add eventsub

Author: nhsd-david-wass

infrastructure/terraform/components/api/glue_crawler_event_crawler.tf

@@ -8,6 +8,10 @@ resource "aws_glue_crawler" "event_crawler" {
   s3_target {
     path = "s3://${local.csi_global}-eventcache/"
   }
+
+  s3_target {
+    path = "s3://${local.csi_global}-eventsubeventcache/"
+  }
   recrawl_policy {
     recrawl_behavior = "CRAWL_EVERYTHING"
   }

infrastructure/terraform/components/api/iam_role_glue.tf

@@ -38,19 +38,34 @@ data "aws_iam_policy_document" "glue_service_policy" {
     resources = ["arn:aws:logs:*:*:*"]
   }
 
+  statement {
+    sid    = "AllowListBucketAndGetLocation"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation"
+    ]
+
+    resources = [
+      "arn:aws:s3:::${local.csi_global}-eventcache",
+      "arn:aws:s3:::${local.csi_global}-eventsubeventcache"
+    ]
+  }
   statement {
     sid    = "AllowS3Access"
     effect = "Allow"
 
     actions = [
       "s3:GetObject",
+      "s3:GetObjectVersion",
       "s3:PutObject",
-      "s3:ListBucket",
-      "s3:GetBucketLocation",
       "s3:DeleteObject"
     ]
-    resources = ["arn:aws:s3:::${local.csi}-glue-bucket/*",
-    "arn:aws:s3:::${local.csi_global}-eventcache/*"]
+    resources = [
+      "arn:aws:s3:::${local.csi_global}-eventcache/*",
+      "arn:aws:s3:::${local.csi_global}-eventsubeventcache/*"
+    ]
   }
   statement {
     sid    = "GlueCatalogAccess"
@@ -65,7 +80,8 @@ data "aws_iam_policy_document" "glue_service_policy" {
       "glue:CreatePartition",
       "glue:BatchCreatePartition",
       "glue:GetPartition",
-      "glue:BatchGetPartition"
+      "glue:BatchGetPartition",
+      "glue:UpdatePartition"
     ]
     resources = ["*"]
   }

infrastructure/terraform/components/api/modules_eventsub.tf

@@ -12,6 +12,8 @@ module "eventsub" {
 
   default_tags = local.default_tags
 
+  glue_role_arn = aws_iam_role.glue_role.arn
+
   kms_key_arn           = module.kms.key_arn
   log_retention_in_days = var.log_retention_in_days
   log_level             = "INFO"
@@ -22,7 +24,7 @@ module "eventsub" {
   sns_success_logging_sample_percent = var.sns_success_logging_sample_percent
 
   event_cache_expiry_days = 30
-  enable_event_cache                 = var.enable_event_cache
+  enable_event_cache      = var.enable_event_cache
 
   shared_infra_account_id = var.shared_infra_account_id
 }

infrastructure/terraform/components/api/s3_bucket_policy_eventcache.tf

@@ -3,7 +3,7 @@ resource "aws_s3_bucket_policy" "eventcache" {
   bucket = local.event_cache_bucket_name
   policy = data.aws_iam_policy_document.eventcache[0].json
 
-  depends_on = [ module.eventpub ]
+  depends_on = [module.eventpub]
 }
 
 data "aws_iam_policy_document" "eventcache" {

infrastructure/terraform/modules/eventsub/README.md

@@ -21,6 +21,7 @@
 | <a name="input_event_cache_buffer_interval"></a> [event\_cache\_buffer\_interval](#input\_event\_cache\_buffer\_interval) | The buffer interval for data firehose | `number` | `500` | no |
 | <a name="input_event_cache_expiry_days"></a> [event\_cache\_expiry\_days](#input\_event\_cache\_expiry\_days) | s3 archiving expiry in days | `number` | `30` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When enabled will force destroy event-cache S3 bucket | `bool` | `false` | no |
+| <a name="input_glue_role_arn"></a> [glue\_role\_arn](#input\_glue\_role\_arn) | ARN of the Glue execution role from the parent | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key arn to use for this function | `string` | n/a | yes |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"WARN"` | no |

infrastructure/terraform/modules/eventsub/locals.tf

@@ -12,6 +12,18 @@ locals {
     "_",
     "",
   )
+  csi_global = replace(
+    format(
+      "%s-%s-%s-%s-%s",
+      var.project,
+      var.aws_account_id,
+      var.region,
+      var.environment,
+      var.component,
+    ),
+    "_",
+    "",
+  )
   default_tags = merge(
     var.default_tags,
     {

infrastructure/terraform/modules/eventsub/s3_bucket_policy_eventcache.tf

@@ -0,0 +1,48 @@
+resource "aws_s3_bucket_policy" "eventcache" {
+  bucket = module.s3bucket_event_cache[0].bucket
+  policy = data.aws_iam_policy_document.eventcache.json
+  count  = var.enable_event_cache ? 1 : 0
+}
+
+data "aws_iam_policy_document" "eventcache" {
+  statement {
+    sid    = "AllowGlueListBucketAndGetLocation"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [var.glue_role_arn]
+    }
+
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation"
+    ]
+
+    resources = [
+      "arn:aws:s3:::${local.csi_global}-eventsubeventcache"
+    ]
+  }
+
+  # Object-level permissions: Get/Put/Delete objects
+  statement {
+    sid    = "AllowGlueObjectAccess"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [var.glue_role_arn]
+    }
+
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:PutObject",
+      "s3:DeleteObject"
+    ]
+
+    resources = [
+      "arn:aws:s3:::${local.csi_global}-eventsubeventcache/*"
+    ]
+  }
+}

infrastructure/terraform/modules/eventsub/variables.tf

@@ -114,3 +114,8 @@ variable "shared_infra_account_id" {
   description = "The AWS Account ID of the shared infrastructure account"
   default     = "000000000000"
 }
+
+variable "glue_role_arn" {
+  type        = string
+  description = "ARN of the Glue execution role from the parent"
+}