rename & tidy

Author: nhsdevws

infra/environments/int/variables.tfvars

@@ -7,3 +7,5 @@ dspp_admin_role          = "root"
 environment              = "int"
 parent_route53_zone_name = "int.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.int.vds.platform.nhs.uk"
+mesh_mailbox_id          = "X26OT303"
+mesh_dlq_mailbox_id      = "X26OT304"

infra/environments/non-prod/variables.tfvars

@@ -7,3 +7,5 @@ dspp_admin_role          = "root"
 environment              = "dev"
 parent_route53_zone_name = "dev.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.dev.vds.platform.nhs.uk"
+mesh_mailbox_id          = null
+mesh_dlq_mailbox_id      = null

infra/environments/prod/variables.tfvars

@@ -7,3 +7,5 @@ dspp_admin_role          = "root"
 environment              = "prod"
 parent_route53_zone_name = "prod.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.prod.vds.platform.nhs.uk"
+mesh_mailbox_id          = "X26HC138"
+mesh_dlq_mailbox_id      = null

infra/mesh.tf

@@ -0,0 +1,20 @@
+module "mesh" {
+  source = "git::https://github.com/nhsdigital/terraform-aws-mesh-client.git//module?ref=v2.1.5"
+
+  name_prefix                    = "local-immunisation"
+  mesh_env                       = "integration"
+  subnet_ids                     = data.aws_subnets.default.ids
+
+  # TODO single or many mailbox ids
+  mailbox_ids                    = [var.mesh_mailbox_id]
+  dlq_mailbox_id                 = var.mesh_dlq_mailbox_id
+  verify_ssl                     = "true"
+  get_message_max_concurrency    = 10
+  compress_threshold             = 1 * 1024 * 1024
+  handshake_schedule             = "rate(24 hours)"
+
+  account_id                     = local.immunisation_account_id
+  # TODO these bucket names need attention - enviroment specific names to avoid conflicts
+  mesh_bucket_name              = "imms-${var.environment}-mesh-data-sources"
+  mesh_logs_bucket_name         = "imms-${var.environment}-mesh-s3logs"
+}

