Feature/ccm 12950 transform publish updates

infrastructure/terraform/components/api/event_source_mapping_mi_updates.tf

@@ -1,11 +1,11 @@
 resource "aws_lambda_event_source_mapping" "mi_updates_transformer_kinesis" {
-  event_source_arn                     = aws_kinesis_stream.mi_change_stream.arn
-  function_name                        = module.mi_updates_transformer.function_arn
-  starting_position                    = "LATEST"
-  batch_size                           = 10
-  maximum_batching_window_in_seconds   = 1
+  event_source_arn                   = aws_kinesis_stream.mi_change_stream.arn
+  function_name                      = module.mi_updates_transformer.function_arn
+  starting_position                  = "LATEST"
+  batch_size                         = 10
+  maximum_batching_window_in_seconds = 1
 
   depends_on = [
-    module.mi_updates_transformer    # ensures updates transformer exists
+    module.mi_updates_transformer # ensures updates transformer exists
   ]
 }

infrastructure/terraform/components/api/lambda_event_source_mapping_letter_status_update.tf

@@ -0,0 +1,9 @@
+resource "aws_lambda_event_source_mapping" "letter_status_update" {
+  event_source_arn                   = module.letter_status_updates_queue.sqs_queue_arn
+  function_name                      = module.letter_status_update.function_name
+  batch_size                         = 10
+  maximum_batching_window_in_seconds = 5
+  function_response_types = [
+    "ReportBatchItemFailures"
+  ]
+}

infrastructure/terraform/components/api/locals.tf

@@ -27,6 +27,8 @@ locals {
     SUPPLIER_ID_HEADER       = "nhsd-supplier-id",
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60
+    SNS_TOPIC_ARN            = "${module.eventsub.eventsub_topic.arn}",
+    EVENT_SOURCE             = "/data-plane/supplier-api/${var.group}/${var.environment}/letters"
   }
 
   core_pdf_bucket_arn        = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"

infrastructure/terraform/components/api/module_lambda_letter_status_update.tf

@@ -59,7 +59,6 @@ data "aws_iam_policy_document" "letter_status_update" {
     actions = [
       "dynamodb:GetItem",
       "dynamodb:Query",
-      "dynamodb:UpdateItem",
     ]
 
     resources = [
@@ -82,4 +81,17 @@ data "aws_iam_policy_document" "letter_status_update" {
       module.letter_status_updates_queue.sqs_queue_arn
     ]
   }
+
+  statement {
+    sid    = "AllowSNSPublish"
+    effect = "Allow"
+
+    actions = [
+      "sns:Publish"
+    ]
+
+    resources = [
+      module.eventsub.eventsub_topic.arn
+    ]
+  }
 }

infrastructure/terraform/components/api/module_lambda_letter_updates_transformer.tf

@@ -36,7 +36,7 @@ module "letter_updates_transformer" {
 
   lambda_env_vars = merge(local.common_lambda_env_vars, {
     EVENTPUB_SNS_TOPIC_ARN = "${module.eventpub.sns_topic.arn}",
-    EVENT_SOURCE = "/data-plane/supplier-api/${var.group}/${var.environment}/letters"
+    EVENT_SOURCE           = "/data-plane/supplier-api/${var.group}/${var.environment}/letters"
   })
 }
 

infrastructure/terraform/components/api/module_sqs_letter_updates.tf

@@ -38,7 +38,7 @@ data "aws_iam_policy_document" "letter_updates_queue_policy" {
     condition {
       test     = "ArnEquals"
       variable = "aws:SourceArn"
-      values   = [module.eventsub.sns_topic.arn]
+      values   = [module.eventsub.eventsub_topic.arn]
     }
   }
 
@@ -65,7 +65,7 @@ data "aws_iam_policy_document" "letter_updates_queue_policy" {
     condition {
       test     = "ArnEquals"
       variable = "aws:SourceArn"
-      values   = [module.eventsub.sns_topic.arn]
+      values   = [module.eventsub.eventsub_topic.arn]
     }
   }
 }

infrastructure/terraform/components/api/modules_eventsub.tf

@@ -22,7 +22,7 @@ module "eventsub" {
   sns_success_logging_sample_percent = var.sns_success_logging_sample_percent
 
   event_cache_expiry_days = 30
-  enable_event_cache                 = var.enable_event_cache
+  enable_event_cache      = var.enable_event_cache
 
   shared_infra_account_id = var.shared_infra_account_id
 }

infrastructure/terraform/components/api/sns_topic_subscription_eventsub_sqs_letter_updates.tf

@@ -1,5 +1,5 @@
 resource "aws_sns_topic_subscription" "eventsub_sqs_letter_updates" {
-  topic_arn = module.eventsub.sns_topic.arn
+  topic_arn = module.eventsub.eventsub_topic.arn
   protocol  = "sqs"
   endpoint  = module.sqs_letter_updates.sqs_queue_arn
 }

infrastructure/terraform/modules/eventsub/README.md

@@ -39,8 +39,9 @@
 
 | Name | Description |
 |------|-------------|
+| <a name="output_amendments_topic"></a> [amendments\_topic](#output\_amendments\_topic) | Amendments SNS Topic ARN and Name |
+| <a name="output_eventsub_topic"></a> [eventsub\_topic](#output\_eventsub\_topic) | SNS Topic ARN and Name |
 | <a name="output_s3_bucket_event_cache"></a> [s3\_bucket\_event\_cache](#output\_s3\_bucket\_event\_cache) | S3 Bucket ARN and Name for event cache |
-| <a name="output_sns_topic"></a> [sns\_topic](#output\_sns\_topic) | SNS Topic ARN and Name |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->

infrastructure/terraform/modules/eventsub/cloudwatch_metric_alarm_sns_delivery_failures.tf

