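AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  subscriber

  SAM template for the subscriber service: a public HL7v2-over-HTTPS ingest
  endpoint that converts messages to FHIR and queues them, an SQS-driven
  function that emails care providers, and a VPC-private API for creating and
  deleting CareRecipient subscriptions against PDS.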
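Parameters:
  # NOTE: every default below points at the NHS *integration* environment or the
  # staging deployment. Override them per environment at deploy time instead of
  # editing the defaults.
  pdsJwtAud:
    Type: String
    Description: Audience (aud) claim of the JWT presented to PDS; the PDS OAuth2 token endpoint.
    Default: "https://int.api.service.nhs.uk/oauth2/token"
  pdsJwtKid:
    Type: String
    Description: Key ID (kid) of the RSA key registered with PDS for signing that JWT.
    Default: "int-2"
  pdsBaseUrl:
    Type: String
    Description: Base URL of the PDS API.
    Default: "https://int.api.service.nhs.uk"
  managementInterfaceBaseUrl:
    Type: String
    Description: Base URL of the management interface called by the VPC-resident functions.
    # NOTE(review): this is plain HTTP. The functions that use it run inside the
    # VPC, so the traffic should never leave the private network -- confirm
    # that, or put the management interface behind TLS.
    Default: "http://api-django-staging.internal.hans.service.thepsc.co.uk"
  domainName:
    Type: String
    Description: Custom domain for the public API; an ACM certificate is issued for it via DNS validation.
    Default: "api-staging.hans.service.thepsc.co.uk"
  hostedZoneId:
    # Typed so CloudFormation rejects a zone ID that does not exist in the
    # target account instead of failing later during certificate validation.
    Type: AWS::Route53::HostedZone::Id
    Description: Route53 hosted zone that owns domainName; used for ACM validation and the API alias record.
    Default: "Z0749399NWCFPUQORL8R"
  secretName:
    Type: String
    Description: >-
      Secrets Manager secret whose SecretString holds PDS_JWT_RSA_PRIVATE_KEY,
      PDS_JWT_SUB, PDS_JWT_ISS, PDS_API_KEY and NOTIFY_API_KEY.
    Default: "nhs-hans-staging"
  vpcId:
    # AWS-specific types validate the value against the account at deploy time.
    Type: AWS::EC2::VPC::Id
    Description: VPC whose callers the internal API's resource policy admits.
  vpcEndpointId:
    # There is no AWS-specific parameter type for VPC endpoints, so validate the shape.
    Type: String
    Description: Interface VPC endpoint (execute-api) through which the internal API is reached.
    AllowedPattern: "^vpce-[0-9a-f]+$"
    ConstraintDescription: must be a VPC endpoint ID of the form vpce-xxxxxxxx
  securityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group attached to the VPC-resident functions.
  subnetId1:
    Type: AWS::EC2::Subnet::Id
    Description: First subnet for the VPC-resident functions.
  subnetId2:
    Type: AWS::EC2::Subnet::Id
    Description: Second subnet for the VPC-resident functions.
  subnetId3:
    Type: AWS::EC2::Subnet::Id
    Description: Third subnet for the VPC-resident functions.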
# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  # Defaults inherited by every AWS::Serverless::Function in this template
  # unless the function overrides them (the two VPC-resident functions raise
  # MemorySize to 512).
  Function:
    MemorySize: 128
    # NOTE(review): API Gateway's integration timeout is 29s, so a function
    # behind one of the APIs that runs the full 30s is cut off with a 504
    # before it returns.
    Timeout: 30
    Environment:
      Variables:
        LOG_LEVEL: INFO
        POWERTOOLS_SERVICE_NAME: hans
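# AWS SAM Spec is here: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
Resources:
  # ACM certificate for the public API's custom domain, validated through the
  # Route53 zone so issuance and renewal need no manual step.
  DomainCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref domainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref domainName
          HostedZoneId: !Ref hostedZoneId

  # Internet-facing API (custom domain + Route53 alias). Only POST /message/hl7v2
  # is attached to it.
  # NOTE(review): no Auth block is configured, so API Gateway itself does not
  # authenticate callers of the HL7v2 ingest endpoint. If the function checks
  # credentials in code, document that here; otherwise add an authorizer,
  # ApiKeyRequired, or mutual TLS on the Domain before exposing it.
  APIGatewayPublic:
    Type: AWS::Serverless::Api
    Properties:
      Description: Domain configured API gateway for public-facing APIs
      Domain:
        CertificateArn: !Ref DomainCertificate
        DomainName: !Ref domainName
        Route53:
          HostedZoneId: !Ref hostedZoneId
      StageName: Prod

  # Private API reachable only through the execute-api VPC endpoint; the
  # resource policy additionally limits callers to the given VPC.
  APIGatewayInternal:
    Type: AWS::Serverless::Api
    Properties:
      Description: Domain configure API gateway for internal-only APIs
      Auth:
        ResourcePolicy:
          SourceVpcWhitelist:
            - !Ref vpcId
      EndpointConfiguration:
        Type: PRIVATE
        VPCEndpointIds:
          - !Ref vpcEndpointId
      StageName: Prod

  # POST /subscription (internal API): creates a PDS subscription for a
  # CareRecipient. The JWT signing material and PDS API key come from Secrets
  # Manager via dynamic references, which resolve at *deploy* time, so:
  #   - the plaintext (including the RSA private key) is stored in the
  #     function's environment variables and is readable by anyone with
  #     lambda:GetFunctionConfiguration. Consider setting KmsKeyArn on the
  #     function, or fetching the secret at runtime instead;
  #   - rotating the secret has no effect until the stack is redeployed.
  SubscriptionCreateFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/subscription_create
      Handler: subscription_create.app.lambda_handler
      # NOTE(review): check python3.9 against the Lambda runtime deprecation schedule.
      Runtime: python3.9
      Description: Lambda function that creates a subscription for a given CareRecipient
      Architectures:
        - x86_64
      Events:
        SubscriptionCreate:
          Type: Api
          Properties:
            Path: /subscription
            Method: post
            RestApiId: !Ref APIGatewayInternal
      Environment:
        Variables:
          PDS_JWT_RSA_PRIVATE_KEY: !Join
            - ""
            - - "{{resolve:secretsmanager:"
              - !Ref secretName
              - ":SecretString:PDS_JWT_RSA_PRIVATE_KEY}}"
          PDS_JWT_SUB: !Join
            - ""
            - - "{{resolve:secretsmanager:"
              - !Ref secretName
              - ":SecretString:PDS_JWT_SUB}}"
          PDS_JWT_ISS: !Join
            - ""
            - - "{{resolve:secretsmanager:"
              - !Ref secretName
              - ":SecretString:PDS_JWT_ISS}}"
          PDS_API_KEY: !Join
            - ""
            - - "{{resolve:secretsmanager:"
              - !Ref secretName
              - ":SecretString:PDS_API_KEY}}"
          PDS_JWT_AUD: !Ref pdsJwtAud
          PDS_JWKS_KID: !Ref pdsJwtKid
          PDS_BASE_URL: !Ref pdsBaseUrl

  # DELETE /subscription/{id} (internal API). Takes no secrets; it only needs
  # the subscription id from the path.
  SubscriptionDeleteFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/subscription_delete
      Handler: subscription_delete.app.lambda_handler
      Runtime: python3.9
      Description: Lambda function that deletes a subscription for a given CareRecipient
      Architectures:
        - x86_64
      Events:
        SubscriptionDelete:
          Type: Api
          Properties:
            Path: /subscription/{id}
            Method: delete
            RestApiId: !Ref APIGatewayInternal

  # Work queue: filled by ConvertHL7v2ToFhirFunction, drained by
  # EmailCareProviderFunction. A message that fails 10 receives is moved to
  # DeadLetterQueue.
  UnprocessedMessageQueue:
    Type: AWS::SQS::Queue
    Properties:
      # Encryption at rest made explicit: the queue carries converted HL7v2/FHIR
      # messages.
      SqsManagedSseEnabled: true
      # The consumer has a 30s timeout; with the 30s default visibility timeout a
      # message can reappear while it is still being processed and be emailed
      # twice. AWS recommends at least 6x the function timeout.
      VisibilityTimeout: 180
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt DeadLetterQueue.Arn
        maxReceiveCount: 10

  # Drains UnprocessedMessageQueue in batches of 10 and emails care providers
  # via Notify. Runs inside the VPC so it can reach the management interface.
  # NOTIFY_API_KEY is a deploy-time dynamic reference with the same caveats as
  # the PDS secrets on SubscriptionCreateFunction.
  EmailCareProviderFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/email_care_provider
      Handler: email_care_provider.app.lambda_handler
      Runtime: python3.9
      Description: Lambda function that processes messages from the queue and sends emails to care providers
      Architectures:
        - x86_64
      MemorySize: 512
      Events:
        NewUnprocessedMessage:
          Type: SQS
          Properties:
            Queue: !GetAtt UnprocessedMessageQueue.Arn
            BatchSize: 10
            Enabled: true
      Environment:
        Variables:
          MANAGEMENT_INTERFACE_BASE_URL: !Ref managementInterfaceBaseUrl
          NOTIFY_API_KEY: !Join
            - ""
            - - "{{resolve:secretsmanager:"
              - !Ref secretName
              - ":SecretString:NOTIFY_API_KEY}}"
      VpcConfig:
        SecurityGroupIds:
          - !Ref securityGroupId
        SubnetIds:
          - !Ref subnetId1
          - !Ref subnetId2
          - !Ref subnetId3

  # Dead-letter queue for UnprocessedMessageQueue.
  DeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      SqsManagedSseEnabled: true
      # Keep failed messages for the maximum 14 days so they can be inspected
      # and replayed; the 4-day default discards them silently.
      MessageRetentionPeriod: 1209600

  # POST /message/hl7v2 on the public API: converts HL7v2 to FHIR and enqueues
  # the result. The only explicit grant is sqs:SendMessage on the work queue.
  ConvertHL7v2ToFhirFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/convert_hl7v2_fhir
      Handler: convert_hl7v2_fhir.app.lambda_handler
      Runtime: python3.9
      Description: Lambda function that converts HL7v2 (over HTTPs) to FHIR
      Architectures:
        - x86_64
      MemorySize: 512
      Events:
        ConvertHL7v2:
          Type: Api
          Properties:
            Path: /message/hl7v2
            Method: post
            RestApiId: !Ref APIGatewayPublic
      # Same as the global default; kept explicit because this function sits
      # behind API Gateway, whose integration timeout is 29s.
      Timeout: 30
      Environment:
        Variables:
          SQS_CONVERTED_QUEUE_URL: !GetAtt UnprocessedMessageQueue.QueueUrl
          MANAGEMENT_INTERFACE_BASE_URL: !Ref managementInterfaceBaseUrl
      VpcConfig:
        SecurityGroupIds:
          - !Ref securityGroupId
        SubnetIds:
          - !Ref subnetId1
          - !Ref subnetId2
          - !Ref subnetId3
      Policies:
        - Statement:
            - Sid: AllowQueueSendMessage
              Effect: Allow
              Action:
                - sqs:SendMessage
              Resource: !GetAtt UnprocessedMessageQueue.Arn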
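Outputs:
  # Both APIs are declared explicitly above (APIGatewayPublic and
  # APIGatewayInternal), so there is no implicit ServerlessRestApi to export.
  ManageAPI:
    Description: "API Gateway endpoint URL for Prod stage for public functions (/message/hl7v2)"
    Value: !Sub "https://${APIGatewayPublic}.execute-api.${AWS::Region}.amazonaws.com/Prod"
  # The public API also answers on its custom domain. No BasePath is set on the
  # Domain, so the stage should be reachable at the domain root -- confirm after
  # the first deploy.
  PublicDomainAPI:
    Description: "Custom-domain base URL for the public API"
    Value: !Sub "https://${domainName}"
  # Private endpoints are only resolvable from inside the VPC, via the endpoint
  # DNS name that embeds the vpce- id.
  PrivateAPI:
    Description: "API Gateway endpoint URL for Prod stage for private functions (/subscription/*)"
    Value: !Sub "https://${APIGatewayInternal}-${vpcEndpointId}.execute-api.${AWS::Region}.amazonaws.com/Prod"
  UnprocessedMessageQueueUrl:
    Description: "URL for queue containing messages to be processed"
    Value: !GetAtt UnprocessedMessageQueue.QueueUrl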