Migrate supplier updates so that they pass through new topic

Author: stevebux

infrastructure/terraform/components/api/locals.tf

@@ -27,7 +27,7 @@ locals {
     SUPPLIER_ID_HEADER       = "nhsd-supplier-id",
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60
-    SNS_TOPIC_ARN            = "${module.eventsub.eventsub_topic.arn}",
+    AMENDMENTS_TOPIC_ARN     = "${module.eventsub.amendments_topic.arn}",
     EVENT_SOURCE             = "/data-plane/supplier-api/${var.group}/${var.environment}/letters"
   }
 

infrastructure/terraform/components/api/module_lambda_letter_status_update.tf

@@ -91,7 +91,7 @@ data "aws_iam_policy_document" "letter_status_update" {
     ]
 
     resources = [
-      module.eventsub.eventsub_topic.arn
+      module.eventsub.amendments_topic.arn
     ]
   }
 }

infrastructure/terraform/components/api/module_sqs_letter_updates.tf

@@ -18,29 +18,6 @@ module "sqs_letter_updates" {
 
 data "aws_iam_policy_document" "letter_updates_queue_policy" {
   version = "2012-10-17"
-  statement {
-    sid    = "AllowSNSToSendMessage"
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["sns.amazonaws.com"]
-    }
-
-    actions = [
-      "sqs:SendMessage"
-    ]
-
-    resources = [
-      "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-letter-updates-queue"
-    ]
-
-    condition {
-      test     = "ArnEquals"
-      variable = "aws:SourceArn"
-      values   = [module.eventsub.eventsub_topic.arn]
-    }
-  }
 
   statement {
     sid    = "AllowSNSPermissions"
@@ -65,7 +42,7 @@ data "aws_iam_policy_document" "letter_updates_queue_policy" {
     condition {
       test     = "ArnEquals"
       variable = "aws:SourceArn"
-      values   = [module.eventsub.eventsub_topic.arn]
+      values   = [module.eventsub.eventsub_topic.arn, module.eventsub.amendments_topic.arn]
     }
   }
 }

infrastructure/terraform/components/api/sns_topic_subscription_eventsub_sqs_letter_updates.tf

@@ -3,3 +3,9 @@ resource "aws_sns_topic_subscription" "eventsub_sqs_letter_updates" {
   protocol  = "sqs"
   endpoint  = module.sqs_letter_updates.sqs_queue_arn
 }
+
+resource "aws_sns_topic_subscription" "amendments_sqs_letter_updates" {
+  topic_arn = module.eventsub.amendments_topic.arn
+  protocol  = "sqs"
+  endpoint  = module.sqs_letter_updates.sqs_queue_arn
+}

infrastructure/terraform/modules/eventsub/cloudwatch_log_group_sns_delivery_logging_failure.tf

@@ -7,3 +7,13 @@ resource "aws_cloudwatch_log_group" "sns_delivery_logging_failure" {
   kms_key_id        = var.kms_key_arn
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_group" "amendments_sns_delivery_logging_failure" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}/Failure
+  # (for failure logs)
+  name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}-amendments/Failure"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/terraform/modules/eventsub/cloudwatch_log_group_sns_delivery_logging_success.tf

@@ -7,3 +7,13 @@ resource "aws_cloudwatch_log_group" "sns_delivery_logging_success" {
   kms_key_id        = var.kms_key_arn
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_group" "amendments_sns_delivery_logging_success" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}
+  # (for success logs)
+  name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}-amendments"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/terraform/modules/eventsub/iam_policy_sns_delivery_logging_cloudwatch.tf

@@ -39,6 +39,10 @@ data "aws_iam_policy_document" "sns_delivery_logging_cloudwatch" {
       "${aws_cloudwatch_log_group.sns_delivery_logging_success[0].arn}:log-stream:*",
       aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn,
       "${aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn}:log-stream:*",
+      aws_cloudwatch_log_group.amendments_sns_delivery_logging_success[0].arn,
+      "${aws_cloudwatch_log_group.amendments_sns_delivery_logging_success[0].arn}:log-stream:*",
+      aws_cloudwatch_log_group.amendments_sns_delivery_logging_failure[0].arn,
+      "${aws_cloudwatch_log_group.amendments_sns_delivery_logging_failure[0].arn}:log-stream:*",
     ]
   }
 }

lambdas/api-handler/src/config/__tests__/env.test.ts

@@ -26,7 +26,7 @@ describe("lambdaEnv", () => {
     process.env.MAX_LIMIT = "2500";
     process.env.QUEUE_URL = "url";
     process.env.EVENT_SOURCE = "supplier-api";
-    process.env.SNS_TOPIC_ARN = "sns-topic.arn";
+    process.env.AMENDMENTS_TOPIC_ARN = "sns-topic.arn";
 
     const { envVars } = require("../env");
 
@@ -41,7 +41,7 @@ describe("lambdaEnv", () => {
       MAX_LIMIT: 2500,
       QUEUE_URL: "url",
       EVENT_SOURCE: "supplier-api",
-      SNS_TOPIC_ARN: "sns-topic.arn",
+      AMENDMENTS_TOPIC_ARN: "sns-topic.arn",
     });
   });
 
@@ -66,7 +66,7 @@ describe("lambdaEnv", () => {
     process.env.MI_TTL_HOURS = "2160";
     process.env.DOWNLOAD_URL_TTL_SECONDS = "60";
     process.env.EVENT_SOURCE = "supplier-api";
-    process.env.SNS_TOPIC_ARN = "sns-topic.arn";
+    process.env.AMENDMENTS_TOPIC_ARN = "sns-topic.arn";
 
     const { envVars } = require("../env");
 
@@ -80,7 +80,7 @@ describe("lambdaEnv", () => {
       DOWNLOAD_URL_TTL_SECONDS: 60,
       MAX_LIMIT: undefined,
       EVENT_SOURCE: "supplier-api",
-      SNS_TOPIC_ARN: "sns-topic.arn",
+      AMENDMENTS_TOPIC_ARN: "sns-topic.arn",
     });
   });
 });

lambdas/api-handler/src/config/env.ts

@@ -11,7 +11,7 @@ const EnvVarsSchema = z.object({
   MAX_LIMIT: z.coerce.number().int().optional(),
   QUEUE_URL: z.coerce.string().optional(),
   EVENT_SOURCE: z.string(),
-  SNS_TOPIC_ARN: z.string(),
+  AMENDMENTS_TOPIC_ARN: z.string(),
 });
 
 export type EnvVars = z.infer<typeof EnvVarsSchema>;

lambdas/api-handler/src/handlers/__tests__/letter-status-update.test.ts

@@ -117,7 +117,7 @@ describe("createLetterStatusUpdateHandler", () => {
         i + 1,
         expect.objectContaining({
           input: expect.objectContaining({
-            TopicArn: mockedDeps.env.SNS_TOPIC_ARN,
+            TopicArn: mockedDeps.env.AMENDMENTS_TOPIC_ARN,
             Message: JSON.stringify(
               mapLetterToCloudEvent(
                 updateLetterCommands[i] as Letter,