Merge pull request #46 from NHSDigital/feat/CCM-7938_MessagingInfra

Feat/CCM-7938 messaging infra

Author: aidenvaines-cgi

.github/actions/create-lines-of-code-report/action.yaml

@@ -32,7 +32,7 @@ runs:
       run: zip lines-of-code-report.json.zip lines-of-code-report.json
     - name: "Upload CLOC report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: lines-of-code-report.json.zip
         path: ./lines-of-code-report.json.zip

.github/actions/scan-dependencies/action.yaml

@@ -32,7 +32,7 @@ runs:
       run: zip sbom-repository-report.json.zip sbom-repository-report.json
     - name: "Upload SBOM report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: sbom-repository-report.json.zip
         path: ./sbom-repository-report.json.zip
@@ -47,7 +47,7 @@ runs:
       run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
     - name: "Upload vulnerabilities report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: vulnerabilities-repository-report.json.zip
         path: ./vulnerabilities-repository-report.json.zip

.gitignore

@@ -10,4 +10,4 @@ version.json
 *.code-workspace
 !project.code-workspace
 
-# Please, add your custom content below!
+infrastructure/modules/eventpub/lambda/*.zip

infrastructure/modules/eventpub/cloudwatch_log_group_kinesis_data_firehose.tf

@@ -0,0 +1,14 @@
+resource "aws_cloudwatch_log_group" "kinesis_data_firehose" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name              = "/aws/firehose/${local.csi}"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}
+
+resource "aws_cloudwatch_log_stream" "kinesis_data_firehose_extended_s3" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name           = "extended_s3"
+  log_group_name = aws_cloudwatch_log_group.kinesis_data_firehose[0].name
+}

infrastructure/modules/eventpub/cloudwatch_log_group_lambda.tf

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "lambda" {
+  name              = "/aws/lambda/${local.csi}"
+  retention_in_days = var.log_retention_in_days
+  kms_key_id        = var.kms_key_arn
+}

infrastructure/modules/eventpub/cloudwatch_log_group_sns_delivery_logging_failure.tf

@@ -0,0 +1,9 @@
+resource "aws_cloudwatch_log_group" "sns_delivery_logging_failure" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}/Failure
+  # (for failure logs)
+  name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}/Failure"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/modules/eventpub/cloudwatch_log_group_sns_delivery_logging_success.tf

@@ -0,0 +1,9 @@
+resource "aws_cloudwatch_log_group" "sns_delivery_logging_success" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}/Failure
+  # (for failure logs)
+  name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/modules/eventpub/data_archive_file_lambda.tf

@@ -0,0 +1,12 @@
+data "archive_file" "lambda" {
+  type        = "zip"
+  source_dir  = "${path.module}/lambda/eventpub/src"
+  output_path = "${path.module}/lambda/eventpub.zip"
+  excludes = [
+    # NodeJS Exclusions
+    "**/__tests__",
+    "**/node_modules",
+    "**/package.json",
+    "**/package-lock.json",
+  ]
+}

infrastructure/modules/eventpub/iam_policy_sns_delivery_logging_cloudwatch.tf

@@ -0,0 +1,44 @@
+resource "aws_iam_policy" "sns_delivery_logging_cloudwatch" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  name        = "${local.csi}-${var.name}-sns-delivery"
+  description = "Policy for ${local.csi}-${var.name} SNS Delivery Logging"
+  policy      = data.aws_iam_policy_document.sns_delivery_logging_cloudwatch[0].json
+}
+
+data "aws_iam_policy_document" "sns_delivery_logging_cloudwatch" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  statement {
+    sid    = "KMSCloudwatchKeyAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      var.kms_key_arn
+    ]
+  }
+
+  statement {
+    sid    = "AllowSNSDeliveryNotifications"
+    effect = "Allow"
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:PutMetricFilter",
+      "logs:PutRetentionPolicy",
+    ]
+
+    resources = [
+      aws_cloudwatch_log_group.sns_delivery_logging_success[0].arn,
+      "${aws_cloudwatch_log_group.sns_delivery_logging_success[0].arn}:log-stream:*",
+      aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn,
+      "${aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn}:log-stream:*",
+    ]
+  }
+}

infrastructure/modules/eventpub/iam_role_firehose_role.tf

@@ -0,0 +1,59 @@
+resource "aws_iam_role" "firehose_role" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name               = "${local.csi}-firehose-role"
+  assume_role_policy = data.aws_iam_policy_document.firehose_assume_role[0].json
+}
+
+data "aws_iam_policy_document" "firehose_assume_role" {
+  count = var.enable_event_cache ? 1 : 0
+
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["firehose.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "s3_write_object" {
+  count = var.enable_event_cache ? 1 : 0
+
+  role       = aws_iam_role.firehose_role[0].name
+  policy_arn = aws_iam_policy.s3_write_object[0].arn
+}
+
+resource "aws_iam_policy" "s3_write_object" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name        = "${local.csi}-${var.name}-s3-write-object"
+  description = "S3 Put Object policy for ${local.csi}-${var.name} Firehose"
+  policy      = data.aws_iam_policy_document.s3_write_object[0].json
+}
+
+data "aws_iam_policy_document" "s3_write_object" {
+  count = var.enable_event_cache ? 1 : 0
+
+  statement {
+    sid    = "AllowWriteObject"
+    effect = "Allow"
+
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:PutObject",
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_event_cache[0].arn}/*",
+    ]
+  }
+}