NRL-1875 Define dynamodb pointers table as deploy parameter

mattdean3-nhs · mattdean3-nhs · commit 5a4af5e198da · 2026-01-08T08:49:57.000Z
diff --git a/scripts/seed_nft_tables.py b/scripts/seed_nft_tables.py
@@ -22,8 +22,8 @@
 from nrlf.tests.data import load_document_reference
 from tests.performance.seed_data_constants import (  # DEFAULT_COUNT_DISTRIBUTIONS,
     CHECKSUM_WEIGHTS,
-    DEFAULT_CUSTODIAN_DISTRIBUTIONS,
-    DEFAULT_TYPE_DISTRIBUTIONS,
+    CUSTODIAN_DISTRIBUTION_PROFILES,
+    TYPE_DISTRIBUTION_PROFILES,
 )
 
 dynamodb = boto3.client("dynamodb")
@@ -87,22 +87,24 @@ def _populate_seed_table(
     table_name: str,
     px_with_pointers: int,
     pointers_per_px: float = 1.0,
-    type_dists: dict[str, int] = DEFAULT_TYPE_DISTRIBUTIONS,
-    custodian_dists: dict[str, dict[str, int]] = DEFAULT_CUSTODIAN_DISTRIBUTIONS,
+    type_dist_profile: str = "default",
+    custodian_dist_profile: str = "default",
 ):
     """
     Seeds a table with example data for non-functional testing.
     """
     if pointers_per_px < 1.0:
         raise ValueError("Cannot populate table with patients with zero pointers")
+
+    type_dists = TYPE_DISTRIBUTION_PROFILES[type_dist_profile]
+    custodian_dists = CUSTODIAN_DISTRIBUTION_PROFILES[custodian_dist_profile]
+
     # set up iterations
     type_iter = _set_up_cyclical_iterator(type_dists)
     custodian_iters = _set_up_custodian_iterators(custodian_dists)
-    # count_iter = _set_up_cyclical_iterator(DEFAULT_COUNT_DISTRIBUTIONS)
     count_iter = _get_pointer_count_poisson_distributions(
         px_with_pointers, pointers_per_px
     )
-    # count_iter = _get_pointer_count_negbinom_distributions(px_with_pointers, pointers_per_px)
     testnum_cls = TestNhsNumbersIterator()
     testnum_iter = iter(testnum_cls)
 
diff --git a/terraform/infrastructure/data.tf b/terraform/infrastructure/data.tf
@@ -17,22 +17,12 @@ data "aws_iam_policy" "auth-store-read-policy" {
 
 data "aws_dynamodb_table" "pointers-table" {
   count = var.use_shared_resources ? 1 : 0
-  name  = "${local.pointers_table_prefix}-pointers-table"
+  name  = local.shared_pointers_table_name
 }
 
-data "aws_iam_policy" "pointers-table-read" {
-  count = var.use_shared_resources ? 1 : 0
-  name  = "${local.pointers_table_prefix}-pointers-table-read"
-}
-
-data "aws_iam_policy" "pointers-table-write" {
-  count = var.use_shared_resources ? 1 : 0
-  name  = "${local.pointers_table_prefix}-pointers-table-write"
-}
-
-data "aws_iam_policy" "pointers-kms-read-write" {
-  count = var.use_shared_resources ? 1 : 0
-  name  = "${local.pointers_table_prefix}-pointers-kms-read-write"
+data "aws_kms_key" "pointers-table-key" {
+  count  = var.use_shared_resources ? 1 : 0
+  key_id = "alias/${local.shared_pointers_table_name}-key"
 }
 
 data "external" "current-info" {
diff --git a/terraform/infrastructure/etc/dev.tfvars b/terraform/infrastructure/etc/dev.tfvars
@@ -1,8 +1,8 @@
 account_name     = "dev"
 aws_account_name = "dev"
 
-dynamodb_pointers_table_prefix         = "nhsd-nrlf--dev"
-dynamodb_sandbox_pointers_table_prefix = "nhsd-nrlf--dev-sandbox"
+dynamodb_pointers_table_name         = "nhsd-nrlf--dev-pointers-table"
+dynamodb_sandbox_pointers_table_name = "nhsd-nrlf--dev-sandbox-pointers-table"
 
 domain                = "api.record-locator.dev.national.nhs.uk"
 public_domain         = "internal-dev.api.service.nhs.uk"
diff --git a/terraform/infrastructure/etc/int.tfvars b/terraform/infrastructure/etc/int.tfvars
@@ -1,9 +1,9 @@
 account_name     = "int"
 aws_account_name = "test"
 
