Fixed part of internal-dev resource references

Author: robertnovac1

terraform/Makefile

@@ -19,7 +19,7 @@ init-reconfigure:
 	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars) -reconfigure
 
 plan: workspace
-	 $(tf_cmd) plan $(tf_vars)
+	 $(tf_cmd) plan $(tf_vars) -out=tfplan
 
 plan-changes: workspace
 	 $(tf_cmd) plan $(tf_vars) -out=plan && $(tf_cmd) show -no-color -json plan | jq -r '.resource_changes[] | select(.change.actions[0]=="update" or .change.actions[0]=="create" or .change.actions[0]=="add") | .address'

terraform/ack_lambda.tf

@@ -216,7 +216,7 @@ resource "aws_lambda_function" "ack_processor_lambda" {
     variables = {
       ACK_BUCKET_NAME            = aws_s3_bucket.batch_data_destination_bucket.bucket
       SPLUNK_FIREHOSE_NAME       = module.splunk.firehose_stream_name
-      ENVIRONMENT                = terraform.workspace
+      ENVIRONMENT                = var.sub_environment
       AUDIT_TABLE_NAME           = aws_dynamodb_table.audit-table.name
       FILE_NAME_PROC_LAMBDA_NAME = aws_lambda_function.file_processor_lambda.function_name
     }

terraform/endpoints.tf

@@ -23,10 +23,10 @@ locals {
   imms_table_name = aws_dynamodb_table.events-dynamodb-table.name
   imms_lambda_env_vars = {
     "DYNAMODB_TABLE_NAME"    = local.imms_table_name,
-    "IMMUNIZATION_ENV"       = var.environment,
-    "IMMUNIZATION_BASE_PATH" = strcontains(var.environment, "pr-") ? "immunisation-fhir-api-${var.environment}" : "immunisation-fhir-api"
+    "IMMUNIZATION_ENV"       = var.sub_environment,
+    "IMMUNIZATION_BASE_PATH" = strcontains(terraform.workspace, "pr-") ? "immunisation-fhir-api-${terraform.workspace}" : "immunisation-fhir-api"
     # except for prod and ref, any other env uses PDS int environment
-    "PDS_ENV"              = var.environment == "prod" ? "prod" : var.environment == "ref" ? "ref" : "int",
+    "PDS_ENV"              = var.pds_environment
     "PDS_CHECK_ENABLED"    = tostring(var.environment != "int")
     "SPLUNK_FIREHOSE_NAME" = module.splunk.firehose_stream_name
     "SQS_QUEUE_URL"        = "https://sqs.eu-west-2.amazonaws.com/${var.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo"

terraform/environments/non-prod/ref/variables.tfvars

@@ -2,3 +2,4 @@ environment             = "dev"
 sub_environment         = "ref"
 immunisation_account_id = "345594581768"
 dspp_core_account_id    = "603871901111"
+pds_environment         = "ref"

terraform/environments/prod/blue/variables.tfvars

@@ -1,3 +1,4 @@
 environment             = "prod"
 sub_environment         = "blue"
 immunisation_account_id = "664418956997"
+pds_environment         = "prod"

terraform/environments/prod/green/variables.tfvars

@@ -1,3 +1,4 @@
 environment             = "prod"
 sub_environment         = "green"
 immunisation_account_id = "664418956997"
+pds_environment         = "prod"

terraform/main.tf

@@ -17,12 +17,12 @@ terraform {
 }
 
 provider "aws" {
-  region  = var.aws_region
-  profile = "apim-dev"
+  region = var.aws_region
+  #profile = "apim-dev"
   default_tags {
     tags = {
       Project     = var.project_name
-      Environment = var.environment
+      Environment = var.sub_environment
       Service     = var.service
     }
   }

terraform/mesh_processor.tf

@@ -1,4 +1,3 @@
-# Note: This is all disabled in the preprod environment
 # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
 locals {
   mesh_processor_lambda_dir     = abspath("${path.root}/../mesh_processor")
@@ -8,7 +7,6 @@ locals {
 
 
 resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
-  count = var.environment == "int" ? 0 : 1
   image_scanning_configuration {
     scan_on_push = true
   }
@@ -18,12 +16,11 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
 
 # Module for building and pushing Docker image to ECR
 module "mesh_processor_docker_image" {
-  count   = var.environment == "int" ? 0 : 1
   source  = "terraform-aws-modules/lambda/aws//modules/docker-build"
   version = "8.0.1"
 
   create_ecr_repo = false
-  ecr_repo        = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
+  ecr_repo        = aws_ecr_repository.mesh_file_converter_lambda_repository.name
   ecr_repo_lifecycle_policy = jsonencode({
     "rules" : [
       {
@@ -51,8 +48,7 @@ module "mesh_processor_docker_image" {
 
 # Define the lambdaECRImageRetreival policy
 resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" {
-  count      = var.environment == "int" ? 0 : 1
-  repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
+  repository = aws_ecr_repository.mesh_file_converter_lambda_repository.name
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -82,8 +78,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po
 
