lambda-bulk-upload-metadata-processor.tf
# Bulk-upload metadata processor, deployed through the shared ./modules/lambda
# wrapper. It is granted read/write on the bulk staging bucket, the bulk-upload
# report table and the metadata / expedite queues, plus write on the document
# review queue. It is not fronted by API Gateway.
module "bulk-upload-metadata-processor-lambda" {
  source         = "./modules/lambda"
  name           = "BulkUploadMetadataProcessor"
  handler        = "handlers.bulk_upload_metadata_processor_handler.lambda_handler"
  lambda_timeout = 900 # seconds (15 minutes)

  # No API Gateway integration for this function.
  rest_api_id                   = null
  api_execution_arn             = null
  is_gateway_integration_needed = false
  is_invoked_from_gateway       = false

  # Policy documents attached to the execution role. List order is kept as
  # originally declared in case the wrapper module indexes into it.
  iam_role_policy_documents = [
    module.ndr-bulk-staging-store.s3_read_policy_document,
    module.ndr-bulk-staging-store.s3_write_policy_document,
    module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
    module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
    module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
    module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
    module.lg-bulk-upload-expedite-metadata-queue.sqs_read_policy_document,
    module.lg-bulk-upload-expedite-metadata-queue.sqs_write_policy_document,
    module.document_review_queue.sqs_write_policy_document,
    module.ndr-app-config.app_config_policy,
    aws_iam_policy.ssm_access_policy.policy,
    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
  ]

  # The function is only placed inside the VPC when the virus-scanner
  # security-group lookup resolves to exactly one group. With zero or several
  # matches both lists are empty and the function is deployed outside the VPC
  # with no security groups attached.
  vpc_subnet_ids         = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? module.ndr-vpc-ui.private_subnets : []
  vpc_security_group_ids = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? [data.aws_security_groups.virus_scanner_api.ids[0]] : []

  lambda_environment_variables = {
    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
    WORKSPACE               = terraform.workspace

    # Resource names are workspace-prefixed; buckets use "-", tables use "_".
    STAGING_STORE_BUCKET_NAME  = join("-", [terraform.workspace, var.staging_store_bucket_name])
    BULK_UPLOAD_DYNAMODB_NAME  = join("_", [terraform.workspace, var.bulk_upload_report_dynamodb_table_name])
    LLOYD_GEORGE_BUCKET_NAME   = join("-", [terraform.workspace, var.lloyd_george_bucket_name])
    LLOYD_GEORGE_DYNAMODB_NAME = join("_", [terraform.workspace, var.lloyd_george_dynamodb_table_name])

    METADATA_SQS_QUEUE_URL = module.sqs-lg-bulk-upload-metadata-queue.sqs_url
    EXPEDITE_SQS_QUEUE_URL = module.lg-bulk-upload-expedite-metadata-queue.sqs_url
    REVIEW_SQS_QUEUE_URL   = module.document_review_queue.sqs_url

    # Real virus scanning is only enforced in production; every other workspace
    # runs with the scanner stubbed out.
    VIRUS_SCAN_STUB = local.is_production ? false : true
  }
}
# Lambda alarms for the metadata processor (shared lambda_alarms module), with
# both alarm and recovery notifications routed to the topic declared below.
module "bulk-upload-metadata-processor-alarm" {
  source = "./modules/lambda_alarms"

  lambda_name          = "bulk_upload_metadata_processor_handler"
  lambda_function_name = module.bulk-upload-metadata-processor-lambda.function_name
  lambda_timeout       = module.bulk-upload-metadata-processor-lambda.timeout
  namespace            = "AWS/Lambda"

  alarm_actions = [module.bulk-upload-metadata-processor-alarm-topic.arn]
  ok_actions    = [module.bulk-upload-metadata-processor-alarm-topic.arn]

