
Commit 890ead7

nhsdevwsmfjarvis
andauthored
VED-355: Add MESH client and update mailbox details. (#643)
* initial code * wip * add s3 buckets to locals * bucket names & dev id * TODO Marker * rename & tidy * remove mesh_processor from terraform folder * tidy * comments * tidy & delete mesh file * missing KMS * VED-355: Move mesh processor back to terraform folder as it depends on the batch sources bucket. --------- Co-authored-by: Matt Jarvis <[email protected]>
1 parent 41be795 commit 890ead7


11 files changed

+163
-90
lines changed


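--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -71,7 +71,6 @@ updates:
 directories:
 - "/grafana/non-prod/terraform"
 - "/infra"
-- "/mesh-infra"
 - "/terraform"
 - "/terraform_aws_backup/**"
 schedule: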

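--- a/README.md
+++ b/README.md
@@ -45,7 +45,6 @@ See https://nhsd-confluence.digital.nhs.uk/display/APM/Glossary.
 | `terraform_old` | Old tf code used to create INT to mimic prod. |
 | `terraform_sandbox` | Sandbox environment for testing infrastructure changes. |
 | `terraform_aws_backup` | Streamlined backup processing with AWS. |
-| `mesh-infra` | Infrastructure setup for Imms batch MESH integration. |
 | `proxies` | Apigee API proxy definitions. |
 ---
 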

infra/.terraform.lock.hcl

Lines changed: 78 additions & 18 deletions

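--- a/infra/environments/int/variables.tfvars
+++ b/infra/environments/int/variables.tfvars
@@ -7,3 +7,5 @@ dspp_admin_role = "root"
 environment = "int"
 parent_route53_zone_name = "int.vds.platform.nhs.uk"
 child_route53_zone_name = "imms.int.vds.platform.nhs.uk"
+mesh_mailbox_id = "X26OT303"
+mesh_dlq_mailbox_id = "X26OT304"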

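--- a/infra/environments/non-prod/variables.tfvars
+++ b/infra/environments/non-prod/variables.tfvars
@@ -7,3 +7,8 @@ dspp_admin_role = "root"
 environment = "dev"
 parent_route53_zone_name = "dev.vds.platform.nhs.uk"
 child_route53_zone_name = "imms.dev.vds.platform.nhs.uk"
+# TODO - null these out once we're using the int account
+# mesh_mailbox_id = null
+# mesh_dlq_mailbox_id = null
+mesh_mailbox_id = "X26OT303"
+mesh_dlq_mailbox_id = "X26OT304"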
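Review bot: `mesh_mailbox_id = "X26OT303"` and `mesh_dlq_mailbox_id = "X26OT304"` at the end of the hunk are the same mailbox IDs that int's tfvars receives in this commit, so the dev and int deployments will each create a MESH client (infra/mesh.tf creates one whenever `mesh_mailbox_id` is non-null) against a single mailbox. If the client acknowledges messages after download, as a mailbox client normally does, whichever environment polls first consumes a message and the other never sees it, which makes int's intake depend on dev being quiet. The TODO above records the intent but not the condition or owner for the cut-over, and the commented-out `null` lines will not fail anything if they are forgotten. Suggest either leaving dev at `null` until the int account is live, or making the shared state explicit in the comment, e.g. `# TODO(VED-355): dev shares int's mailbox X26OT303; set both to null once the int account is in use`.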

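--- a/infra/environments/prod/variables.tfvars
+++ b/infra/environments/prod/variables.tfvars
@@ -7,3 +7,5 @@ dspp_admin_role = "root"
 environment = "prod"
 parent_route53_zone_name = "prod.vds.platform.nhs.uk"
 child_route53_zone_name = "imms.prod.vds.platform.nhs.uk"
+mesh_mailbox_id = "X26HC138"
+mesh_dlq_mailbox_id = null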

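--- a/infra/mesh.tf
+++ b/infra/mesh.tf
@@ -0,0 +1,15 @@
+# MESH Client Module - conditionally created based on environment configuration
+module "mesh" {
+count = var.mesh_mailbox_id != null ? 1 : 0
+source = "git::https://github.com/nhsdigital/terraform-aws-mesh-client.git//module?ref=v2.1.5"
+
+name_prefix = "imms-${var.environment}"
+account_id = var.imms_account_id
+mesh_env = var.environment == "prod"? "production" : "integration"
+subnet_ids = toset([])
+mailbox_ids = [var.mesh_mailbox_id]
+
+compress_threshold = 1 * 1024 * 1024
+get_message_max_concurrency = 10
+handshake_schedule = "rate(24 hours)"
+}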
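Review bot: `source = "git::https://github.com/nhsdigital/terraform-aws-mesh-client.git//module?ref=v2.1.5"` pins the module to a git tag, which the upstream repository can move or re-create, so two applies of this stack can fetch different module code under the same ref; pinning to the commit the tag currently resolves to (`?ref=<commit-sha>`, with the tag kept in a trailing comment) makes the source reproducible and reviewable. The module receives only `mailbox_ids = [var.mesh_mailbox_id]`, while `var.mesh_dlq_mailbox_id`, declared in infra/variables.tf and set in every tfvars in this commit, is not referenced anywhere in the diff, so it is either consumed outside the files shown or dead configuration; a comment on the variable saying which would settle it. `subnet_ids = toset([])` presumably leaves whatever the module deploys outside any VPC, which is worth stating in the header comment if it is intended.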

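--- a/infra/variables.tf
+++ b/infra/variables.tf
@@ -16,3 +16,9 @@ variable "build_agent_account_id" {
 variable "environment" {
 default = "non-prod"
 }
+variable "mesh_mailbox_id" {
+default = null
+}
+variable "mesh_dlq_mailbox_id" {
+default = null
+}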
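Review bot: The two new `variable` blocks at the end of the hunk declare neither `type` nor `description`, so a mistyped value in a tfvars file is accepted at plan time and only surfaces when it reaches `mailbox_ids` in infra/mesh.tf. Adding `type = string` (null remains a valid default) fails fast, and a one-line `description = "MESH mailbox ID for this environment; null disables the MESH client"` documents that null is the switch the `count` in infra/mesh.tf keys on.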

mesh-infra/main.tf

Lines changed: 0 additions & 41 deletions
This file was deleted.

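--- a/terraform/mesh_processor.tf
+++ b/terraform/mesh_processor.tf
@@ -1,12 +1,28 @@
 # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
 locals {
+create_mesh_processor = local.environment == "int" || local.environment == "prod"
 mesh_processor_lambda_dir = abspath("${path.root}/../mesh_processor")
 mesh_processor_lambda_files = fileset(local.mesh_processor_lambda_dir, "**")
 mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")]))
+# This should match the prefix used in the infra Terraform
+mesh_module_prefix = "imms-${local.config_env}"
 }
 
+data "aws_s3_bucket" "mesh" {
+count = local.create_mesh_processor ? 1 : 0
+
+bucket = "${local.mesh_module_prefix}-mesh"
+}
+
+data "aws_kms_key" "mesh" {
+count = local.create_mesh_processor ? 1 : 0
+
+key_id = "alias/${local.mesh_module_prefix}-mesh"
+}
 
 resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
+count = local.create_mesh_processor ? 1 : 0
+
 image_scanning_configuration {
 scan_on_push = true
 }
@@ -16,11 +32,13 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
 
 # Module for building and pushing Docker image to ECR
 module "mesh_processor_docker_image" {
+count = local.create_mesh_processor ? 1 : 0
+
 source = "terraform-aws-modules/lambda/aws//modules/docker-build"
 version = "8.0.1"
 
 create_ecr_repo = false
-ecr_repo = aws_ecr_repository.mesh_file_converter_lambda_repository.name
+ecr_repo = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
 ecr_repo_lifecycle_policy = jsonencode({
 "rules" : [
 {
@@ -48,7 +66,9 @@ module "mesh_processor_docker_image" {
 
 # Define the lambdaECRImageRetreival policy
 resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" {
-repository = aws_ecr_repository.mesh_file_converter_lambda_repository.name
+count = local.create_mesh_processor ? 1 : 0
+
+repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
 
 policy = jsonencode({
 Version = "2012-10-17"
@@ -78,6 +98,8 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po
 
 # IAM Role for Lambda
 resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
+count = local.create_mesh_processor ? 1 : 0
+
 name = "${local.short_prefix}-mesh_processor-lambda-exec-role"
 assume_role_policy = jsonencode({
 Version = "2012-10-17",
@@ -94,6 +116,8 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
+count = local.create_mesh_processor ? 1 : 0
+
 name = "${local.short_prefix}-mesh_processor-lambda-exec-policy"
 policy = jsonencode({
 Version = "2012-10-17",
@@ -130,16 +154,17 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
 "s3:DeleteObject"
 ]
 Resource = [
-"arn:aws:s3:::local-immunisation-mesh",
-"arn:aws:s3:::local-immunisation-mesh/*",
-"arn:aws:s3:::local-immunisation-mesh-s3logs/*"
+data.aws_s3_bucket.mesh[0].arn,
+"${data.aws_s3_bucket.mesh[0].arn}/*"
 ]
 }
 ]
 })
 }
 
 resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
+count = local.create_mesh_processor ? 1 : 0
+
 name = "${local.short_prefix}-mesh_processor-lambda-kms-policy"
 description = "Allow Lambda to decrypt environment variables"
 
@@ -154,8 +179,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
 "kms:GenerateDataKey*"
 ]
 Resource = [
-data.aws_kms_key.mesh_s3_encryption_key.arn
-# "arn:aws:kms:eu-west-2:345594581768:key/9b756762-bc6f-42fb-ba56-2c0c00c15289"
+data.aws_kms_key.mesh[0].arn
 ]
 }
 ]
@@ -164,59 +188,64 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
 
 # Attach the execution policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" {
-role = aws_iam_role.mesh_processor_lambda_exec_role.name
-policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy.arn
+count = local.create_mesh_processor ? 1 : 0
+
+role = aws_iam_role.mesh_processor_lambda_exec_role[0].name
+policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn
 }
 
 
 # Attach the kms policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" {
-role = aws_iam_role.mesh_processor_lambda_exec_role.name
-policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy.arn
+count = local.create_mesh_processor ? 1 : 0
+
+role = aws_iam_role.mesh_processor_lambda_exec_role[0].name
+policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn
 }
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "mesh_file_converter_lambda" {
+count = local.create_mesh_processor ? 1 : 0
+
 function_name = "${local.short_prefix}-mesh_processor_lambda"
-role = aws_iam_role.mesh_processor_lambda_exec_role.arn
+role = aws_iam_role.mesh_processor_lambda_exec_role[0].arn
 package_type = "Image"
-image_uri = module.mesh_processor_docker_image.image_uri
+image_uri = module.mesh_processor_docker_image[0].image_uri
 architectures = ["x86_64"]
 timeout = 360
 
 environment {
 variables = {
-Destination_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket
-MESH_FILE_PROC_LAMBDA_NAME = "imms-${local.env}-meshfileproc_lambda"
+Destination_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket
 }
 }
-
 }
 
 # Permission for S3 to invoke Lambda function
 resource "aws_lambda_permission" "mesh_s3_invoke_permission" {
+count = local.create_mesh_processor ? 1 : 0
+
 statement_id = "AllowExecutionFromS3"
 action = "lambda:InvokeFunction"
-function_name = aws_lambda_function.mesh_file_converter_lambda.function_name
+function_name = aws_lambda_function.mesh_file_converter_lambda[0].function_name
 principal = "s3.amazonaws.com"
 source_arn = "arn:aws:s3:::local-immunisation-mesh"
 }
 
-# TODO - This is scoped to the bucket, so is overwritten by each deployment
-# That might be intentional in prod, to switch between blue and green, but surely isn't in non-prod
-# S3 Bucket notification to trigger Lambda function
 resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" {
-# TODO - what is this bucket and why isn't it managed by Terraform?
-bucket = "local-immunisation-mesh"
+count = local.create_mesh_processor ? 1 : 0
+
+bucket = data.aws_s3_bucket.mesh[0].bucket
 
 lambda_function {
-lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda.arn
+lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda[0].arn
 events = ["s3:ObjectCreated:*"]
-#filter_prefix =""
 }
 }
 
 resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" {
+count = local.create_mesh_processor ? 1 : 0
+
 name = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda"
 retention_in_days = 30
 }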
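Review bot: `source_arn = "arn:aws:s3:::local-immunisation-mesh"` in `aws_lambda_permission.mesh_s3_invoke_permission` (a context line in the last hunk) still names the old hard-coded bucket, while the notification resource just below now subscribes `data.aws_s3_bucket.mesh[0].bucket` and the IAM policy earlier in the file now grants on `data.aws_s3_bucket.mesh[0].arn`. In int and prod, where `create_mesh_processor` is true, the ObjectCreated events will come from the `imms-<env>-mesh` bucket, which this permission does not authorise, so S3's invocations of the Lambda will be refused and uploads will sit unprocessed. Change the line to `source_arn = data.aws_s3_bucket.mesh[0].arn` so all three resources follow the same data source. Separately, `create_mesh_processor` is keyed on `local.environment` while `mesh_module_prefix` is built from `local.config_env` — both locals are defined outside this hunk — and the prefix must equal infra/mesh.tf's `"imms-${var.environment}"` for the bucket and KMS alias lookups to resolve; the comment notes the dependency but nothing enforces it, so it is worth confirming that those locals carry the same value as the infra stack's `environment` for each deployed environment.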
