for flat folder structure

Author: JamesW1-NHS

id_sync/Dockerfile

@@ -0,0 +1,40 @@
+FROM public.ecr.aws/lambda/python:3.11 AS base
+
+# Create non-root user
+RUN mkdir -p /home/appuser && \
+    echo 'appuser:x:1001:1001::/home/appuser:/sbin/nologin' >> /etc/passwd && \
+    echo 'appuser:x:1001:' >> /etc/group && \
+    chown -R 1001:1001 /home/appuser && pip install "poetry~=1.5.0"
+
+# Install Poetry dependencies
+# Copy id_sync Poetry files
+COPY id_sync/poetry.lock id_sync/pyproject.toml id_sync/README.md ./
+# Copy shared/src/common to ./src/common
+COPY shared/src/common ./src/common
+
+RUN echo "Listing /var/task after source code copy:" && ls -R /var/task
+
+# Install id_sync dependencies
+WORKDIR /var/task
+RUN poetry config virtualenvs.create false && poetry install --no-interaction --no-ansi --no-root --only main
+
+# -----------------------------
+FROM base AS build
+
+# Set working directory back to Lambda task root
+WORKDIR /var/task
+
+# Copy shared source code
+COPY shared/src/common ./common
+
+# Copy id_sync source code
+COPY id_sync/src .
+
+# Set correct permissions
+RUN chmod 644 $(find . -type f) && chmod 755 $(find . -type d)
+
+# Build as non-root user
+USER 1001:1001
+
+# Set the Lambda handler
+CMD ["id_sync.handler"]

terraform/id_sync_lambda.tf

@@ -1,75 +1,8 @@
 # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
 locals {
-  lambdas_dir            = abspath("${path.root}/../lambdas")
-  shared_dir             = "${local.lambdas_dir}/shared"
-  id_sync_lambda_dir     = "${local.lambdas_dir}/id_sync"
-  id_sync_dockerfile     = "${local.lambdas_dir}/id_sync.Dockerfile"
-
-  # Get files from both directories
-  shared_files           = fileset(local.shared_dir, "**")
+  id_sync_lambda_dir     = abspath("${path.root}/../id_sync")
   id_sync_lambda_files   = fileset(local.id_sync_lambda_dir, "**")
-
-  # Calculate SHA for both directories
-  shared_dir_sha         = sha1(join("", [for f in local.shared_files : filesha1("${local.shared_dir}/${f}")]))
   id_sync_lambda_dir_sha = sha1(join("", [for f in local.id_sync_lambda_files : filesha1("${local.id_sync_lambda_dir}/${f}")]))
-
-  # Combined SHA to trigger rebuild when either directory changes
-  combined_sha           = sha1("${local.shared_dir_sha}${local.id_sync_lambda_dir_sha}")
-	repo_root = abspath("${path.root}/..")
-	is_azure_devops = can(regex("^/agent/_work", path.root))
-
-  debug_paths = {
-    terraform_root   = path.root
-    repo_root       = local.repo_root
-    lambdas_dir     = local.lambdas_dir
-    dockerfile_path = local.id_sync_dockerfile
-    is_azure        = local.is_azure_devops
-  }
-}
-
-resource "null_resource" "find_dockerfile" {
-  provisioner "local-exec" {
-    command = <<-EOT
-      echo "=== FINDING DOCKERFILE ==="
-
-	  ls -la "${local.lambdas_dir}/" || echo "lambdas directory not found"
-	  ls -la .. || echo "parent directory not found"
-	  ls -la ${path.root}/.. || echo "grandparent directory not found"
-
-    EOT
-  }
-}
-
-resource "null_resource" "debug_directory_structure" {
-  provisioner "local-exec" {
-    command = <<-EOT
-      echo "=== AZURE DEVOPS DIRECTORY DEBUG ==="
-      echo "Current working directory: $(pwd)"
-      echo "Terraform root: ${path.root}"
-      echo ""
-      echo "=== DIRECTORY CONTENTS ==="
-      echo "Contents of current directory:"
-      ls -la
-      echo ""
-      echo "Contents of parent directory:"
-      ls -la ..
-      echo ""
-      echo "Contents of grandparent directory:"
-      ls -la ../..
-      echo ""
-      echo "Looking for lambdas directory at various levels:"
-      echo "Level 1 (../lambdas):"
-      ls -la ../lambdas 2>/dev/null || echo "Not found at ../lambdas"
-      echo "Level 2 (../../lambdas):"
-      ls -la ../../lambdas 2>/dev/null || echo "Not found at ../../lambdas"
-      echo "Level 3 (../../../lambdas):"
-      ls -la ../../../lambdas 2>/dev/null || echo "Not found at ../../../lambdas"
-      echo ""
-      echo "Looking for Dockerfiles:"
-      find .. -name "*.Dockerfile" -type f 2>/dev/null || echo "No Dockerfiles found"
-      echo "=== END DEBUG ==="
-    EOT
-  }
 }
 
