CCM-10257: Implement Eventpub in Core

Author: jamesthompson26-nhs

infrastructure/modules/eventpub/README.md

@@ -11,6 +11,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_alarm_prefixes"></a> [alarm\_prefixes](#input\_alarm\_prefixes) | Object containing prefixes for alarm descriptions, e.g. 'RELIABILITY:', 'SECURITY:', 'PERFORMANCE:' | <pre>object({<br/>    dlq          = string<br/>    sns_delivery = string<br/>    lambda       = string<br/>  })</pre> | <pre>{<br/>  "dlq": null,<br/>  "lambda": null,<br/>  "sns_delivery": null<br/>}</pre> | no |
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The name of the terraformscaffold component calling this module | `string` | n/a | yes |
 | <a name="input_control_plane_bus_arn"></a> [control\_plane\_bus\_arn](#input\_control\_plane\_bus\_arn) | Data plane event bus arn | `string` | n/a | yes |
@@ -22,6 +23,7 @@
 | <a name="input_event_cache_buffer_interval"></a> [event\_cache\_buffer\_interval](#input\_event\_cache\_buffer\_interval) | The buffer interval for data firehose | `number` | `500` | no |
 | <a name="input_event_cache_expiry_days"></a> [event\_cache\_expiry\_days](#input\_event\_cache\_expiry\_days) | s3 archiving expiry in days | `number` | `30` | no |
 | <a name="input_group"></a> [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
+| <a name="input_iam_permissions_boundary_arn"></a> [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key arn to use for this function | `string` | n/a | yes |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"WARN"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events generated by the lambda function | `number` | n/a | yes |

infrastructure/modules/eventpub/cloudwatch_metric_alarm_dlq_alarm.tf

@@ -1,6 +1,6 @@
 resource "aws_cloudwatch_metric_alarm" "dlq_alarm" {
   alarm_name          = "${local.csi}-dlq-messages-alarm"
-  alarm_description   = "Alarm for messages in the DLQ"
+  alarm_description   = "${var.alarm_prefixes.dlq} Alarm for messages in the DLQ"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 1
   metric_name         = "ApproximateNumberOfMessagesVisible"

infrastructure/modules/eventpub/cloudwatch_metric_alarm_lambda_errors.tf

@@ -0,0 +1,17 @@
+resource "aws_cloudwatch_metric_alarm" "lambda_errors" {
+  alarm_name          = "${local.csi}-lambda-errors-alarm"
+  alarm_description   = "${var.alarm_prefixes.lambda} Alarm for Lambda function errors"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = 1
+  metric_name         = "Errors"
+  namespace           = "AWS/Lambda"
+  period              = 300
+  statistic           = "Sum"
+  threshold           = 1
+  actions_enabled     = true
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    FunctionName = aws_lambda_function.main.function_name
+  }
+}

infrastructure/modules/eventpub/cloudwatch_metric_alarm_sns_delivery_failures.tf

@@ -0,0 +1,16 @@
+resource "aws_cloudwatch_metric_alarm" "sns_delivery_failures" {
+  alarm_name          = "${local.csi}-sns-delivery-failures"
+  alarm_description   = "${var.alarm_prefixes.sns_delivery} Alarm when SNS topic ${aws_sns_topic.main.name} has delivery failures"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "NumberOfNotificationsFailed"
+  namespace           = "AWS/SNS"
+  period              = 300
+  statistic           = "Sum"
+  threshold           = 0
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    TopicName = aws_sns_topic.main.name
+  }
+}

infrastructure/modules/eventpub/iam_role_firehose_role.tf

@@ -1,8 +1,9 @@
 resource "aws_iam_role" "firehose_role" {
   count = var.enable_event_cache ? 1 : 0
 
-  name               = "${local.csi}-firehose-role"
-  assume_role_policy = data.aws_iam_policy_document.firehose_assume_role[0].json
+  name                 = "${local.csi}-firehose-role"
+  assume_role_policy   = data.aws_iam_policy_document.firehose_assume_role[0].json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 data "aws_iam_policy_document" "firehose_assume_role" {

infrastructure/modules/eventpub/iam_role_lambda.tf

@@ -1,6 +1,7 @@
 resource "aws_iam_role" "lambda" {
-  name               = local.csi
-  assume_role_policy = data.aws_iam_policy_document.lambda_assumerole.json
+  name                 = local.csi
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assumerole.json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 resource "aws_iam_policy" "lambda" {

infrastructure/modules/eventpub/iam_role_sns.tf

@@ -1,6 +1,7 @@
 resource "aws_iam_role" "sns_role" {
-  name               = "${local.csi}-sns-role"
-  assume_role_policy = data.aws_iam_policy_document.sns_assume_role.json
+  name                 = "${local.csi}-sns-role"
+  assume_role_policy   = data.aws_iam_policy_document.sns_assume_role.json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 resource "aws_iam_policy" "firehose_delivery" {

infrastructure/modules/eventpub/iam_role_sns_delivery_logging.tf

@@ -1,8 +1,9 @@
 resource "aws_iam_role" "sns_delivery_logging_role" {
   count = var.enable_sns_delivery_logging ? 1 : 0
 
-  name               = "${local.csi}-sns-delivery-logging"
-  assume_role_policy = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
+  name                 = "${local.csi}-sns-delivery-logging"
+  assume_role_policy   = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 data "aws_iam_policy_document" "sns_delivery_logging_assume_role" {

infrastructure/modules/eventpub/variables.tf

@@ -108,3 +108,23 @@ variable "control_plane_bus_arn" {
   type        = string
   description = "Data plane event bus arn"
 }
+
+variable "iam_permissions_boundary_arn" {
+  type        = string
+  description = "The ARN of the permissions boundary to use for the IAM role"
+  default     = null
+}
+
+variable "alarm_prefixes" {
+  type = object({
+    dlq          = string
+    sns_delivery = string
+    lambda       = string
+  })
+  description = "Object containing prefixes for alarm descriptions, e.g. 'RELIABILITY:', 'SECURITY:', 'PERFORMANCE:'"
+  default = {
+    dlq          = null
+    sns_delivery = null
+    lambda       = null
+  }
+}