diff --git a/infrastructure/README.md b/infrastructure/README.md
index 499607ce..615f880c 100644
--- a/infrastructure/README.md
+++ b/infrastructure/README.md
@@ -8,7 +8,7 @@
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 5.0 |
+| [aws](#provider\_aws) | 5.77.0 |
 ## Modules
@@ -163,12 +163,8 @@
 | [aws_backup_vault.backup_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_metadata_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
-| [aws_cloudwatch_event_rule.data_collection_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
-| [aws_cloudwatch_event_rule.statistical_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_metadata_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
-| [aws_cloudwatch_event_target.data_collection_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
-| [aws_cloudwatch_event_target.statistical_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.mesh_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_metric_filter.error_log_metric_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
 | [aws_cloudwatch_log_metric_filter.inbox_message_count](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
@@ -227,8 +223,6 @@
 | [aws_lambda_event_source_mapping.nrl_pointer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
-| [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
-| [aws_lambda_permission.statistical_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_lifecycle_configuration.doc-store-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.lg-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
diff --git a/infrastructure/lambda-authoriser.tf b/infrastructure/lambda-authoriser.tf
index 4d92fb87..b9c9129c 100644
--- a/infrastructure/lambda-authoriser.tf
+++ b/infrastructure/lambda-authoriser.tf
@@ -2,12 +2,11 @@ module "authoriser-lambda" {
 source = "./modules/lambda"
 name = "AuthoriserLambda"
 handler = "handlers.authoriser_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- aws_iam_policy.ssm_policy_authoriser.arn,
- module.auth_session_dynamodb_table.dynamodb_policy,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ aws_iam_policy.ssm_policy_authoriser.policy,
+ module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+ module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
diff --git a/infrastructure/lambda-back-channel-logout.tf b/infrastructure/lambda-back-channel-logout.tf
index 25504d7c..4a8cc773 100644
--- a/infrastructure/lambda-back-channel-logout.tf
+++ b/infrastructure/lambda-back-channel-logout.tf
@@ -23,12 +23,11 @@ module "back_channel_logout_lambda" {
 source = "./modules/lambda"
 name = "BackChannelLogoutHandler"
 handler = "handlers.back_channel_logout_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- aws_iam_policy.ssm_policy_oidc.arn,
- module.auth_session_dynamodb_table.dynamodb_policy,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ aws_iam_policy.ssm_policy_oidc.policy,
+ module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+ module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.back-channel-logout-gateway.gateway_resource_id
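Review bot: Every lambda in this diff now receives the write policy document alongside the read document for each table and bucket it touches, starting with `module.auth_session_dynamodb_table.dynamodb_write_policy_document` here, so unless the old `dynamodb_policy` and `s3_object_access_policy` outputs were already read+write this migration widens what each role can do rather than preserving it; the same pattern is in the back-channel-logout hunk just below and in every other lambda-*.tf hunk on this page. Per function, keep only the documents the handler actually needs — the split into separate read and write outputs is exactly what makes that possible now. The hunk also drops `AWSLambdaBasicExecutionRole` and `CloudWatchLambdaInsightsExecutionRolePolicy` from the caller; if `./modules/lambda` does not attach equivalents itself (not visible here), the function loses its CloudWatch Logs permissions and its log trail with them, so a comment such as `# basic execution and Insights policies are attached inside ./modules/lambda` above the list would make the intent checkable. The module block's closing brace is outside the hunk.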
diff --git a/infrastructure/lambda-bulk-upload-metadata.tf b/infrastructure/lambda-bulk-upload-metadata.tf
index 1ddb91a9..e161e2ff 100644
--- a/infrastructure/lambda-bulk-upload-metadata.tf
+++ b/infrastructure/lambda-bulk-upload-metadata.tf
@@ -3,12 +3,12 @@ module "bulk-upload-metadata-lambda" {
 name = "BulkUploadMetadataLambda"
 handler = "handlers.bulk_upload_metadata_handler.lambda_handler"
 lambda_timeout = 900
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-bulk-staging-store.s3_object_access_policy,
- module.sqs-lg-bulk-upload-metadata-queue.sqs_policy,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ module.ndr-bulk-staging-store.s3_read_policy_document,
+ module.ndr-bulk-staging-store.s3_write_policy_document,
+ module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
+ module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = null
diff --git a/infrastructure/lambda-bulk-upload-report.tf b/infrastructure/lambda-bulk-upload-report.tf
index 91076cb3..5fb04193 100644
--- a/infrastructure/lambda-bulk-upload-report.tf
+++ b/infrastructure/lambda-bulk-upload-report.tf
@@ -2,13 +2,13 @@ module "bulk-upload-report-lambda" {
 source = "./modules/lambda"
 name = "BulkUploadReportLambda"
 handler = "handlers.bulk_upload_report_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.statistical-reports-store.s3_object_access_policy,
- module.bulk_upload_report_dynamodb_table.dynamodb_policy,
- aws_iam_policy.dynamodb_policy_scan_bulk_report.arn,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ module.statistical-reports-store.s3_read_policy_document,
+ module.statistical-reports-store.s3_write_policy_document,
+ module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
+ module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
+ aws_iam_policy.dynamodb_policy_scan_bulk_report.policy,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = null
 api_execution_arn = null
diff --git a/infrastructure/lambda-bulk-upload.tf b/infrastructure/lambda-bulk-upload.tf
index 5f7f3de3..b37aaa01 100644
--- a/infrastructure/lambda-bulk-upload.tf
+++ b/infrastructure/lambda-bulk-upload.tf
@@ -2,17 +2,23 @@ module "bulk-upload-lambda" {
 source = "./modules/lambda"
 name = "BulkUploadLambda"
 handler = "handlers.bulk_upload_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-bulk-staging-store.s3_object_access_policy,
- module.ndr-lloyd-george-store.s3_object_access_policy,
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
- module.bulk_upload_report_dynamodb_table.dynamodb_policy,
- module.sqs-lg-bulk-upload-metadata-queue.sqs_policy,
- module.sqs-lg-bulk-upload-invalid-queue.sqs_policy,
- aws_iam_policy.ssm_access_policy.arn,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ module.ndr-bulk-staging-store.s3_read_policy_document,
+ module.ndr-bulk-staging-store.s3_write_policy_document,
+ module.ndr-lloyd-george-store.s3_read_policy_document,
+ module.ndr-lloyd-george-store.s3_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
+ module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
+ module.sqs-nrl-queue.sqs_read_policy_document,
+ module.sqs-nrl-queue.sqs_write_policy_document,
+ module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
+ module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
+ module.sqs-lg-bulk-upload-invalid-queue.sqs_read_policy_document,
+ module.sqs-lg-bulk-upload-invalid-queue.sqs_write_policy_document,
+ aws_iam_policy.ssm_access_policy.policy,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = null
 api_execution_arn = null
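Review bot: `module.sqs-nrl-queue.sqs_read_policy_document` gives this function receive/delete rights on the queue that `aws_lambda_event_source_mapping.nrl_pointer_lambda` consumes, while the only new use of that queue in this file is the `NRL_SQS_URL` variable added in the next hunk, which is what a sender needs; a producer is covered by `module.sqs-nrl-queue.sqs_write_policy_document` alone. Unless the handler also polls the NRL queue (nothing in this diff shows that), drop the read line so a fault here cannot drain messages meant for the pointer lambda. The same read+write pairing is applied to the metadata and invalid queues in this hunk, where the old `sqs_policy` output does not reveal which side of each queue this lambda sits on, so each pair deserves the same check.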
@@ -29,6 +35,7 @@ module "bulk-upload-lambda" {
 METADATA_SQS_QUEUE_URL = module.sqs-lg-bulk-upload-metadata-queue.sqs_url
 INVALID_SQS_QUEUE_URL = module.sqs-lg-bulk-upload-invalid-queue.sqs_url
 PDS_FHIR_IS_STUBBED = local.is_sandbox
+ NRL_SQS_URL = module.sqs-nrl-queue.sqs_url
 }
 is_gateway_integration_needed = false
@@ -44,7 +51,6 @@ module "bulk-upload-lambda" {
 module.lloyd_george_reference_dynamodb_table,
 module.bulk_upload_report_dynamodb_table,
 aws_iam_policy.ssm_access_policy,
- module.ndr-app-config
 ]
 }
diff --git a/infrastructure/lambda-create-doc-ref.tf b/infrastructure/lambda-create-doc-ref.tf
index 657749fe..fa25c634 100644
--- a/infrastructure/lambda-create-doc-ref.tf
+++ b/infrastructure/lambda-create-doc-ref.tf
@@ -66,21 +66,27 @@ module "create-doc-ref-lambda" {
 source = "./modules/lambda"
 name = "CreateDocRefLambda"
 handler = "handlers.create_document_reference_handler.lambda_handler"
- iam_role_policies = [
- module.document_reference_dynamodb_table.dynamodb_policy,
- module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
- module.ndr-bulk-staging-store.s3_object_access_policy,
- module.ndr-lloyd-george-store.s3_object_access_policy,
- module.ndr-document-store.s3_object_access_policy,
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- aws_iam_policy.ssm_access_policy.arn,
- module.ndr-app-config.app_config_policy_arn,
+ iam_role_policy_documents = [
+ module.ndr-bulk-staging-store.s3_read_policy_document,
+ module.ndr-bulk-staging-store.s3_write_policy_document,
+ module.ndr-lloyd-george-store.s3_write_policy_document,
+ module.ndr-lloyd-george-store.s3_read_policy_document,
+ module.ndr-document-store.s3_read_policy_document,
+ module.ndr-document-store.s3_write_policy_document,
+ module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ aws_iam_policy.ssm_access_policy.policy,
+ module.ndr-app-config.app_config_policy,
 ]
- rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
- resource_id = module.create-doc-ref-gateway.gateway_resource_id
- http_methods = ["POST"]
+ rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
+ resource_id = module.create-doc-ref-gateway.gateway_resource_id
+ http_methods = ["POST"]
+ memory_size = 512
+ api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
 lambda_environment_variables = {
 STAGING_STORE_BUCKET_NAME = "${terraform.workspace}-${var.staging_store_bucket_name}"
diff --git a/infrastructure/lambda-data-collection.tf b/infrastructure/lambda-data-collection.tf
index f68b6ed0..260f6d8e 100644
--- a/infrastructure/lambda-data-collection.tf
+++ b/infrastructure/lambda-data-collection.tf
@@ -45,16 +45,19 @@ module "data-collection-lambda" {
 name = "DataCollectionLambda"
 handler = "handlers.data_collection_handler.lambda_handler"
 lambda_timeout = 900
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn,
- module.statistics_dynamodb_table.dynamodb_policy,
- module.ndr-lloyd-george-store.s3_list_object_policy,
- module.ndr-document-store.s3_list_object_policy,
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
- module.document_reference_dynamodb_table.dynamodb_policy,
- aws_iam_policy.cloudwatch_log_query_policy.arn
+ iam_role_policy_documents = [
+ module.ndr-app-config.app_config_policy,
+ module.statistics_dynamodb_table.dynamodb_read_policy_document,
+ module.statistics_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-lloyd-george-store.s3_read_policy_document,
+ module.ndr-lloyd-george-store.s3_write_policy_document,
+ module.ndr-document-store.s3_read_policy_document,
+ module.ndr-document-store.s3_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+ aws_iam_policy.cloudwatch_log_query_policy.policy
 ]
 rest_api_id = null
 api_execution_arn = null
diff --git a/infrastructure/lambda-delete-doc-ref.tf b/infrastructure/lambda-delete-doc-ref.tf
index a10e5a16..6e20428c 100644
--- a/infrastructure/lambda-delete-doc-ref.tf
+++ b/infrastructure/lambda-delete-doc-ref.tf
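Review bot: `module.ndr-lloyd-george-store.s3_write_policy_document` and `module.ndr-document-store.s3_write_policy_document` replace the removed `s3_list_object_policy` outputs, so a job that previously could only list the two document buckets now holds object write access to them, and even the read documents go beyond listing. For a collection job the list-scoped output is the faithful replacement (or, at most, `s3_read_policy_document`); delete the two S3 write lines. The `dynamodb_write_policy_document` entries for `lloyd_george_reference_dynamodb_table` and `document_reference_dynamodb_table` deserve the same question, since a collector that only aggregates should not need to write the reference tables, though whether the handler writes them is not visible here.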
@@ -65,16 +65,20 @@ module "delete-doc-ref-lambda" {
 source = "./modules/lambda"
 name = "DeleteDocRefLambda"
 handler = "handlers.delete_document_reference_handler.lambda_handler"
- iam_role_policies = [
- module.document_reference_dynamodb_table.dynamodb_policy,
- module.ndr-document-store.s3_object_access_policy,
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
- module.ndr-lloyd-george-store.s3_object_access_policy,
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn,
- module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
- module.sqs-nrl-queue.sqs_policy
+ iam_role_policy_documents = [
+ module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-document-store.s3_read_policy_document,
+ module.ndr-document-store.s3_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-lloyd-george-store.s3_read_policy_document,
+ module.ndr-lloyd-george-store.s3_write_policy_document,
+ module.ndr-app-config.app_config_policy,
+ module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.sqs-nrl-queue.sqs_read_policy_document,
+ module.sqs-nrl-queue.sqs_write_policy_document
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.delete-doc-ref-gateway.gateway_resource_id
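Review bot: `module.sqs-nrl-queue.sqs_read_policy_document` and `module.sqs-nrl-queue.sqs_write_policy_document` are granted here while the next hunk (file line 92) removes `NRL_SQS_QUEUE_URL`, the only setting in this file that told the handler where that queue is; either the handler still reaches the queue through something not shown, or both SQS lines are now dead privilege and should be removed together with the variable. If sending is still required, the write document alone covers it — receive/delete on the queue consumed by `aws_lambda_event_source_mapping.nrl_pointer_lambda` is not something a delete handler needs. The rest of the module block is outside the hunk.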
@@ -88,7 +92,6 @@ module "delete-doc-ref-lambda" {
 LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
 STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
 WORKSPACE = terraform.workspace
- NRL_SQS_QUEUE_URL = module.sqs-nrl-queue.sqs_url
 }
 depends_on = [
 aws_api_gateway_rest_api.ndr_doc_store_api,
diff --git a/infrastructure/lambda-document-manifest-job.tf b/infrastructure/lambda-document-manifest-job.tf
index 736c1bde..94aec428 100644
--- a/infrastructure/lambda-document-manifest-job.tf
+++ b/infrastructure/lambda-document-manifest-job.tf
@@ -67,14 +67,16 @@ module "document-manifest-job-lambda" {
 name = "DocumentManifestJobLambda"
 handler = "handlers.document_manifest_job_handler.lambda_handler"
 lambda_timeout = 900
- iam_role_policies = [
- module.document_reference_dynamodb_table.dynamodb_policy,
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
- module.zip_store_reference_dynamodb_table.dynamodb_policy,
- module.ndr-zip-request-store.s3_object_access_policy,
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.zip_store_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.zip_store_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-zip-request-store.s3_read_policy_document,
+ module.ndr-zip-request-store.s3_write_policy_document,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.document-manifest-job-gateway.gateway_resource_id
diff --git a/infrastructure/lambda-feature-flags.tf b/infrastructure/lambda-feature-flags.tf
index 5b04353f..b5c7a36a 100644
--- a/infrastructure/lambda-feature-flags.tf
+++ b/infrastructure/lambda-feature-flags.tf
@@ -66,10 +66,8 @@ module "feature-flags-lambda" {
 source = "./modules/lambda"
 name = "FeatureFlagsLambda"
 handler = "handlers.feature_flags_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.feature-flags-gateway.gateway_resource_id
diff --git a/infrastructure/lambda-generate-document-manifest.tf b/infrastructure/lambda-generate-document-manifest.tf
index 49bd8987..0b90481f 100644
--- a/infrastructure/lambda-generate-document-manifest.tf
+++ b/infrastructure/lambda-generate-document-manifest.tf
@@ -46,15 +46,18 @@ module "generate-document-manifest-lambda" {
 handler = "handlers.generate_document_manifest_handler.lambda_handler"
 lambda_timeout = 900
 lambda_ephemeral_storage = 512
- iam_role_policies = [
- module.ndr-document-store.s3_object_access_policy,
- module.ndr-lloyd-george-store.s3_object_access_policy,
- module.zip_store_reference_dynamodb_table.dynamodb_policy,
- module.ndr-zip-request-store.s3_object_access_policy,
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn,
- aws_iam_policy.dynamodb_stream_manifest.arn
+ memory_size = 512
+ iam_role_policy_documents = [
+ module.ndr-document-store.s3_read_policy_document,
+ module.ndr-document-store.s3_write_policy_document,
+ module.ndr-lloyd-george-store.s3_read_policy_document,
+ module.ndr-lloyd-george-store.s3_write_policy_document,
+ module.zip_store_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.zip_store_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-zip-request-store.s3_read_policy_document,
+ module.ndr-zip-request-store.s3_write_policy_document,
+ module.ndr-app-config.app_config_policy,
+ aws_iam_policy.dynamodb_stream_manifest.policy
 ]
 rest_api_id = null
 api_execution_arn = null
diff --git a/infrastructure/lambda-generate-stitch-record.tf b/infrastructure/lambda-generate-stitch-record.tf
index 52ef3763..4733f5c1 100644
--- a/infrastructure/lambda-generate-stitch-record.tf
+++ b/infrastructure/lambda-generate-stitch-record.tf
@@ -47,15 +47,17 @@ module "generate-lloyd-george-stitch-lambda" {
 lambda_timeout = 900
 lambda_ephemeral_storage = 1024
 memory_size = 1769
- iam_role_policies = [
- module.ndr-document-store.s3_object_access_policy,
- module.ndr-lloyd-george-store.s3_object_access_policy,
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn,
- aws_iam_policy.dynamodb_stream_stitch_policy.arn,
- module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy
+ iam_role_policy_documents = [
+ module.ndr-document-store.s3_read_policy_document,
+ module.ndr-document-store.s3_write_policy_document,
+ module.ndr-lloyd-george-store.s3_read_policy_document,
+ module.ndr-lloyd-george-store.s3_write_policy_document,
+ module.ndr-app-config.app_config_policy,
+ aws_iam_policy.dynamodb_stream_stitch_policy.policy,
+ module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document
 ]
 rest_api_id = null
 api_execution_arn = null
diff --git a/infrastructure/lambda-lloyd-george-record-stitch.tf b/infrastructure/lambda-lloyd-george-record-stitch.tf
index ec93e75f..7bc36ed0 100644
--- a/infrastructure/lambda-lloyd-george-record-stitch.tf
+++ b/infrastructure/lambda-lloyd-george-record-stitch.tf
@@ -66,13 +66,14 @@ module "lloyd-george-stitch-lambda" {
 source = "./modules/lambda"
 name = "LloydGeorgeStitchLambda"
 handler = "handlers.lloyd_george_record_stitch_handler.lambda_handler"
- iam_role_policies = [
- module.ndr-lloyd-george-store.s3_object_access_policy,
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn,
- module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy
+ iam_role_policy_documents = [
+ module.ndr-lloyd-george-store.s3_read_policy_document,
+ module.ndr-lloyd-george-store.s3_write_policy_document,
+ module.ndr-app-config.app_config_policy,
+ module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.lloyd-george-stitch-gateway.gateway_resource_id
diff --git a/infrastructure/lambda-login-redirect.tf b/infrastructure/lambda-login-redirect.tf
index e88f8c1c..80d41233 100644
--- a/infrastructure/lambda-login-redirect.tf
+++ b/infrastructure/lambda-login-redirect.tf
@@ -19,12 +19,11 @@ module "login_redirect_lambda" {
 source = "./modules/lambda"
 name = "LoginRedirectHandler"
 handler = "handlers.login_redirect_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- aws_iam_policy.ssm_policy_oidc.arn,
- module.auth_state_dynamodb_table.dynamodb_policy,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ aws_iam_policy.ssm_policy_oidc.policy,
+ module.auth_state_dynamodb_table.dynamodb_read_policy_document,
+ module.auth_state_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = aws_api_gateway_resource.login_resource.id
diff --git a/infrastructure/lambda-logout.tf b/infrastructure/lambda-logout.tf
index 916d2a00..75b535e2 100644
--- a/infrastructure/lambda-logout.tf
+++ b/infrastructure/lambda-logout.tf
@@ -22,12 +22,11 @@ module "logout_lambda" {
 source = "./modules/lambda"
 name = "LogoutHandler"
 handler = "handlers.logout_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- aws_iam_policy.ssm_policy_oidc.arn,
- module.auth_session_dynamodb_table.dynamodb_policy,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ aws_iam_policy.ssm_policy_oidc.policy,
+ module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+ module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.logout-gateway.gateway_resource_id
diff --git a/infrastructure/lambda-manage-nrl-pointer.tf b/infrastructure/lambda-manage-nrl-pointer.tf
index 961d14f5..b46ab2b2 100644
--- a/infrastructure/lambda-manage-nrl-pointer.tf
+++ b/infrastructure/lambda-manage-nrl-pointer.tf
@@ -3,12 +3,11 @@ module "manage-nrl-pointer-lambda" {
 name = "ManageNrlPointerLambda"
 handler = "handlers.manage_nrl_pointer_handler.lambda_handler"
 lambda_timeout = 600
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn,
- module.sqs-nrl-queue.sqs_policy,
- aws_iam_policy.ssm_access_policy.arn
+ iam_role_policy_documents = [
+ module.ndr-app-config.app_config_policy,
+ module.sqs-nrl-queue.sqs_read_policy_document,
+ module.sqs-nrl-queue.sqs_write_policy_document,
+ aws_iam_policy.ssm_access_policy.policy
 ]
 rest_api_id = null
 api_execution_arn = null
@@ -22,6 +21,10 @@ module "manage-nrl-pointer-lambda" {
 }
 is_gateway_integration_needed = false
 is_invoked_from_gateway = false
+
+ depends_on = [
+ module.ndr-app-config
+ ]
 }
 module "manage-nrl-pointer-alarm" {
@@ -32,6 +35,7 @@ module "manage-nrl-pointer-alarm" {
 namespace = "AWS/Lambda"
 alarm_actions = [module.manage-nrl-pointer-alarm-topic.arn]
 ok_actions = [module.manage-nrl-pointer-alarm-topic.arn]
+ depends_on = [module.manage-nrl-pointer-lambda, module.manage-nrl-pointer-alarm-topic]
 }
 module "manage-nrl-pointer-alarm-topic" {
@@ -61,6 +65,8 @@ module "manage-nrl-pointer-alarm-topic" {
 }
 ]
 })
+
+ depends_on = [module.manage-nrl-pointer-lambda, module.sns_encryption_key]
 }
 resource "aws_lambda_event_source_mapping" "nrl_pointer_lambda" {
@@ -76,6 +82,15 @@ resource "aws_lambda_event_source_mapping" "nrl_pointer_lambda" {
 })
 }
 }
+
+ scaling_config {
+ maximum_concurrency = local.bulk_upload_lambda_concurrent_limit
+ }
+
+ depends_on = [
+ module.sqs-nrl-queue,
+ module.manage-nrl-pointer-lambda
+ ]
 }
diff --git a/infrastructure/lambda-nems-message.tf b/infrastructure/lambda-nems-message.tf
index 5a8f7d7a..123b67d0 100644
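Review bot: `module.sqs-nrl-queue.sqs_write_policy_document` gives the consumer of the NRL queue send rights on the queue it is fed from by `aws_lambda_event_source_mapping.nrl_pointer_lambda` in the last hunk; a consumer needs the read document (receive, delete, attributes) only, and send rights let a fault in the handler write back into its own input, so drop the write line unless the handler deliberately re-queues. In the last hunk, `maximum_concurrency = local.bulk_upload_lambda_concurrent_limit` couples this mapping's throttle to the bulk-upload limit; a dedicated local named for the pointer lambda would make that coupling explicit rather than accidental. The added `depends_on` lists on `module.manage-nrl-pointer-alarm`, `module.manage-nrl-pointer-alarm-topic` and the event source mapping name modules the blocks appear to reference already (`alarm_actions = [module.manage-nrl-pointer-alarm-topic.arn]`, for one); module-level `depends_on` can make Terraform defer those modules' outputs to apply time and widen plans, so it is worth confirming the explicit edges are needed.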
--- a/infrastructure/lambda-nems-message.tf
+++ b/infrastructure/lambda-nems-message.tf
@@ -4,12 +4,12 @@ module "nems-message-lambda" {
 name = "NemsMessageLambda"
 handler = "handlers.nems_message_handler.lambda_handler"
 lambda_timeout = 60
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
- module.sqs-nems-queue[0].sqs_policy,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.sqs-nems-queue[0].sqs_read_policy_document,
+ module.sqs-nems-queue[0].sqs_write_policy_document,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = null
 api_execution_arn = null
diff --git a/infrastructure/lambda-search-doc-references.tf b/infrastructure/lambda-search-doc-references.tf
index 5d0e9a3c..09e30e8a 100644
--- a/infrastructure/lambda-search-doc-references.tf
+++ b/infrastructure/lambda-search-doc-references.tf
@@ -67,12 +67,12 @@ module "search-document-references-lambda" {
 source = "./modules/lambda"
 name = "SearchDocumentReferencesLambda"
 handler = "handlers.document_reference_search_handler.lambda_handler"
- iam_role_policies = [
- module.document_reference_dynamodb_table.dynamodb_policy,
- module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+ module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.search-document-references-gateway.gateway_resource_id
diff --git a/infrastructure/lambda-search-patient.tf b/infrastructure/lambda-search-patient.tf
index 64a05c69..7466ebad 100644
--- a/infrastructure/lambda-search-patient.tf
+++ b/infrastructure/lambda-search-patient.tf
@@ -66,11 +66,9 @@ module "search-patient-details-lambda" {
 source = "./modules/lambda"
 name = "SearchPatientDetailsLambda"
 handler = "handlers.search_patient_details_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- aws_iam_policy.ssm_access_policy.arn,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ aws_iam_policy.ssm_access_policy.policy,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.search-patient-details-gateway.gateway_resource_id
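Review bot: `module.document_reference_dynamodb_table.dynamodb_write_policy_document` and `module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document` give a search handler reached through API Gateway write access to both reference tables; unless the handler updates records as part of a search (nothing in this hunk suggests it), remove the two write lines so the request-path role stays read-only on the tables. If a write really is needed, a comment naming the operation that needs it, e.g. `# write needed for <operation> — see handler`, would save the next reviewer the same question.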
diff --git a/infrastructure/lambda-send-feedback.tf b/infrastructure/lambda-send-feedback.tf
index 7c71cf03..042b4a8f 100644
--- a/infrastructure/lambda-send-feedback.tf
+++ b/infrastructure/lambda-send-feedback.tf
@@ -78,12 +78,10 @@ module "send-feedback-lambda" {
 source = "./modules/lambda"
 name = "SendFeedbackLambda"
 handler = "handlers.send_feedback_handler.lambda_handler"
- iam_role_policies = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
- aws_iam_policy.ssm_access_policy.arn,
- aws_iam_policy.ses_send_email_policy.arn,
- module.ndr-app-config.app_config_policy_arn
+ iam_role_policy_documents = [
+ aws_iam_policy.ssm_access_policy.policy,
+ aws_iam_policy.ses_send_email_policy.policy,
+ module.ndr-app-config.app_config_policy
 ]
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
 resource_id = module.send-feedback-gateway.gateway_resource_id
diff --git a/infrastructure/lambda-statistical-report.tf b/infrastructure/lambda-statistical-report.tf
index c7628c0a..35969240 100644
--- a/infrastructure/lambda-statistical-report.tf
+++ b/infrastructure/lambda-statistical-report.tf
@@ -45,13 +45,13 @@ module "statistical-report-lambda" { name = "StatisticalReportLambda" handler = "handlers.statistical_report_handler.lambda_handler" lambda_timeout = 900 - iam_role_policies = [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy", - module.ndr-app-config.app_config_policy_arn, - module.statistics_dynamodb_table.dynamodb_policy, - module.statistical-reports-store.s3_object_access_policy, - aws_iam_policy.cloudwatch_log_query_policy.arn + iam_role_policy_documents = [ + module.ndr-app-config.app_config_policy, + module.statistics_dynamodb_table.dynamodb_read_policy_document, + module.statistics_dynamodb_table.dynamodb_write_policy_document, + module.statistical-reports-store.s3_read_policy_document, + module.statistical-reports-store.s3_write_policy_document, + aws_iam_policy.cloudwatch_log_query_policy.policy ] rest_api_id = null api_execution_arn = null diff --git a/infrastructure/lambda-token.tf b/infrastructure/lambda-token.tf index 454b1165..7aa566d1 100644 --- a/infrastructure/lambda-token.tf +++ b/infrastructure/lambda-token.tf 
@@ -23,13 +23,13 @@ module "create-token-lambda" { source = "./modules/lambda" name = "TokenRequestHandler" handler = "handlers.token_handler.lambda_handler" - iam_role_policies = [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy", - aws_iam_policy.ssm_policy_token.arn, - module.auth_session_dynamodb_table.dynamodb_policy, - module.auth_state_dynamodb_table.dynamodb_policy, - module.ndr-app-config.app_config_policy_arn + iam_role_policy_documents = [ + aws_iam_policy.ssm_policy_token.policy, + module.auth_session_dynamodb_table.dynamodb_read_policy_document, + module.auth_session_dynamodb_table.dynamodb_write_policy_document, + module.auth_state_dynamodb_table.dynamodb_read_policy_document, + module.auth_state_dynamodb_table.dynamodb_write_policy_document, + module.ndr-app-config.app_config_policy ] rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id resource_id = module.create-token-gateway.gateway_resource_id diff --git a/infrastructure/lambda-update-upload-state.tf b/infrastructure/lambda-update-upload-state.tf index 96e98b5d..48ef2945 100644 --- a/infrastructure/lambda-update-upload-state.tf +++ b/infrastructure/lambda-update-upload-state.tf 
@@ -66,12 +66,12 @@ module "update-upload-state-lambda" { source = "./modules/lambda" name = "UpdateUploadStateLambda" handler = "handlers.update_upload_state_handler.lambda_handler" - iam_role_policies = [ - module.document_reference_dynamodb_table.dynamodb_policy, - module.lloyd_george_reference_dynamodb_table.dynamodb_policy, - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy", - module.ndr-app-config.app_config_policy_arn, + iam_role_policy_documents = [ + module.document_reference_dynamodb_table.dynamodb_read_policy_document, + module.document_reference_dynamodb_table.dynamodb_write_policy_document, + module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document, + module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document, + module.ndr-app-config.app_config_policy, ] rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id resource_id = module.update-upload-state-gateway.gateway_resource_id diff --git a/infrastructure/lambda-upload-confirm-result.tf b/infrastructure/lambda-upload-confirm-result.tf index e8ff1b2d..11b80c07 100644 --- a/infrastructure/lambda-upload-confirm-result.tf +++ b/infrastructure/lambda-upload-confirm-result.tf 
@@ -65,15 +65,18 @@ module "upload_confirm_result_lambda" { source = "./modules/lambda" name = "UploadConfirmResultLambda" handler = "handlers.upload_confirm_result_handler.lambda_handler" - iam_role_policies = [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy", - module.ndr-app-config.app_config_policy_arn, - module.ndr-bulk-staging-store.s3_object_access_policy, - module.ndr-document-store.s3_object_access_policy, - module.ndr-lloyd-george-store.s3_object_access_policy, - module.document_reference_dynamodb_table.dynamodb_policy, - module.lloyd_george_reference_dynamodb_table.dynamodb_policy, + iam_role_policy_documents = [ + module.ndr-app-config.app_config_policy, + module.ndr-bulk-staging-store.s3_read_policy_document, + module.ndr-bulk-staging-store.s3_write_policy_document, + module.ndr-document-store.s3_read_policy_document, + module.ndr-document-store.s3_write_policy_document, + module.ndr-lloyd-george-store.s3_read_policy_document, + module.ndr-lloyd-george-store.s3_write_policy_document, + module.document_reference_dynamodb_table.dynamodb_read_policy_document, + module.document_reference_dynamodb_table.dynamodb_write_policy_document, + module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document, + module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document, ] rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id resource_id = module.upload_confirm_result_gateway.gateway_resource_id diff --git a/infrastructure/lambda-virus-scan-result.tf b/infrastructure/lambda-virus-scan-result.tf index 5dfbf5be..527c4216 100644 --- a/infrastructure/lambda-virus-scan-result.tf +++ b/infrastructure/lambda-virus-scan-result.tf 
@@ -63,17 +63,19 @@ module "virus_scan_result_alarm_topic" { } module "virus_scan_result_lambda" { - source = "./modules/lambda" - name = "VirusScanResult" - handler = "handlers.virus_scan_result_handler.lambda_handler" - iam_role_policies = [ - module.ndr-bulk-staging-store.s3_object_access_policy, - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy", - module.ndr-app-config.app_config_policy_arn, - aws_iam_policy.ssm_access_policy.arn, - module.document_reference_dynamodb_table.dynamodb_policy, - module.lloyd_george_reference_dynamodb_table.dynamodb_policy, + source = "./modules/lambda" + name = "VirusScanResult" + handler = "handlers.virus_scan_result_handler.lambda_handler" + memory_size = 256 + iam_role_policy_documents = [ + module.ndr-bulk-staging-store.s3_read_policy_document, + module.ndr-bulk-staging-store.s3_write_policy_document, + module.ndr-app-config.app_config_policy, + aws_iam_policy.ssm_access_policy.policy, + module.document_reference_dynamodb_table.dynamodb_read_policy_document, + module.document_reference_dynamodb_table.dynamodb_write_policy_document, + module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document, + module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document, ] rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id resource_id = module.virus_scan_result_gateway.gateway_resource_id diff --git a/infrastructure/modules/app_config/README.md b/infrastructure/modules/app_config/README.md index d47d5250..d60e2fb7 100644 --- a/infrastructure/modules/app_config/README.md +++ b/infrastructure/modules/app_config/README.md 
@@ -23,6 +23,7 @@ No modules. | [aws_appconfig_environment.ndr-app-config-environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appconfig_environment) | resource | | [aws_appconfig_hosted_configuration_version.ndr-app-config-profile-version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appconfig_hosted_configuration_version) | resource | | [aws_iam_policy.app_config_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_document.app_config_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs @@ -40,4 +41,5 @@ No modules. | [app\_config\_application\_id](#output\_app\_config\_application\_id) | n/a | | [app\_config\_configuration\_profile\_id](#output\_app\_config\_configuration\_profile\_id) | n/a | | [app\_config\_environment\_id](#output\_app\_config\_environment\_id) | n/a | +| [app\_config\_policy](#output\_app\_config\_policy) | n/a | | [app\_config\_policy\_arn](#output\_app\_config\_policy\_arn) | n/a | diff --git a/infrastructure/modules/app_config/main.tf b/infrastructure/modules/app_config/main.tf index c26fa28a..d48381e6 100644 --- a/infrastructure/modules/app_config/main.tf +++ b/infrastructure/modules/app_config/main.tf @@ -95,4 +95,16 @@ resource "aws_iam_policy" "app_config_policy" { } ] }) +} + +data "aws_iam_policy_document" "app_config_policy" { + statement { + actions = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession" + ] + resources = [ + "arn:aws:appconfig:*:*:application/${aws_appconfig_application.ndr-app-config-application.id}/environment/${aws_appconfig_environment.ndr-app-config-environment.environment_id}/configuration/${aws_appconfig_configuration_profile.ndr-app-config-profile.configuration_profile_id}" + ] + } } \ No newline at end of file 
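Review bot: The new `data "aws_iam_policy_document" "app_config_policy"` restates an AppConfig grant (`appconfig:GetLatestConfiguration`, `appconfig:StartConfigurationSession`) that the existing `resource "aws_iam_policy" "app_config_policy"` immediately above presumably also encodes via `jsonencode` (its body is outside the hunk), so the module now carries two copies of the same permission that can drift apart. Pointing the resource at the data source, `policy = data.aws_iam_policy_document.app_config_policy.json`, makes both the `app_config_policy_arn` and the new `app_config_policy` outputs derive from a single statement. The resource ARN also leaves region and account as `*`; if the configuration only ever lives in the deploying account, substituting the caller's account id (e.g. from `data.aws_caller_identity`) narrows the grant to what is actually used. The enclosing `aws_iam_policy` resource starts outside the hunk.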
diff --git a/infrastructure/modules/app_config/output.tf b/infrastructure/modules/app_config/output.tf index c507877e..0c8d6a24 100644 --- a/infrastructure/modules/app_config/output.tf +++ b/infrastructure/modules/app_config/output.tf @@ -10,6 +10,10 @@ output "app_config_configuration_profile_id" { value = aws_appconfig_configuration_profile.ndr-app-config-profile.configuration_profile_id } +output "app_config_policy" { + value = data.aws_iam_policy_document.app_config_policy.json +} + output "app_config_policy_arn" { value = aws_iam_policy.app_config_policy.arn } \ No newline at end of file diff --git a/infrastructure/modules/dynamo_db/README.md b/infrastructure/modules/dynamo_db/README.md index 89e38e45..ebe8d1b2 100644 --- a/infrastructure/modules/dynamo_db/README.md +++ b/infrastructure/modules/dynamo_db/README.md @@ -18,6 +18,8 @@ No modules. |------|------| | [aws_dynamodb_table.ndr_dynamodb_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | | [aws_iam_policy.dynamodb_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_document.dynamodb_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.dynamodb_write_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs @@ -43,6 +45,8 @@ No modules. | Name | Description | |------|-------------| | [dynamodb\_policy](#output\_dynamodb\_policy) | n/a | +| [dynamodb\_read\_policy\_document](#output\_dynamodb\_read\_policy\_document) | n/a | | [dynamodb\_stream\_arn](#output\_dynamodb\_stream\_arn) | n/a | | [dynamodb\_table\_arn](#output\_dynamodb\_table\_arn) | n/a | +| [dynamodb\_write\_policy\_document](#output\_dynamodb\_write\_policy\_document) | n/a | | [table\_name](#output\_table\_name) | n/a | 
diff --git a/infrastructure/modules/dynamo_db/main.tf b/infrastructure/modules/dynamo_db/main.tf index be28431a..bcbbeb28 100644 --- a/infrastructure/modules/dynamo_db/main.tf +++ b/infrastructure/modules/dynamo_db/main.tf @@ -82,4 +82,42 @@ resource "aws_iam_policy" "dynamodb_policy" { ] : [] ) }) +} + +data "aws_iam_policy_document" "dynamodb_read_policy" { + statement { + effect = "Allow" + actions = [ + "dynamodb:Query", + "dynamodb:Scan", + "dynamodb:GetItem", + ] + resources = [ + aws_dynamodb_table.ndr_dynamodb_table.arn, + ] + } + + dynamic "statement" { + for_each = var.global_secondary_indexes + content { + effect = "Allow" + actions = ["dynamodb:Query"] + resources = ["${aws_dynamodb_table.ndr_dynamodb_table.arn}/index/${statement.value.name}"] + } + } +} + +data "aws_iam_policy_document" "dynamodb_write_policy" { + statement { + effect = "Allow" + actions = [ + "dynamodb:PutItem", + "dynamodb:UpdateItem", + "dynamodb:DeleteItem", + "dynamodb:BatchWriteItem" + ] + resources = [ + aws_dynamodb_table.ndr_dynamodb_table.arn, + ] + } } \ No newline at end of file diff --git a/infrastructure/modules/dynamo_db/output.tf b/infrastructure/modules/dynamo_db/output.tf index d80661f5..3c9a83f1 100644 --- a/infrastructure/modules/dynamo_db/output.tf +++ b/infrastructure/modules/dynamo_db/output.tf @@ -12,4 +12,12 @@ output "dynamodb_stream_arn" { output "table_name" { value = aws_dynamodb_table.ndr_dynamodb_table.id +} + +output "dynamodb_read_policy_document" { + value = data.aws_iam_policy_document.dynamodb_read_policy.json +} + +output "dynamodb_write_policy_document" { + value = data.aws_iam_policy_document.dynamodb_write_policy.json } \ No newline at end of file diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md index bdc3b9a2..16db8fc5 100644 --- a/infrastructure/modules/lambda/README.md +++ b/infrastructure/modules/lambda/README.md 
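Review bot: `dynamodb_read_policy` grants `dynamodb:Scan` on the whole table alongside `Query` and `GetItem`; for a table of patient document references Scan is the broadest read available, so if every consumer works by key or index it should be dropped or made opt-in, `actions = ["dynamodb:Query", "dynamodb:GetItem"]`. The hunk also leaves `resource "aws_iam_policy" "dynamodb_policy"` in place (its body ends at the top of the hunk), so the module now describes access to the same table in two places; a comment on the new data sources, `# Preferred over aws_iam_policy.dynamodb_policy; keep the two aligned until the managed policy is removed`, records that intent. Note that `BatchWriteItem` is in the write document while no `BatchGetItem` is in the read one — consistent only if no handler batch-reads, which is worth confirming against the callers.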
@@ -18,21 +18,25 @@ No modules. | Name | Type | |------|------| | [aws_api_gateway_integration.lambda_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration) | resource | +| [aws_iam_policy.combined_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.default_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.lambda_execution_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | | [aws_lambda_permission.lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | | [archive_file.lambda](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.merged_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [api\_execution\_arn](#input\_api\_execution\_arn) | n/a | `string` | n/a | yes | +| [default\_policies](#input\_default\_policies) | n/a | `list` |
[| no | | [handler](#input\_handler) | n/a | `string` | n/a | yes | | [http\_methods](#input\_http\_methods) | n/a | `list(string)` | `[]` | no | -| [iam\_role\_policies](#input\_iam\_role\_policies) | n/a | `list(string)` | n/a | yes | +| [iam\_role\_policy\_documents](#input\_iam\_role\_policy\_documents) | n/a | `list(string)` | `[]` | no | | [is\_gateway\_integration\_needed](#input\_is\_gateway\_integration\_needed) | Indicate whether the lambda need an aws\_api\_gateway\_integration resource block | `bool` | `true` | no | | [is\_invoked\_from\_gateway](#input\_is\_invoked\_from\_gateway) | Indicate whether the lambda is supposed to be invoked by API gateway. Should be true for authoriser lambda. | `bool` | `true` | no | | [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | n/a | `map(string)` | `{}` | no | diff --git a/infrastructure/modules/lambda/main.tf b/infrastructure/modules/lambda/main.tf index 16cb33e7..d2c973e6 100644 --- a/infrastructure/modules/lambda/main.tf +++ b/infrastructure/modules/lambda/main.tf @@ -60,10 +60,24 @@ resource "aws_iam_role" "lambda_execution_role" { assume_role_policy = data.aws_iam_policy_document.assume_role.json } +data "aws_iam_policy_document" "merged_policy" { + source_policy_documents = var.iam_role_policy_documents +} + +resource "aws_iam_policy" "combined_policies" { + name = "${terraform.workspace}_${var.name}_combined_policy" + policy = data.aws_iam_policy_document.merged_policy.json +} + +resource "aws_iam_role_policy_attachment" "default_policies" { + for_each = toset(var.default_policies) + role = aws_iam_role.lambda_execution_role.name + policy_arn = each.value +} + resource "aws_iam_role_policy_attachment" "lambda_execution_policy" { - count = length(var.iam_role_policies) role = aws_iam_role.lambda_execution_role.name - policy_arn = var.iam_role_policies[count.index] + policy_arn = aws_iam_policy.combined_policies.arn } data "archive_file" "lambda" { 
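Review bot: `aws_iam_policy.combined_policies` is created unconditionally from `data.aws_iam_policy_document.merged_policy`, but `var.iam_role_policy_documents` now defaults to `[]` (variable.tf hunk), and IAM rejects a customer managed policy whose document has no statements, so a lambda that relies on the default fails at apply rather than at plan. Merging everything into one managed policy also brings IAM's 6,144-character limit per managed policy into play — the upload_confirm_result hunk feeds eleven documents into this one resource — and `source_policy_documents` errors when two source documents carry the same non-empty `Sid`, so the per-module documents must keep their sids unique or unset. A precondition on the resource surfaces the empty-list case at plan time with a clear message instead of an IAM error; the new `default_policies` attachment is fine as written.
```hcl
resource "aws_iam_policy" "combined_policies" {
  name   = "${terraform.workspace}_${var.name}_combined_policy"
  policy = data.aws_iam_policy_document.merged_policy.json

  lifecycle {
    precondition {
      condition     = length(var.iam_role_policy_documents) > 0
      error_message = "iam_role_policy_documents must contain at least one policy document; IAM rejects a policy with no statements."
    }
  }
}
# … unchanged: default_policies and lambda_execution_policy attachments …
```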
diff --git a/infrastructure/modules/lambda/variable.tf b/infrastructure/modules/lambda/variable.tf index cdbc1a44..5036e935 100644 --- a/infrastructure/modules/lambda/variable.tf +++ b/infrastructure/modules/lambda/variable.tf @@ -41,8 +41,9 @@ variable "api_execution_arn" { type = string } -variable "iam_role_policies" { - type = list(string) +variable "iam_role_policy_documents" { + type = list(string) + default = [] } variable "lambda_timeout" { @@ -66,6 +67,13 @@ variable "reserved_concurrent_executions" { default = -1 } +variable "default_policies" { + default = [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" + ] +} + output "invoke_arn" { value = aws_lambda_function.lambda.invoke_arn } diff --git a/infrastructure/modules/s3/README.md b/infrastructure/modules/s3/README.md index c635f744..4704ad08 100644 --- a/infrastructure/modules/s3/README.md +++ b/infrastructure/modules/s3/README.md @@ -27,6 +27,8 @@ No modules. | [aws_s3_bucket_versioning.bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [aws_iam_policy_document.s3_cloudfront_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.s3_defaut_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.s3_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.s3_write_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs 
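Review bot: `variable "default_policies"` declares a default but no `type`, so a caller can pass any value `toset()` accepts and a mistyped ARN surfaces as an apply-time IAM error instead of a plan-time type error; add `type = list(string)` next to the default, matching `iam_role_policy_documents` directly above it. A `description` stating that these are AWS-managed policy ARNs attached unconditionally to every lambda role, separate from the merged inline policy built from `iam_role_policy_documents`, would also explain to the next reader why the module has two attachment paths.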
@@ -51,3 +53,5 @@ No modules. | [bucket\_id](#output\_bucket\_id) | n/a | | [s3\_list\_object\_policy](#output\_s3\_list\_object\_policy) | n/a | | [s3\_object\_access\_policy](#output\_s3\_object\_access\_policy) | n/a | +| [s3\_read\_policy\_document](#output\_s3\_read\_policy\_document) | n/a | +| [s3\_write\_policy\_document](#output\_s3\_write\_policy\_document) | n/a | diff --git a/infrastructure/modules/s3/main.tf b/infrastructure/modules/s3/main.tf index f0be2d58..20130332 100644 --- a/infrastructure/modules/s3/main.tf +++ b/infrastructure/modules/s3/main.tf @@ -127,4 +127,23 @@ resource "aws_s3_bucket_versioning" "bucket_versioning" { } depends_on = [aws_s3_bucket.bucket] +} + +data "aws_iam_policy_document" "s3_read_policy" { + statement { + actions = ["s3:Get*", "s3:List*"] + resources = [ + aws_s3_bucket.bucket.arn, + "${aws_s3_bucket.bucket.arn}/*" + ] + } +} + +data "aws_iam_policy_document" "s3_write_policy" { + statement { + actions = ["s3:Put*", "s3:Delete*", "s3:RestoreObject", "s3:AbortMultipartUpload"] + resources = [ + "${aws_s3_bucket.bucket.arn}/*" + ] + } } \ No newline at end of file diff --git a/infrastructure/modules/s3/output.tf b/infrastructure/modules/s3/output.tf index ff1a354e..e32ec90b 100644 --- a/infrastructure/modules/s3/output.tf +++ b/infrastructure/modules/s3/output.tf @@ -16,4 +16,12 @@ output "bucket_arn" { output "bucket_domain_name" { value = aws_s3_bucket.bucket.bucket_domain_name +} + +output "s3_read_policy_document" { + value = data.aws_iam_policy_document.s3_read_policy.json +} + +output "s3_write_policy_document" { + value = data.aws_iam_policy_document.s3_write_policy.json } \ No newline at end of file diff --git a/infrastructure/modules/sqs/README.md b/infrastructure/modules/sqs/README.md index 5a23d32e..32a6cc8c 100644 --- a/infrastructure/modules/sqs/README.md +++ b/infrastructure/modules/sqs/README.md 
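Review bot: `s3_write_policy` grants `s3:Put*` and `s3:Delete*` on `${aws_s3_bucket.bucket.arn}/*`, which at object scope also covers `s3:PutObjectAcl`, `s3:DeleteObjectVersion` and `s3:DeleteObjectTagging`; if versioning is enabled on the bucket via the `aws_s3_bucket_versioning` resource just above, `DeleteObjectVersion` lets a misbehaving consumer destroy exactly the history versioning is meant to keep. Spelling the actions out, `actions = ["s3:PutObject", "s3:DeleteObject", "s3:RestoreObject", "s3:AbortMultipartUpload"]`, limits the document to what an upload/cleanup path needs, and likewise `s3_read_policy`'s `s3:Get*` on the bucket ARN includes configuration reads such as `s3:GetBucketPolicy` that `s3:GetObject` plus `s3:ListBucket` would avoid. Neither document sets `effect` (Allow by default); the dynamo module's documents in this same commit do, so matching that reads more consistently. The `aws_s3_bucket_versioning` resource starts outside the hunk.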
@@ -16,11 +16,12 @@ No modules. | Name | Type | |------|------| -| [aws_iam_policy.sqs_queue_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_sqs_queue.queue_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | | [aws_sqs_queue.sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | | [aws_sqs_queue_redrive_allow_policy.terraform_queue_redrive_allow_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_allow_policy) | resource | | [aws_sqs_queue_redrive_policy.dlq_redrive](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_policy) | resource | +| [aws_iam_policy_document.sqs_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sqs_write_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs @@ -48,5 +49,6 @@ No modules. | [endpoint](#output\_endpoint) | Same as sqs queue arn. For use when setting the queue as endpoint of sns topic | | [sqs\_arn](#output\_sqs\_arn) | n/a | | [sqs\_id](#output\_sqs\_id) | n/a | -| [sqs\_policy](#output\_sqs\_policy) | Arn for the iam policy for accessing this queue | +| [sqs\_read\_policy\_document](#output\_sqs\_read\_policy\_document) | n/a | | [sqs\_url](#output\_sqs\_url) | n/a | +| [sqs\_write\_policy\_document](#output\_sqs\_write\_policy\_document) | n/a | diff --git a/infrastructure/modules/sqs/main.tf b/infrastructure/modules/sqs/main.tf index aa08237c..51dd9cc9 100644 --- a/infrastructure/modules/sqs/main.tf +++ b/infrastructure/modules/sqs/main.tf 
@@ -18,24 +18,6 @@ resource "aws_sqs_queue" "sqs_queue" { } } -resource "aws_iam_policy" "sqs_queue_policy" { - policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - "Sid" = "shsqsstatement", - "Effect" = "Allow", - "Action" = [ - "sqs:SendMessage", - "sqs:ReceiveMessage", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes" - ], - "Resource" = [ - aws_sqs_queue.sqs_queue.arn - ] - }] }) -} - resource "aws_sqs_queue" "queue_deadletter" { count = var.enable_dlq ? 1 : 0 name = "${terraform.workspace}-${var.name}-deadletter-queue" @@ -74,4 +56,33 @@ resource "aws_sqs_queue_redrive_policy" "dlq_redrive" { deadLetterTargetArn = aws_sqs_queue.queue_deadletter[0].arn maxReceiveCount = var.max_receive_count }) -} \ No newline at end of file +} + +data "aws_iam_policy_document" "sqs_read_policy" { + statement { + effect = "Allow" + actions = [ + "sqs:ReceiveMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl" + ] + resources = concat( + [aws_sqs_queue.sqs_queue.arn], + var.enable_dlq ? [aws_sqs_queue.queue_deadletter[0].arn] : [] + ) + } +} + +data "aws_iam_policy_document" "sqs_write_policy" { + statement { + effect = "Allow" + actions = [ + "sqs:SendMessage", + "sqs:DeleteMessage" + ] + resources = concat( + [aws_sqs_queue.sqs_queue.arn], + var.enable_dlq ? [aws_sqs_queue.queue_deadletter[0].arn] : [] + ) + } +} diff --git a/infrastructure/modules/sqs/variable.tf b/infrastructure/modules/sqs/variable.tf index 5c1345b3..9edb8bf0 100644 --- a/infrastructure/modules/sqs/variable.tf +++ b/infrastructure/modules/sqs/variable.tf 
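Review bot: `sqs:DeleteMessage` sits in `sqs_write_policy` rather than `sqs_read_policy`, but a consumer must delete what it has received to acknowledge it, so every reader will need the write document as well and with it `sqs:SendMessage`; the read/write split then stops being least-privilege for the common consumer case. Moving `sqs:DeleteMessage` into the read document — or naming the pair consume/produce — aligns the boundary with how a queue is actually used. Both documents also include the dead-letter queue ARN whenever `var.enable_dlq` is set, so every consumer can send to and receive from the DLQ too; if only the redrive path should touch it, the DLQ ARN belongs in a separate document. Removing `aws_iam_policy.sqs_queue_policy` also removes the `sqs_policy` output (variable.tf hunk), so any caller still referencing `sqs_policy` breaks — presumably updated elsewhere in the change, but worth confirming with a plan.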
@@ -88,11 +88,14 @@ output "sqs_id" {
 value = aws_sqs_queue.sqs_queue.id
 }
 
-output "sqs_policy" {
- value = aws_iam_policy.sqs_queue_policy.arn
- description = "Arn for the iam policy for accessing this queue"
-}
-
 output "sqs_url" {
 value = aws_sqs_queue.sqs_queue.url
 }
+
+output "sqs_read_policy_document" {
+ value = data.aws_iam_policy_document.sqs_read_policy.json
+}
+
+output "sqs_write_policy_document" {
+ value = data.aws_iam_policy_document.sqs_write_policy.json
+}
\ No newline at end of file
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
]