Updated infra folder to handle new INT environment

Author: robertnovac1

infra/.terraform.lock.hcl

@@ -0,0 +1,52 @@
+-include .env
+
+environment=$(ENVIRONMENT)
+
+tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform
+
+project_name = immunisation
+project_short_name = imms
+tf_state=-backend-config="bucket=immunisation-preprod-infra-terraform-state-files"
+
+
+.PHONY : lock-provider workspace init plan apply clean destroy output state-list lambda-zip catch-all-zip
+
+lock-provider:
+	# Run this only when you install a new terraform provider. This will generate sha code in lock file for all platform
+	echo "This may take a while. Be patient!"
+	$(tf_cmd) providers lock -platform=darwin_arm64 -platform=darwin_amd64 -platform=linux_amd64 -platform=windows_amd64
+
+workspace:
+	$(tf_cmd) workspace new $(environment) || $(tf_cmd) workspace select $(environment) && echo "Switched to workspace/environment: $(environment)"
+
+init:
+	$(tf_cmd) init $(tf_state) -upgrade  
+
+init-reconfigure:
+	$(tf_cmd) init $(tf_state) -upgrade  -reconfigure
+
+plan:
+	 $(tf_cmd) plan 
+
+plan-changes: workspace
+	 $(tf_cmd) plan -out=plan && $(tf_cmd) show -no-color -json plan | jq -r '.resource_changes[] | select(.change.actions[0]=="update" or .change.actions[0]=="create" or .change.actions[0]=="add") | .address'
+
+apply: workspace
+	$(tf_cmd) apply -auto-approve
+
+clean:
+	rm -rf build .terraform upload-key
+
+destroy: workspace
+	$(tf_cmd) destroy -auto-approve
+	$(tf_cmd) workspace select default
+	$(tf_cmd) workspace delete $(environment)
+
+output:
+	$(tf_cmd) output -raw $(name)
+
+#Make lambda zip file in /terraform/zips directory. Whenever code gets changed in lamdba_typescript directory , new zip file gets uploaded to s3. For local,you can you this make target
+lambda-zip:
+	cd ../lambda_typescript && \
+	chmod +x ./deploy.sh && \
+	./deploy.sh

infra/Makefile

@@ -218,12 +218,6 @@ resource "aws_vpc_endpoint" "kinesis_stream_endpoint" {
   }
 }
 
-# TODO - remove and use the key we manage in this Terraform workspace
-data "aws_kms_key" "existing_lambda_env_encryption" {
-  count = local.account != "prod" ? 1 : 0
-
-  key_id = "648c8c6f-54bf-4b79-ad72-0be6e8d72423"
-}
 
 resource "aws_vpc_endpoint" "kms_endpoint" {
   vpc_id            = data.aws_vpc.default.id
@@ -247,13 +241,9 @@ resource "aws_vpc_endpoint" "kms_endpoint" {
           "kms:Encrypt",
           "kms:GenerateDataKey*"
         ],
-        Resource = local.account == "prod" ? [
+        Resource = [
           aws_kms_key.lambda_env_encryption.arn,
           aws_kms_key.s3_shared_key.arn
-          ] : [
-          aws_kms_key.lambda_env_encryption.arn,
-          aws_kms_key.s3_shared_key.arn,
-          data.aws_kms_key.existing_lambda_env_encryption[0].arn
         ]
       }
     ]

infra/endpoints.tf

@@ -13,8 +13,8 @@ terraform {
 }
 
 provider "aws" {
-  region  = var.aws_region
-  profile = "apim-dev"
+  region = var.aws_region
+  #profile = "apim-dev"
   default_tags {
     tags = {
       Project     = "immunisation-fhir-api"

infra/main.tf

@@ -1,11 +1,15 @@
+locals {
+  bucket_name = local.immunisation_account_id == "084828561157" ? "immunisation-batch-${local.account}-preprod-data-sources" : "immunisation-batch-${local.account}-data-sources"
+}
+
 # Overall entry point into batch in prod. Files are forwarded into the appropriate blue / green bucket.
 resource "aws_s3_bucket" "batch_data_source_bucket" {
-  count  = local.account == "prod" ? 1 : 0
-  bucket = "immunisation-batch-${local.account}-data-sources"
+  count  = 1
+  bucket = local.bucket_name
 }
 
 resource "aws_s3_bucket_public_access_block" "batch_data_source_bucket_public_access_block" {
-  count  = local.account == "prod" ? 1 : 0
+  count  = 1
   bucket = aws_s3_bucket.batch_data_source_bucket[0].id
 
   block_public_acls       = true
@@ -15,7 +19,7 @@ resource "aws_s3_bucket_public_access_block" "batch_data_source_bucket_public_ac
 }
 
 resource "aws_s3_bucket_policy" "batch_data_source_bucket_policy" {
-  count  = local.account == "prod" ? 1 : 0
+  count  = 1
   bucket = aws_s3_bucket.batch_data_source_bucket[0].bucket
   policy = jsonencode({
     Version : "2012-10-17",
@@ -67,7 +71,7 @@ resource "aws_s3_bucket_policy" "batch_data_source_bucket_policy" {
 # }
 
 resource "aws_s3_bucket_lifecycle_configuration" "datasources_lifecycle" {
-  count  = local.account == "prod" ? 1 : 0
+  count  = 1
   bucket = aws_s3_bucket.batch_data_source_bucket[0].bucket
 
   rule {

infra/s3_source_bucket.tf

@@ -1,5 +1,5 @@
 data "aws_vpc" "default" {
-  default = true
+  id = "vpc-0c87d4383f6f013c3"
 }
 
 data "aws_subnets" "default" {
@@ -19,8 +19,8 @@ variable "aws_region" {
 
 locals {
   account                 = terraform.workspace # non-prod or prod
-  dspp_core_account_id    = local.account == "prod" ? 232116723729 : 603871901111
-  immunisation_account_id = local.account == "prod" ? 664418956997 : 084828561157
+  dspp_core_account_id    = local.account == "prod" ? "232116723729" : "603871901111"
+  immunisation_account_id = local.account == "prod" ? "664418956997" : "084828561157"
   # TODO - add new accounts for CDP migration
 }