 resource "aws_ecr_repository" "id_sync_lambda_repository" {
@@ -79,35 +12,14 @@ resource "aws_ecr_repository" "id_sync_lambda_repository" {
   name         = "${local.short_prefix}-id-sync-repo"
   force_delete = local.is_temp
 }
-resource "null_resource" "validate_dockerfile" {
-  triggers = {
-    dockerfile_path = "${local.lambdas_dir}/id_sync.Dockerfile"
-  }
 
-  provisioner "local-exec" {
-    command = <<-EOT
-      echo "Checking for Dockerfile at: ${local.lambdas_dir}/id_sync.Dockerfile"
-      if [ ! -f "${local.lambdas_dir}/id_sync.Dockerfile" ]; then
-        echo "ERROR: Dockerfile not found!"
-        echo "Current directory: $(pwd)"
-        echo "Looking for: ${local.lambdas_dir}/id_sync.Dockerfile"
-        echo "Files in lambdas directory:"
-        ls -la "${local.lambdas_dir}/" || echo "lambdas directory not found"
-        exit 1
-      else
-        echo "✅ Dockerfile found!"
-      fi
-    EOT
-  }
-}
 # Module for building and pushing Docker image to ECR
 module "id_sync_docker_image" {
   source  = "terraform-aws-modules/lambda/aws//modules/docker-build"
   version = "8.0.1"
 
   create_ecr_repo = false
   ecr_repo        = aws_ecr_repository.id_sync_lambda_repository.name
-  docker_file_path = "id_sync.Dockerfile"
   ecr_repo_lifecycle_policy = jsonencode({
     "rules" : [
       {
@@ -127,7 +39,7 @@ module "id_sync_docker_image" {
 
   platform      = "linux/amd64"
   use_image_tag = false
-  source_path      = local.lambdas_dir
+  source_path   = local.id_sync_lambda_dir
   triggers = {
     dir_sha = local.id_sync_lambda_dir_sha
   }
@@ -256,8 +168,6 @@ resource "aws_iam_policy" "id_sync_lambda_exec_policy" {
           "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:imms-${var.sub_environment}-id_sync_lambda",
         ]
       },
-      # NEW
-      # NB anomaly: do we want this in "id_sync_lambda_sqs_access_policy"?
       {
         Effect = "Allow",
         Action = [
@@ -267,7 +177,6 @@ resource "aws_iam_policy" "id_sync_lambda_exec_policy" {
         ],
         Resource = "arn:aws:sqs:eu-west-2:${var.immunisation_account_id}:${local.short_prefix}-id-sync-queue"
       },
-      # NB anomaly: in redis_sync this appears in "redis_sync_lambda_kms_access_policy"
       {
         Effect = "Allow",
         Action = [
@@ -364,7 +273,6 @@ resource "aws_lambda_function" "id_sync_lambda" {
       REDIS_HOST                  = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
       REDIS_PORT                  = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
       ID_SYNC_PROC_LAMBDA_NAME    = "imms-${var.sub_environment}-id_sync_lambda"
-      # NEW
       DELTA_TABLE_NAME            = aws_dynamodb_table.delta-dynamodb-table.name
       IEDS_TABLE_NAME             = aws_dynamodb_table.events-dynamodb-table.name
       PDS_ENV                     = var.pds_environment
@@ -384,9 +292,6 @@ resource "aws_cloudwatch_log_group" "id_sync_log_group" {
   retention_in_days = 30
 }
 
-# delete config_lambda_notification / new_s3_invoke_permission - not required; duplicate
-
-# NEW
 resource "aws_lambda_event_source_mapping" "id_sync_sqs_trigger" {
   event_source_arn = "arn:aws:sqs:eu-west-2:${var.immunisation_account_id}:${local.short_prefix}-id-sync-queue"
   function_name    = aws_lambda_function.id_sync_lambda.arn # TODO

terraform/sqs_id_sync.tf

@@ -1,7 +1,6 @@
 resource "aws_sqs_queue" "id_sync_queue" {
   name                        = "${local.short_prefix}-id-sync-queue"
   kms_master_key_id           = data.aws_kms_key.existing_id_sync_sqs_encryption_key.arn
-  # TODO: visibility_timeout_seconds must not be less than aws_lambda_function.id_sync_lambda_timeout
   visibility_timeout_seconds  = 360
   redrive_policy = jsonencode({
     deadLetterTargetArn = aws_sqs_queue.id_sync_dlq.arn