-dynamodb_pointers_table_prefix         = "nhsd-nrlf--int"
-dynamodb_sandbox_pointers_table_prefix = "nhsd-nrlf--int-sandbox"
-deletion_protection                    = true
+dynamodb_pointers_table_name         = "nhsd-nrlf--int-pointers-table"
+dynamodb_sandbox_pointers_table_name = "nhsd-nrlf--int-sandbox-pointers-table"
+deletion_protection                  = true
 
 domain                = "api.record-locator.int.national.nhs.uk"
 public_domain         = "int.api.service.nhs.uk"
diff --git a/terraform/infrastructure/etc/perftest.tfvars b/terraform/infrastructure/etc/perftest.tfvars
@@ -1,7 +1,7 @@
 account_name     = "perftest"
 aws_account_name = "test"
 
-dynamodb_pointers_table_prefix = "nhsd-nrlf--perftest-baseline"
+dynamodb_pointers_table_name = "nhsd-nrlf--perftest-baseline-pointers-table"
 
 domain        = "perftest.record-locator.national.nhs.uk"
 public_domain = "perftest.api.service.nhs.uk"
diff --git a/terraform/infrastructure/etc/prod.tfvars b/terraform/infrastructure/etc/prod.tfvars
@@ -1,8 +1,8 @@
 account_name     = "prod"
 aws_account_name = "prod"
 
-dynamodb_pointers_table_prefix = "nhsd-nrlf--prod"
-deletion_protection            = true
+dynamodb_pointers_table_name = "nhsd-nrlf--prod-pointers-table"
+deletion_protection          = true
 
 domain        = "api.record-locator.national.nhs.uk"
 public_domain = "api.service.nhs.uk"
diff --git a/terraform/infrastructure/etc/qa.tfvars b/terraform/infrastructure/etc/qa.tfvars
@@ -1,8 +1,8 @@
 account_name     = "qa"
 aws_account_name = "test"
 
-dynamodb_pointers_table_prefix         = "nhsd-nrlf--qa"
-dynamodb_sandbox_pointers_table_prefix = "nhsd-nrlf--qa-sandbox"
+dynamodb_pointers_table_name         = "nhsd-nrlf--qa-pointers-table"
+dynamodb_sandbox_pointers_table_name = "nhsd-nrlf--qa-sandbox-pointers-table"
 
 domain                = "qa.record-locator.national.nhs.uk"
 public_domain         = "internal-qa.api.service.nhs.uk"
diff --git a/terraform/infrastructure/etc/ref.tfvars b/terraform/infrastructure/etc/ref.tfvars
@@ -1,7 +1,7 @@
 account_name     = "ref"
 aws_account_name = "test"
 
-dynamodb_pointers_table_prefix = "nhsd-nrlf--ref"
+dynamodb_pointers_table_name = "nhsd-nrlf--ref-pointers-table"
 
 domain        = "api.record-locator.ref.national.nhs.uk"
 public_domain = "ref.api.service.nhs.uk"
diff --git a/terraform/infrastructure/iam.tf b/terraform/infrastructure/iam.tf
@@ -0,0 +1,86 @@
+resource "aws_iam_policy" "pointers-table-read" {
+  count       = var.use_shared_resources ? 1 : 0
+  name        = "${local.prefix}-allow-pointers-table-read"
+  description = "Read the pointers-table"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "kms:Decrypt",
+          "kms:DescribeKey"
+        ]
+        Effect = "Allow"
+        Resource = [
+          data.aws_kms_key.pointers-table-key[0].arn
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "dynamodb:Query",
+          "dynamodb:Scan",
+          "dynamodb:GetItem",
+        ],
+        Resource = [
+          "${data.aws_dynamodb_table.pointers-table[0].arn}*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "pointers-table-write" {
+  count       = var.use_shared_resources ? 1 : 0
+  name        = "${local.prefix}-allow-pointers-table-write"
+  description = "Write to the pointers-table"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "kms:Encrypt",
+          "kms:GenerateDataKey"
+        ]
+        Effect = "Allow"
+        Resource = [
+          data.aws_kms_key.pointers-table-key[0].arn
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:DeleteItem",
+        ],
+        Resource = [
+          "${data.aws_dynamodb_table.pointers-table[0].arn}*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "pointers-kms-read-write" {
+  count       = var.use_shared_resources ? 1 : 0
+  name        = "${local.prefix}-allow-pointers-kms-read-write"
+  description = "Encrypt and decrypt with the pointers table kms key"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "kms:Decrypt",
+          "kms:DescribeKey",
+          "kms:Encrypt",
+          "kms:GenerateDataKey"
+        ]
+        Effect = "Allow"
+        Resource = [
+          data.aws_kms_key.pointers-table-key[0].arn
+        ]
+      }
+    ]
+  })
+}
diff --git a/terraform/infrastructure/lambda.tf b/terraform/infrastructure/lambda.tf
@@ -17,7 +17,9 @@ module "consumer__readDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -44,7 +46,9 @@ module "consumer__searchDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -71,7 +75,9 @@ module "consumer__searchPostDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -99,7 +105,9 @@ module "producer__createDocumentReference" {
   additional_policies = [
     local.pointers_table_write_policy_arn,
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-table-write.arn,
+    #aws_iam_policy.pointers-table-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -127,7 +135,10 @@ module "producer__deleteDocumentReference" {
   additional_policies = [
     local.pointers_table_write_policy_arn,
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-table-write.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -154,7 +165,9 @@ module "producer__readDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -181,7 +194,9 @@ module "producer__searchDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -208,7 +223,9 @@ module "producer__searchPostDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -236,7 +253,10 @@ module "producer__updateDocumentReference" {
   additional_policies = [
     local.pointers_table_read_policy_arn,
     local.pointers_table_write_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-table-write.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -264,7 +284,10 @@ module "producer__upsertDocumentReference" {
   additional_policies = [
     local.pointers_table_write_policy_arn,
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-table-write.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehose_lambda_subscriptions
@@ -292,7 +315,9 @@ module "consumer__status" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehost_lambda_splunk_only_subscription
@@ -321,7 +346,9 @@ module "producer__status" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn,
+    #local.pointers_kms_read_write_arn,
+    #aws_iam_policy.pointers-table-read.arn,
+    #aws_iam_policy.pointers-kms-read-write.arn,
     local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = local.firehost_lambda_splunk_only_subscription
diff --git a/terraform/infrastructure/locals.tf b/terraform/infrastructure/locals.tf
@@ -51,10 +51,9 @@ locals {
   auth_store_id              = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].id : module.ephemeral-s3-permission-store[0].bucket_id
   auth_store_read_policy_arn = var.use_shared_resources ? data.aws_iam_policy.auth-store-read-policy[0].arn : module.ephemeral-s3-permission-store[0].bucket_read_policy_arn
 
-  pointers_table_prefix = local.is_sandbox_env ? "${var.dynamodb_sandbox_pointers_table_prefix}" : "${var.dynamodb_pointers_table_prefix}"
-
+  shared_pointers_table_name      = local.is_sandbox_env ? var.dynamodb_sandbox_pointers_table_name : var.dynamodb_pointers_table_name
   pointers_table_name             = var.use_shared_resources ? data.aws_dynamodb_table.pointers-table[0].name : module.ephemeral-pointers-table[0].table_name
-  pointers_table_read_policy_arn  = var.use_shared_resources ? data.aws_iam_policy.pointers-table-read[0].arn : module.ephemeral-pointers-table[0].read_policy_arn
-  pointers_table_write_policy_arn = var.use_shared_resources ? data.aws_iam_policy.pointers-table-write[0].arn : module.ephemeral-pointers-table[0].write_policy_arn
-  pointers_kms_read_write_arn     = var.use_shared_resources ? data.aws_iam_policy.pointers-kms-read-write[0].arn : module.ephemeral-pointers-table[0].kms_read_write_policy_arn
+  pointers_table_key_arn          = var.use_shared_resources ? data.aws_kms_key.pointers-table-key[0].arn : module.ephemeral-pointers-table[0].kms_key_arn
+  pointers_table_read_policy_arn  = var.use_shared_resources ? aws_iam_policy.pointers-table-read[0].arn : module.ephemeral-pointers-table[0].read_policy_arn
+  pointers_table_write_policy_arn = var.use_shared_resources ? aws_iam_policy.pointers-table-write[0].arn : module.ephemeral-pointers-table[0].write_policy_arn
 }
diff --git a/terraform/infrastructure/modules/pointers-table/output.tf b/terraform/infrastructure/modules/pointers-table/output.tf
@@ -17,3 +17,8 @@ output "kms_read_write_policy_arn" {
   description = "Policy to encrypt and decrypt the pointers table with the kms key"
   value       = aws_iam_policy.pointers-kms-read-write.arn
 }
+
+output "kms_key_arn" {
+  description = "KMS key arn for the pointers table"
+  value       = aws_kms_key.pointers-table-key.arn
+}
diff --git a/terraform/infrastructure/vars.tf b/terraform/infrastructure/vars.tf
@@ -68,13 +68,13 @@ variable "disable_firehose_lambda_subscriptions" {
   default     = false
 }
 
-variable "dynamodb_pointers_table_prefix" {
+variable "dynamodb_pointers_table_name" {
   type        = string
-  description = "The prefix of the DynamoDB pointers table to use when using shared resources"
+  description = "The name of the DynamoDB pointers table to use when using shared resources"
 }
 
-variable "dynamodb_sandbox_pointers_table_prefix" {
+variable "dynamodb_sandbox_pointers_table_name" {
   type        = string
-  description = "The prefix of the DynamoDB pointers table to use when using shared resources in a sandbox environment"
+  description = "The name of the DynamoDB pointers table to use when using shared resources in a sandbox environment"
   default     = null
 }
diff --git a/tests/performance/seed_data_constants.py b/tests/performance/seed_data_constants.py