@@ -11,6 +11,23 @@ resource "aws_cloudwatch_metric_alarm" "sns_delivery_failures" {
   treat_missing_data  = "notBreaching"
 
   dimensions = {
-    TopicName = aws_sns_topic.main.name
+    TopicName = aws_sns_topic.eventsub_topic.name
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "amendments_delivery_failures" {
+  alarm_name          = "${local.csi}-amendments-sns-delivery-failures"
+  alarm_description   = "RELIABILITY: Alarm for amendments SNS topic delivery failures"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "NumberOfNotificationsFailed"
+  namespace           = "AWS/SNS"
+  period              = 300
+  statistic           = "Sum"
+  threshold           = 0
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    TopicName = aws_sns_topic.amendments_topic.name
   }
 }

infrastructure/terraform/modules/eventsub/iam_role_firehose_role.tf

@@ -1,8 +1,8 @@
 resource "aws_iam_role" "firehose_role" {
   count = var.enable_event_cache ? 1 : 0
 
-  name                 = "${local.csi}-firehose-role"
-  assume_role_policy   = data.aws_iam_policy_document.firehose_assume_role[0].json
+  name               = "${local.csi}-firehose-role"
+  assume_role_policy = data.aws_iam_policy_document.firehose_assume_role[0].json
 }
 
 data "aws_iam_policy_document" "firehose_assume_role" {

infrastructure/terraform/modules/eventsub/iam_role_sns.tf

@@ -1,6 +1,6 @@
 resource "aws_iam_role" "sns_role" {
-  name                 = "${local.csi}-sns-role"
-  assume_role_policy   = data.aws_iam_policy_document.sns_assume_role.json
+  name               = "${local.csi}-sns-role"
+  assume_role_policy = data.aws_iam_policy_document.sns_assume_role.json
 }
 
 resource "aws_iam_policy" "firehose_delivery" {

infrastructure/terraform/modules/eventsub/iam_role_sns_delivery_logging.tf

@@ -1,8 +1,8 @@
 resource "aws_iam_role" "sns_delivery_logging_role" {
   count = var.enable_sns_delivery_logging ? 1 : 0
 
-  name                 = "${local.csi}-sns-delivery-logging"
-  assume_role_policy   = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
+  name               = "${local.csi}-sns-delivery-logging"
+  assume_role_policy = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
 }
 
 data "aws_iam_policy_document" "sns_delivery_logging_assume_role" {

infrastructure/terraform/modules/eventsub/module_s3bucket_event_cache.tf

@@ -48,7 +48,7 @@ module "s3bucket_event_cache" {
   }
 
   default_tags = {
-    Name = "Event Cache Storage"
+    Name                       = "Event Cache Storage"
     NHSE-Enable-S3-Backup-Acct = "True"
   }
 }

infrastructure/terraform/modules/eventsub/moved.tf

@@ -0,0 +1,11 @@
+# Moved blocks to handle resource renames without destroy/recreate
+
+moved {
+  from = aws_sns_topic.main
+  to   = aws_sns_topic.eventsub_topic
+}
+
+moved {
+  from = aws_sns_topic_policy.main
+  to   = aws_sns_topic_policy.eventsub_topic
+}

infrastructure/terraform/modules/eventsub/outputs.tf

@@ -1,8 +1,16 @@
-output "sns_topic" {
+output "eventsub_topic" {
   description = "SNS Topic ARN and Name"
   value = {
-    arn  = aws_sns_topic.main.arn
-    name = aws_sns_topic.main.name
+    arn  = aws_sns_topic.eventsub_topic.arn
+    name = aws_sns_topic.eventsub_topic.name
+  }
+}
+
+output "amendments_topic" {
+  description = "Amendments SNS Topic ARN and Name"
+  value = {
+    arn  = aws_sns_topic.amendments_topic.arn
+    name = aws_sns_topic.amendments_topic.name
   }
 }
 

infrastructure/terraform/modules/eventsub/sns_topic_eventsub.tf

@@ -0,0 +1,49 @@
+resource "aws_sns_topic" "eventsub_topic" {
+  name              = local.csi
+  kms_master_key_id = var.kms_key_arn
+
+  application_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  application_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  application_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  firehose_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  firehose_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  firehose_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  http_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  http_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  http_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  lambda_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  lambda_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  lambda_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  sqs_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  sqs_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  sqs_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+}
+
+resource "aws_sns_topic" "amendments_topic" {
+  name              = "${local.csi}-amendments"
+  kms_master_key_id = var.kms_key_arn
+
+  application_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  application_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  application_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  firehose_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  firehose_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  firehose_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  http_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  http_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  http_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  lambda_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  lambda_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  lambda_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  sqs_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  sqs_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  sqs_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+}