tidy up SAM templates so insights work

anthony-nhs · anthony-nhs · commit b4342ffda22c · 2024-02-28T11:22:12.000Z
diff --git a/SAMtemplates/lambda_resources.yaml b/SAMtemplates/lambda_resources.yaml
@@ -68,12 +68,17 @@ Resources:
             Principal:
               Service: "lambda.amazonaws.com"
             Action: "sts:AssumeRole"
-  LambdaPolicy:
-    Type: "AWS::IAM::ManagedPolicy"
+      ManagedPolicyArns:
+        - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
+        - !ImportValue account-resources:LambdaEncryptCloudwatchKMSPolicy
+
+  LambdaManagedPolicy:
+    Type: AWS::IAM::ManagedPolicy
     Properties:
-      Description: "allow access to logs for lambda role"
+      Roles:
+        - !Ref LambdaRole
       PolicyDocument:
-        Version: "2012-10-17"
+        Version: 2012-10-17
         Statement:
           - Effect: Allow
             Action:
@@ -82,45 +87,14 @@ Resources:
             Resource:
               - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${LambdaLogGroup}"
               - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${LambdaLogGroup}:log-stream:*"
-      Roles:
-        - !Ref LambdaRole
-  LambdaKMSPolicy:
-    Type: "AWS::IAM::ManagedPolicy"
-    Properties:
-      Description: "allow access to cloudwatch KMS key for lambda role"
-      PolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Effect: Allow
-            Action:
-              - kms:DescribeKey
-              - kms:GenerateDataKey*
-              - kms:Encrypt
-              - kms:ReEncrypt*
-            Resource:
-              - !Ref CloudWatchKMSKey
-      Roles:
-        - !Ref LambdaRole
-  LambdaSecretsKMSPolicy:
-    Type: "AWS::IAM::ManagedPolicy"
-    Properties:
-      Description: "allow access to secrets KMS key for lambda role"
-      PolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Effect: Allow
-            Action:
-              - kms:Decrypt
-            Resource:
-              - !ImportValue account-resources:SecretsKMSKey
-      Roles:
-        - !Ref LambdaRole
+
   LambdaLogGroup:
     Type: "AWS::Logs::LogGroup"
     Properties:
       LogGroupName: !Sub "/aws/lambda/${LambdaName}"
       RetentionInDays: !Ref LogRetentionDays
       KmsKeyId: !Ref CloudWatchKMSKey
+
   LambdaSplunkSubscriptionFilter:
     Condition: ShouldUseSplunk
     Type: AWS::Logs::SubscriptionFilter
diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
@@ -3,6 +3,49 @@ Transform: AWS::Serverless-2016-10-31
 Description: >
   FHIR validator lambda
 
+Parameters:
+  VersionNumber:
+    Type: String
+    Description: Current release version
+    Default: "xxx"
+  CommitId:
+    Type: String
+    Description: Most recent commit hash
+    Default: "xxx"
+  LogLevel:
+    Type: String
+    Description: The log level to set in the lambda
+    Default: "INFO"
+  LogRetentionDays:
+    Type: Number
+    Description: How long to keep logs for
+    Default: 30
+    AllowedValues:
+      [
+        1,
+        3,
+        5,
+        7,
+        14,
+        30,
+        60,
+        90,
+        120,
+        150,
+        180,
+        365,
+        400,
+        545,
+        731,
+        1096,
+        1827,
+        2192,
+        2557,
+        2922,
+        3288,
+        3653,
+      ]
+
 Resources:
   FHIRValidatorResources:
     Type: AWS::Serverless::Application
@@ -14,7 +57,7 @@ Resources:
         SplunkDeliveryStream: !ImportValue lambda-resources:SplunkDeliveryStream
         EnableSplunk: "true"
         LambdaName: !Sub "${AWS::StackName}-FHIRValidator"
-        LogRetentionDays: "30"
+        LogRetentionDays: !Ref LogRetentionDays
 
   FHIRValidator:
     Type: AWS::Serverless::Function
@@ -34,7 +77,6 @@ Resources:
       Layers:
         - !Sub "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:38"
 
-
 Outputs:
   FHIRValidatorLambdaName:
     Description: Name of the FHIR validator lambda
