wip

nhsdevws · nhsdevws · commit 46b775c2ac1b · 2025-07-09T21:21:48.000+01:00
diff --git a/terraform/configs.tf b/terraform/configs.tf
@@ -3,4 +3,20 @@ locals {
   is_temp                 = length(regexall("[a-z]{2,4}-?[0-9]+", local.env)) > 0
   dspp_core_account_id    = local.environment == "prod" ? 232116723729 : 603871901111
   immunisation_account_id = local.environment == "prod" ? 664418956997 : 345594581768
-}
+  
+  // MESH Mailbox IDs by environment
+  prod_mesh_mailbox_id = "X26HC138"
+  int_mesh_mailbox_id  = "X26OT303"
+  int_mesh_dlq_mailbox_id = "X26OT304"
+  
+  // Environment-specific MESH configuration
+  mesh_mailbox_id = local.environment == "prod" ? local.prod_mesh_mailbox_id : (
+    local.environment == "int" ? local.int_mesh_mailbox_id : var.dev_mesh_mailbox_id
+  )
+  
+  // DLQ Mailbox for int only - Not currently implemented TODO
+  mesh_dlq_mailbox_id = local.environment == "int" ? local.int_mesh_dlq_mailbox_id : null
+  
+  // MESH enabled if mailbox ID not null
+  is_mesh_enabled = local.mesh_mailbox_id != null
+}
diff --git a/terraform/mesh.tf b/terraform/mesh.tf
@@ -6,10 +6,11 @@ module "mesh" {
   subnet_ids                     = data.aws_subnets.default.ids
 
   mailbox_ids                    = [local.mesh_mailbox_id]
+  dlq_mailbox_id                 = local.mesh_dlq_mailbox_id
   verify_ssl                     = "true"
   get_message_max_concurrency    = 10
   compress_threshold             = 1 * 1024 * 1024
   handshake_schedule             = "rate(24 hours)"
 
-  account_id                     = 345594581768
+  account_id                     = local.immunisation_account_id
 }
diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf
@@ -1,12 +1,18 @@
+# Only create MESH processor resources if MESH is configured for this environment
+locals {
+  create_mesh_processor = local.is_mesh_enabled
+}
+
 # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
 locals {
   mesh_processor_lambda_dir     = abspath("${path.root}/../mesh_processor")
   mesh_processor_lambda_files   = fileset(local.mesh_processor_lambda_dir, "**")
   mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")]))
 }
 
-
 resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
+  count = local.create_mesh_processor ? 1 : 0
+  
   image_scanning_configuration {
     scan_on_push = true
   }
@@ -16,11 +22,12 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
 
 # Module for building and pushing Docker image to ECR
 module "mesh_processor_docker_image" {
+  count   = local.create_mesh_processor ? 1 : 0
   source  = "terraform-aws-modules/lambda/aws//modules/docker-build"
   version = "8.0.1"
 
   create_ecr_repo = false
-  ecr_repo        = aws_ecr_repository.mesh_file_converter_lambda_repository.name
+  ecr_repo        = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
   ecr_repo_lifecycle_policy = jsonencode({
     "rules" : [
       {
@@ -48,7 +55,8 @@ module "mesh_processor_docker_image" {
 
 # Define the lambdaECRImageRetreival policy
 resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" {
-  repository = aws_ecr_repository.mesh_file_converter_lambda_repository.name
+  count      = local.create_mesh_processor ? 1 : 0
+  repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -78,7 +86,8 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po
 
