enhanced monitoring

Karthikeyannhs · Karthikeyannhs · commit 48553f75ddd4 · 2025-08-20T13:07:11.000+01:00
diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf
@@ -11,7 +11,7 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
   source_code_hash = filebase64sha256(var.file_name)
 
-  runtime     = "python3.13"
+  runtime     = var.runtime
   timeout     = 30
   memory_size = 2048
 
@@ -37,6 +37,10 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
     target_arn = aws_sqs_queue.lambda_dlq.arn
   }
 
+  layers = compact([
+  var.environment == "prod" ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:${var.lambda_insights_extension_version}" : null
+  ])
+
   tracing_config {
     mode = "Active"
   }
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
@@ -13,6 +13,12 @@ variable "lambda_func_name" {
   type        = string
 }
 
+variable "runtime" {
+  description = "runtime of the Lambda function"
+  type        = string
+}
+
+
 variable "vpc_intra_subnets" {
   description = "vpc private subnets for lambda"
   type        = list(string)
@@ -62,3 +68,8 @@ variable "provisioned_concurrency_count" {
   description = "Number of prewarmed Lambda instances"
   type        = number
 }
+
+variable "lambda_insights_extension_version" {
+  description = "version number of LambdaInsightsExtension"
+  type        = number
+}
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -189,6 +189,13 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+#Attach CloudWatchLambdaInsightsExecutionRolePolicy to lambda for enhanced monitoring
+resource "aws_iam_role_policy_attachment" "lambda_insights_policy" {
+  count      = var.environment == "prod" ? 1 : 0
+  role       = aws_iam_role.eligibility_lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
+}
+
 # Policy doc for S3 Audit bucket
 data "aws_iam_policy_document" "s3_audit_bucket_policy" {
   statement {
diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf
@@ -11,21 +11,23 @@ data "aws_subnet" "private_subnets" {
 }
 
 module "eligibility_signposting_lambda_function" {
-  source                          = "../../modules/lambda"
-  eligibility_lambda_role_arn     = aws_iam_role.eligibility_lambda_role.arn
-  eligibility_lambda_role_name    = aws_iam_role.eligibility_lambda_role.name
-  workspace                       = local.workspace
-  environment                     = var.environment
-  lambda_func_name                = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
-  security_group_ids              = [data.aws_security_group.main_sg.id]
-  vpc_intra_subnets               = [for v in data.aws_subnet.private_subnets : v.id]
-  file_name                       = "../../../dist/lambda.zip"
-  handler                         = "eligibility_signposting_api.app.lambda_handler"
-  eligibility_rules_bucket_name   = module.s3_rules_bucket.storage_bucket_name
-  eligibility_status_table_name   = module.eligibility_status_table.table_name
-  kinesis_audit_stream_to_s3_name = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
-  log_level                       = "INFO"
-  enable_xray_patching            = "true"
-  stack_name                      = local.stack_name
-  provisioned_concurrency_count   = 5
+  source                            = "../../modules/lambda"
+  eligibility_lambda_role_arn       = aws_iam_role.eligibility_lambda_role.arn
+  eligibility_lambda_role_name      = aws_iam_role.eligibility_lambda_role.name
+  workspace                         = local.workspace
+  environment                       = var.environment
+  runtime                           = "python3.13"
+  lambda_func_name                  = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
+  security_group_ids                = [data.aws_security_group.main_sg.id]
+  vpc_intra_subnets                 = [for v in data.aws_subnet.private_subnets : v.id]
+  file_name                         = "../../../dist/lambda.zip"
+  handler                           = "eligibility_signposting_api.app.lambda_handler"
+  eligibility_rules_bucket_name     = module.s3_rules_bucket.storage_bucket_name
+  eligibility_status_table_name     = module.eligibility_status_table.table_name
+  kinesis_audit_stream_to_s3_name   = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
+  lambda_insights_extension_version = 38
+  log_level                         = "INFO"
+  enable_xray_patching              = "true"
+  stack_name                        = local.stack_name
+  provisioned_concurrency_count     = 5
 }