infra/mesh_processor.tf

@@ -0,0 +1,241 @@
+# Only create MESH processor resources if MESH is configured for this environment
+locals {
+  create_mesh_processor = var.mesh_mailbox_id != null 
+}
+
+# Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
+locals {
+  mesh_processor_lambda_dir     = abspath("${path.root}/../mesh_processor")
+  mesh_processor_lambda_files   = fileset(local.mesh_processor_lambda_dir, "**")
+  mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")]))
+  mesh_s3_bucket_name          = local.create_mesh_processor ? module.mesh[0].mesh_bucket_name : null
+  mesh_s3_logs_bucket_name      = local.create_mesh_processor ? module.mesh[0].mesh_logs_bucket_name : null
+  mesh_processor_name           = "imms-${var.environment}-mesh-processor"
+  mesh_processor_lambda_name    = "${local.mesh_processor_name}-lambda"
+}
+
+resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
+  count = local.create_mesh_processor ? 1 : 0
+  
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+  name         = "${local.mesh_processor_name}-repo"
+  force_delete = false
+}
+
+# Module for building and pushing Docker image to ECR
+module "mesh_processor_docker_image" {
+  count   = local.create_mesh_processor ? 1 : 0
+  source  = "terraform-aws-modules/lambda/aws//modules/docker-build"
+  version = "8.0.1"
+
+  create_ecr_repo = false
+  ecr_repo        = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
+  ecr_repo_lifecycle_policy = jsonencode({
+    "rules" : [
+      {
+        "rulePriority" : 1,
+        "description" : "Keep only the last 2 images",
+        "selection" : {
+          "tagStatus" : "any",
+          "countType" : "imageCountMoreThan",
+          "countNumber" : 2
+        },
+        "action" : {
+          "type" : "expire"
+        }
+      }
+    ]
+  })
+
+  platform      = "linux/amd64"
+  use_image_tag = false
+  source_path   = local.mesh_processor_lambda_dir
+  triggers = {
+    dir_sha = local.mesh_processor_lambda_dir_sha
+  }
+}
+
+# Define the lambdaECRImageRetreival policy
+resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" {
+  count      = local.create_mesh_processor ? 1 : 0
+  repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        "Sid" : "LambdaECRImageRetrievalPolicy",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "lambda.amazonaws.com"
+        },
+        "Action" : [
+          "ecr:BatchGetImage",
+          "ecr:DeleteRepositoryPolicy",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:GetRepositoryPolicy",
+          "ecr:SetRepositoryPolicy"
+        ],
+        "Condition" : {
+          "StringLike" : {
+            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.imms_account_id}:function:${local.mesh_processor_lambda_name}"
+          }
+        }
+      }
+    ]
+  })
+}
+
+# IAM Role for Lambda
+resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
+  count = local.create_mesh_processor ? 1 : 0
+  name  = "${local.mesh_processor_lambda_name}-exec-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Sid    = "",
+      Principal = {
+        Service = "lambda.amazonaws.com"
+      },
+      Action = "sts:AssumeRole"
+    }]
+  })
+}
+
+# Policy for Lambda execution role
+resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
+  count = local.create_mesh_processor ? 1 : 0
+  name  = "imms-${var.environment}-mesh_processor-lambda-exec-policy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "arn:aws:logs:${var.aws_region}:${var.imms_account_id}:log-group:/aws/lambda/${local.mesh_processor_lambda_name}:*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket",
+          "s3:PutObject",
+          "s3:CopyObject"
+        ]
+        Resource = [
+          aws_s3_bucket.batch_data_source_bucket.arn,
+          "${aws_s3_bucket.batch_data_source_bucket.arn}/*"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket",
+          "s3:PutObject",
+          "s3:CopyObject",
+          "s3:DeleteObject"
+        ]
+        Resource = [
+          "arn:aws:s3:::${local.mesh_s3_bucket_name}",
+          "arn:aws:s3:::${local.mesh_s3_bucket_name}/*",
+          "arn:aws:s3:::${local.mesh_s3_logs_bucket_name}/*",
+          "arn:aws:s3:::local-immunisation-mesh",
+          "arn:aws:s3:::local-immunisation-mesh/*",
+          "arn:aws:s3:::local-immunisation-mesh-s3logs/*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
+  count       = local.create_mesh_processor ? 1 : 0
+  name        = "${aws_lambda_function.mesh_file_converter_lambda[0].function_name}-kms-policy"
+  description = "Allow Lambda to decrypt environment variables"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:GenerateDataKey*"
+        ]
+        Resource = [
+          data.aws_kms_key.mesh_s3_encryption_key.arn
+        ]
+      }
+    ]
+  })
+}
+
+# Attach the execution policy to the Lambda role
+resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" {
+  count      = local.create_mesh_processor ? 1 : 0
+  role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
+  policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn
+}
+
+# Attach the kms policy to the Lambda role
+resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" {
+  count      = local.create_mesh_processor ? 1 : 0
+  role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
+  policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn
+}
+
+# Lambda Function with Security Group and VPC.
+resource "aws_lambda_function" "mesh_file_converter_lambda" {
+  count         = local.create_mesh_processor ? 1 : 0
+  function_name = "${local.mesh_processor_name}_lambda"
+  role          = aws_iam_role.mesh_processor_lambda_exec_role[0].arn
+  package_type  = "Image"
+  image_uri     = module.mesh_processor_docker_image[0].image_uri
+  architectures = ["x86_64"]
+  timeout       = 360
+
+  environment {
+    variables = {
+      Destination_BUCKET_NAME    = aws_s3_bucket.batch_data_source_bucket.bucket
+      MESH_FILE_PROC_LAMBDA_NAME = "${local.mesh_processor_lambda_name}"
+    }
+  }
+}
+
+# Permission for S3 to invoke Lambda function
+resource "aws_lambda_permission" "mesh_s3_invoke_permission" {
+  count         = local.create_mesh_processor ? 1 : 0
+  statement_id  = "AllowExecutionFromS3"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.mesh_file_converter_lambda[0].function_name
+  principal     = "s3.amazonaws.com"
+  source_arn    = "arn:aws:s3:::${local.mesh_s3_bucket_name}"
+}
+
+# S3 Bucket notification to trigger Lambda function
+resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" {
+  count  = local.create_mesh_processor ? 1 : 0
+  bucket = local.mesh_s3_bucket_name
+
+  lambda_function {
+    lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda[0].arn
+    events              = ["s3:ObjectCreated:*"]
+  }
+
+  depends_on = [aws_lambda_permission.mesh_s3_invoke_permission]
+}
+
+resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" {
+  count             = local.create_mesh_processor ? 1 : 0
+  name              = "/aws/lambda/${aws_lambda_function.mesh_file_converter_lambda[0].function_name}"
+  retention_in_days = 30
+}

