Merge pull request #1539 from ministryofjustice/MLPAB-2566-dev-set-de…

…ad-letter-queue-for-all-eventbridge-targets

MLPAB-2566 - set dead letter queue for all custom bus eventbridge targets

terraform/environment/region/event_received.tf

@@ -23,6 +23,7 @@ module "event_received" {
   search_index_name             = var.search_index_name
   search_collection_arn         = var.search_collection_arn
   event_received_lambda_role    = var.iam_roles.event_received_lambda
+  event_bus_dead_letter_queue   = module.event_bus.event_bus_dead_letter_queue
   vpc_config = {
     subnet_ids         = data.aws_subnet.application[*].id
     security_group_ids = [data.aws_security_group.lambda_egress.id]

terraform/environment/region/modules/event_bus/outputs.tf

@@ -1,3 +1,7 @@
 output "event_bus" {
   value = aws_cloudwatch_event_bus.main
 }
+
+output "event_bus_dead_letter_queue" {
+  value = aws_sqs_queue.event_bus_dead_letter_queue
+}

terraform/environment/region/modules/event_received/event_bus_dead_letter_queue_policy.tf

@@ -0,0 +1,31 @@
+data "aws_iam_policy_document" "event_bus_dead_letter_queue_policy" {
+  statement {
+    sid    = "events-received queue permissions"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions   = ["sqs:SendMessage"]
+    resources = [var.event_bus_dead_letter_queue.arn]
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values = [
+        aws_cloudwatch_event_rule.receive_events_lpa_store.arn,
+        aws_cloudwatch_event_rule.receive_events_mlpa.arn,
+        aws_cloudwatch_event_rule.receive_events_sirius.arn,
+      ]
+    }
+  }
+  provider = aws.region
+}
+
+resource "aws_sqs_queue_policy" "event_bus_dead_letter_queue_policy" {
+  queue_url = var.event_bus_dead_letter_queue.id
+  policy    = data.aws_iam_policy_document.event_bus_dead_letter_queue_policy.json
+  provider  = aws.region
+}

terraform/environment/region/modules/event_received/lambda.tf → terraform/environment/region/modules/event_received/main.tf

@@ -68,6 +68,9 @@ resource "aws_cloudwatch_event_target" "receive_events_sirius" {
   rule           = aws_cloudwatch_event_rule.receive_events_sirius.name
   arn            = module.event_received.lambda.arn
   provider       = aws.region
+  dead_letter_config {
+    arn = var.event_bus_dead_letter_queue.arn
+  }
 }
 
 resource "aws_cloudwatch_event_rule" "receive_events_lpa_store" {
@@ -87,7 +90,10 @@ resource "aws_cloudwatch_event_target" "receive_events_lpa_store" {
   event_bus_name = var.event_bus_name
   rule           = aws_cloudwatch_event_rule.receive_events_lpa_store.name
   arn            = module.event_received.lambda.arn
-  provider       = aws.region
+  dead_letter_config {
+    arn = var.event_bus_dead_letter_queue.arn
+  }
+  provider = aws.region
 }
 
 resource "aws_cloudwatch_event_rule" "receive_events_mlpa" {
@@ -107,7 +113,10 @@ resource "aws_cloudwatch_event_target" "receive_events_mlpa" {
   event_bus_name = var.event_bus_name
   rule           = aws_cloudwatch_event_rule.receive_events_mlpa.name
   arn            = module.event_received.lambda.arn
-  provider       = aws.region
+  dead_letter_config {
+    arn = var.event_bus_dead_letter_queue.arn
+  }
+  provider = aws.region
 }
 
 resource "aws_lambda_permission" "allow_cloudwatch_to_call_event_received_sirius" {

terraform/environment/region/modules/event_received/variables.tf

@@ -68,3 +68,7 @@ variable "vpc_config" {
     security_group_ids = list(string)
   })
 }
+
+variable "event_bus_dead_letter_queue" {
+  type = any
+}