forwarder[0].id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "sqs:GetQueueAttributes",
+          "sqs:ListQueues",
+          "sqs:ReceiveMessage",
+          "sqs:GetQueueUrl",
+          "sqs:SendMessage",
+          "sqs:DeleteMessage"
+        ]
+        Resource = [
+          module.sqs-splunk-queue[0].sqs_arn,
+        ]
+      },
+    ]
+  })
 }
 
 resource "aws_iam_policy" "lambda_audit_splunk_sqs_queue_send_policy" {

diff --git a/infrastructure/ecs.tf b/infrastructure/ecs.tf
@@ -99,17 +99,6 @@ module "ndr-ecs-fargate-ods-update" {
 resource "aws_iam_role" "ods_weekly_update_task_role" {
   count = local.is_sandbox ? 0 : 1
   name  = "${terraform.workspace}_ods_weekly_update_task_role"
-  managed_policy_arns = [
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    aws_iam_policy.ssm_access_policy.arn,
-    module.statistics_dynamodb_table.dynamodb_policy,
-    module.statistical-reports-store.s3_object_access_policy,
-    module.ndr-app-config.app_config_policy_arn,
-    module.ndr-lloyd-george-store.s3_list_object_policy,
-    module.ndr-document-store.s3_list_object_policy,
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    aws_iam_policy.cloudwatch_log_query_policy.arn
-  ]
   assume_role_policy = jsonencode(
     {
       "Version" : "2012-10-17",
@@ -127,4 +116,58 @@ resource "aws_iam_role" "ods_weekly_update_task_role" {
       ]
     }
   )
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_lloyd_george_reference_dynamodb_table" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = module.lloyd_george_reference_dynamodb_table.dynamodb_policy
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_ssm_access_policy" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = aws_iam_policy.ssm_access_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_statistics_dynamodb_table" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = module.statistics_dynamodb_table.dynamodb_policy
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_statistical_reports_store" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = module.statistical-reports-store.s3_object_access_policy
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_app_config" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = module.ndr-app-config.app_config_policy_arn
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_lloyd_george_store" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = module.ndr-lloyd-george-store.s3_list_object_policy
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_document_store" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = module.ndr-document-store.s3_list_object_policy
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_document_reference_dynamodb_table" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = module.document_reference_dynamodb_table.dynamodb_policy
+}
+
+resource "aws_iam_role_policy_attachment" "ods_weekly_cloudwatch_log_query_policy" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.ods_weekly_update_task_role[0].name
+  policy_arn = aws_iam_policy.cloudwatch_log_query_policy.arn
 }