infra/variables.tf

@@ -16,3 +16,9 @@ variable "build_agent_account_id" {
 variable "environment" {
   default = "non-prod"
 }
+variable "mesh_mailbox_id" {
+  default = null
+}
+variable "mesh_dlq_mailbox_id" {
+  default = null
+}

terraform/configs.tf

@@ -3,25 +3,5 @@ locals {
   is_temp                 = length(regexall("[a-z]{2,4}-?[0-9]+", local.env)) > 0
   dspp_core_account_id    = local.environment == "prod" ? 232116723729 : 603871901111
   immunisation_account_id = local.environment == "prod" ? 664418956997 : 345594581768
-  
-  // MESH Mailbox IDs by environment
-  prod_mesh_mailbox_id = "X26HC138"
-  prod_mesh_dlq_mailbox_id = null
-  int_mesh_mailbox_id  = "X26OT303"
-  int_mesh_dlq_mailbox_id = "X26OT304"
-  
-  // Environment-specific MESH configuration
-  // Note: Prod and int names are hardcoded, dev is variable
-  mesh_mailbox_id = local.environment == "prod" ? local.prod_mesh_mailbox_id : (
-    local.environment == "int" ? local.int_mesh_mailbox_id : var.dev_mesh_mailbox_id
-  )
-  
-  // DLQ Mailbox for int only - Not currently implemented TODO
-  mesh_dlq_mailbox_id = local.environment == "prod" ? local.prod_mesh_dlq_mailbox_id : (
-    local.environment == "int" ? local.int_mesh_dlq_mailbox_id :
-    var.dev_mesh_dlq_mailbox_id
-  )
 
-  // MESH enabled if mailbox ID not null
-  is_mesh_enabled = local.mesh_mailbox_id != null
 }

terraform/mesh_processor.tf

@@ -1,6 +1,6 @@
 # Only create MESH processor resources if MESH is configured for this environment
 locals {
-  create_mesh_processor = local.is_mesh_enabled
+  create_mesh_processor = var.me
 }
 
 # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments

terraform/variables.tf

@@ -98,14 +98,3 @@ data "aws_kms_key" "mesh_s3_encryption_key" {
   key_id = "alias/local-immunisation-mesh"
 }
 
-variable "dev_mesh_mailbox_id" {
-  description = "MESH mailbox ID for dev environment. If null, MESH is disabled. If set, MESH is enabled."
-  type        = string
-  default     = null
-}
-# Dev DLQ only used if dev mesh mailbox is set
-variable "dev_mesh_dlq_mailbox_id" {
-  description = "MESH DLQ mailbox ID for dev environment. If null, MESH is disabled. If set, MESH is enabled."
-  type        = string
-  default     = null
-}