Add custom resource to manage OpenSearch indices

Author: landonshumway-ia

backend/compact-connect/bin/compile_requirements.sh

@@ -18,6 +18,8 @@ pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/provi
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/provider-data-v1/requirements.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/purchases/requirements-dev.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/purchases/requirements.in
+pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/search/requirements-dev.in
+pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/search/requirements.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/staff-user-pre-token/requirements-dev.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/staff-user-pre-token/requirements.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/staff-users/requirements-dev.in

backend/compact-connect/bin/sync_deps.sh

@@ -22,6 +22,8 @@ pip-sync \
   lambdas/python/provider-data-v1/requirements.txt \
   lambdas/python/purchases/requirements-dev.txt \
   lambdas/python/purchases/requirements.txt \
+  lambdas/python/search/requirements-dev.txt \
+  lambdas/python/search/requirements.txt \
   lambdas/python/staff-user-pre-token/requirements-dev.txt \
   lambdas/python/staff-user-pre-token/requirements.txt \
   lambdas/python/staff-users/requirements-dev.txt \

backend/compact-connect/common_constructs/python_function.py

@@ -5,7 +5,7 @@
 from aws_cdk import Duration
 from aws_cdk.aws_cloudwatch import Alarm, ComparisonOperator, Stats, TreatMissingData
 from aws_cdk.aws_cloudwatch_actions import SnsAction
-from aws_cdk.aws_iam import IRole, Role, ServicePrincipal
+from aws_cdk.aws_iam import IRole, Role, ServicePrincipal, ManagedPolicy
 from aws_cdk.aws_lambda import ILayerVersion, Runtime
 from aws_cdk.aws_lambda_python_alpha import PythonFunction as CdkPythonFunction
 from aws_cdk.aws_logs import ILogGroup, LogGroup, RetentionDays
@@ -81,6 +81,24 @@ def __init__(
                 assumed_by=ServicePrincipal('lambda.amazonaws.com'),
             )
             log_group.grant_write(role)
+            if 'vpc' in kwargs:
+                # if the function is being created in a VPC, add the AWSLambdaVPCAccessExecutionRole policy to the role
+                role.add_managed_policy(
+                    ManagedPolicy.from_aws_managed_policy_name('service-role/AWSLambdaVPCAccessExecutionRole')
+                )
+                NagSuppressions.add_resource_suppressions(
+                    role,
+                    suppressions=[
+                        {
+                            'id': 'AwsSolutions-IAM4',
+                            'appliesTo': [
+                                'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
+                            ],
+                            'reason': "Lambdas deployed within a VPC require this policy to access the VPC.",
+                        },
+                    ],
+                )
+
         # We can't directly grant a provided role permission to log to our log group, since that could create a
         # circular dependency with the stack the role came from. The role creator will have to be responsible for
         # setting its permissions.

backend/compact-connect/lambdas/python/common/cc_common/config.py

@@ -22,6 +22,20 @@ class _Config:
     presigned_post_ttl_seconds = 3600
     default_page_size = 100
 
+    @property
+    def environment_region(self):
+        """
+        Returns the region name of the region the lambda is running in.
+        """
+        return os.environ['AWS_REGION']
+
+    @property
+    def opensearch_host_endpoint(self):
+        """
+        Returns the region name of the region the lambda is running in.
+        """
+        return os.environ['OPENSEARCH_HOST_ENDPOINT']
+
     @cached_property
     def cognito_client(self):
         return boto3.client('cognito-idp')

