VED-26: Add batch forwarding Lambda to VPC. (#641)

* VED-26: Add forwarder Lambda to VPC.

* VED-26: Add missing permissions for VPC access.

Author: mfjarvis

terraform/forwarder_lambda.tf

@@ -185,6 +185,15 @@ resource "aws_iam_policy" "forwarding_lambda_exec_policy" {
           "sqs:SendMessage"
         ]
         Resource = aws_sqs_queue.fifo_queue.arn
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "ec2:CreateNetworkInterface",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DeleteNetworkInterface"
+        ],
+        Resource = "*"
       }
     ]
   })
@@ -209,12 +218,19 @@ resource "aws_lambda_function" "forwarding_lambda" {
     size = 1024
   }
 
+  vpc_config {
+    subnet_ids         = local.private_subnet_ids
+    security_group_ids = [data.aws_security_group.existing_securitygroup.id]
+  }
+
   environment {
     variables = {
       SOURCE_BUCKET_NAME  = aws_s3_bucket.batch_data_source_bucket.bucket
       ACK_BUCKET_NAME     = aws_s3_bucket.batch_data_destination_bucket.bucket
       DYNAMODB_TABLE_NAME = aws_dynamodb_table.events-dynamodb-table.name
       SQS_QUEUE_URL       = aws_sqs_queue.fifo_queue.url
+      REDIS_HOST          = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
+      REDIS_PORT          = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
     }
   }
   kms_key_arn = data.aws_kms_key.existing_lambda_encryption_key.arn

terraform/variables.tf

@@ -15,19 +15,19 @@ variable "aws_region" {
 }
 
 locals {
-  environment       = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace
-  env               = terraform.workspace
-  prefix            = "${var.project_name}-${var.service}-${local.env}"
-  short_prefix      = "${var.project_short_name}-${local.env}"
-  batch_prefix      = "immunisation-batch-${local.env}"
-  config_env        = local.environment == "prod" ? "prod" : "dev"
+  environment  = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace
+  env          = terraform.workspace
+  prefix       = "${var.project_name}-${var.service}-${local.env}"
+  short_prefix = "${var.project_short_name}-${local.env}"
+  batch_prefix = "immunisation-batch-${local.env}"
+  config_env   = local.environment == "prod" ? "prod" : "dev"
 
   root_domain         = "${local.config_env}.vds.platform.nhs.uk"
   project_domain_name = data.aws_route53_zone.project_zone.name
   service_domain_name = "${local.env}.${local.project_domain_name}"
 
-  config_bucket_arn    = aws_s3_bucket.batch_config_bucket.arn
-  config_bucket_name   = aws_s3_bucket.batch_config_bucket.bucket
+  config_bucket_arn  = aws_s3_bucket.batch_config_bucket.arn
+  config_bucket_name = aws_s3_bucket.batch_config_bucket.bucket
 
 
   # Public subnet - The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet.