VED-355: Move mesh processor back to terraform folder as it depends on the batch sources bucket.

Author: mfjarvis

infra/environments/non-prod/variables.tfvars

@@ -7,5 +7,8 @@ dspp_admin_role          = "root"
 environment              = "dev"
 parent_route53_zone_name = "dev.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.dev.vds.platform.nhs.uk"
-mesh_mailbox_id          = null
-mesh_dlq_mailbox_id      = null
+# TODO - null these out once we're using the int account
+# mesh_mailbox_id          = null
+# mesh_dlq_mailbox_id      = null
+mesh_mailbox_id          = "X26OT303"
+mesh_dlq_mailbox_id      = "X26OT304"

infra/mesh.tf

@@ -0,0 +1,15 @@
+# MESH Client Module - conditionally created based on environment configuration
+module "mesh" {
+  count  = var.mesh_mailbox_id != null ? 1 : 0
+  source = "git::https://github.com/nhsdigital/terraform-aws-mesh-client.git//module?ref=v2.1.5"
+
+  name_prefix                    = "imms-${var.environment}"
+  account_id                     = var.imms_account_id
+  mesh_env                       = var.environment == "prod"? "production" : "integration"
+  subnet_ids                     = toset([])
+  mailbox_ids                    = [var.mesh_mailbox_id]
+
+  compress_threshold             = 1 * 1024 * 1024
+  get_message_max_concurrency    = 10
+  handshake_schedule             = "rate(24 hours)"
+}

infra/mesh_processor.tf terraform/mesh_processor.tfinfra/mesh_processor.tf renamed to terraform/mesh_processor.tf

@@ -1,59 +1,39 @@
-# Only create MESH processor resources if MESH is configured for this environment
+# Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
 locals {
-  create_mesh_processor = var.mesh_mailbox_id != null 
-  vpc_default = aws_vpc.default.id
-}
-
-data "aws_subnets" "default" {
-  filter {
-    name   = "vpc-id"
-    values = [aws_vpc.default.id]
-  }
+  create_mesh_processor         = local.environment == "int" || local.environment == "prod"
+  mesh_processor_lambda_dir     = abspath("${path.root}/../mesh_processor")
+  mesh_processor_lambda_files   = fileset(local.mesh_processor_lambda_dir, "**")
+  mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")]))
+  # This should match the prefix used in the infra Terraform
+  mesh_module_prefix = "imms-${local.config_env}"
 }
 
+data "aws_s3_bucket" "mesh" {
+  count = local.create_mesh_processor ? 1 : 0
 
-# MESH Client Module - conditionally created based on environment configuration
-module "mesh" {
-  count  = local.create_mesh_processor ? 1 : 0
-  source = "git::https://github.com/nhsdigital/terraform-aws-mesh-client.git//module?ref=v2.1.5"
-
-  name_prefix                    = "imms-${var.environment}"
-  mesh_env                       = var.environment == "prod"? "production" : "integration"
-  subnet_ids                     = data.aws_subnets.default.ids
-
-  mailbox_ids                    = [var.mesh_mailbox_id]
-  verify_ssl                     = "true"
-  get_message_max_concurrency    = 10
-  compress_threshold             = 1 * 1024 * 1024
-  handshake_schedule             = "rate(24 hours)"
-
-  account_id                     = var.imms_account_id
+  bucket = "${local.mesh_module_prefix}-mesh"
 }
 
-# Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
-locals {
-  mesh_processor_lambda_dir     = abspath("${path.root}/../mesh_processor")
-  mesh_processor_lambda_files   = fileset(local.mesh_processor_lambda_dir, "**")
-  mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")]))
-  mesh_s3_bucket_name          = local.create_mesh_processor ? module.mesh[0].mesh_bucket_name : null
-  mesh_s3_logs_bucket_name      = local.create_mesh_processor ? module.mesh[0].mesh_logs_bucket_name : null
-  mesh_processor_name           = "imms-${var.environment}-mesh-processor"
-  mesh_processor_lambda_name    = "${local.mesh_processor_name}-lambda"
+data "aws_kms_key" "mesh" {
+  count = local.create_mesh_processor ? 1 : 0
+
+  key_id = "alias/${local.mesh_module_prefix}-mesh"
 }
 
 resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
   count = local.create_mesh_processor ? 1 : 0
-  
+
   image_scanning_configuration {
     scan_on_push = true
   }
-  name         = "${local.mesh_processor_name}-repo"
-  force_delete = false
+  name         = "${local.short_prefix}-mesh_processor-repo"
+  force_delete = local.is_temp
 }
 
 # Module for building and pushing Docker image to ECR
 module "mesh_processor_docker_image" {
-  count   = local.create_mesh_processor ? 1 : 0
+  count = local.create_mesh_processor ? 1 : 0
+
   source  = "terraform-aws-modules/lambda/aws//modules/docker-build"
   version = "8.0.1"
 