 # IAM Role for Lambda
 resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
-  count = var.environment == "int" ? 0 : 1
-  name  = "${local.short_prefix}-mesh_processor-lambda-exec-role"
+  name = "${local.short_prefix}-mesh_processor-lambda-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -99,8 +94,7 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
-  count = var.environment == "int" ? 0 : 1
-  name  = "${local.short_prefix}-mesh_processor-lambda-exec-policy"
+  name = "${local.short_prefix}-mesh_processor-lambda-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -146,7 +140,6 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
 }
 
 resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
-  count       = var.environment == "int" ? 0 : 1
   name        = "${local.short_prefix}-mesh_processor-lambda-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
@@ -161,7 +154,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
           "kms:GenerateDataKey*"
         ]
         Resource = [
-          data.aws_kms_key.mesh_s3_encryption_key[0].arn
+          data.aws_kms_key.mesh_s3_encryption_key.arn
           # "arn:aws:kms:eu-west-2:345594581768:key/9b756762-bc6f-42fb-ba56-2c0c00c15289"
         ]
       }
@@ -171,44 +164,39 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
 
 # Attach the execution policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" {
-  count      = var.environment == "int" ? 0 : 1
-  role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
-  policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn
+  role       = aws_iam_role.mesh_processor_lambda_exec_role.name
+  policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy.arn
 }
 
 
 # Attach the kms policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" {
-  count      = var.environment == "int" ? 0 : 1
-  role       = aws_iam_role.mesh_processor_lambda_exec_role[0].name
-  policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn
+  role       = aws_iam_role.mesh_processor_lambda_exec_role.name
+  policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy.arn
 }
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "mesh_file_converter_lambda" {
-  count         = var.environment == "int" ? 0 : 1
   function_name = "${local.short_prefix}-mesh_processor_lambda"
-  role          = aws_iam_role.mesh_processor_lambda_exec_role[0].arn
+  role          = aws_iam_role.mesh_processor_lambda_exec_role.arn
   package_type  = "Image"
-  image_uri     = module.mesh_processor_docker_image[0].image_uri
+  image_uri     = module.mesh_processor_docker_image.image_uri
   architectures = ["x86_64"]
   timeout       = 360
 
   environment {
     variables = {
-      Destination_BUCKET_NAME    = aws_s3_bucket.batch_data_source_bucket.bucket
-      MESH_FILE_PROC_LAMBDA_NAME = "imms-${var.sub_environment}-meshfileproc_lambda"
+      Destination_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket
     }
   }
 
 }
 
 # Permission for S3 to invoke Lambda function
 resource "aws_lambda_permission" "mesh_s3_invoke_permission" {
-  count         = var.environment == "int" ? 0 : 1
   statement_id  = "AllowExecutionFromS3"
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.mesh_file_converter_lambda[0].function_name
+  function_name = aws_lambda_function.mesh_file_converter_lambda.function_name
   principal     = "s3.amazonaws.com"
   source_arn    = "arn:aws:s3:::local-immunisation-mesh"
 }
@@ -218,18 +206,16 @@ resource "aws_lambda_permission" "mesh_s3_invoke_permission" {
 # S3 Bucket notification to trigger Lambda function
 resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" {
   # TODO - what is this bucket and why isn't it managed by Terraform?
-  count  = var.environment == "int" ? 0 : 1
   bucket = "local-immunisation-mesh"
 
   lambda_function {
-    lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda[0].arn
+    lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda.arn
     events              = ["s3:ObjectCreated:*"]
     #filter_prefix      =""
   }
 }
 
 resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" {
-  count             = var.environment == "int" ? 0 : 1
   name              = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda"
   retention_in_days = 30
 }

terraform/s3_config.tf

@@ -93,7 +93,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "datasources_lifecycle" {
 
 resource "aws_s3_bucket" "batch_data_destination_bucket" {
   # Deliberately not using `local.batch_prefix` as we don't want separate blue / green destinations in prod.
-  bucket        = "immunisation-batch-${var.environment}-data-destinations"
+  bucket        = "immunisation-batch-${var.sub_environment}-data-destinations"
   force_destroy = local.is_temp
 }
 
@@ -192,7 +192,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "data_destinations" {
 }
 
 resource "aws_s3_bucket" "batch_config_bucket" {
-  bucket = "imms-${var.environment}-fhir-config"
+  bucket = "imms-${var.sub_environment}-fhir-config"
 }
 
 resource "aws_s3_bucket_public_access_block" "batch_config_bucket_public_access_block" {

terraform/variables.tf

@@ -26,6 +26,10 @@ variable "aws_region" {
   default = "eu-west-2"
 }
 
+variable "pds_environment" {
+  default = "int"
+}
+
 locals {
   prefix       = "${var.project_name}-${var.service}-${var.sub_environment}"
   short_prefix = "${var.project_short_name}-${var.sub_environment}"