Merge pull request #21 from NHSDigital/amb-1688-batch-processing-lambda

AMB-1688: Batch Processing Lambda

Author: ChewieCB

terraform/batch-processing.tf

@@ -0,0 +1,6 @@
+module "batch-processing" {
+    source = "./batch-processing"
+    environment = local.environment
+    prefix = local.prefix
+    short_prefix = local.short_prefix
+}

terraform/batch-processing/iam.tf

@@ -0,0 +1,80 @@
+resource "aws_iam_role" batch_processing_lambda_role {
+  name = "${var.short_prefix}-batch-processing-lambda-role"
+  assume_role_policy = <<EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": [
+            "sts:AssumeRole"
+          ],
+          "Principal": {
+            "Service": "lambda.amazonaws.com"
+          },
+          "Effect": "Allow",
+          "Sid": ""
+        }
+      ]
+    }
+    EOF
+}
+
+resource "aws_iam_policy" batch_processing_lambda_policy {
+    name = "${var.short_prefix}-batch-processing-lambda-policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:ListBucket",
+        "s3:GetObject",
+        "s3:CopyObject",
+        "s3:HeadObject"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::${var.prefix}-batch-lambda-source",
+        "arn:aws:s3:::${var.prefix}-batch-lambda-source/*"
+      ]
+    },
+    {
+      "Action": [
+        "s3:ListBucket",
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:CopyObject",
+        "s3:HeadObject"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::${var.prefix}-batch-lambda-destination",
+        "arn:aws:s3:::${var.prefix}-batch-lambda-destination/*"
+      ]
+    },
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "apig_lambda_role_to_policy" {
+  role       = aws_iam_role.batch_processing_lambda_role.name
+  policy_arn = aws_iam_policy.batch_processing_lambda_policy.arn
+}
+
+resource "aws_lambda_permission" "allow_terraform_bucket" {
+   statement_id = "AllowExecutionFromS3Bucket"
+   action = "lambda:InvokeFunction"
+   function_name = "${aws_lambda_function.batch_processing_lambda.arn}"
+   principal = "s3.amazonaws.com"
+   source_arn = "${aws_s3_bucket.batch_lambda_source_bucket.arn}"
+}

terraform/batch-processing/lambda.tf

@@ -0,0 +1,19 @@
+locals {
+  lambda_file_name = "batch_processing.py"
+}
+
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_file = "${path.module}/src/${local.lambda_file_name}"
+  output_path = "build/batch_processing_lambda.zip"
+}
+
+resource "aws_lambda_function" "batch_processing_lambda" {
+    role             = aws_iam_role.batch_processing_lambda_role.arn
+    timeout          = 300
+    filename         = data.archive_file.lambda_zip.output_path
+    function_name    = "${var.short_prefix}_batch_processing_lambda"
+    handler          = "batch_processing.lambda_handler"
+    runtime          = "python3.9"
+    source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+}

terraform/batch-processing/s3.tf

@@ -0,0 +1,23 @@
+locals {
+    // Flag so we can force delete s3 buckets with items in for pr and shortcode environments only.
+    is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", var.environment)) > 0
+}
+
+resource "aws_s3_bucket" "batch_lambda_source_bucket" {
+    bucket = "${var.prefix}-batch-lambda-source"
+    force_destroy = local.is_temp
+}
+
+resource "aws_s3_bucket" "batch_lambda_destination_bucket" {
+    bucket = "${var.prefix}-batch-lambda-destination"
+    force_destroy = local.is_temp
+}
+
+resource "aws_s3_bucket_notification" "batch_processing_source_lambda_trigger" {
+    bucket = "${aws_s3_bucket.batch_lambda_source_bucket.id}"
+    lambda_function {
+        lambda_function_arn = "${aws_lambda_function.batch_processing_lambda.arn}"
+        events = ["s3:ObjectCreated:*"]
+    }
+    depends_on = [ aws_lambda_permission.allow_terraform_bucket ]
+}

terraform/batch-processing/src/batch_processing.py

@@ -0,0 +1,20 @@
+from time import time
+from boto3 import resource
+
+
+def lambda_handler(_event, _context):
+    source_bucket_name = _event.get("Records")[0].get("s3").get("bucket").get("name")
+    dest_bucket_name = source_bucket_name.replace("source", "destination")
+    output_bucket = resource('s3').Bucket(dest_bucket_name)
+
+    # Write some placeholder bytestring data to a file in the bucket,
+    # so we can test that the lambda writes to the correct output bucket.
+    filename = f"output_report_{time()}.txt"
+    data = (b'Test file to see if the lambda writes to the correct s3 bucket. '
+            b'If our AWS bill skyrockets, this file has been written to the wrong bucket!')
+
+    output_bucket.put_object(Body=data, Key=filename)
+
+    return {
+        'statusCode': 200
+    }

terraform/batch-processing/variables.tf

@@ -0,0 +1,3 @@
+variable "prefix" {}
+variable "short_prefix" {}
+variable "environment" {}