backend/compact-connect/lambdas/python/search/custom_resource_handler.py

@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+from abc import ABC, abstractmethod
+from typing import TypedDict
+
+from aws_lambda_powertools.logging.lambda_context import build_lambda_context_model
+from aws_lambda_powertools.utilities.typing import LambdaContext
+from cc_common.config import logger
+
+
+class CustomResourceResponse(TypedDict, total=False):
+    """Return body for the custom resource handler."""
+
+    PhysicalResourceId: str
+    Data: dict
+    NoEcho: bool
+
+
+class CustomResourceHandler(ABC):
+    """Base class for custom resource migrations.
+
+    This class provides a framework for implementing CloudFormation custom resources.
+    It handles the routing of CloudFormation events to appropriate methods and provides a consistent
+    logging pattern.
+
+    Subclasses must implement the on_create, on_update, and on_delete methods.
+
+    Instances of this class are callable and can be used directly as Lambda handlers.
+    """
+
+    def __init__(self, handler_name: str):
+        """Initialize the custom resource handler.
+
+        :type handler_name: str
+        """
+        self.handler_name = handler_name
+
+    def __call__(self, event: dict, _context: LambdaContext) -> CustomResourceResponse | None:
+        return self._on_event(event, _context)
+
+    def _on_event(self, event: dict, _context: LambdaContext) -> CustomResourceResponse | None:
+        """CloudFormation event handler using the CDK provider framework.
+        See: https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.custom_resources/README.html
+
+        This method routes the event to the appropriate handler method based on the request type.
+
+        :param event: The lambda event with properties in ResourceProperties
+        :type event: dict
+        :param _context: Lambda context
+        :type _context: LambdaContext
+        :return: Optional result from the handler method
+        :rtype: Optional[CustomResourceResponse]
+        :raises ValueError: If the request type is not supported
+        """
+
+        # @logger.inject_lambda_context doesn't work on instance methods, so we'll build the context manually
+        lambda_context = build_lambda_context_model(_context)
+        logger.structure_logs(**lambda_context.__dict__)
+
+        logger.info(f'{self.handler_name} handler started')
+
+        properties = event.get('ResourceProperties', {})
+        request_type = event['RequestType']
+
+        match request_type:
+            case 'Create':
+                try:
+                    resp = self.on_create(properties)
+                except Exception as e:
+                    logger.error(f'Error in {self.handler_name} creation', exc_info=e)
+                    raise
+            case 'Update':
+                try:
+                    resp = self.on_update(properties)
+                except Exception as e:
+                    logger.error(f'Error in {self.handler_name} update', exc_info=e)
+                    raise
+            case 'Delete':
+                try:
+                    resp = self.on_delete(properties)
+                except Exception as e:
+                    logger.error(f'Error in {self.handler_name} delete', exc_info=e)
+                    raise
+            case _:
+                raise ValueError(f'Unexpected request type: {request_type}')
+
+        logger.info(f'{self.handler_name} handler complete')
+        return resp
+
+    @abstractmethod
+    def on_create(self, properties: dict) -> CustomResourceResponse | None:
+        """Handle Create events.
+
+        This method should be implemented by subclasses to perform the migration when a resource is being created.
+
+        :param properties: The ResourceProperties from the CloudFormation event
+        :type properties: dict
+        :return: Any result to be returned to CloudFormation
+        :rtype: Optional[CustomResourceResponse]
+        """
+
+    @abstractmethod
+    def on_update(self, properties: dict) -> CustomResourceResponse | None:
+        """Handle Update events.
+
+        This method should be implemented by subclasses to perform the migration when a resource is being updated.
+
+        :param properties: The ResourceProperties from the CloudFormation event
+        :type properties: dict
+        :return: Any result to be returned to CloudFormation
+        :rtype: Optional[CustomResourceResponse]
+        """
+
+    @abstractmethod
+    def on_delete(self, properties: dict) -> CustomResourceResponse | None:
+        """Handle Delete events.
+
+        This method should be implemented by subclasses to handle deletion of the migration. In many cases, this can
+        be a no-op as the migration is temporary and deletion should have no effect.
+
+        :param properties: The ResourceProperties from the CloudFormation event
+        :type properties: dict
+        :return: Any result to be returned to CloudFormation
+        :rtype: Optional[CustomResourceResponse]
+        """