@@ -86,7 +66,8 @@ module "mesh_processor_docker_image" {
 
 # Define the lambdaECRImageRetreival policy
 resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" {
-  count      = local.create_mesh_processor ? 1 : 0
+  count = local.create_mesh_processor ? 1 : 0
+
   repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
 
   policy = jsonencode({
@@ -107,7 +88,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.imms_account_id}:function:${local.mesh_processor_lambda_name}"
+            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-mesh_processor_lambda"
           }
         }
       }
@@ -118,7 +99,8 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po
 # IAM Role for Lambda
 resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
   count = local.create_mesh_processor ? 1 : 0
-  name  = "${local.mesh_processor_lambda_name}-exec-role"
+
+  name = "${local.short_prefix}-mesh_processor-lambda-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -135,7 +117,8 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
 # Policy for Lambda execution role
 resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
   count = local.create_mesh_processor ? 1 : 0
-  name  = "${local.mesh_processor_lambda_name}-exec-policy"
+
+  name = "${local.short_prefix}-mesh_processor-lambda-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -146,7 +129,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.imms_account_id}:log-group:/aws/lambda/${local.mesh_processor_lambda_name}:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${local.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-mesh_processor_lambda:*"
       },
       {
         Effect = "Allow"
@@ -157,8 +140,8 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
           "s3:CopyObject"
         ]
         Resource = [
-          aws_s3_bucket.batch_data_source_bucket[0].arn,
-          "${aws_s3_bucket.batch_data_source_bucket[0].arn}/*"
+          aws_s3_bucket.batch_data_source_bucket.arn,
+          "${aws_s3_bucket.batch_data_source_bucket.arn}/*"
         ]
       },
       {
@@ -171,18 +154,18 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
           "s3:DeleteObject"
         ]
         Resource = [
-          "arn:aws:s3:::${local.mesh_s3_bucket_name}",
-          "arn:aws:s3:::${local.mesh_s3_bucket_name}/*",
-          "arn:aws:s3:::${local.mesh_s3_logs_bucket_name}/*"
+          data.aws_s3_bucket.mesh[0].arn,
+          "${data.aws_s3_bucket.mesh[0].arn}/*"
         ]
       }
     ]
   })
 }
 
 resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
-  count       = local.create_mesh_processor ? 1 : 0
-  name        = "${aws_lambda_function.mesh_file_converter_lambda[0].function_name}-kms-policy"
+  count = local.create_mesh_processor ? 1 : 0
+
+  name        = "${local.short_prefix}-mesh_processor-lambda-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
   policy = jsonencode({
@@ -196,7 +179,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
           "kms:GenerateDataKey*"
         ]
         Resource = [
-          data.aws_kms_key.mesh_s3_encryption_key.arn
+          data.aws_kms_key.mesh[0].arn
         ]
       }
     ]
@@ -205,22 +188,26 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
 
 # Attach the execution policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" {
-  count      = local.create_mesh_processor ? 1 : 0
+  count = local.create_mesh_processor ? 1 : 0
+
   role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
   policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn
 }
 
+
 # Attach the kms policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" {
-  count      = local.create_mesh_processor ? 1 : 0
+  count = local.create_mesh_processor ? 1 : 0
+
   role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
   policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn
 }
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "mesh_file_converter_lambda" {
-  count         = local.create_mesh_processor ? 1 : 0
-  function_name = "${local.mesh_processor_name}_lambda"
+  count = local.create_mesh_processor ? 1 : 0
+
+  function_name = "${local.short_prefix}-mesh_processor_lambda"
   role          = aws_iam_role.mesh_processor_lambda_exec_role[0].arn
   package_type  = "Image"
   image_uri     = module.mesh_processor_docker_image[0].image_uri
@@ -229,37 +216,36 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" {
 
   environment {
     variables = {
-      Destination_BUCKET_NAME    = aws_s3_bucket.batch_data_source_bucket[0].bucket
-      MESH_FILE_PROC_LAMBDA_NAME = "${local.mesh_processor_lambda_name}"
+      Destination_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket
     }
   }
 }
 
 # Permission for S3 to invoke Lambda function
 resource "aws_lambda_permission" "mesh_s3_invoke_permission" {
-  count         = local.create_mesh_processor ? 1 : 0
+  count = local.create_mesh_processor ? 1 : 0
+
   statement_id  = "AllowExecutionFromS3"
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.mesh_file_converter_lambda[0].function_name
   principal     = "s3.amazonaws.com"
-  source_arn    = "arn:aws:s3:::${local.mesh_s3_bucket_name}"
+  source_arn    = "arn:aws:s3:::local-immunisation-mesh"
 }
 
-# S3 Bucket notification to trigger Lambda function
 resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" {
-  count  = local.create_mesh_processor ? 1 : 0
-  bucket = local.mesh_s3_bucket_name
+  count = local.create_mesh_processor ? 1 : 0
+
+  bucket = data.aws_s3_bucket.mesh[0].bucket
 
   lambda_function {
     lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda[0].arn
     events              = ["s3:ObjectCreated:*"]
   }
-
-  depends_on = [aws_lambda_permission.mesh_s3_invoke_permission]
 }
 
 resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" {
-  count             = local.create_mesh_processor ? 1 : 0
-  name              = "/aws/lambda/${aws_lambda_function.mesh_file_converter_lambda[0].function_name}"
+  count = local.create_mesh_processor ? 1 : 0
+
+  name              = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda"
   retention_in_days = 30
-}
+}

terraform/variables.tf

@@ -20,7 +20,8 @@ locals {
   prefix       = "${var.project_name}-${var.service}-${local.env}"
   short_prefix = "${var.project_short_name}-${local.env}"
   batch_prefix = "immunisation-batch-${local.env}"
-  config_env   = local.environment == "prod" ? "prod" : "dev"
+  # TODO - add int when we switch to the new account
+  config_env = local.environment == "prod" ? "prod" : "dev"
 
   root_domain         = "${local.config_env}.vds.platform.nhs.uk"
   project_domain_name = data.aws_route53_zone.project_zone.name
@@ -93,7 +94,3 @@ data "aws_kms_key" "existing_lambda_encryption_key" {
 data "aws_kms_key" "existing_kinesis_encryption_key" {
   key_id = "alias/imms-batch-kinesis-stream-encryption"
 }
-
-data "aws_kms_key" "mesh_s3_encryption_key" {
-  key_id = "alias/local-immunisation-mesh"
-}