CDD-2443 Action PR comments

terraform/20-app/cognito.tf

@@ -1,46 +1,3 @@
-resource "aws_iam_role" "cognito_sns_role" {
-  name = "${local.prefix}-cognito-sns-role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Principal = {
-          Service = "cognito-idp.amazonaws.com"
-        },
-        Action = "sts:AssumeRole"
-      }
-    ]
-  })
-}
-
-resource "aws_sns_topic" "cognito_topic" {
-  name = "${local.prefix}-cognito-sms-topic"
-}
-
-resource "aws_iam_policy" "cognito_sns_policy" {
-  name = "${local.prefix}-cognito-sns-policy"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "sns:Publish"
-        ],
-        Resource = aws_sns_topic.cognito_topic.arn
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "cognito_sns_policy_attachment" {
-  role       = aws_iam_role.cognito_sns_role.name
-  policy_arn = aws_iam_policy.cognito_sns_policy.arn
-}
-
 module "cognito" {
   source = "../modules/cognito"
   sns_role_arn = aws_iam_role.cognito_sns_role.arn
@@ -66,23 +23,6 @@ module "cognito" {
   prefix = local.prefix
 }
 
-resource "aws_iam_role" "cognito_lambda_role" {
-  name = "${local.prefix}-lambda-execution-role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Principal = {
-          Service = "lambda.amazonaws.com"
-        },
-        Action = "sts:AssumeRole"
-      }
-    ]
-  })
-}
-
 module "app_security_group" {
   source  = "terraform-aws-modules/security-group/aws"
   version = "~> 5.0"

terraform/20-app/outputs.tf

@@ -84,3 +84,4 @@ output "lambda" {
     ingestion_lambda_arn = module.lambda_ingestion.lambda_function_arn
   }
 }
+

terraform/20-app/sns.cognito.tf

@@ -0,0 +1,69 @@
+module "cognito_sns" {
+  source  = "terraform-aws-modules/sns/aws"
+  version = "~> 5.0"
+
+  name = "${local.prefix}-cognito-topic"
+
+  subscriptions = [
+    {
+      protocol = "email"
+      endpoint = var.cognito_admin_email
+    }
+  ]
+}
+
+resource "aws_iam_role" "cognito_sns_role" {
+  name = "${local.prefix}-cognito-sns-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Service = "cognito-idp.amazonaws.com"
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "cognito_sns_policy" {
+  name        = "${local.prefix}-cognito-sns-policy"
+  description = "Allows Cognito to publish messages to the SNS topic"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "AllowCognitoToPublish",
+        Effect = "Allow",
+        Action = ["sns:Publish"],
+        Resource = module.cognito_sns.topic_arn
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "cognito_sns_policy_attachment" {
+  role       = aws_iam_role.cognito_sns_role.id
+  policy_arn = aws_iam_policy.cognito_sns_policy.arn
+}
+
+resource "aws_iam_role" "cognito_lambda_role" {
+  name = "${local.prefix}-lambda-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}

terraform/20-app/vars.tf

@@ -36,4 +36,10 @@ variable "api_gateway_stage_name" {
   description = "The stage name for API Gateway (e.g. dev or live)"
   type        = string
   default     = "dev"
+}
+
+variable "cognito_admin_email" {
+  description = "Admin email address for Cognito SNS notifications"
+  type        = string
+  default     = "[email protected]"
 }

terraform/modules/api-gateway/iam.tf

@@ -0,0 +1,61 @@
+resource "aws_api_gateway_account" "account" {
+  cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch_role.arn
+
+  depends_on = [
+    aws_iam_role.api_gateway_cloudwatch_role,
+    aws_iam_role_policy.api_gateway_cloudwatch_policy
+  ]
+}
+
+resource "aws_iam_role" "api_gateway_cloudwatch_role" {
+  name = "${var.prefix}-api-gateway-cloudwatch-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Service = "apigateway.amazonaws.com"
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "api_gateway_cloudwatch_policy" {
+  role = aws_iam_role.api_gateway_cloudwatch_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams",
+          "logs:GetLogEvents",
+          "logs:FilterLogEvents"
+        ],
+        Resource = [
+          "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*"
+        ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "apigateway:GET",
+          "apigateway:PUT",
+          "apigateway:POST",
+          "apigateway:DELETE",
+          "apigateway:PATCH"
+        ],
+        Resource = aws_api_gateway_rest_api.api_gateway.execution_arn
+      }
+    ]
+  })
+}