  depends_on = [
    module.bulk-upload-metadata-processor-lambda,
    module.bulk-upload-metadata-processor-alarm-topic,
  ]
}
# Encrypted SNS topic that receives the processor's alarm notifications.
# Subscribers are the e-mail addresses from the cloud-security notification
# SSM parameter; sandbox workspaces get no subscribers.
module "bulk-upload-metadata-processor-alarm-topic" {
source = "./modules/sns"
sns_encryption_key_id = module.sns_encryption_key.id
topic_name = "bulk-upload-metadata-processor-topic"
topic_protocol = "email"
is_topic_endpoint_list = true
# nonsensitive() strips the sensitive marking from the SSM value so the
# comma-separated list can be split into endpoints; the addresses will
# therefore show up in plan output.
topic_endpoint_list = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
# NOTE(review): the document below is shaped like a topic *access* policy
# (Principal / Action / Condition / Resource), not an SNS delivery (retry)
# policy — confirm the ./modules/sns input named delivery_policy is applied
# as the topic policy.
delivery_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "cloudwatch.amazonaws.com"
},
"Action" : [
"SNS:Publish",
],
# Only CloudWatch alarms from this account may publish. The region is
# hard-coded to eu-west-2; alarms in any other region would be rejected.
"Condition" : {
"ArnLike" : {
"aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
}
}
# No comma is needed above: HCL accepts a newline as the separator between
# object attributes. Resource "*" is presumably narrowed to the topic by
# the module — verify.
"Resource" : "*"
}
]
})
depends_on = [module.bulk-upload-metadata-processor-lambda, module.sns_encryption_key]
}
# EventBridge rule matching S3 "Object Created" notifications for non-empty
# objects under the expedite/ prefix of the bulk staging bucket.
resource "aws_cloudwatch_event_rule" "bulk_upload_metadata_processor_lambda_expedite" {
  name        = join("-", [terraform.workspace, "staging-bulk-store-expedite-folder-object-created-rule"])
  description = "Trigger bulk_upload_metadata_processor_lambda when a file is added to the expedite/ folder in the staging-bulk-store bucket"

  event_pattern = jsonencode({
    "source"      = ["aws.s3"]
    "detail-type" = ["Object Created"]
    "detail" = {
      "bucket" = {
        "name" = [module.ndr-bulk-staging-store.bucket_id]
      }
      "object" = {
        # Prefix match on the object key; the size guard drops zero-byte
        # objects (e.g. folder placeholders) so they never trigger the function.
        "key"  = [{ "prefix" = "expedite/" }]
        "size" = [{ "numeric" = [">", 0] }]
      }
    }
  })

  depends_on = [module.ndr-bulk-staging-store]
}
# Routes events matched by the expedite rule to the metadata processor Lambda.
resource "aws_cloudwatch_event_target" "bulk_upload_metadata_processor_lambda" {
  target_id = "bulk-upload-metadata-processor-lambda"
  rule      = aws_cloudwatch_event_rule.bulk_upload_metadata_processor_lambda_expedite.name
  arn       = module.bulk-upload-metadata-processor-lambda.lambda_arn

  depends_on = [module.bulk-upload-metadata-processor-lambda, aws_cloudwatch_event_rule.bulk_upload_metadata_processor_lambda_expedite]
}
# Resource-based permission letting EventBridge invoke the function. source_arn
# pins the grant to this one rule, so no other rule (or account) can use it.
resource "aws_lambda_permission" "bulk_upload_metadata_processor_lambda_expedite" {
  statement_id  = "AllowEventBridgeInvoke"
  principal     = "events.amazonaws.com"
  action        = "lambda:InvokeFunction"
  function_name = module.bulk-upload-metadata-processor-lambda.function_name
  source_arn    = aws_cloudwatch_event_rule.bulk_upload_metadata_processor_lambda_expedite.arn

  depends_on = [module.bulk-upload-metadata-processor-lambda, aws_cloudwatch_event_rule.bulk_upload_metadata_processor_lambda_expedite]
}
# Alarm on the custom ExpediteUploadValidationFailed metric: fires when the
# hourly Sum is greater than zero. Not created in sandbox workspaces.
resource "aws_cloudwatch_metric_alarm" "bulk_upload_metadata_processor_expedite_validation_failed" {
  count = local.is_sandbox ? 0 : 1

  alarm_name        = join("-", [terraform.workspace, "bulk-upload-metadata-processor-expedite-validation-failed"])
  alarm_description = "Alarm when expedite upload validation fails in the bulk upload metadata processor lambda."

  namespace           = "NDRInsights"
  metric_name         = "ExpediteUploadValidationFailed"
  statistic           = "Sum"
  period              = 3600 # one hour, in seconds
  evaluation_periods  = 1
  comparison_operator = "GreaterThanThreshold"
  threshold           = 0
  # An empty period means no failures were recorded, not that the alarm
  # should trip.
  treat_missing_data = "notBreaching"

  # NOTE(review): notifications go to sqs_alarm_lambda_topic, while depends_on
  # below names bulk-upload-metadata-processor-alarm-topic — confirm which
  # topic is intended and drop the other reference.
  alarm_actions = [module.sqs_alarm_lambda_topic.arn]

  tags = {
    Name         = join("-", [terraform.workspace, "bulk-upload-metadata-processor-expedite-validation-failed"])
    severity     = "medium"
    alarm_group  = join("-", [terraform.workspace, "bulk-upload-metadata-processor"])
    alarm_metric = "ExpediteUploadValidationFailed"
    is_kpi       = "false"
  }

  # The metric filter is referenced by name/namespace only, so an explicit
  # dependency is what orders it before the alarm.
  depends_on = [
    aws_cloudwatch_log_metric_filter.bulk_upload_metadata_processor_expedite_validation_failed,
    module.bulk-upload-metadata-processor-alarm-topic,
  ]
}