CCM-13295: Ingest reporting metadata into Glue table (#199)

* CCM-13295: Add a scheduled state machine to refresh Glue table metadata

* CCM-13295: Add reasonCode and reasonText fields to the event_record table

* CCM-13295: Add source conditions to all SQS queue IAM policies allowing EventBridge

* CCM-13295: Add a component test for report-event-transformer lambda

* CCM-13295: Increase CI workflow's unit test job timeout

Author: gareth-allan

.github/workflows/stage-2-test.yaml

@@ -89,7 +89,7 @@ jobs:
   test-unit:
     name: "Unit tests"
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 7
     permissions:
       contents: read
       packages: read

infrastructure/terraform/components/dl/README.md

@@ -32,6 +32,7 @@ No requirements.
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_mesh_poll_schedule"></a> [mesh\_poll\_schedule](#input\_mesh\_poll\_schedule) | Schedule to poll MESH for messages | `string` | `"rate(5 minutes)"` | no |
+| <a name="input_metadata_refresh_schedule"></a> [metadata\_refresh\_schedule](#input\_metadata\_refresh\_schedule) | Schedule for refreshing reporting metadata. | `string` | `"cron(10 6-22 * * ? *)"` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_pdm_mock_access_token"></a> [pdm\_mock\_access\_token](#input\_pdm\_mock\_access\_token) | Mock access token for PDM API authentication (used in local/dev environments) | `string` | `"mock-pdm-token"` | no |
 | <a name="input_pdm_use_non_mock_token"></a> [pdm\_use\_non\_mock\_token](#input\_pdm\_use\_non\_mock\_token) | Whether to use the shared APIM access token from SSM (/component/environment/apim/access\_token) instead of the mock token | `bool` | `false` | no |

infrastructure/terraform/components/dl/cloudwatch_metric_alarm_metadata_refresh_executions_aborted.tf

@@ -0,0 +1,16 @@
+resource "aws_cloudwatch_metric_alarm" "metadata_refresh_executions_aborted" {
+  alarm_name          = "${local.csi}-metadata-refresh-execution-aborted"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = 1
+  metric_name         = "ExecutionsAborted"
+  namespace           = "AWS/States"
+  period              = 60
+  statistic           = "Sum"
+  threshold           = 1
+  alarm_description   = "This metric monitors aborted step function executions"
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    StateMachineArn = aws_sfn_state_machine.metadata_refresh.arn
+  }
+}

infrastructure/terraform/components/dl/cloudwatch_metric_alarm_metadata_refresh_executions_failed.tf

@@ -0,0 +1,16 @@
+resource "aws_cloudwatch_metric_alarm" "metadata_refresh_executions_failed" {
+  alarm_name          = "${local.csi}-metadata-refresh-executions-failed"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = 1
+  metric_name         = "ExecutionsFailed"
+  namespace           = "AWS/States"
+  period              = 60
+  statistic           = "Sum"
+  threshold           = 1
+  alarm_description   = "This metric monitors failed step function executions"
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    StateMachineArn = aws_sfn_state_machine.metadata_refresh.arn
+  }
+}

infrastructure/terraform/components/dl/cloudwatch_metric_alarm_metadata_refresh_executions_timedout.tf

@@ -0,0 +1,16 @@
+resource "aws_cloudwatch_metric_alarm" "metadata_refresh_executions_timedout" {
+  alarm_name          = "${local.csi}-metadata-refresh-executions-timedout"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = 1
+  metric_name         = "ExecutionsTimedOut"
+  namespace           = "AWS/States"
+  period              = 60
+  statistic           = "Sum"
+  threshold           = 1
+  alarm_description   = "This metric monitors step function execution timeouts"
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    StateMachineArn = aws_sfn_state_machine.metadata_refresh.arn
+  }
+}

infrastructure/terraform/components/dl/glue_catalog_table_event_record.tf

@@ -24,6 +24,14 @@ resource "aws_glue_catalog_table" "event_record" {
       name = "pagecount"
       type = "int"
     }
+    columns {
+      name = "reasoncode"
+      type = "string"
+    }
+    columns {
+      name = "reasontext"
+      type = "string"
+    }
     columns {
       name = "supplierid"
       type = "string"

infrastructure/terraform/components/dl/module_sqs_mesh_acknowledge.tf

@@ -34,5 +34,11 @@ data "aws_iam_policy_document" "sqs_mesh_acknowledge" {
     resources = [
       "arn:aws:sqs:${var.region}:${var.aws_account_id}:${local.csi}-mesh-acknowledge-queue"
     ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [aws_cloudwatch_event_rule.mesh_inbox_message_downloaded.arn]
+    }
   }
 }

infrastructure/terraform/components/dl/module_sqs_mesh_download.tf

@@ -34,5 +34,11 @@ data "aws_iam_policy_document" "sqs_mesh_download" {
     resources = [
       "arn:aws:sqs:${var.region}:${var.aws_account_id}:${local.csi}-mesh-download-queue"
     ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [aws_cloudwatch_event_rule.mesh_inbox_message_received.arn]
+    }
   }
 }

infrastructure/terraform/components/dl/module_sqs_pdm_poll.tf

@@ -31,5 +31,11 @@ data "aws_iam_policy_document" "sqs_pdm_poll" {
     resources = [
       "arn:aws:sqs:${var.region}:${var.aws_account_id}:${local.csi}-pdm-poll-queue"
     ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [aws_cloudwatch_event_rule.pdm_resource_submitted.arn, aws_cloudwatch_event_rule.pdm_resource_unavailable.arn]
+    }
   }
 }

infrastructure/terraform/components/dl/module_sqs_pdm_uploader.tf

@@ -34,5 +34,11 @@ data "aws_iam_policy_document" "sqs_pdm_uploader" {
     resources = [
       "arn:aws:sqs:${var.region}:${var.aws_account_id}:${local.csi}-pdm-uploader-queue"
     ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [aws_cloudwatch_event_rule.mesh_inbox_message_downloaded.arn]
+    }
   }
 }