 # IAM Role for Lambda
 resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
-  name = "${local.short_prefix}-mesh_processor-lambda-exec-role"
+  count = local.create_mesh_processor ? 1 : 0
+  name  = "${local.short_prefix}-mesh_processor-lambda-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -94,7 +103,8 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
-  name = "${local.short_prefix}-mesh_processor-lambda-exec-policy"
+  count = local.create_mesh_processor ? 1 : 0
+  name  = "${local.short_prefix}-mesh_processor-lambda-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -140,6 +150,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
 }
 
 resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
+  count       = local.create_mesh_processor ? 1 : 0
   name        = "${local.short_prefix}-mesh_processor-lambda-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
@@ -155,7 +166,6 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
         ]
         Resource = [
           data.aws_kms_key.mesh_s3_encryption_key.arn
-          # "arn:aws:kms:eu-west-2:345594581768:key/9b756762-bc6f-42fb-ba56-2c0c00c15289"
         ]
       }
     ]
@@ -164,23 +174,25 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
 
 # Attach the execution policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" {
-  role       = aws_iam_role.mesh_processor_lambda_exec_role.name
-  policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy.arn
+  count      = local.create_mesh_processor ? 1 : 0
+  role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
+  policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn
 }
 
-
 # Attach the kms policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" {
-  role       = aws_iam_role.mesh_processor_lambda_exec_role.name
-  policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy.arn
+  count      = local.create_mesh_processor ? 1 : 0
+  role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
+  policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn
 }
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "mesh_file_converter_lambda" {
+  count         = local.create_mesh_processor ? 1 : 0
   function_name = "${local.short_prefix}-mesh_processor_lambda"
-  role          = aws_iam_role.mesh_processor_lambda_exec_role.arn
+  role          = aws_iam_role.mesh_processor_lambda_exec_role[0].arn
   package_type  = "Image"
-  image_uri     = module.mesh_processor_docker_image.image_uri
+  image_uri     = module.mesh_processor_docker_image[0].image_uri
   architectures = ["x86_64"]
   timeout       = 360
 
@@ -190,33 +202,33 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" {
       MESH_FILE_PROC_LAMBDA_NAME = "imms-${local.env}-meshfileproc_lambda"
     }
   }
-
 }
 
 # Permission for S3 to invoke Lambda function
 resource "aws_lambda_permission" "mesh_s3_invoke_permission" {
+  count         = local.create_mesh_processor ? 1 : 0
   statement_id  = "AllowExecutionFromS3"
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.mesh_file_converter_lambda.function_name
+  function_name = aws_lambda_function.mesh_file_converter_lambda[0].function_name
   principal     = "s3.amazonaws.com"
-  source_arn    = "arn:aws:s3:::local-immunisation-mesh"
+  source_arn    = "arn:aws:s3:::${local.mesh_s3_bucket_name}"
 }
 
-# TODO - This is scoped to the bucket, so is overwritten by each deployment
-# That might be intentional in prod, to switch between blue and green, but surely isn't in non-prod
 # S3 Bucket notification to trigger Lambda function
 resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" {
-  # TODO - what is this bucket and why isn't it managed by Terraform?
-  bucket = "local-immunisation-mesh"
+  count  = local.create_mesh_processor ? 1 : 0
+  bucket = local.mesh_s3_bucket_name
 
   lambda_function {
-    lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda.arn
+    lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda[0].arn
     events              = ["s3:ObjectCreated:*"]
-    #filter_prefix      =""
   }
+
+  depends_on = [aws_lambda_permission.mesh_s3_invoke_permission]
 }
 
 resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" {
+  count             = local.create_mesh_processor ? 1 : 0
   name              = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda"
   retention_in_days = 30
-}
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -97,3 +97,15 @@ data "aws_kms_key" "existing_kinesis_encryption_key" {
 data "aws_kms_key" "mesh_s3_encryption_key" {
   key_id = "alias/local-immunisation-mesh"
 }
+
+variable "dev_mesh_mailbox_id" {
+  description = "MESH mailbox ID for dev environment. If null, MESH is disabled. If set, MESH is enabled."
+  type        = string
+  default     = null
+}
+# Dev DLQ only used if dev mesh mailbox is set
+variable "dev_mesh_dlq_mailbox_id" {
+  description = "MESH DLQ mailbox ID for dev environment. If null, MESH is disabled. If set, MESH is enabled."
+  type        = string
+  default     = null
+}
