enable dead letter queue

Author: Karthikeyannhs

infrastructure/modules/lambda/lambda.tf

@@ -33,9 +33,17 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
     security_group_ids = var.security_group_ids
   }
 
+  layers = ["arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:38"]
+
+  dead_letter_config {
+    target_arn = aws_sqs_queue.lambda_dlq.arn
+  }
+
   tracing_config {
     mode = "Active"
   }
+
+  depends_on = [aws_iam_role_policy_attachment.lambda_dlq_attach]
 }
 
 # provisioned concurrency - number of pre-warmed lambda containers

infrastructure/modules/lambda/outputs.tf

@@ -16,3 +16,7 @@ output "aws_lambda_invoke_arn" {
 output "lambda_cmk_arn" {
   value = aws_kms_key.lambda_cmk.arn
 }
+
+output "lambda_role_arn" {
+  value = var.eligibility_lambda_role_arn
+}

infrastructure/modules/lambda/sqs.tf

@@ -0,0 +1,26 @@
+resource "aws_sqs_queue" "lambda_dlq" {
+  name = "${var.lambda_func_name}_dead_letter_queue"
+  kms_master_key_id = aws_kms_key.lambda_cmk.id
+  tags = var.tags
+}
+
+resource "aws_iam_policy" "lambda_sqs_send_policy" {
+  name = "LambdaSQSMessageSendPolicy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = "sqs:SendMessage",
+        "Resource": "*"
+      }
+    ]
+  })
+}
+
+
+# Attach lambda_dlq_policy to Lambda
+resource "aws_iam_role_policy_attachment" "lambda_dlq_attach" {
+  role       = var.eligibility_lambda_role_name
+  policy_arn = aws_iam_policy.lambda_sqs_send_policy.arn
+}

infrastructure/modules/lambda/variables.tf

@@ -3,6 +3,11 @@ variable "eligibility_lambda_role_arn" {
   type        = string
 }
 
+variable "eligibility_lambda_role_name" {
+  description = "lambda read role name for dynamodb"
+  type        = string
+}
+
 variable "lambda_func_name" {
   description = "Name of the Lambda function"
   type        = string

infrastructure/stacks/api-layer/iam_policies.tf

@@ -189,6 +189,13 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+#Attach lambda_insights_policy_attachment to Lambda
+resource "aws_iam_role_policy_attachment" "lambda_insights_policy_attachment" {
+  role       = aws_iam_role.eligibility_lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
+}
+
+
 # Policy doc for S3 Audit bucket
 data "aws_iam_policy_document" "s3_audit_bucket_policy" {
   statement {

infrastructure/stacks/api-layer/lambda.tf

@@ -13,6 +13,7 @@ data "aws_subnet" "private_subnets" {
 module "eligibility_signposting_lambda_function" {
   source                          = "../../modules/lambda"
   eligibility_lambda_role_arn     = aws_iam_role.eligibility_lambda_role.arn
+  eligibility_lambda_role_name    = aws_iam_role.eligibility_lambda_role.name
   workspace                       = local.workspace
   environment                     = var.environment
   lambda_func_name                = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"