config update and refactor mesh

robertnovac1 · robertnovac1 · commit 6005b17715be · 2025-07-16T12:48:55.000+01:00
diff --git a/terraform/environments/dev/int/variables.tfvars b/terraform/environments/dev/int/variables.tfvars
@@ -1,4 +1,6 @@
 environment             = "dev"
 immunisation_account_id = "345594581768"
 dspp_core_account_id    = "603871901111"
+pds_environment         = "int"
 pds_check_enabled       = false
+create_mesh_processor   = true
diff --git a/terraform/environments/dev/internal-dev/variables.tfvars b/terraform/environments/dev/internal-dev/variables.tfvars
@@ -1,4 +1,6 @@
 environment             = "dev"
 immunisation_account_id = "345594581768"
 dspp_core_account_id    = "603871901111"
-create_config_bucket    = true
+pds_environment         = "int"
+pds_check_enabled       = true
+create_mesh_processor   = false
diff --git a/terraform/environments/dev/pr/variables.tfvars b/terraform/environments/dev/pr/variables.tfvars
@@ -1,3 +1,6 @@
 environment             = "dev"
 immunisation_account_id = "345594581768"
 dspp_core_account_id    = "603871901111"
+pds_environment         = "int"
+pds_check_enabled       = true
+create_mesh_processor   = false
diff --git a/terraform/environments/dev/ref/variables.tfvars b/terraform/environments/dev/ref/variables.tfvars
@@ -2,3 +2,5 @@ environment             = "dev"
 immunisation_account_id = "345594581768"
 dspp_core_account_id    = "603871901111"
 pds_environment         = "ref"
+pds_check_enabled       = true
+create_mesh_processor   = false
diff --git a/terraform/environments/int/blue/variables.tfvars b/terraform/environments/int/blue/variables.tfvars
@@ -1,4 +1,6 @@
 environment             = "int"
 immunisation_account_id = "084828561157"
 dspp_core_account_id    = "603871901111"
+pds_environment         = "int"
 pds_check_enabled       = false
+create_mesh_processor   = true
diff --git a/terraform/environments/int/green/variables.tfvars b/terraform/environments/int/green/variables.tfvars
@@ -1,4 +1,6 @@
 environment             = "int"
 immunisation_account_id = "084828561157"
 dspp_core_account_id    = "603871901111"
+pds_environment         = "int"
 pds_check_enabled       = false
+create_mesh_processor   = true
diff --git a/terraform/environments/prod/blue/variables.tfvars b/terraform/environments/prod/blue/variables.tfvars
@@ -1,3 +1,7 @@
 environment             = "prod"
 immunisation_account_id = "664418956997"
+dspp_core_account_id    = "603871901111"
 pds_environment         = "prod"
+pds_check_enabled       = true
+create_mesh_processor   = true
+
diff --git a/terraform/environments/prod/green/variables.tfvars b/terraform/environments/prod/green/variables.tfvars
@@ -1,3 +1,6 @@
 environment             = "prod"
 immunisation_account_id = "664418956997"
+dspp_core_account_id    = "603871901111"
 pds_environment         = "prod"
+pds_check_enabled       = true
+create_mesh_processor   = true
diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf
@@ -1,27 +1,26 @@
 # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
 locals {
-  create_mesh_processor         = local.environment == "int" || local.environment == "prod"
   mesh_processor_lambda_dir     = abspath("${path.root}/../mesh_processor")
   mesh_processor_lambda_files   = fileset(local.mesh_processor_lambda_dir, "**")
   mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")]))
   # This should match the prefix used in the infra Terraform
-  mesh_module_prefix = "imms-${local.config_env}"
+  mesh_s3_bucket_name = "imms-${var.environment}-mesh"
 }
 
 data "aws_s3_bucket" "mesh" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
-  bucket = "${local.mesh_module_prefix}-mesh"
+  bucket = local.mesh_s3_bucket_name
 }
 
 data "aws_kms_key" "mesh" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
-  key_id = "alias/${local.mesh_module_prefix}-mesh"
+  key_id = "alias/${local.mesh_s3_bucket_name}"
 }
 
 resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   image_scanning_configuration {
     scan_on_push = true
@@ -32,7 +31,7 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
 
 # Module for building and pushing Docker image to ECR
 module "mesh_processor_docker_image" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   source  = "terraform-aws-modules/lambda/aws//modules/docker-build"
   version = "8.0.1"
@@ -66,7 +65,7 @@ module "mesh_processor_docker_image" {
 
 # Define the lambdaECRImageRetreival policy
 resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
 
@@ -98,7 +97,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po
 
 # IAM Role for Lambda
 resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   name = "${local.short_prefix}-mesh_processor-lambda-exec-role"
   assume_role_policy = jsonencode({
@@ -116,7 +115,7 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   name = "${local.short_prefix}-mesh_processor-lambda-exec-policy"
   policy = jsonencode({
@@ -163,7 +162,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
 }
 
 resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   name        = "${local.short_prefix}-mesh_processor-lambda-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
@@ -188,7 +187,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
 
 # Attach the execution policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
   policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn
@@ -197,15 +196,15 @@ resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_att
 
 # Attach the kms policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
   policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn
 }
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "mesh_file_converter_lambda" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   function_name = "${local.short_prefix}-mesh_processor_lambda"
   role          = aws_iam_role.mesh_processor_lambda_exec_role[0].arn
@@ -223,7 +222,7 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" {
 
 # Permission for S3 to invoke Lambda function
 resource "aws_lambda_permission" "mesh_s3_invoke_permission" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   statement_id  = "AllowExecutionFromS3"
   action        = "lambda:InvokeFunction"
@@ -233,7 +232,7 @@ resource "aws_lambda_permission" "mesh_s3_invoke_permission" {
 }
 
 resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   bucket = data.aws_s3_bucket.mesh[0].bucket
 
@@ -244,7 +243,7 @@ resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" {
 }
 
 resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" {
-  count = local.create_mesh_processor ? 1 : 0
+  count = var.create_mesh_processor ? 1 : 0
 
   name              = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda"
   retention_in_days = 30
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -1,13 +1,13 @@
 variable "environment" {}
 
 variable "sub_environment" {
-  description = "The value is passed in the makefile"
+  description = "The value is set in the makefile"
 }
 
 variable "immunisation_account_id" {}
 variable "dspp_core_account_id" {}
-# For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account.
-variable "create_config_bucket" {
+
+variable "create_mesh_processor" {
   default = false
 }
 
@@ -38,10 +38,6 @@ variable "pds_check_enabled" {
   default = true
 }
 
-variable "root_domain" {
-  default = "imms.dev.vds.platform.nhs.uk"
-}
-
 locals {
   prefix              = "${var.project_name}-${var.service}-${var.sub_environment}"
   short_prefix        = "${var.project_short_name}-${var.sub_environment}"
