From d7964d8fc3f91fdad9eb914778d19c35b5008701 Mon Sep 17 00:00:00 2001 From: Jack Plowman Date: Fri, 20 Oct 2023 08:22:01 +0100 Subject: [PATCH] Move to lambda module Remove iam module Add remaining lambdas --- Makefile | 28 +- build/automation/var/profile/dev.mk | 2 +- build/automation/var/project.mk | 47 +- deployment/serverless.yml | 300 ------ .../modules/lambda-iam-role/data.tf | 10 - .../modules/lambda-iam-role/main.tf | 47 - .../modules/lambda-iam-role/outputs.tf | 3 - .../modules/lambda-iam-role/variables.tf | 13 - .../.terraform.lock.hcl | 40 - .../stacks/after-lambda-deployment/data.tf | 59 -- .../after-lambda-deployment/terraform.tf | 11 - .../after-lambda-deployment/variables.tf | 175 ---- .../stacks/application/.terraform.lock.hcl | 60 ++ infrastructure/stacks/application/data.tf | 31 + infrastructure/stacks/application/iam.tf | 852 +++++++++--------- infrastructure/stacks/application/lambda.tf | 456 +++++++++- infrastructure/stacks/application/outputs.tf | 10 +- infrastructure/stacks/application/sns.tf | 12 + .../splunk.tf | 35 +- .../sqs.tf | 48 +- .../stacks/application/variables.tf | 293 +++++- 21 files changed, 1285 insertions(+), 1247 deletions(-) delete mode 100644 deployment/serverless.yml delete mode 100644 infrastructure/modules/lambda-iam-role/data.tf delete mode 100644 infrastructure/modules/lambda-iam-role/main.tf delete mode 100644 infrastructure/modules/lambda-iam-role/outputs.tf delete mode 100644 infrastructure/modules/lambda-iam-role/variables.tf delete mode 100644 infrastructure/stacks/after-lambda-deployment/.terraform.lock.hcl delete mode 100644 infrastructure/stacks/after-lambda-deployment/data.tf delete mode 100755 infrastructure/stacks/after-lambda-deployment/terraform.tf delete mode 100755 infrastructure/stacks/after-lambda-deployment/variables.tf rename infrastructure/stacks/{after-lambda-deployment => application}/splunk.tf (73%) rename infrastructure/stacks/{after-lambda-deployment => application}/sqs.tf (62%) 
diff --git a/Makefile b/Makefile
index 1704c474d..c74df8f44 100644
--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,7 @@ deploy: # Deploys whole project - mandatory: PROFILE
 undeploy: # Undeploys whole project - mandatory: PROFILE
 eval "$$(make -s populate-deployment-variables)"
- make terraform-destroy-auto-approve STACKS=blue-green-link,application,shared-resources
+ make terraform-destroy-auto-approve STACKS=blue-green-link,application,shared-resources VERSION=any
 if [ "$(PROFILE)" != "live" ]; then make terraform-destroy-auto-approve STACKS=api-key fi
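Review bot: `VERSION=any` on the destroy line is an unexplained magic value; nothing on this line says why a version is needed to tear a stack down. From the rest of this commit it appears to exist only because the application stack's `TF_VAR_*_version` inputs default to `$(VERSION)` (project.mk) and Terraform will not run without them even for destroy, so a comment such as `# VERSION=any: the application stack declares *_version inputs that must be set; the value is irrelevant for destroy` would spare the next reader the hunt. The `if … fi` context that follows is unchanged by this hunk.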
@@ -45,27 +45,16 @@ build-and-deploy: # Builds and Deploys whole project - mandatory: PROFILE
 populate-deployment-variables:
 echo "unset AWS_PROFILE"
- echo "export DB_WRITER_SERVER=$(DB_WRITER_ROUTE_53)"
- echo "export DB_READER_SERVER=$(DB_READER_ROUTE_53)"
 DEPLOYMENT_SECRETS=$$(make -s secret-get-existing-value NAME=$(DEPLOYMENT_SECRETS))
- echo "export DB_READ_AND_WRITE_USER_NAME=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(DB_USER_NAME_SECRET_KEY)')"
- echo "export DB_READ_ONLY_USER_NAME=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(DB_READ_ONLY_USER_NAME_SECRET_KEY)')"
 echo "export SLACK_WEBHOOK_URL=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(SLACK_WEBHOOK_SECRET_KEY)')"
 echo "export PROJECT_SYSTEM_EMAIL_ADDRESS=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(SYSTEM_EMAIL_KEY)')"
 echo "export PROJECT_TEAM_EMAIL_ADDRESS=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(TEAM_EMAIL_KEY)')"
- echo "export PROJECT_SERVICE_CATEGORY=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(SERVICE_CATEGORY_KEY)')"
- echo "export PROJECT_DATA_CLASSIFICATION=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(DATA_CLASSIFICATION_KEY)')"
- echo "export PROJECT_DISTRIBUTION_LIST=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(DISTRIBUTION_LIST_KEY)')"
 echo "export TF_VAR_service_category=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(SERVICE_CATEGORY_KEY)')"
 echo "export TF_VAR_data_classification=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(DATA_CLASSIFICATION_KEY)')"
 echo "export TF_VAR_distribution_list=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(DISTRIBUTION_LIST_KEY)')"
 echo "export TF_VAR_aws_sso_role=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(AWS_SSO_ROLE_KEY)')"
-
-unit-test-local:
- pyenv local .venv
- pip install -r application/requirements-dev.txt -r application/service_matcher/requirements.txt -r application/event_replay/requirements.txt -r application/service_sync/requirements.txt -r application/change_event_dlq_handler/requirements.txt
- cd application
- python -m pytest --junitxml=./testresults.xml --cov-report term-missing --cov-report xml:coverage.xml --cov=. -vv
+ echo "export TF_VAR_dos_db_read_and_write_user_name=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(DB_USER_NAME_SECRET_KEY)')"
+ echo "export TF_VAR_dos_db_read_only_user_name=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(DB_READ_ONLY_USER_NAME_SECRET_KEY)')"
 unit-test:
 make -s docker-run-tester \
@@ -213,6 +202,7 @@ quality-checker-build-and-deploy: ### Build and deploy quality checker lambda do
 quick-build-and-deploy: # Build and deploy lambdas only (meant to for fast redeployment of existing lambdas) - mandatory: PROFILE, ENVIRONMENT
 make -s build VERSION=$(BUILD_TAG)
 make -s push-images VERSION=$(BUILD_TAG)
+ eval "$$(make -s populate-deployment-variables)"
 make terraform-apply-auto-approve STACKS=application VERSION=$(BUILD_TAG)
 push-images: # Use VERSION=[] to push a perticular version otherwise with default to latest
@@ -453,10 +443,7 @@ deploy-shared-resources: # Deploys shared resources (Only intended to run in pip
 deploy-blue-green-environment: # Deploys blue/green resources (Only intended to run in pipeline) - mandatory: PROFILE, ENVIRONMENT, SHARED_ENVIRONMENT, BLUE_GREEN_ENVIRONMENT
 eval "$$(make -s populate-deployment-variables)"
- make terraform-apply-auto-approve STACKS=before-lambda-deployment
- eval "$$(make -s populate-serverless-variables)"
- make serverless-deploy
- make terraform-apply-auto-approve STACKS=after-lambda-deployment
+ make terraform-apply-auto-approve STACKS=application
 build-and-deploy-blue-green-environment: # Deploys blue/green resources - mandatory: PROFILE, ENVIRONMENT, SHARED_ENVIRONMENT, BLUE_GREEN_ENVIRONMENT
 make build-and-push VERSION=$(BUILD_TAG)
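Review bot: The two added `echo "export TF_VAR_dos_db_..._user_name=$$(echo $$DEPLOYMENT_SECRETS | jq -r '.$(…)')"` lines, like the existing ones beside them, produce shell text that the callers `eval`, and the extracted value is interpolated unquoted, so a secret value containing whitespace or shell metacharacters would be word-split or, worse, executed by the caller's shell instead of exported. Let jq emit a shell-safe token — `jq -r '.$(DB_USER_NAME_SECRET_KEY) | @sh'` — and feed it `printf '%s' "$$DEPLOYMENT_SECRETS"` rather than the unquoted `echo $$DEPLOYMENT_SECRETS`, which word-splits and glob-expands the JSON before jq sees it. `jq -r` also prints the literal `null` for a missing key, so a mistyped `*_SECRET_KEY` name silently exports the string `null` into Terraform; that applies equally to the pre-existing lines. Since these user names are now Terraform input variables rather than process environment, they will show up in plan output and in the state of whatever resource consumes them — tolerable for user names, but the same route must not be extended to the password keys that stay in Secrets Manager.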
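Review bot: With `make terraform-apply-auto-approve STACKS=application` now the only deploy step, every function-level control that lived solely in the deleted deployment/serverless.yml has to be reproduced by lambda.tf/iam.tf, which are outside this chunk. The ones worth checking explicitly, because losing them would not fail the deploy: the `serverlessIfElse` rule that excluded `dos-db-handler` (the non-live DB access function) for the `live`, `perf` and `perf2` profiles, the `vpcDiscovery` subnet/security-group attachment on the four DB-touching functions, `maximumRetryAttempts: 0` on the queue-driven handlers, `tracing.lambda: true`, and the `cron(30 4 ? * MON *)` schedule on quality-checker. `populate-serverless-variables` and `serverless-deploy` are no longer invoked here or in undeploy; if those targets still exist elsewhere in the Makefile they are now dead and should be removed in the same change.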
@@ -475,10 +462,7 @@ undeploy-shared-resources: # Undeploys shared resources (Only intended to run in
 undeploy-blue-green-environment: # Undeploys blue/green resources (Only intended to run in pipeline) - mandatory: PROFILE, ENVIRONMENT, SHARED_ENVIRONMENT, BLUE_GREEN_ENVIRONMENT
 eval "$$(make -s populate-deployment-variables)"
- make terraform-destroy-auto-approve STACKS=after-lambda-deployment
- eval "$$(make -s populate-serverless-variables)"
- make serverless-remove VERSION="any"
- make terraform-destroy-auto-approve STACKS=before-lambda-deployment
+ make terraform-destroy-auto-approve STACKS=application
 unlink-blue-green-environment: # Un-Links blue green environment - mandatory: PROFILE, ENVIRONMENT, SHARED_ENVIRONMENT, BLUE_GREEN_ENVIRONMENT
 eval "$$(make -s populate-deployment-variables)"
diff --git a/build/automation/var/profile/dev.mk b/build/automation/var/profile/dev.mk
index 9bd4da1de..7f52d6f5e 100644
--- a/build/automation/var/profile/dev.mk
+++ b/build/automation/var/profile/dev.mk
@@ -8,7 +8,7 @@ LOG_LEVEL:= DEBUG
 # DB Name
 DB_CLUSTER_NAME := uec-core-dos-regression-cluster-14
 DB_WRITER_NAME := uec-core-dos-regression-cluster-14-one
-DB_READER_NAME := ec-core-dos-regression-cluster-14-two
+DB_READER_NAME := uec-core-dos-regression-cluster-14-two
 # DB Route 53s
 DB_WRITER_ROUTE_53 := core-dos-regression-master.dos-db-rds
diff --git a/build/automation/var/project.mk b/build/automation/var/project.mk
index 7baecfcf9..db4d65f9d 100644
--- a/build/automation/var/project.mk
+++ b/build/automation/var/project.mk
@@ -30,11 +30,6 @@ TF_VAR_github_owner = nhsd-exeter
 TF_VAR_github_repo = dos-integration
 PARALLEL_TEST_COUNT := $(or $(PARALLEL_TEST_COUNT), auto)
-# DOS DB (Aurora)
-TF_VAR_dos_db_cluster_name:= $(DB_CLUSTER_NAME)
-TF_VAR_dos_db_writer_name := $(DB_WRITER_NAME)
-TF_VAR_dos_db_reader_name := $(DB_READER_NAME)
-
 UNACCEPTABLE_VULNERABILITY_LEVELS = CRITICAL,HIGH,MEDIUM
 BLUE_GREEN_ENVIRONMENT := $(or $(BLUE_GREEN_ENVIRONMENT), $(ENVIRONMENT))
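Review bot: `make terraform-destroy-auto-approve STACKS=application` here passes no `VERSION`, while the top-level `undeploy` in this same commit adds `VERSION=any` when destroying the same stack, and the removed `serverless-remove VERSION="any"` line did likewise. The application stack's `TF_VAR_*_version` inputs fall back to `$(VERSION)` (project.mk), so unless the pipeline always exports VERSION this destroy would hand Terraform empty version variables and fail only after the eval has already run. Suggest `make terraform-destroy-auto-approve STACKS=application VERSION=any` for consistency with `undeploy`.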
@@ -67,8 +62,6 @@ TF_VAR_nightly_rule_name := $(PROJECT_ID)-$(ENVIRONMENT)-performance-pipeline-ni
 # General
 TF_VAR_docker_registry := $(DOCKER_REGISTRY)
-TF_VAR_log_level := $(LOG_LEVEL)
-TF_VAR_lambda_powertools_service_name := $(PROGRAMME)-$(TEAM_ID)-$(PROFILE)-$(BLUE_GREEN_ENVIRONMENT)
 # Tags
 TF_VAR_tags_secret_manager = $(TAG_SECRET_MANAGER)
@@ -199,27 +192,15 @@ TF_VAR_service_sync_lambda := $(PROJECT_ID)-$(BLUE_GREEN_ENVIRONMENT)-$(SERVICE_
 TF_VAR_slack_messenger_lambda := $(PROJECT_ID)-$(BLUE_GREEN_ENVIRONMENT)-$(SLACK_MESSENGER)
 TF_VAR_quality_checker_lambda := $(PROJECT_ID)-$(BLUE_GREEN_ENVIRONMENT)-$(QUALITY_CHECKER)
-# Lambda IAM Roles
-TF_VAR_change_event_dlq_handler_role := $(CHANGE_EVENT_DLQ_HANDLER_LAMBDA)-role
-TF_VAR_dos_db_handler_role := $(DOS_DB_HANDLER_LAMBDA)-role
-TF_VAR_dos_db_update_dlq_handler_role := $(DOS_DB_UPDATE_DLQ_HANDLER_LAMBDA)-role
-TF_VAR_event_replay_role := $(EVENT_REPLAY_LAMBDA)-role
-TF_VAR_ingest_change_event_role := $(INGEST_CHANGE_EVENT_LAMBDA)-role
-TF_VAR_send_email_role := $(SEND_EMAIL_LAMBDA)-role
-TF_VAR_service_matcher_role := $(SERVICE_MATCHER_LAMBDA)-role
-TF_VAR_service_sync_role := $(SERVICE_SYNC_LAMBDA)-role
-TF_VAR_slack_messenger_role := $(SLACK_MESSENGER_LAMBDA)-role
-TF_VAR_quality_checker_role := $(QUALITY_CHECKER_LAMBDA)-role
-
 # Lambda Versions
 TF_VAR_change_event_dlq_handler_version := $(or $(CHANGE_EVENT_DLQ_HANDLER_VERSION), $(VERSION))
-TF_VAR_dos_db_handlerversion := $(or $(DOS_DB_HANDLER_VERSION), $(VERSION))
+TF_VAR_dos_db_handler_version := $(or $(DOS_DB_HANDLER_VERSION), $(VERSION))
 TF_VAR_dos_db_update_dlq_handler_version := $(or $(DOS_DB_UPDATE_DLQ_HANDLER_VERSION), $(VERSION))
 TF_VAR_event_replay_version := $(or $(EVENT_REPLAY_VERSION), $(VERSION))
 TF_VAR_ingest_change_event_version := $(or $(INGEST_CHANGE_EVENT_VERSION), $(VERSION))
 TF_VAR_send_email_version := $(or $(SEND_EMAIL_VERSION), $(VERSION))
 TF_VAR_service_matcher_version := $(or $(SERVICE_MATCHER_VERSION), $(VERSION))
-TF_VAR_service_sync_lambda_version := $(or $(SERVICE_SYNC_VERSION), $(VERSION))
+TF_VAR_service_sync_version := $(or $(SERVICE_SYNC_VERSION), $(VERSION))
 TF_VAR_slack_messenger_version := $(or $(SLACK_MESSENGER_VERSION), $(VERSION))
 TF_VAR_quality_checker_version := $(or $(QUALITY_CHECKER_VERSION), $(VERSION))
@@ -241,3 +222,27 @@ TF_VAR_sqs_dlq_recieved_msg_alert_name := $(PROJECT_ID)-$(BLUE_GREEN_ENVIRONMENT
 TF_VAR_sns_topic_app_alerts_for_slack_default_region := $(PROJECT_ID)-$(BLUE_GREEN_ENVIRONMENT)-topic-app-alerts-for-slack-default-region
 TF_VAR_sns_topic_app_alerts_for_slack_route53_health_check_alarm_region := $(PROJECT_ID)-$(BLUE_GREEN_ENVIRONMENT)-topic-app-alerts-for-slack-route53-health-check-alarm-region
 SQS_QUEUE_URL:= https://sqs.$(AWS_REGION).amazonaws.com/$(AWS_ACCOUNT_ID)/$(TF_VAR_change_event_queue)
+
+# Lambda Concurrency
+TF_VAR_service_matcher_max_concurrency := $(SERVICE_MATCHER_MAX_CONCURRENCY)
+TF_VAR_service_sync_max_concurrency := $(SERVICE_SYNC_MAX_CONCURRENCY)
+
+# Lambda Variables
+TF_VAR_log_level := $(LOG_LEVEL)
+TF_VAR_lambda_powertools_service_name := $(PROGRAMME)-$(TEAM_ID)-$(PROFILE)-$(BLUE_GREEN_ENVIRONMENT)
+TF_VAR_dos_db_cluster_name := $(DB_CLUSTER_NAME)
+TF_VAR_dos_db_writer_name := $(DB_WRITER_NAME)
+TF_VAR_dos_db_reader_name := $(DB_READER_NAME)
+TF_VAR_dos_db_writer_route_53 := $(DB_WRITER_ROUTE_53)
+TF_VAR_dos_db_reader_route_53 := $(DB_READER_ROUTE_53)
+TF_VAR_dos_db_port := $(DB_PORT)
+TF_VAR_dos_db_name := $(DB_NAME)
+TF_VAR_dos_db_schema := $(DB_SCHEMA)
+TF_VAR_dos_db_writer_security_group_name := $(DB_WRITER_SG_NAME)
+TF_VAR_dos_db_reader_security_group_name := $(DB_READER_SG_NAME)
+TF_VAR_dos_db_writer_secret_name := $(DB_WRITER_SECRET_NAME)
+TF_VAR_dos_db_writer_secret_key := $(DB_WRITER_SECRET_KEY)
+TF_VAR_dos_db_reader_secret_name := $(DB_READER_SECRET_NAME)
+TF_VAR_dos_db_reader_secret_key := $(DB_READER_SECRET_KEY)
+TF_VAR_dos_db_read_only_user_name_secret_name := $(DB_READ_ONLY_USER_NAME_SECRET_NAME)
+TF_VAR_dos_db_read_only_user_name_secret_key := $(DB_READ_ONLY_USER_NAME_SECRET_KEY)
diff --git a/deployment/serverless.yml b/deployment/serverless.yml
deleted file mode 100644
index d4859612d..000000000
--- a/deployment/serverless.yml
+++ /dev/null
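Review bot: The new `# Lambda Variables` block mixes plain configuration (hosts, port, schema) with the names and keys of Secrets Manager entries, and nothing marks that boundary; in the deleted serverless.yml these same keys were Lambda environment variables, and presumably still are via lambda.tf (outside this chunk). A guardrail comment would help the next person tempted to add a credential here, e.g. `# Identifiers only (hostnames, secret names/keys). Credentials are fetched from Secrets Manager at runtime; secret VALUES must never be set as TF_VARs, they would end up in Terraform state and Lambda env vars.` The `:=` assignments rely on the `DB_*` values being defined by the profile before this file is parsed; that was already true of the definitions this block replaces, so it only needs a comment if the include order is not obvious elsewhere.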
@@ -1,300 +0,0 @@ -# For documentation see here - https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml -service: uec-dos-integration -frameworkVersion: "3" -configValidationMode: error - -provider: - name: aws - deploymentMethod: direct - lambdaHashingVersion: 20201221 - architecture: arm64 - region: ${env:AWS_REGION} - versionFunctions: false - deploymentBucket: - blockPublicAccess: true - skipPolicySetup: true - versioning: true - serverSideEncryption: aws:kms - sseKMSKeyId: ${env:TERRAFORM_KMS_KEY_ID} - stackTags: - BUILD_TIMESTAMP: ${env:VERSION} - BlueGreenEnvironment: ${env:BLUE_GREEN_ENVIRONMENT} - DataClassification: ${env:PROJECT_DATA_CLASSIFICATION} - EnvironmentType: ${env:AWS_ACCOUNT_NAME} - Owner: ${env:PROJECT_DISTRIBUTION_LIST} - Product: ${env:PROJECT_ID} - Profile: ${env:PROFILE} - Programme: ${env:PROGRAMME} - Project: ${env:PROJECT_DISPLAY_NAME} - PublicFacing: "No" - Service: ${env:PROJECT_ID} - ServiceCategory: ${env:PROJECT_SERVICE_CATEGORY} - SharedEnvironment: ${env:SHARED_ENVIRONMENT} - TagVersion: "2.0" - Tool: "Serverless Framework deployed by CloudFormation" - tags: - BUILD_TIMESTAMP: ${env:VERSION} - BlueGreenEnvironment: ${env:BLUE_GREEN_ENVIRONMENT} - DataClassification: ${env:PROJECT_DATA_CLASSIFICATION} - Environment: ${env:AWS_ACCOUNT_NAME} - Owner: ${env:PROJECT_DISTRIBUTION_LIST} - Product: ${env:PROJECT_ID} - Profile: ${env:PROFILE} - Programme: ${env:PROGRAMME} - Project: ${env:PROJECT_DISPLAY_NAME} - PublicFacing: "No" - Service: ${env:PROJECT_ID} - ServiceCategory: ${env:PROJECT_SERVICE_CATEGORY} - SharedEnvironment: ${env:SHARED_ENVIRONMENT} - TagVersion: "2.0" - Tool: "Serverless Framework deployed by CloudFormation" - environment: - PROFILE: ${env:PROFILE} - ENV: ${env:BLUE_GREEN_ENVIRONMENT} - SHARED_ENVIRONMENT: ${env:SHARED_ENVIRONMENT} - POWERTOOLS_SERVICE_NAME: ${env:PROGRAMME}-${env:TEAM_ID}-${env:PROFILE}-${sls:stage} - POWERTOOLS_TRACER_CAPTURE_RESPONSE: true - 
POWERTOOLS_TRACER_CAPTURE_ERROR: true - POWERTOOLS_TRACE_MIDDLEWARES: true - LOG_LEVEL: ${env:LOG_LEVEL} - IMAGE_VERSION: ${env:VERSION} - logs: - restApi: - format: '{"requestTime":"$context.requestTime","requestId":"$context.requestId","httpMethod":"$context.httpMethod","path":"$context.path","resourcePath":"$context.resourcePath","status":"$context.status","responseLatency":"$context.responseLatency","xrayTraceId":"$context.xrayTraceId","integrationRequestId":"$context.integration.requestId","functionResponseStatus":"$context.integration.status","integrationLatency":"$context.integration.latency","integrationServiceStatus":"$context.integration.integrationStatus","ip":"$context.identity.sourceIp","userAgent":"$context.identity.userAgent"}' - tracing: - lambda: true - disableRollback: ${env:SERVERLESS_DISABLE_ROLLBACK} - -plugins: - - serverless-vpc-discovery - - serverless-plugin-ifelse - -custom: - serverlessIfElse: - - If: '"${env:PROFILE}" == "live"' - Exclude: - - functions.dos-db-handler - - If: '"${env:PROFILE}" == "perf"' - Exclude: - - functions.dos-db-handler - - If: '"${env:PROFILE}" == "perf2"' - Exclude: - - functions.dos-db-handler - -functions: - change-event-dlq-handler: - image: ${env:DOCKER_REGISTRY}/${env:CHANGE_EVENT_DLQ_HANDLER}:${env:VERSION} - name: ${env:CHANGE_EVENT_DLQ_HANDLER_LAMBDA} - description: ${sls:stage} Change Event DLQ Handler - memorySize: 128 - timeout: 30 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_change_event_dlq_handler_role} - environment: - CHANGE_EVENTS_TABLE_NAME: ${env:TF_VAR_change_events_table_name} - maximumRetryAttempts: 0 - - dos-db-handler: - image: ${env:DOCKER_REGISTRY}/${env:DOS_DB_HANDLER}:${env:VERSION} - name: ${env:DOS_DB_HANDLER_LAMBDA} - description: ${sls:stage} DoS DB Handler for accessing DoS DB in Non-Live environments - memorySize: 128 - timeout: 30 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_dos_db_handler_role} - environment: - DB_NAME: ${env:DB_NAME} - DB_PORT: 
${env:DB_PORT} - DB_READ_ONLY_USER_NAME: ${env:DB_READ_ONLY_USER_NAME} - DB_READER_SECRET_NAME: ${env:DB_READER_SECRET_NAME} - DB_READER_SECRET_KEY: ${env:DB_READER_SECRET_KEY} - DB_READER_SERVER: ${env:DB_READER_SERVER} - DB_WRITER_SERVER: ${env:DB_WRITER_SERVER} - DB_SCHEMA: ${env:DB_SCHEMA} - DB_WRITER_SECRET_KEY: ${env:DOS_DEPLOYMENT_SECRETS_PASSWORD_KEY} - DB_WRITER_SECRET_NAME: ${env:DOS_DEPLOYMENT_SECRETS} - DB_READ_AND_WRITE_USER_NAME: ${env:DOS_DB_HANDLER_DB_READ_AND_WRITE_USER_NAME} - maximumRetryAttempts: 0 - vpcDiscovery: - vpcName: "${env:AWS_VPC_NAME}" - subnets: - - tagKey: Name - tagValues: - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}a" - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}b" - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}c" - securityGroups: - - tagKey: Name - tagValues: - - "${env:TF_VAR_lambda_security_group_name}" - - dos-db-update-dlq-handler: - image: ${env:DOCKER_REGISTRY}/${env:DOS_DB_UPDATE_DLQ_HANDLER}:${env:VERSION} - name: ${env:DOS_DB_UPDATE_DLQ_HANDLER_LAMBDA} - description: ${sls:stage} DoS DB Update DLQ Handler - memorySize: 128 - timeout: 30 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_dos_db_update_dlq_handler_role} - maximumRetryAttempts: 0 - - event-replay: - image: ${env:DOCKER_REGISTRY}/${env:EVENT_REPLAY}:${env:VERSION} - name: ${env:EVENT_REPLAY_LAMBDA} - description: ${sls:stage} Event Replay - memorySize: 128 - timeout: 30 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_event_replay_role} - environment: - CHANGE_EVENTS_TABLE_NAME: ${env:TF_VAR_change_events_table_name} - CHANGE_EVENT_SQS_NAME: ${env:TF_VAR_change_event_queue} - maximumRetryAttempts: 0 - - ingest-change-event: - image: ${env:DOCKER_REGISTRY}/${env:INGEST_CHANGE_EVENT}:${env:VERSION} - name: ${env:INGEST_CHANGE_EVENT_LAMBDA} - description: ${sls:stage} Ingest Change Event - memorySize: 128 - timeout: 30 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_ingest_change_event_role} - environment: - 
HOLDING_QUEUE_URL: ${env:HOLDING_QUEUE_URL} - CHANGE_EVENTS_TABLE_NAME: ${env:TF_VAR_change_events_table_name} - maximumRetryAttempts: 2 - - send-email: - image: ${env:DOCKER_REGISTRY}/${env:SEND_EMAIL}:${env:VERSION} - name: ${env:SEND_EMAIL_LAMBDA} - description: ${sls:stage} Send Email - memorySize: 128 - timeout: 30 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_send_email_role} - environment: - AWS_ACCOUNT_NAME: ${env:AWS_ACCOUNT_NAME} - SYSTEM_EMAIL_ADDRESS: ${env:PROJECT_SYSTEM_EMAIL_ADDRESS} - EMAIL_SECRET_NAME: ${env:PROJECT_DEPLOYMENT_SECRETS} - maximumRetryAttempts: 2 - - service-matcher: - image: ${env:DOCKER_REGISTRY}/${env:SERVICE_MATCHER}:${env:VERSION} - name: ${env:SERVICE_MATCHER_LAMBDA} - description: ${sls:stage} Service Matcher - memorySize: 192 - timeout: 10 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_service_matcher_role} - maximumRetryAttempts: 0 - reservedConcurrency: ${env:SERVICE_MATCHER_MAX_CONCURRENCY} - environment: - CHANGE_EVENTS_TABLE_NAME: ${env:TF_VAR_change_events_table_name} - UPDATE_REQUEST_QUEUE_URL: ${env:UPDATE_REQUEST_QUEUE_URL} - DB_NAME: ${env:DB_NAME} - DB_PORT: ${env:DB_PORT} - DB_READ_ONLY_USER_NAME: ${env:DB_READ_ONLY_USER_NAME} - DB_READER_SECRET_NAME: ${env:DB_READER_SECRET_NAME} - DB_READER_SECRET_KEY: ${env:DB_READER_SECRET_KEY} - DB_READER_SERVER: ${env:DB_READER_SERVER} - DB_SCHEMA: ${env:DB_SCHEMA} - PHARMACY_FIRST_PHASE_ONE_PARAMETER: ${env:PHARMACY_FIRST_PHASE_ONE_PARAMETER} - vpcDiscovery: - vpcName: "${env:AWS_VPC_NAME}" - subnets: - - tagKey: Name - tagValues: - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}a" - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}b" - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}c" - securityGroups: - - tagKey: Name - tagValues: - - "${env:TF_VAR_lambda_security_group_name}" - - service-sync: - image: ${env:DOCKER_REGISTRY}/${env:SERVICE_SYNC}:${env:VERSION} - name: ${env:SERVICE_SYNC_LAMBDA} - description: ${sls:stage} Service Sync - 
memorySize: 512 - timeout: 20 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_service_sync_role} - environment: - CHANGE_EVENTS_TABLE_NAME: ${env:TF_VAR_change_events_table_name} - UPDATE_REQUEST_QUEUE_URL: ${env:UPDATE_REQUEST_QUEUE_URL} - DB_NAME: ${env:DB_NAME} - DB_PORT: ${env:DB_PORT} - DB_READ_ONLY_USER_NAME: ${env:DB_READ_ONLY_USER_NAME} - DB_READER_SECRET_NAME: ${env:DB_READER_SECRET_NAME} - DB_READER_SECRET_KEY: ${env:DB_READER_SECRET_KEY} - DB_READER_SERVER: ${env:DB_READER_SERVER} - DB_WRITER_SERVER: ${env:DB_WRITER_SERVER} - DB_SCHEMA: ${env:DB_SCHEMA} - DB_WRITER_SECRET_KEY: ${env:DB_WRITER_SECRET_KEY} - DB_WRITER_SECRET_NAME: ${env:DB_WRITER_SECRET_NAME} - DB_READ_AND_WRITE_USER_NAME: ${env:DB_READ_AND_WRITE_USER_NAME} - SEND_EMAIL_BUCKET_NAME: ${env:SEND_EMAIL_BUCKET_NAME} - TEAM_EMAIL_ADDRESS: ${env:PROJECT_TEAM_EMAIL_ADDRESS} - SYSTEM_EMAIL_ADDRESS: ${env:PROJECT_SYSTEM_EMAIL_ADDRESS} - SEND_EMAIL_LAMBDA: ${env:TF_VAR_send_email_lambda} - reservedConcurrency: ${env:SERVICE_SYNC_MAX_CONCURRENCY} - maximumRetryAttempts: 0 - vpcDiscovery: - vpcName: "${env:AWS_VPC_NAME}" - subnets: - - tagKey: Name - tagValues: - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}a" - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}b" - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}c" - securityGroups: - - tagKey: Name - tagValues: - - "${env:TF_VAR_lambda_security_group_name}" - - slack-messenger: - image: ${env:DOCKER_REGISTRY}/${env:SLACK_MESSENGER}:${env:VERSION} - name: ${env:SLACK_MESSENGER_LAMBDA} - description: ${sls:stage} Slack Messenger - memorySize: 128 - timeout: 10 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_slack_messenger_role} - environment: - SLACK_ALERT_CHANNEL: ${env:SLACK_ALERT_CHANNEL} - SLACK_WEBHOOK_URL: ${env:SLACK_WEBHOOK_URL} - events: - - sns: - arn: arn:aws:sns:${env:AWS_REGION}:${env:AWS_ACCOUNT_ID}:${env:TF_VAR_sns_topic_app_alerts_for_slack_default_region} - - sns: - arn: 
arn:aws:sns:${env:TF_VAR_route53_health_check_alarm_region}:${env:AWS_ACCOUNT_ID}:${env:TF_VAR_sns_topic_app_alerts_for_slack_route53_health_check_alarm_region} - - quality-checker: - image: ${env:DOCKER_REGISTRY}/${env:QUALITY_CHECKER}:${env:VERSION} - name: ${env:QUALITY_CHECKER_LAMBDA} - description: ${sls:stage} Quality Checker - memorySize: 512 - timeout: 900 - role: arn:aws:iam::${env:AWS_ACCOUNT_ID}:role/${env:TF_VAR_quality_checker_role} - environment: - DB_NAME: ${env:DB_NAME} - DB_PORT: ${env:DB_PORT} - DB_READ_ONLY_USER_NAME: ${env:DB_READ_ONLY_USER_NAME} - DB_READER_SECRET_NAME: ${env:DB_READER_SECRET_NAME} - DB_READER_SECRET_KEY: ${env:DB_READER_SECRET_KEY} - DB_READER_SERVER: ${env:DB_READER_SERVER} - DB_WRITER_SERVER: ${env:DB_WRITER_SERVER} - DB_SCHEMA: ${env:DB_SCHEMA} - DB_WRITER_SECRET_KEY: ${env:DB_WRITER_SECRET_KEY} - DB_WRITER_SECRET_NAME: ${env:DB_WRITER_SECRET_NAME} - DB_READ_AND_WRITE_USER_NAME: ${env:DB_READ_AND_WRITE_USER_NAME} - maximumRetryAttempts: 0 - events: - - schedule: - name: ${env:QUALITY_CHECKER_LAMBDA}-schedule - description: Quality Checker Schedule for triggering a DoS quality check - rate: cron(30 4 ? * MON *) - vpcDiscovery: - vpcName: "${env:AWS_VPC_NAME}" - subnets: - - tagKey: Name - tagValues: - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}a" - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}b" - - "${env:AWS_VPC_NAME}-private-${env:AWS_REGION}c" - securityGroups: - - tagKey: Name - tagValues: - - "${env:TF_VAR_lambda_security_group_name}" diff --git a/infrastructure/modules/lambda-iam-role/data.tf b/infrastructure/modules/lambda-iam-role/data.tf deleted file mode 100644 index da538e7cd..000000000 --- a/infrastructure/modules/lambda-iam-role/data.tf +++ /dev/null @@ -1,10 +0,0 @@ -data "aws_iam_policy_document" "lambda-assume-role-policy" { - statement { - actions = ["sts:AssumeRole"] - - principals { - type = "Service" - identifiers = ["lambda.amazonaws.com"] - } - } -} 
diff --git a/infrastructure/modules/lambda-iam-role/main.tf b/infrastructure/modules/lambda-iam-role/main.tf deleted file mode 100644 index 52e3d7588..000000000 --- a/infrastructure/modules/lambda-iam-role/main.tf +++ /dev/null @@ -1,47 +0,0 @@ -resource "aws_iam_role" "lambda_role" { - name = "${var.lambda_name}-role" - path = "/" - description = "Role for Lambda function ${var.lambda_name}" - assume_role_policy = data.aws_iam_policy_document.lambda-assume-role-policy.json -} - -resource "aws_iam_role_policy" "lambda_generic_policy" { - name = "lambda-generic-policy" - role = aws_iam_role.lambda_role.id - #checkov:skip=CKV_AWS_355:This is a generic policy that is used by all lambdas - #checkov:skip=CKV_AWS_290:This is a generic policy that is used by all lambdas - #tfsec:ignore:aws-iam-no-policy-wildcards: This is a generic policy that is used by all lambdas - policy = <