terraform/modules/api-gateway/lambda.tf

@@ -0,0 +1,37 @@
+resource "aws_lambda_function" "api_gateway_lambda" {
+  function_name = "${var.prefix}-api-gateway-lambda"
+  runtime       = "nodejs18.x"
+  role          = var.lambda_role_arn
+  handler       = "api_gateway_lambda.handler"
+
+  source_code_hash = filebase64sha256("${path.module}/api_gateway_lambda.zip")
+  filename    = "${path.module}/api_gateway_lambda.zip"
+  timeout     = 15
+  publish     = true
+  description = "Handles API Gateway requests for the ${var.prefix} service"
+}
+
+resource "aws_lambda_alias" "live" {
+  name             = "live"
+  description      = "Alias pointing to the live version of the Lambda function"
+  function_name    = aws_lambda_function.api_gateway_lambda.arn
+  function_version = "$LATEST"
+}
+
+resource "aws_lambda_alias" "dev" {
+  name             = "dev"
+  description      = "Alias pointing to the dev version of the Lambda function"
+  function_name    = aws_lambda_function.api_gateway_lambda.arn
+  function_version = "$LATEST"
+}
+
+resource "aws_lambda_permission" "allow_api_gateway" {
+  statement_id = "AllowAPIGatewayInvoke"
+  action       = "lambda:InvokeFunction"
+  function_name = lookup({
+    "live" = aws_lambda_alias.live.arn,
+    "dev"  = aws_lambda_alias.dev.arn
+  }, var.lambda_alias, aws_lambda_alias.live.arn)
+  principal  = "apigateway.amazonaws.com"
+  source_arn = "arn:aws:execute-api:${var.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.api_gateway.id}/*/*/*"
+}

terraform/modules/api-gateway/main.tf

@@ -1,32 +1,5 @@
 data "aws_caller_identity" "current" {}
 
-resource "aws_lambda_function" "api_gateway_lambda" {
-  function_name = "${var.prefix}-api-gateway-lambda"
-  runtime       = "nodejs18.x"
-  role          = var.lambda_role_arn
-  handler       = "api_gateway_lambda.handler"
-
-  source_code_hash = filebase64sha256("${path.module}/api_gateway_lambda.zip")
-  filename    = "${path.module}/api_gateway_lambda.zip"
-  timeout     = 15
-  publish     = true
-  description = "Handles API Gateway requests for the ${var.prefix} service"
-}
-
-resource "aws_lambda_alias" "live" {
-  name             = "live"
-  description      = "Alias pointing to the live version of the Lambda function"
-  function_name    = aws_lambda_function.api_gateway_lambda.arn
-  function_version = "$LATEST"
-}
-
-resource "aws_lambda_alias" "dev" {
-  name             = "dev"
-  description      = "Alias pointing to the dev version of the Lambda function"
-  function_name    = aws_lambda_function.api_gateway_lambda.arn
-  function_version = "$LATEST"
-}
-
 resource "aws_api_gateway_rest_api" "api_gateway" {
   name        = var.name
   description = var.description
@@ -95,90 +68,3 @@ resource "aws_api_gateway_stage" "stage" {
     prevent_destroy = false
   }
 }
-
-resource "aws_api_gateway_account" "account" {
-  cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch_role.arn
-
-  depends_on = [
-    aws_iam_role.api_gateway_cloudwatch_role,
-    aws_iam_role_policy.api_gateway_cloudwatch_policy
-  ]
-}
-
-resource "aws_iam_role" "api_gateway_cloudwatch_role" {
-  name = "${var.prefix}-api-gateway-cloudwatch-role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Principal = {
-          Service = "apigateway.amazonaws.com"
-        },
-        Action = "sts:AssumeRole"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy" "api_gateway_cloudwatch_policy" {
-  role = aws_iam_role.api_gateway_cloudwatch_role.id
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "logs:CreateLogGroup",
-          "logs:CreateLogStream",
-          "logs:PutLogEvents",
-          "logs:DescribeLogGroups",
-          "logs:DescribeLogStreams",
-          "logs:GetLogEvents",
-          "logs:FilterLogEvents"
-        ],
-        Resource = [
-          "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*"
-        ]
-      },
-      {
-        Effect = "Allow",
-        Action = [
-          "apigateway:GET",
-          "apigateway:PUT",
-          "apigateway:POST",
-          "apigateway:DELETE",
-          "apigateway:PATCH"
-        ],
-        Resource = aws_api_gateway_rest_api.api_gateway.execution_arn
-      }
-    ]
-  })
-}
-
-resource "aws_lambda_permission" "allow_api_gateway" {
-  statement_id = "AllowAPIGatewayInvoke"
-  action       = "lambda:InvokeFunction"
-  function_name = lookup({
-    "live" = aws_lambda_alias.live.arn,
-    "dev"  = aws_lambda_alias.dev.arn
-  }, var.lambda_alias, aws_lambda_alias.live.arn)
-  principal  = "apigateway.amazonaws.com"
-  source_arn = "arn:aws:execute-api:${var.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.api_gateway.id}/*/*/*"
-}
-
-output "api_gateway_lambda_arn" {
-  description = "The ARN of the API Gateway Lambda function"
-  value       = aws_lambda_function.api_gateway_lambda.arn
-}
-
-variable "prefix" {
-  description = "Prefix for naming resources"
-  type        = string
-  validation {
-    condition = can(regex("^[a-zA-Z0-9_-]+$", var.prefix))
-    error_message = "Prefix must only contain letters, numbers, hyphens, or underscores."
-  }
-}

terraform/modules/api-gateway/outputs.tf

@@ -24,4 +24,9 @@ output "lambda_alias_arn" {
     "live" = aws_lambda_alias.live.arn,
     "dev"  = aws_lambda_alias.dev.arn
   }, var.lambda_alias, aws_lambda_alias.live.arn)
+}
+
+output "api_gateway_lambda_arn" {
+  description = "The ARN of the API Gateway Lambda function"
+  value       = aws_lambda_function.api_gateway_lambda.arn
 }