Lambda versioning for provisioned concurrancy (#309)

Karthikeyannhs · eddalmond1 · commit 68fa0f1815cc · 2025-08-22T13:20:36.000+01:00
* lambda versioning for provisioned concurrency

* dlq is not for RequestResponse (sync)

* checkov skip for dlq
diff --git a/infrastructure/modules/lambda/data.tf b/infrastructure/modules/lambda/data.tf
@@ -1,6 +1 @@
 data "aws_caller_identity" "current" {}
-
-data "aws_lambda_function" "existing" {
-  function_name = var.lambda_func_name
-  qualifier     = "$LATEST"
-}
diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf
@@ -1,4 +1,5 @@
 resource "aws_lambda_function" "eligibility_signposting_lambda" {
+  #checkov:skip=CKV_AWS_116: No deadletter queue is configured for this Lambda function, as the requests are synchronous
   #checkov:skip=CKV_AWS_115: Concurrent execution limit will be set at APIM level, not at Lambda level
   #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238
   # If the file is not in the current working directory you will need to include a
@@ -27,15 +28,13 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
   kms_key_arn = aws_kms_key.lambda_cmk.arn
 
+  publish = true
+
   vpc_config {
     subnet_ids         = var.vpc_intra_subnets
     security_group_ids = var.security_group_ids
   }
 
-  dead_letter_config {
-    target_arn = aws_sqs_queue.lambda_dlq.arn
-  }
-
   layers = compact([
   var.environment == "prod" ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:${var.lambda_insights_extension_version}" : null
   ])
@@ -49,14 +48,8 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 resource "aws_lambda_alias" "campaign_alias" {
   count            = var.environment == "prod" ? 1 : 0
   name             = "live"
-  function_name    = coalesce(
-    aws_lambda_function.eligibility_signposting_lambda.function_name,
-    data.aws_lambda_function.existing.function_name
-  )
-  function_version = coalesce(
-    aws_lambda_function.eligibility_signposting_lambda.version,
-    data.aws_lambda_function.existing.version
-  )
+  function_name    = aws_lambda_function.eligibility_signposting_lambda.function_name
+  function_version = aws_lambda_function.eligibility_signposting_lambda.version
 }
 
 # provisioned concurrency - number of pre-warmed lambda containers
@@ -66,3 +59,4 @@ resource "aws_lambda_provisioned_concurrency_config" "campaign_pc" {
   qualifier                         = aws_lambda_alias.campaign_alias[0].name
   provisioned_concurrent_executions = var.provisioned_concurrency_count
 }
+
diff --git a/infrastructure/modules/lambda/sqs.tf b/infrastructure/modules/lambda/sqs.tf
diff --git a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
@@ -52,10 +52,7 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
 
       # X-Ray - Lambda tracing
       "xray:PutTraceSegments",
-      "xray:PutTelemetryRecords",
-
-      #SQS - message management
-      "sqs:SendMessage"
+      "xray:PutTelemetryRecords"
     ]
 
     resources = ["*"]
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -550,32 +550,6 @@ resource "aws_iam_policy" "cloudwatch_management" {
   tags = merge(local.tags, { Name = "cloudwatch-management" })
 }
 
-# SQS Management Policy for GetQueueAttributes
-resource "aws_iam_policy" "sqs_management" {
-  name        = "sqs-management"
-  description = "Policy granting permissions to get SQS queue attributes"
-  path        = "/service-policies/"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "sqs:GetQueueAttributes",
-          "sqs:listqueuetags",
-          "sqs:createqueue"
-        ],
-        Resource = [
-          "arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*"
-        ]
-      }
-    ]
-  })
-
-  tags = merge(local.tags, { Name = "sqs-management" })
-}
-
 # Attach the policies to the role
 resource "aws_iam_role_policy_attachment" "terraform_state" {
   role       = aws_iam_role.github_actions.name
@@ -621,9 +595,3 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_management" {
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.cloudwatch_management.arn
 }
-
-resource "aws_iam_role_policy_attachment" "sqs_management" {
-  role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.sqs_management.arn
-}
-
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -221,13 +221,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ssm:GetParameters",
       "ssm:ListTagsForResource",
       "ssm:PutParameter",
-      "ssm:AddTagsToResource",
-
-      #SQS - message management
-      "sqs:SendMessage",
-      "sqs:GetQueueAttributes",
-      "sqs:listqueuetags",
-      "sqs:createqueue"
+      "ssm:AddTagsToResource"
     ]
 
     resources = ["*"]
