From 6021430ac4ff3c4b32d4790b2440bf86b1173ee8 Mon Sep 17 00:00:00 2001
From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com>
Date: Thu, 10 Jul 2025 12:00:39 +0100
Subject: [PATCH 01/18] Refactor
---
 azure/templates/post-deploy.yml | 3 +-
 terraform/Makefile | 15 +--
 terraform/api_gateway/acm_cert.tf | 42 ++++----
 terraform/api_gateway/mtls_cert.tf | 8 +-
 terraform/api_gateway/variables.tf | 4 +-
 terraform/configs.tf | 6 --
 terraform/endpoints.tf | 1 +
 .../environments/int/blue/variables.tfvars | 3 +
 .../environments/int/green/variables.tfvars | 3 +
 .../non-prod/blue/variables.tfvars | 3 +
 .../non-prod/green/variables.tfvars | 3 +
 .../non-prod/internal-dev/variables.tfvars | 3 +
 .../environments/non-prod/pr/variables.tfvars | 3 +
 .../non-prod/ref/variables.tfvars | 3 +
 .../environments/prod/blue/variables.tfvars | 3 +
 .../environments/prod/green/variables.tfvars | 3 +
 terraform/lambda.tf | 4 +-
 terraform/main.tf | 62 +++++++++++-
 terraform/mesh_processor.tf | 41 +++++---
 terraform/variables.tf | 97 ++++---------------
 20 files changed, 174 insertions(+), 136 deletions(-)
 delete mode 100644 terraform/configs.tf
 create mode 100644 terraform/environments/int/blue/variables.tfvars
 create mode 100644 terraform/environments/int/green/variables.tfvars
 create mode 100644 terraform/environments/non-prod/blue/variables.tfvars
 create mode 100644 terraform/environments/non-prod/green/variables.tfvars
 create mode 100644 terraform/environments/non-prod/internal-dev/variables.tfvars
 create mode 100644 terraform/environments/non-prod/pr/variables.tfvars
 create mode 100644 terraform/environments/non-prod/ref/variables.tfvars
 create mode 100644 terraform/environments/prod/blue/variables.tfvars
 create mode 100644 terraform/environments/prod/green/variables.tfvars
diff --git a/azure/templates/post-deploy.yml b/azure/templates/post-deploy.yml
index 77448ce6c7..ccaa530ab5 100644
--- a/azure/templates/post-deploy.yml
+++ b/azure/templates/post-deploy.yml
@@ -61,7 +61,8 @@ steps: cd terraform make init - make apply aws_account_no=${aws_account_no} environment=$workspace + make plan aws_account_no=${aws_account_no} environment=$workspace + # make apply aws_account_no=${aws_account_no} environment=$workspace AWS_DOMAIN_NAME=$(make -s output name=service_domain_name) IMMS_DELTA_TABLE_NAME=$(make -s output name=imms_delta_table_name) diff --git a/terraform/Makefile b/terraform/Makefile index 0fc66c2d9d..566bca9d54 100644 --- a/terraform/Makefile +++ b/terraform/Makefile @@ -1,13 +1,13 @@ -include .env -interactionId=$(environment) - -aws_profile = apim-dev +interactionId = $(ENVIRONMENT)# to change to lower case +environment = $(ENVIRONMENT) +aws_profile = $(AWS_PROFILE)#apim-dev # Leave this here for pipeline tf_cmd = AWS_PROFILE=$(aws_profile) terraform project_name = immunisation project_short_name = imms -state_bucket = $(project_name)-$(APIGEE_ENVIRONMENT)-terraform-state-files +state_bucket = $(BUCKET_NAME)#$(project_name)-$(APIGEE_ENVIRONMENT)-terraform-state-files tf_state= -backend-config="bucket=$(state_bucket)" tf_vars= -var="project_name=$(project_name)" -var="project_short_name=$(project_short_name)" @@ -20,11 +20,14 @@ lock-provider: $(tf_cmd) providers lock -platform=darwin_arm64 -platform=darwin_amd64 -platform=linux_amd64 -platform=windows_amd64 workspace: - $(tf_cmd) workspace new $(environment) || $(tf_cmd) workspace select $(environment) && echo "Switched to workspace/environment: $(environment)" + $(tf_cmd) workspace new $(ENVIRONMENT) || $(tf_cmd) workspace select $(ENVIRONMENT) && echo "Switched to workspace/environment: $(ENVIRONMENT)" init: $(tf_cmd) init $(tf_state) -upgrade $(tf_vars) +init-reconfigure: + $(tf_cmd) init $(tf_state) -upgrade $(tf_vars) -reconfigure + plan: workspace $(tf_cmd) plan $(tf_vars) 
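Review bot: `make apply` is replaced by `make plan` and the apply line is left commented out, so this post-deploy step no longer changes any infrastructure; if that is intended while the Terraform is reworked, say so in a comment next to `make plan` and delete the commented-out line rather than leaving dead recipe text. The `environment=$workspace` argument also no longer selects the workspace: the Makefile hunks in this patch read `$(ENVIRONMENT)` directly in the `workspace` and `destroy` targets, and `state_bucket` now comes from `$(BUCKET_NAME)`, so the pipeline must export `ENVIRONMENT` and `BUCKET_NAME` for these calls to work — I can't see from this hunk that it does.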
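Review bot: `state_bucket = $(BUCKET_NAME)` and `environment = $(ENVIRONMENT)` have no guard for an unset variable, so an unset `BUCKET_NAME` expands to `-backend-config="bucket="` and an unset `ENVIRONMENT` makes the `workspace` and `destroy` targets (hunks `@@ -20` and `@@ -40` of this file) run `terraform workspace new`/`delete` with an empty name. Add a parse-time check near the top of the file, e.g. `ifeq ($(strip $(ENVIRONMENT)),)`, `$(error ENVIRONMENT must be set)`, `endif`, and the same for `BUCKET_NAME`. Because those targets switched from `$(environment)` to `$(ENVIRONMENT)`, a caller's `environment=` override (which post-deploy.yml still passes) is silently ignored; either keep using `$(environment)` in the recipes or drop the now-unused assignment. The `# to change to lower case` comment describes an intent the line does not implement — either lower-case the value (`$(shell echo $(ENVIRONMENT) | tr A-Z a-z)` with `:=`) or reword the comment as a TODO.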
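Review bot: The new `init-reconfigure` target repeats the whole `init` recipe and only appends `-reconfigure`, so the two will drift the next time an init flag changes. Factor the shared arguments into a variable such as `tf_init_args = $(tf_state) -upgrade $(tf_vars)` and have both recipes run `$(tf_cmd) init $(tf_init_args)` with the extra flag on the second. Whether `init`, `init-reconfigure` and `workspace` are declared `.PHONY` is outside this hunk; if not, a stray file named `init` would make the target appear up to date.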
@@ -40,7 +43,7 @@ clean: destroy: workspace $(tf_cmd) destroy $(tf_vars) -auto-approve $(tf_cmd) workspace select default - $(tf_cmd) workspace delete $(environment) + $(tf_cmd) workspace delete $(ENVIRONMENT) output: $(tf_cmd) output -raw $(name) diff --git a/terraform/api_gateway/acm_cert.tf b/terraform/api_gateway/acm_cert.tf index dab9fe55d1..14d00f436e 100644 --- a/terraform/api_gateway/acm_cert.tf +++ b/terraform/api_gateway/acm_cert.tf 
@@ -1,31 +1,33 @@ resource "aws_acm_certificate" "service_certificate" { - domain_name = var.api_domain_name - subject_alternative_names = [] - validation_method = "DNS" + domain_name = var.api_domain_name + subject_alternative_names = [] + validation_method = "DNS" - lifecycle { - create_before_destroy = true - } + lifecycle { + create_before_destroy = true + } } resource "aws_acm_certificate_validation" "service_certificate" { - certificate_arn = aws_acm_certificate.service_certificate.arn - validation_record_fqdns = [for record in aws_route53_record.dns_validation : record.fqdn] + certificate_arn = aws_acm_certificate.service_certificate.arn + validation_record_fqdns = [for record in aws_route53_record.dns_validation : record.fqdn] + depends_on = [aws_acm_certificate.service_certificate, aws_route53_record.dns_validation] } resource "aws_route53_record" "dns_validation" { - for_each = { - for dvo in aws_acm_certificate.service_certificate.domain_validation_options : dvo.domain_name => { - name = dvo.resource_record_name - record = dvo.resource_record_value - type = dvo.resource_record_type - } + for_each = { + for dvo in aws_acm_certificate.service_certificate.domain_validation_options : dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type } + } - allow_overwrite = true - name = each.value.name - records = [each.value.record] - ttl = 60 - type = each.value.type - zone_id = var.zone_id + allow_overwrite = true + name = each.value.name + records = [each.value.record] + ttl = 60 + type = each.value.type + zone_id = var.zone_id + depends_on = [aws_acm_certificate.service_certificate] } diff --git a/terraform/api_gateway/mtls_cert.tf b/terraform/api_gateway/mtls_cert.tf index 4424f0c512..69159234b1 100644 --- a/terraform/api_gateway/mtls_cert.tf +++ b/terraform/api_gateway/mtls_cert.tf 
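Review bot: The `depends_on` added to `aws_acm_certificate_validation.service_certificate` and to `aws_route53_record.dns_validation` are redundant: `certificate_arn`, `validation_record_fqdns` and the `for_each` over `domain_validation_options` already reference those resources, so Terraform orders them the same way without it. An explicit `depends_on` on a resource that is also referenced by value tends to push more attributes to "known after apply" and can trigger needless re-reads, so I would drop both lines unless there is a concrete ordering failure, and if there is, record it in a comment on the `depends_on` line so the next reader does not remove it.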
@@ -4,21 +4,21 @@ locals { } data "aws_s3_bucket" "cert_storage" { - bucket = "imms-fhir-${local.config_env}-cert-storage" + bucket = "imms-fhir-${var.config_env}-cert-storage" } data "aws_s3_object" "cert" { bucket = data.aws_s3_bucket.cert_storage.bucket - key = local.truststore_file_name + key = local.truststore_file_name } resource "aws_s3_bucket" "truststore_bucket" { - bucket = "${var.prefix}-truststores" + bucket = "${var.prefix}-truststores" force_destroy = true } resource "aws_s3_object_copy" "copy_cert_from_storage" { bucket = aws_s3_bucket.truststore_bucket.bucket key = local.truststore_file_name - source ="${data.aws_s3_object.cert.bucket}/${local.truststore_file_name}" + source = "${data.aws_s3_object.cert.bucket}/${local.truststore_file_name}" } diff --git a/terraform/api_gateway/variables.tf b/terraform/api_gateway/variables.tf index f2b578b3c5..bc89040621 100644 --- a/terraform/api_gateway/variables.tf +++ b/terraform/api_gateway/variables.tf @@ -4,8 +4,8 @@ variable "zone_id" {} variable "api_domain_name" {} variable "environment" {} variable "oas" {} +variable "config_env" {} locals { - environment = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace - config_env = local.environment == "prod" ? "prod" : "dev" + environment = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace } diff --git a/terraform/configs.tf b/terraform/configs.tf deleted file mode 100644 index fc3f074380..0000000000 --- a/terraform/configs.tf +++ /dev/null @@ -1,6 +0,0 @@ -locals { - // Flag so we can force delete s3 buckets with items in for pr and shortcode environments only. - is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", local.env)) > 0 - dspp_core_account_id = local.environment == "prod" ? 232116723729 : 603871901111 - immunisation_account_id = local.environment == "prod" ? 664418956997 : 345594581768 -} 
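Review bot: `variable "config_env" {}` in api_gateway/variables.tf is declared with no `type` or `description`, yet in the mtls_cert.tf hunk above its value selects which `imms-fhir-${var.config_env}-cert-storage` bucket the mTLS truststore is copied from; an unexpected value here changes which client-CA bundle the API trusts. Suggest `variable "config_env" { type = string, description = "Selects the cert-storage bucket the truststore is copied from" }` and, if the set of valid values is known, a `validation` block pinning it. The `locals` block in the same hunk still derives `environment` from `terraform.workspace` even though the module now receives `var.environment`; if the local is no longer read anywhere, remove it so the two cannot disagree — I cannot tell from this hunk whether it is still used.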
diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf index 5424c32c3a..86f69f7172 100644 --- a/terraform/endpoints.tf +++ b/terraform/endpoints.tf @@ -114,6 +114,7 @@ module "api_gateway" { api_domain_name = local.service_domain_name environment = local.environment oas = local.oas + config_env = local.config_env } resource "aws_lambda_permission" "api_gw" { diff --git a/terraform/environments/int/blue/variables.tfvars b/terraform/environments/int/blue/variables.tfvars new file mode 100644 index 0000000000..ca6154c0df --- /dev/null +++ b/terraform/environments/int/blue/variables.tfvars @@ -0,0 +1,3 @@ +environment = "int" +sub_environment = "blue" +immunisation_account_id = "084828561157" diff --git a/terraform/environments/int/green/variables.tfvars b/terraform/environments/int/green/variables.tfvars new file mode 100644 index 0000000000..371e04ef33 --- /dev/null +++ b/terraform/environments/int/green/variables.tfvars @@ -0,0 +1,3 @@ +environment = "int" +sub_environment = "green" +immunisation_account_id = "084828561157" diff --git a/terraform/environments/non-prod/blue/variables.tfvars b/terraform/environments/non-prod/blue/variables.tfvars new file mode 100644 index 0000000000..ca6154c0df --- /dev/null +++ b/terraform/environments/non-prod/blue/variables.tfvars @@ -0,0 +1,3 @@ +environment = "int" +sub_environment = "blue" +immunisation_account_id = "084828561157" diff --git a/terraform/environments/non-prod/green/variables.tfvars b/terraform/environments/non-prod/green/variables.tfvars new file mode 100644 index 0000000000..8969e7ec6e --- /dev/null +++ b/terraform/environments/non-prod/green/variables.tfvars @@ -0,0 +1,3 @@ +environment = "int" +sub_environment = "blue" +immunisation_account_id = "345594581768" diff --git a/terraform/environments/non-prod/internal-dev/variables.tfvars b/terraform/environments/non-prod/internal-dev/variables.tfvars new file mode 100644 index 0000000000..b6c7a77326 --- /dev/null 
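Review bot: terraform/environments/non-prod/green/variables.tfvars sets `sub_environment = "blue"`, so a "green" deploy from it would take the blue prefix (`short_prefix = "${var.project_short_name}-${var.sub_environment}"` in the variables.tf hunk) and collide with non-prod/blue; presumably it should read `sub_environment = "green"`. The non-prod/blue and non-prod/green files also duplicate int/blue and int/green (`environment = "int"`) but disagree on `immunisation_account_id` (084828561157 in non-prod/blue and both int files, 345594581768 in non-prod/green), which looks like copy-paste drift; worth confirming which account int's blue/green actually deploy into before either set is applied.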
+++ b/terraform/environments/non-prod/internal-dev/variables.tfvars
@@ -0,0 +1,3 @@
+environment = "non-prod"
+sub_environment = "internal-dev"
+immunisation_account_id = "345594581768"
diff --git a/terraform/environments/non-prod/pr/variables.tfvars b/terraform/environments/non-prod/pr/variables.tfvars
new file mode 100644
index 0000000000..7aa6a403ea
--- /dev/null
+++ b/terraform/environments/non-prod/pr/variables.tfvars
@@ -0,0 +1,3 @@
+environment = "non-prod"
+sub_environment = "pr"
+immunisation_account_id = "345594581768"
diff --git a/terraform/environments/non-prod/ref/variables.tfvars b/terraform/environments/non-prod/ref/variables.tfvars
new file mode 100644
index 0000000000..83c1f7850d
--- /dev/null
+++ b/terraform/environments/non-prod/ref/variables.tfvars
@@ -0,0 +1,3 @@
+environment = "non-prod"
+sub_environment = "ref"
+immunisation_account_id = "345594581768"
diff --git a/terraform/environments/prod/blue/variables.tfvars b/terraform/environments/prod/blue/variables.tfvars
new file mode 100644
index 0000000000..c777bb6a0f
--- /dev/null
+++ b/terraform/environments/prod/blue/variables.tfvars
@@ -0,0 +1,3 @@
+environment = "prod"
+sub_environment = "blue"
+immunisation_account_id = "664418956997"
diff --git a/terraform/environments/prod/green/variables.tfvars b/terraform/environments/prod/green/variables.tfvars
new file mode 100644
index 0000000000..37505742d0
--- /dev/null
+++ b/terraform/environments/prod/green/variables.tfvars
@@ -0,0 +1,3 @@
+environment = "prod"
+sub_environment = "green"
+immunisation_account_id = "664418956997"
diff --git a/terraform/lambda.tf b/terraform/lambda.tf
index d1ad8f28db..c3506ab59c 100644
--- a/terraform/lambda.tf
+++ b/terraform/lambda.tf
@@ -15,13 +15,13 @@ resource "aws_ecr_repository" "operation_lambda_repository" { scan_on_push = true } name = "${local.prefix}-operation-lambda-repo" - force_delete = local.is_temp + force_delete = true #local.is_temp } #resource "docker_image" "lambda_function_docker" { module "docker_image" { source = "terraform-aws-modules/lambda/aws//modules/docker-build" - version = "8.0.1" + version = "7.21.1" create_ecr_repo = false ecr_repo = "${local.prefix}-operation-lambda-repo" diff --git a/terraform/main.tf b/terraform/main.tf index 029ae5c145..6cc51d0438 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -28,9 +28,7 @@ provider "aws" { } } -data "aws_region" "current" {} -data "aws_caller_identity" "current" {} -data "aws_ecr_authorization_token" "token" {} + provider "docker" { registry_auth { 
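Review bot: `force_delete = true #local.is_temp` turns on image deletion for the operation-lambda ECR repository in every environment, including prod; it was previously limited to temporary environments through `local.is_temp`, which the variables.tf hunk in this patch still defines. With this change a `terraform destroy` or a forced replacement of the repository removes every stored image instead of failing safe. Restore `force_delete = local.is_temp` (or gate it on `var.environment != "prod"`), and if `true` is deliberate, say why in a comment rather than leaving the old expression as a trailing remark. The module pin also moves back from 8.0.1 to 7.21.1 here and in the mesh_processor.tf hunk — a downgrade deserves a sentence in the commit message.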
@@ -39,3 +37,61 @@ provider "docker" { password = data.aws_ecr_authorization_token.token.password } } + + +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} +data "aws_ecr_authorization_token" "token" {} + +data "aws_vpc" "default" { + filter { + name = "tag:Name" + values = [local.vpc_name] + } +} + +data "aws_subnets" "default" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } +} + +data "aws_kms_key" "existing_s3_encryption_key" { + key_id = "alias/imms-batch-s3-shared-key" +} + +data "aws_kms_key" "existing_dynamo_encryption_key" { + key_id = "alias/imms-event-dynamodb-encryption" +} + +data "aws_elasticache_cluster" "existing_redis" { + cluster_id = "immunisation-redis-cluster" +} + +data "aws_security_group" "existing_securitygroup" { + filter { + name = "group-name" + values = ["immunisation-security-group"] + } +} + +data "aws_s3_bucket" "existing_config_bucket" { + # For now, look up the internal-dev bucket during int, ref and PR branch deploys. + count = local.create_config_bucket ? 0 : 1 + + bucket = "imms-${local.config_bucket_env}-supplier-config" +} + +data "aws_kms_key" "existing_lambda_encryption_key" { + key_id = "alias/imms-batch-lambda-env-encryption" +} + +data "aws_kms_key" "existing_kinesis_encryption_key" { + key_id = "alias/imms-batch-kinesis-stream-encryption" +} + +data "aws_kms_key" "mesh_s3_encryption_key" { + count = local.config_env == "int" ? 0 : 1 + key_id = "alias/local-immunisation-mesh" +} diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf index ff43bd7de6..8afa04a008 100644 --- a/terraform/mesh_processor.tf +++ b/terraform/mesh_processor.tf @@ -1,3 +1,4 @@ +# Note: This is all disabled in the preprod environment # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments locals { mesh_processor_lambda_dir = abspath("${path.root}/../mesh_processor") 
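Review bot: The new `data "aws_subnets" "default"` returns every subnet in the VPC, whereas the block deleted in the variables.tf hunk filtered to subnets with a `nat_gateway_id` route and backed that with `check "private_subnets"`; if these `ids` feed any Lambda or ECS `vpc_config` (not visible here), those workloads may now be placed in public subnets. Either keep the route-table filter and the check, or document on the data source why all subnets are acceptable. `aws_subnets` is also renamed from `all` to `default` and `aws_vpc.default` switches from `default = true` to a `tag:Name` lookup on `local.vpc_name`, so any `data.aws_subnets.all` reference outside this patch will fail validation. `existing_config_bucket` and `mesh_s3_encryption_key` read `local.create_config_bucket` and `local.config_env`, and the latter is no longer defined by this patch's locals.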
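Review bot: The added comment says the file is disabled "in the preprod environment", but every gate in the following hunks is `local.config_env == "int" ? 0 : 1`, so a reader cannot tell whether "preprod" and "int" are the same thing. Make the comment match the condition, e.g. `# Note: every resource in this file has count = 0 when local.config_env == "int"`, and name the environment consistently with the tfvars files added in this patch.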
@@ -7,6 +8,7 @@ locals { resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { + count = local.config_env == "int" ? 0 : 1 image_scanning_configuration { scan_on_push = true } @@ -16,11 +18,12 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { # Module for building and pushing Docker image to ECR module "mesh_processor_docker_image" { + count = local.config_env == "int" ? 0 : 1 source = "terraform-aws-modules/lambda/aws//modules/docker-build" - version = "8.0.1" + version = "7.21.1" create_ecr_repo = false - ecr_repo = aws_ecr_repository.mesh_file_converter_lambda_repository.name + ecr_repo = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name ecr_repo_lifecycle_policy = jsonencode({ "rules" : [ { @@ -48,7 +51,8 @@ module "mesh_processor_docker_image" { # Define the lambdaECRImageRetreival policy resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" { - repository = aws_ecr_repository.mesh_file_converter_lambda_repository.name + count = local.config_env == "int" ? 0 : 1 + repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name policy = jsonencode({ Version = "2012-10-17" @@ -78,7 +82,8 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po # IAM Role for Lambda resource "aws_iam_role" "mesh_processor_lambda_exec_role" { - name = "${local.short_prefix}-mesh_processor-lambda-exec-role" + count = local.config_env == "int" ? 0 : 1 + name = "${local.short_prefix}-mesh_processor-lambda-exec-role" assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{ 
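Review bot: `count = local.config_env == "int" ? 0 : 1` is pasted into every resource and module in this file (this hunk and the ones that follow through the log group), so enabling the mesh processor for another environment means editing a dozen lines that must all agree. Hoist it once, `mesh_processor_count = local.config_env == "int" ? 0 : 1` in the file's `locals`, and write `count = local.mesh_processor_count` at each site. Note also that `local.config_env` is removed from terraform/variables.tf in this patch and not redefined in any visible hunk, so these expressions will not validate unless it is declared elsewhere.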
@@ -94,7 +99,8 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" { # Policy for Lambda execution role resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { - name = "${local.short_prefix}-mesh_processor-lambda-exec-policy" + count = local.config_env == "int" ? 0 : 1 + name = "${local.short_prefix}-mesh_processor-lambda-exec-policy" policy = jsonencode({ Version = "2012-10-17", Statement = [ @@ -140,6 +146,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { } resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { + count = local.config_env == "int" ? 0 : 1 name = "${local.short_prefix}-mesh_processor-lambda-kms-policy" description = "Allow Lambda to decrypt environment variables" @@ -154,7 +161,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { "kms:GenerateDataKey*" ] Resource = [ - data.aws_kms_key.mesh_s3_encryption_key.arn + data.aws_kms_key.mesh_s3_encryption_key[0].arn # "arn:aws:kms:eu-west-2:345594581768:key/9b756762-bc6f-42fb-ba56-2c0c00c15289" ] } 
@@ -164,23 +171,26 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { # Attach the execution policy to the Lambda role resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" { - role = aws_iam_role.mesh_processor_lambda_exec_role.name - policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy.arn + count = local.config_env == "int" ? 0 : 1 + role = aws_iam_role.mesh_processor_lambda_exec_role[0].name + policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn } # Attach the kms policy to the Lambda role resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" { - role = aws_iam_role.mesh_processor_lambda_exec_role.name - policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy.arn + count = local.config_env == "int" ? 0 : 1 + role = aws_iam_role.mesh_processor_lambda_exec_role[0].name + policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn } # Lambda Function with Security Group and VPC. resource "aws_lambda_function" "mesh_file_converter_lambda" { + count = local.config_env == "int" ? 0 : 1 function_name = "${local.short_prefix}-mesh_processor_lambda" - role = aws_iam_role.mesh_processor_lambda_exec_role.arn + role = aws_iam_role.mesh_processor_lambda_exec_role[0].arn package_type = "Image" - image_uri = module.mesh_processor_docker_image.image_uri + image_uri = module.mesh_processor_docker_image[0].image_uri architectures = ["x86_64"] timeout = 360 
@@ -195,9 +205,10 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" { # Permission for S3 to invoke Lambda function resource "aws_lambda_permission" "mesh_s3_invoke_permission" { + count = local.config_env == "int" ? 0 : 1 statement_id = "AllowExecutionFromS3" action = "lambda:InvokeFunction" - function_name = aws_lambda_function.mesh_file_converter_lambda.function_name + function_name = aws_lambda_function.mesh_file_converter_lambda[0].function_name principal = "s3.amazonaws.com" source_arn = "arn:aws:s3:::local-immunisation-mesh" } @@ -207,16 +218,18 @@ resource "aws_lambda_permission" "mesh_s3_invoke_permission" { # S3 Bucket notification to trigger Lambda function resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" { # TODO - what is this bucket and why isn't it managed by Terraform? + count = local.config_env == "int" ? 0 : 1 bucket = "local-immunisation-mesh" lambda_function { - lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda.arn + lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda[0].arn events = ["s3:ObjectCreated:*"] #filter_prefix ="" } } resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" { + count = local.config_env == "int" ? 0 : 1 name = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda" retention_in_days = 30 } diff --git a/terraform/variables.tf b/terraform/variables.tf index 629fb1d02d..c02e432570 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,11 +1,18 @@ +variable "environment" {} +variable "sub_environment" {} +variable "aws_account_name" {} +variable "immunisation_account_id" {} variable "project_name" { - default = "immunisations" + default = "immunisation" } variable "project_short_name" { default = "imms" } +variable "use_new_aws_preprod_account" { + default = true +} variable "service" { default = "fhir-api" } 
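Review bot: The four new variables (`environment`, `sub_environment`, `aws_account_name`, `immunisation_account_id`) are declared without `type` or `description`, and `immunisation_account_id` ends up inside IAM `aws:sourceArn` conditions and `Resource` ARNs (the ack_lambda.tf hunks in the second patch), where a mistyped value yields a policy that matches nothing or the wrong account with no error at plan time. Pin the type and validate the shape as below. `aws_account_name` is not set in any of the new tfvars files, so every run must supply it on the command line — I can't see from this hunk whether the Makefile does. `use_new_aws_preprod_account` is added with `default = true` but has no consumer in this patch.
```terraform
variable "immunisation_account_id" {
  type        = string
  description = "AWS account id the immunisation resources are deployed into"
  validation {
    condition     = can(regex("^[0-9]{12}$", var.immunisation_account_id))
    error_message = "immunisation_account_id must be a 12-digit AWS account id."
  }
}
# … unchanged: project_name, project_short_name, service … 
```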
@@ -15,85 +22,19 @@ variable "aws_region" { } locals { - environment = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace - env = terraform.workspace - prefix = "${var.project_name}-${var.service}-${local.env}" - short_prefix = "${var.project_short_name}-${local.env}" - batch_prefix = "immunisation-batch-${local.env}" - config_env = local.environment == "prod" ? "prod" : "dev" + prefix = "${var.project_name}-${var.service}-${var.sub_environment}" + short_prefix = "${var.project_short_name}-${var.sub_environment}" + batch_prefix = "immunisation-batch-${var.sub_environment}" - root_domain = "${local.config_env}.vds.platform.nhs.uk" - project_domain_name = data.aws_route53_zone.project_zone.name + vpc_name = "imms-${var.environment}-fhir-api-vpc" + root_domain = "${var.sub_environment}.${var.environment}.vds.platform.nhs.uk" service_domain_name = "${local.env}.${local.project_domain_name}" + project_domain_name = data.aws_route53_zone.project_zone.name - config_bucket_arn = aws_s3_bucket.batch_config_bucket.arn - config_bucket_name = aws_s3_bucket.batch_config_bucket.bucket - - - # Public subnet - The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet. - # public_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.gateway_id) > 0] - # Private subnet - The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet. 
- private_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.nat_gateway_id) > 0] -} - -check "private_subnets" { - assert { - condition = length(local.private_subnet_ids) > 0 - error_message = "No private subnets with internet access found in VPC ${data.aws_vpc.default.id}" - } -} - -data "aws_vpc" "default" { - default = true -} - -data "aws_subnets" "all" { - filter { - name = "vpc-id" - values = [data.aws_vpc.default.id] - } -} - -data "aws_route_table" "route_table_by_subnet" { - for_each = toset(data.aws_subnets.all.ids) - - subnet_id = each.value -} - -data "aws_route" "internet_traffic_route_by_subnet" { - for_each = data.aws_route_table.route_table_by_subnet - - route_table_id = each.value.id - destination_cidr_block = "0.0.0.0/0" -} - -data "aws_kms_key" "existing_s3_encryption_key" { - key_id = "alias/imms-batch-s3-shared-key" -} - -data "aws_kms_key" "existing_dynamo_encryption_key" { - key_id = "alias/imms-event-dynamodb-encryption" -} - -data "aws_elasticache_cluster" "existing_redis" { - cluster_id = "immunisation-redis-cluster" -} - -data "aws_security_group" "existing_securitygroup" { - filter { - name = "group-name" - values = ["immunisation-security-group"] - } -} - -data "aws_kms_key" "existing_lambda_encryption_key" { - key_id = "alias/imms-batch-lambda-env-encryption" -} - -data "aws_kms_key" "existing_kinesis_encryption_key" { - key_id = "alias/imms-batch-kinesis-stream-encryption" -} + # For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account. + create_config_bucket = local.environment == local.config_bucket_env + config_bucket_arn = local.create_config_bucket ? aws_s3_bucket.batch_config_bucket[0].arn : data.aws_s3_bucket.existing_config_bucket[0].arn + config_bucket_name = local.create_config_bucket ? 
aws_s3_bucket.batch_config_bucket[0].bucket : data.aws_s3_bucket.existing_config_bucket[0].bucket -data "aws_kms_key" "mesh_s3_encryption_key" { - key_id = "alias/local-immunisation-mesh" + is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", local.env)) > 0 } From fda28c68afbee004161bcc348ac288d9962e4679 Mon Sep 17 00:00:00 2001 
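Review bot: This hunk removes the `environment`, `env` and `config_env` locals but the new locals still read them: `service_domain_name` uses `local.env`, `create_config_bucket` uses `local.environment` and `local.config_bucket_env`, and `is_temp` uses `local.env`; the main.tf, endpoints.tf and mesh_processor.tf hunks also reference `local.config_env` and `local.config_bucket_env`, and nothing in the patch defines any of them, so `terraform validate` will fail unless they live in a file outside this diff. Presumably `env` should become `var.sub_environment` and `environment` `var.environment`, e.g. `service_domain_name = "${var.sub_environment}.${local.project_domain_name}"` and `is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", var.sub_environment)) > 0`, with `config_env` and `config_bucket_env` either declared here or turned into variables. `root_domain` now embeds `${var.sub_environment}.${var.environment}`, which changes the zone the certificate and records are created under for every environment — worth confirming that zone exists before apply.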
From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Fri, 11 Jul 2025 12:30:50 +0100 Subject: [PATCH 02/18] overhaul --- terraform/ack_lambda.tf | 6 +- terraform/api_gateway/api.tf | 66 ------------------- terraform/api_gateway/variables.tf | 11 ---- terraform/delta.tf | 2 +- terraform/dps_role_creation.tf | 4 +- terraform/dynamodb.tf | 12 ++-- terraform/ecs_batch_processor_config.tf | 14 ++-- terraform/endpoints.tf | 23 ++++--- .../non-prod/blue/variables.tfvars | 3 - .../non-prod/green/variables.tfvars | 3 - .../non-prod/int/variables.tfvars | 3 + .../non-prod/internal-dev/variables.tfvars | 1 + terraform/file_name_processor.tf | 8 +-- terraform/forwarder_lambda.tf | 4 +- terraform/lambda.tf | 14 ++-- terraform/lambda/lambda.tf | 52 --------------- terraform/lambda/variables.tf | 34 ---------- terraform/main.tf | 14 +--- terraform/mesh_processor.tf | 30 ++++----- .../{ => modules}/api_gateway/acm_cert.tf | 0 terraform/modules/api_gateway/api.tf | 63 ++++++++++++++++++ terraform/{ => modules}/api_gateway/logs.tf | 16 ++--- .../{ => modules}/api_gateway/mtls_cert.tf | 2 +- .../{ => modules}/api_gateway/outputs.tf | 0 terraform/modules/api_gateway/variables.tf | 6 ++ terraform/{ => modules}/lambda/iam.tf | 0 terraform/modules/lambda/lambda.tf | 52 +++++++++++++++ terraform/{ => modules}/lambda/outputs.tf | 0 terraform/modules/lambda/variables.tf | 34 ++++++++++ .../{ => modules}/policies/aws_sns_topic.json | 0 .../{ => modules}/policies/aws_sqs_queue.json | 0 .../policies/dynamo_key_access.json | 0 .../{ => modules}/policies/dynamodb.json | 0 .../policies/dynamodb_stream.json | 0 .../policies/ec2_network_interfaces.json | 0 .../{ => modules}/policies/lambda_to_sqs.json | 0 terraform/{ => modules}/policies/log.json | 0 .../{ => modules}/policies/log_kinesis.json | 0 .../policies/secret_manager.json | 0 terraform/modules/splunk/backup.tf | 10 +++ terraform/{ => modules}/splunk/firehose.tf | 0 terraform/{ => modules}/splunk/iam.tf | 0 terraform/{ 
=> modules}/splunk/outputs.tf | 0 terraform/{ => modules}/splunk/variables.tf | 3 +- terraform/redis_sync_lambda.tf | 8 +-- terraform/s3_config.tf | 12 ++-- terraform/splunk.tf | 4 +- terraform/splunk/backup.tf | 10 --- terraform/variables.tf | 24 ++++--- 49 files changed, 268 insertions(+), 280 deletions(-) delete mode 100644 terraform/api_gateway/api.tf delete mode 100644 terraform/api_gateway/variables.tf delete mode 100644 terraform/environments/non-prod/blue/variables.tfvars delete mode 100644 terraform/environments/non-prod/green/variables.tfvars create mode 100644 terraform/environments/non-prod/int/variables.tfvars delete mode 100644 terraform/lambda/lambda.tf delete mode 100644 terraform/lambda/variables.tf rename terraform/{ => modules}/api_gateway/acm_cert.tf (100%) create mode 100644 terraform/modules/api_gateway/api.tf rename terraform/{ => modules}/api_gateway/logs.tf (72%) rename terraform/{ => modules}/api_gateway/mtls_cert.tf (91%) rename terraform/{ => modules}/api_gateway/outputs.tf (100%) create mode 100644 terraform/modules/api_gateway/variables.tf rename terraform/{ => modules}/lambda/iam.tf (100%) create mode 100644 terraform/modules/lambda/lambda.tf rename terraform/{ => modules}/lambda/outputs.tf (100%) create mode 100644 terraform/modules/lambda/variables.tf rename terraform/{ => modules}/policies/aws_sns_topic.json (100%) rename terraform/{ => modules}/policies/aws_sqs_queue.json (100%) rename terraform/{ => modules}/policies/dynamo_key_access.json (100%) rename terraform/{ => modules}/policies/dynamodb.json (100%) rename terraform/{ => modules}/policies/dynamodb_stream.json (100%) rename terraform/{ => modules}/policies/ec2_network_interfaces.json (100%) rename terraform/{ => modules}/policies/lambda_to_sqs.json (100%) rename terraform/{ => modules}/policies/log.json (100%) rename terraform/{ => modules}/policies/log_kinesis.json (100%) rename terraform/{ => modules}/policies/secret_manager.json (100%) create mode 100644 
terraform/modules/splunk/backup.tf rename terraform/{ => modules}/splunk/firehose.tf (100%) rename terraform/{ => modules}/splunk/iam.tf (100%) rename terraform/{ => modules}/splunk/outputs.tf (100%) rename terraform/{ => modules}/splunk/variables.tf (58%) delete mode 100644 terraform/splunk/backup.tf diff --git a/terraform/ack_lambda.tf b/terraform/ack_lambda.tf index c517bedde3..87055e8098 100644 --- a/terraform/ack_lambda.tf +++ b/terraform/ack_lambda.tf @@ -68,7 +68,7 @@ resource "aws_ecr_repository_policy" "ack_lambda_ECRImageRetreival_policy" { ], "Condition" : { "StringLike" : { - "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-ack-lambda" + "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-ack-lambda" } } } @@ -105,7 +105,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" { "logs:CreateLogStream", "logs:PutLogEvents" ] - Resource = "arn:aws:logs:eu-west-2:${local.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-ack-lambda:*" + Resource = "arn:aws:logs:eu-west-2:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-ack-lambda:*" }, { Effect = "Allow" @@ -148,7 +148,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" { "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], - Resource = "arn:aws:sqs:eu-west-2:${local.immunisation_account_id}:${local.short_prefix}-ack-metadata-queue.fifo" }, + Resource = "arn:aws:sqs:eu-west-2:${var.immunisation_account_id}:${local.short_prefix}-ack-metadata-queue.fifo" }, { "Effect" : "Allow", "Action" : [ diff --git a/terraform/api_gateway/api.tf b/terraform/api_gateway/api.tf deleted file mode 100644 index d949d4f3e0..0000000000 --- a/terraform/api_gateway/api.tf +++ /dev/null 
@@ -1,66 +0,0 @@ -locals { - api_stage_name = var.environment -} - -resource "aws_apigatewayv2_api" "service_api" { - name = "${var.prefix}-api" - description = "Immunisation FHIR API - ${var.environment}" - protocol_type = "HTTP" - disable_execute_api_endpoint = true - body = var.oas -} - -resource "aws_apigatewayv2_stage" "default" { - depends_on = [aws_cloudwatch_log_group.api_access_log] - api_id = aws_apigatewayv2_api.service_api.id - name = local.api_stage_name - auto_deploy = true - - default_route_settings { - logging_level = "INFO" - throttling_burst_limit = 500 - throttling_rate_limit = 500 - detailed_metrics_enabled = true - } - access_log_settings { - destination_arn = aws_cloudwatch_log_group.api_access_log.arn - format = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\"\"environment\":\"$context.authorizer.environment\" }" - } - - # Bug in terraform-aws-provider with perpetual diff - lifecycle { - ignore_changes = [deployment_id] - } -} - -resource "aws_apigatewayv2_domain_name" "service_api_domain_name" { - domain_name = var.api_domain_name - domain_name_configuration { - certificate_arn = aws_acm_certificate_validation.service_certificate.certificate_arn - endpoint_type = "REGIONAL" - security_policy = "TLS_1_2" - } - mutual_tls_authentication { - truststore_uri = "s3://${aws_s3_bucket.truststore_bucket.bucket}/${local.truststore_file_name}" - } - tags = { - Name = "${var.prefix}-api-domain-name" - 
} -} - -resource "aws_apigatewayv2_api_mapping" "api_mapping" { - api_id = aws_apigatewayv2_api.service_api.id - domain_name = aws_apigatewayv2_domain_name.service_api_domain_name.id - stage = aws_apigatewayv2_stage.default.id -} - -resource "aws_route53_record" "api_domain" { - zone_id = var.zone_id - name = aws_apigatewayv2_domain_name.service_api_domain_name.domain_name - type = "A" - alias { - evaluate_target_health = true - name = aws_apigatewayv2_domain_name.service_api_domain_name.domain_name_configuration[0].target_domain_name - zone_id = aws_apigatewayv2_domain_name.service_api_domain_name.domain_name_configuration[0].hosted_zone_id - } -} diff --git a/terraform/api_gateway/variables.tf b/terraform/api_gateway/variables.tf deleted file mode 100644 index bc89040621..0000000000 --- a/terraform/api_gateway/variables.tf +++ /dev/null @@ -1,11 +0,0 @@ -variable "prefix" {} -variable "short_prefix" {} -variable "zone_id" {} -variable "api_domain_name" {} -variable "environment" {} -variable "oas" {} -variable "config_env" {} - -locals { - environment = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace -} diff --git a/terraform/delta.tf b/terraform/delta.tf index 7c10b7fce1..78e68a2f3b 100644 --- a/terraform/delta.tf +++ b/terraform/delta.tf @@ -69,7 +69,7 @@ resource "aws_ecr_repository_policy" "delta_lambda_ECRImageRetreival_policy" { ], "Condition" : { "StringLike" : { - "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-${local.function_name}" + "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-${local.function_name}" } } } diff --git a/terraform/dps_role_creation.tf b/terraform/dps_role_creation.tf index 220cd007d8..dd91402aa1 100644 --- a/terraform/dps_role_creation.tf +++ b/terraform/dps_role_creation.tf 
@@ -6,7 +6,7 @@ resource "aws_iam_role" "dynamo_s3_access_role" { { Effect : "Allow", Principal : { - AWS : "arn:aws:iam::${local.dspp_core_account_id}:root" + AWS : "arn:aws:iam::${var.dspp_core_account_id}:root" }, Action : "sts:AssumeRole" } @@ -22,7 +22,7 @@ resource "aws_iam_role_policy" "dynamo_s3_access_policy" { Statement = [ { Effect = "Allow", - Action = local.environment == "prod" ? [ + Action = var.environment == "prod" ? [ "dynamodb:GetItem", "dynamodb:Query" ] : [ diff --git a/terraform/dynamodb.tf b/terraform/dynamodb.tf index 0866d46ef6..ef752fdb78 100644 --- a/terraform/dynamodb.tf +++ b/terraform/dynamodb.tf @@ -1,5 +1,5 @@ resource "aws_dynamodb_table" "audit-table" { - name = "immunisation-batch-${local.environment}-audit-table" + name = "immunisation-batch-${var.sub_environment}-audit-table" billing_mode = "PAY_PER_REQUEST" hash_key = "message_id" @@ -37,7 +37,7 @@ resource "aws_dynamodb_table" "audit-table" { } point_in_time_recovery { - enabled = local.environment == "prod" + enabled = var.environment == "prod" } server_side_encryption { @@ -47,7 +47,7 @@ resource "aws_dynamodb_table" "audit-table" { } resource "aws_dynamodb_table" "delta-dynamodb-table" { - name = "imms-${local.environment}-delta" + name = "imms-${var.sub_environment}-delta" billing_mode = "PAY_PER_REQUEST" hash_key = "PK" @@ -96,7 +96,7 @@ resource "aws_dynamodb_table" "delta-dynamodb-table" { } point_in_time_recovery { - enabled = local.environment == "prod" + enabled = var.environment == "prod" } server_side_encryption { @@ -106,7 +106,7 @@ resource "aws_dynamodb_table" "delta-dynamodb-table" { } resource "aws_dynamodb_table" "events-dynamodb-table" { - name = "imms-${local.environment}-imms-events" + name = "imms-${var.sub_environment}-imms-events" billing_mode = "PAY_PER_REQUEST" hash_key = "PK" stream_enabled = true 
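Review bot: The action list granted to the DSPP core account in `aws_iam_role_policy.dynamo_s3_access_policy` now depends on `var.environment` comparing exactly equal to `"prod"`, and nothing visible constrains what a tfvars file may set that variable to; the same `var.environment == "prod"` switch guards the bucket policies in s3_config.tf. Any mismatch (a typo, or the `"int"` versus `"non-prod"` mix-up this commit's own tfvars show) silently selects the broader non-prod action list for a production account, which is the wrong failure direction for a cross-account grant. Add a `validation` block to `variable "environment"` (terraform/variables.tf, whose hunk lies outside this view) with condition `contains(["prod", "non-prod"], var.environment)` and an error_message naming the allowed values, so a bad value fails at plan time rather than widening access.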
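Review bot: Renaming the three DynamoDB tables from `${local.environment}` to `${var.sub_environment}` is a table replacement wherever the two differ, because a `name` change on `aws_dynamodb_table` forces a new resource; if the prod blue/green tfvars follow the pattern of the deleted non-prod/blue file (`sub_environment = "blue"`), `imms-prod-delta` and `imms-prod-imms-events` become `imms-blue-…` and the production tables are destroyed and recreated empty. This also contradicts s3_config.tf in the same commit, whose comment says separate blue/green names in prod are deliberately avoided and which keeps `${var.environment}` for that reason. Keep `${var.environment}` in these names (or add a `moved`/import step and confirm the plan shows no `-/+` on the tables), and consider `lifecycle { prevent_destroy = true }` on all three tables so a future rename cannot drop audit, delta or event data. The same applies to the `delta-dynamodb-table` and `events-dynamodb-table` hunks that follow.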
@@ -147,7 +147,7 @@ resource "aws_dynamodb_table" "events-dynamodb-table" { } point_in_time_recovery { - enabled = local.environment == "prod" + enabled = var.environment == "prod" } server_side_encryption { diff --git a/terraform/ecs_batch_processor_config.tf b/terraform/ecs_batch_processor_config.tf index c6a26c5cc0..dc02c5e58c 100644 --- a/terraform/ecs_batch_processor_config.tf +++ b/terraform/ecs_batch_processor_config.tf @@ -93,7 +93,7 @@ resource "aws_iam_policy" "ecs_task_exec_policy" { "logs:CreateLogStream", "logs:PutLogEvents" ], - Resource = "arn:aws:logs:${var.aws_region}:${local.immunisation_account_id}:log-group:/aws/vendedlogs/ecs/${local.short_prefix}-processor-task:*" + Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/vendedlogs/ecs/${local.short_prefix}-processor-task:*" }, { Effect = "Allow", @@ -148,7 +148,7 @@ resource "aws_iam_policy" "ecs_task_exec_policy" { Action = [ "ecr:GetAuthorizationToken" ], - Resource = "arn:aws:ecr:${var.aws_region}:${local.immunisation_account_id}:repository/${local.short_prefix}-processing-repo" + Resource = "arn:aws:ecr:${var.aws_region}:${var.immunisation_account_id}:repository/${local.short_prefix}-processing-repo" }, { Effect = "Allow" @@ -279,7 +279,7 @@ resource "aws_iam_policy" "fifo_pipe_policy" { "pipes:DescribePipe" ], Resource = [ - "arn:aws:pipes:${var.aws_region}:${local.immunisation_account_id}:pipe/${local.short_prefix}-pipe", + "arn:aws:pipes:${var.aws_region}:${var.immunisation_account_id}:pipe/${local.short_prefix}-pipe", aws_ecs_task_definition.ecs_task.arn ] }, 
@@ -296,11 +296,11 @@ resource "aws_iam_policy" "fifo_pipe_policy" { ], Effect = "Allow", Resource = [ - "arn:aws:logs:${var.aws_region}:${local.immunisation_account_id}:log-group:/aws/vendedlogs/pipes/${local.short_prefix}-pipe-logs:*", - "arn:aws:ecs:${var.aws_region}:${local.immunisation_account_id}:task/${local.short_prefix}-ecs-cluster/*", - "arn:aws:logs:${var.aws_region}:${local.immunisation_account_id}:log-group:/aws/vendedlogs/ecs/${local.short_prefix}-processor-task:*", + "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/vendedlogs/pipes/${local.short_prefix}-pipe-logs:*", + "arn:aws:ecs:${var.aws_region}:${var.immunisation_account_id}:task/${local.short_prefix}-ecs-cluster/*", + "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/vendedlogs/ecs/${local.short_prefix}-processor-task:*", aws_sqs_queue.supplier_fifo_queue.arn, - "arn:aws:ecs:${var.aws_region}:${local.immunisation_account_id}:cluster/${local.short_prefix}-ecs-cluster", + "arn:aws:ecs:${var.aws_region}:${var.immunisation_account_id}:cluster/${local.short_prefix}-ecs-cluster", aws_ecs_task_definition.ecs_task.arn ] }, diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf index 86f69f7172..602aa4fdab 100644 --- a/terraform/endpoints.tf +++ b/terraform/endpoints.tf @@ -8,7 +8,7 @@ data "aws_iam_policy_document" "logs_policy_document" { source_policy_documents = [templatefile("${local.policy_path}/log.json", {})] } module "get_status" { - source = "./lambda" + source = "./modules/lambda" prefix = local.prefix short_prefix = local.short_prefix function_name = "get_status" 
@@ -23,13 +23,13 @@ locals { imms_table_name = aws_dynamodb_table.events-dynamodb-table.name imms_lambda_env_vars = { "DYNAMODB_TABLE_NAME" = local.imms_table_name, - "IMMUNIZATION_ENV" = local.environment, - "IMMUNIZATION_BASE_PATH" = strcontains(local.environment, "pr-") ? "immunisation-fhir-api-${local.environment}" : "immunisation-fhir-api" + "IMMUNIZATION_ENV" = var.environment, + "IMMUNIZATION_BASE_PATH" = strcontains(var.environment, "pr-") ? "immunisation-fhir-api-${var.environment}" : "immunisation-fhir-api" # except for prod and ref, any other env uses PDS int environment - "PDS_ENV" = local.environment == "prod" ? "prod" : local.environment == "ref" ? "ref" : "int", - "PDS_CHECK_ENABLED" = tostring(local.environment != "int") + "PDS_ENV" = var.environment == "prod" ? "prod" : var.environment == "ref" ? "ref" : "int", + "PDS_CHECK_ENABLED" = tostring(var.environment != "int") "SPLUNK_FIREHOSE_NAME" = module.splunk.firehose_stream_name - "SQS_QUEUE_URL" = "https://sqs.eu-west-2.amazonaws.com/${local.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo" + "SQS_QUEUE_URL" = "https://sqs.eu-west-2.amazonaws.com/${var.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo" "REDIS_HOST" = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address "REDIS_PORT" = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port } @@ -41,7 +41,7 @@ data "aws_iam_policy_document" "imms_policy_document" { }), templatefile("${local.policy_path}/log.json", {}), templatefile("${local.policy_path}/lambda_to_sqs.json", { - "local_account" : local.immunisation_account_id + "local_account" : var.immunisation_account_id "queue_prefix" : local.short_prefix }), templatefile("${local.policy_path}/dynamo_key_access.json", { 
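Review bot: `var.environment != "int"`, `var.environment == "ref"` and `strcontains(var.environment, "pr-")` in `imms_lambda_env_vars` can no longer match, because the tfvars added in this commit put `"int"` in `sub_environment` and set `environment = "non-prod"` (terraform/environments/non-prod/int/variables.tfvars), and splunk.tf in the same commit already uses `var.sub_environment == "int"` for exactly this distinction. The visible effect is that `PDS_CHECK_ENABLED` flips to `"true"` in int, `PDS_ENV` falls back to `"int"` for ref if ref's tfvars follow the same pattern, and PR deployments lose their per-PR base path. The same comparison is wrong in main.tf (`data "aws_kms_key" "mesh_s3_encryption_key"`) and in every `count = var.environment == "int" ? 0 : 1` in mesh_processor.tf, which would now create the MESH lambda, its KMS-decrypt role and the notification on the `local-immunisation-mesh` bucket in int, and fail the plan there if the `alias/local-immunisation-mesh` key does not exist in that account. Use `var.sub_environment` in each of these, e.g. `"PDS_CHECK_ENABLED" = tostring(var.sub_environment != "int")`.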
@@ -58,7 +58,7 @@ data "aws_iam_policy_document" "imms_policy_document" { } module "imms_event_endpoint_lambdas" { - source = "./lambda" + source = "./modules/lambda" count = length(local.imms_endpoints) prefix = local.prefix @@ -66,7 +66,7 @@ module "imms_event_endpoint_lambdas" { function_name = local.imms_endpoints[count.index] image_uri = module.docker_image.image_uri policy_json = data.aws_iam_policy_document.imms_policy_document.json - environments = local.imms_lambda_env_vars + environment_variables = local.imms_lambda_env_vars vpc_subnet_ids = local.private_subnet_ids vpc_security_group_ids = [data.aws_security_group.existing_securitygroup.id] } @@ -106,15 +106,14 @@ output "oas" { } module "api_gateway" { - source = "./api_gateway" + source = "./modules/api_gateway" prefix = local.prefix short_prefix = local.short_prefix zone_id = data.aws_route53_zone.project_zone.zone_id api_domain_name = local.service_domain_name - environment = local.environment + environment = var.sub_environment oas = local.oas - config_env = local.config_env } resource "aws_lambda_permission" "api_gw" { diff --git a/terraform/environments/non-prod/blue/variables.tfvars b/terraform/environments/non-prod/blue/variables.tfvars deleted file mode 100644 index ca6154c0df..0000000000 --- a/terraform/environments/non-prod/blue/variables.tfvars +++ /dev/null @@ -1,3 +0,0 @@ -environment = "int" -sub_environment = "blue" -immunisation_account_id = "084828561157" diff --git a/terraform/environments/non-prod/green/variables.tfvars b/terraform/environments/non-prod/green/variables.tfvars deleted file mode 100644 index 8969e7ec6e..0000000000 --- a/terraform/environments/non-prod/green/variables.tfvars +++ /dev/null @@ -1,3 +0,0 @@ -environment = "int" -sub_environment = "blue" -immunisation_account_id = "345594581768" diff --git a/terraform/environments/non-prod/int/variables.tfvars b/terraform/environments/non-prod/int/variables.tfvars new file mode 100644 index 0000000000..ad900c8614 
--- /dev/null +++ b/terraform/environments/non-prod/int/variables.tfvars @@ -0,0 +1,3 @@ +environment = "non-prod" +sub_environment = "int" +immunisation_account_id = "345594581768" diff --git a/terraform/environments/non-prod/internal-dev/variables.tfvars b/terraform/environments/non-prod/internal-dev/variables.tfvars index b6c7a77326..392ceec8d1 100644 --- a/terraform/environments/non-prod/internal-dev/variables.tfvars +++ b/terraform/environments/non-prod/internal-dev/variables.tfvars @@ -1,3 +1,4 @@ environment = "non-prod" sub_environment = "internal-dev" immunisation_account_id = "345594581768" +create_config_bucket = true diff --git a/terraform/file_name_processor.tf b/terraform/file_name_processor.tf index 118e5d48c1..1d9b83ccd9 100644 --- a/terraform/file_name_processor.tf +++ b/terraform/file_name_processor.tf @@ -68,7 +68,7 @@ resource "aws_ecr_repository_policy" "filenameprocessor_lambda_ECRImageRetreival ], "Condition" : { "StringLike" : { - "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-filenameproc_lambda" + "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-filenameproc_lambda" } } } @@ -105,7 +105,7 @@ resource "aws_iam_policy" "filenameprocessor_lambda_exec_policy" { "logs:CreateLogStream", "logs:PutLogEvents" ] - Resource = "arn:aws:logs:${var.aws_region}:${local.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-filenameproc_lambda:*" + Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-filenameproc_lambda:*" }, { Effect = "Allow" 
@@ -166,7 +166,7 @@ resource "aws_iam_policy" "filenameprocessor_lambda_exec_policy" { Effect = "Allow" Action = "lambda:InvokeFunction" Resource = [ - "arn:aws:lambda:${var.aws_region}:${local.immunisation_account_id}:function:imms-${local.env}-filenameproc_lambda", + "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:imms-${var.sub_environment}-filenameproc_lambda", ] } ] @@ -291,7 +291,7 @@ resource "aws_lambda_function" "file_processor_lambda" { SPLUNK_FIREHOSE_NAME = module.splunk.firehose_stream_name AUDIT_TABLE_NAME = aws_dynamodb_table.audit-table.name FILE_NAME_GSI = "filename_index" - FILE_NAME_PROC_LAMBDA_NAME = "imms-${local.env}-filenameproc_lambda" + FILE_NAME_PROC_LAMBDA_NAME = "imms-${var.sub_environment}-filenameproc_lambda" } } diff --git a/terraform/forwarder_lambda.tf b/terraform/forwarder_lambda.tf index 1f1aa2c457..dde81ab346 100644 --- a/terraform/forwarder_lambda.tf +++ b/terraform/forwarder_lambda.tf @@ -72,7 +72,7 @@ resource "aws_ecr_repository_policy" "forwarder_lambda_ECRImageRetreival_policy" ], "Condition" : { "StringLike" : { - "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-forwarding_lambda" + "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-forwarding_lambda" } } } @@ -109,7 +109,7 @@ resource "aws_iam_policy" "forwarding_lambda_exec_policy" { "logs:CreateLogStream", "logs:PutLogEvents" ] - Resource = "arn:aws:logs:${var.aws_region}:${local.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-forwarding_lambda:*", + Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-forwarding_lambda:*", }, { Effect = "Allow" diff --git a/terraform/lambda.tf b/terraform/lambda.tf index c3506ab59c..5fc26a43a4 100644 --- a/terraform/lambda.tf +++ b/terraform/lambda.tf 
@@ -74,13 +74,13 @@ resource "aws_ecr_repository_policy" "operation_lambda_ECRImageRetreival_policy" "Condition" : { "StringLike" : { "aws:sourceArn" : [ - "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}_get_status", - "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}_not_found", - "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}_search_imms", - "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}_get_imms", - "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}_delete_imms", - "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}_create_imms", - "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}_update_imms" + "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_get_status", + "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_not_found", + "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_search_imms", + "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_get_imms", + "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_delete_imms", + "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_create_imms", + "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_update_imms" ] } } diff --git a/terraform/lambda/lambda.tf b/terraform/lambda/lambda.tf deleted file mode 100644 index 7cc24e1dd8..0000000000 --- a/terraform/lambda/lambda.tf +++ /dev/null 
@@ -1,52 +0,0 @@ -module "lambda_function_container_image" { - source = "terraform-aws-modules/lambda/aws" - version = "7.20.2" - - create_role = false - lambda_role = aws_iam_role.lambda_role.arn - function_name = "${var.short_prefix}_${var.function_name}" - handler = "${var.function_name}_handler.${var.function_name}_handler" - cloudwatch_logs_retention_in_days = 30 - create_package = false - image_uri = var.image_uri - package_type = "Image" - architectures = ["x86_64"] - timeout = 6 - - vpc_subnet_ids = var.vpc_subnet_ids - vpc_security_group_ids = var.vpc_security_group_ids - - # A JWT encode took 7 seconds at default memory size of 128 and 0.8 seconds at 1024. - # 2048 gets it down to around 0.5 but since Lambda is charged at GB * ms then it costs more for minimal benefit. - memory_size = 1024 - - environment_variables = var.environments - image_config_command = ["${var.function_name}_handler.${var.function_name}_handler"] -} - -resource "aws_cloudwatch_metric_alarm" "memory_alarm" { - alarm_name = "${var.short_prefix}_${var.function_name} memory alarm" - comparison_operator = "GreaterThanOrEqualToThreshold" - evaluation_periods = 1 - metric_name = aws_cloudwatch_log_metric_filter.max_memory_used_metric.metric_transformation[0].name - namespace = aws_cloudwatch_log_metric_filter.max_memory_used_metric.metric_transformation[0].namespace - period = 600 - statistic = "Maximum" - threshold = 256 - alarm_description = "This metric monitors Lambda memory usage" - insufficient_data_actions = [] - -} - -resource "aws_cloudwatch_log_metric_filter" "max_memory_used_metric" { - name = "${var.short_prefix}_${var.function_name} max memory used" - pattern = "[type=REPORT, ...]" - - log_group_name = module.lambda_function_container_image.lambda_cloudwatch_log_group_name - - metric_transformation { - name = "max-memory-used" - namespace = "${var.short_prefix}_${var.function_name}" - value = "$18" - } -} 
diff --git a/terraform/lambda/variables.tf b/terraform/lambda/variables.tf deleted file mode 100644 index f4984553a9..0000000000 --- a/terraform/lambda/variables.tf +++ /dev/null @@ -1,34 +0,0 @@ -variable "prefix" { - type = string -} - -variable "short_prefix" { - type = string -} - -variable "function_name" { - type = string -} - -variable "image_uri" { - type = string -} - -variable "environments" { - type = map(string) - default = {} -} - -variable "policy_json" { - type = string -} - -variable "vpc_security_group_ids" { - type = list(string) - default = null -} - -variable "vpc_subnet_ids" { - type = list(string) - default = null -} diff --git a/terraform/main.tf b/terraform/main.tf index 6cc51d0438..f51baaec22 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -22,14 +22,12 @@ provider "aws" { default_tags { tags = { Project = var.project_name - Environment = local.environment + Environment = var.environment Service = var.service } } } - - provider "docker" { registry_auth { address = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com" @@ -38,7 +36,6 @@ provider "docker" { } } - data "aws_region" "current" {} data "aws_caller_identity" "current" {} data "aws_ecr_authorization_token" "token" {} @@ -76,13 +73,6 @@ data "aws_security_group" "existing_securitygroup" { } } -data "aws_s3_bucket" "existing_config_bucket" { - # For now, look up the internal-dev bucket during int, ref and PR branch deploys. - count = local.create_config_bucket ? 0 : 1 - - bucket = "imms-${local.config_bucket_env}-supplier-config" -} - data "aws_kms_key" "existing_lambda_encryption_key" { key_id = "alias/imms-batch-lambda-env-encryption" } @@ -92,6 +82,6 @@ data "aws_kms_key" "existing_kinesis_encryption_key" { } data "aws_kms_key" "mesh_s3_encryption_key" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 key_id = "alias/local-immunisation-mesh" } 
diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf index 8afa04a008..7b64d32a1d 100644 --- a/terraform/mesh_processor.tf +++ b/terraform/mesh_processor.tf @@ -8,7 +8,7 @@ locals { resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 image_scanning_configuration { scan_on_push = true } @@ -18,7 +18,7 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { # Module for building and pushing Docker image to ECR module "mesh_processor_docker_image" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 source = "terraform-aws-modules/lambda/aws//modules/docker-build" version = "7.21.1" @@ -51,7 +51,7 @@ module "mesh_processor_docker_image" { # Define the lambdaECRImageRetreival policy resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name policy = jsonencode({ @@ -72,7 +72,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po ], "Condition" : { "StringLike" : { - "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-mesh_processor_lambda" + "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-mesh_processor_lambda" } } } @@ -82,7 +82,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po # IAM Role for Lambda resource "aws_iam_role" "mesh_processor_lambda_exec_role" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 name = "${local.short_prefix}-mesh_processor-lambda-exec-role" assume_role_policy = jsonencode({ Version = "2012-10-17", 
@@ -99,7 +99,7 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" { # Policy for Lambda execution role resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 name = "${local.short_prefix}-mesh_processor-lambda-exec-policy" policy = jsonencode({ Version = "2012-10-17", @@ -111,7 +111,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { "logs:CreateLogStream", "logs:PutLogEvents" ] - Resource = "arn:aws:logs:${var.aws_region}:${local.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-mesh_processor_lambda:*" + Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-mesh_processor_lambda:*" }, { Effect = "Allow" @@ -146,7 +146,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { } resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 name = "${local.short_prefix}-mesh_processor-lambda-kms-policy" description = "Allow Lambda to decrypt environment variables" @@ -171,7 +171,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { # Attach the execution policy to the Lambda role resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 role = aws_iam_role.mesh_processor_lambda_exec_role[0].name policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn } 
@@ -179,14 +179,14 @@ resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_att # Attach the kms policy to the Lambda role resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 role = aws_iam_role.mesh_processor_lambda_exec_role[0].name policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn } # Lambda Function with Security Group and VPC. resource "aws_lambda_function" "mesh_file_converter_lambda" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 function_name = "${local.short_prefix}-mesh_processor_lambda" role = aws_iam_role.mesh_processor_lambda_exec_role[0].arn package_type = "Image" @@ -197,7 +197,7 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" { environment { variables = { Destination_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket - MESH_FILE_PROC_LAMBDA_NAME = "imms-${local.env}-meshfileproc_lambda" + MESH_FILE_PROC_LAMBDA_NAME = "imms-${var.sub_environment}-meshfileproc_lambda" } } @@ -205,7 +205,7 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" { # Permission for S3 to invoke Lambda function resource "aws_lambda_permission" "mesh_s3_invoke_permission" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 statement_id = "AllowExecutionFromS3" action = "lambda:InvokeFunction" function_name = aws_lambda_function.mesh_file_converter_lambda[0].function_name @@ -218,7 +218,7 @@ resource "aws_lambda_permission" "mesh_s3_invoke_permission" { # S3 Bucket notification to trigger Lambda function resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" { # TODO - what is this bucket and why isn't it managed by Terraform? - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 bucket = "local-immunisation-mesh" lambda_function { 
@@ -229,7 +229,7 @@ resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" { } resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" { - count = local.config_env == "int" ? 0 : 1 + count = var.environment == "int" ? 0 : 1 name = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda" retention_in_days = 30 } diff --git a/terraform/api_gateway/acm_cert.tf b/terraform/modules/api_gateway/acm_cert.tf similarity index 100% rename from terraform/api_gateway/acm_cert.tf rename to terraform/modules/api_gateway/acm_cert.tf diff --git a/terraform/modules/api_gateway/api.tf b/terraform/modules/api_gateway/api.tf new file mode 100644 index 0000000000..77ff3964ac --- /dev/null +++ b/terraform/modules/api_gateway/api.tf 
@@ -0,0 +1,63 @@ + +resource "aws_apigatewayv2_api" "service_api" { + name = "${var.prefix}-api" + description = "Immunisation FHIR API - ${var.environment}" + protocol_type = "HTTP" + disable_execute_api_endpoint = true + body = var.oas +} + +resource "aws_apigatewayv2_stage" "default" { + depends_on = [aws_cloudwatch_log_group.api_access_log] + api_id = aws_apigatewayv2_api.service_api.id + name = var.environment + auto_deploy = true + + default_route_settings { + logging_level = "INFO" + throttling_burst_limit = 500 + throttling_rate_limit = 500 + detailed_metrics_enabled = true + } + access_log_settings { + destination_arn = aws_cloudwatch_log_group.api_access_log.arn + format = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\"\"environment\":\"$context.authorizer.environment\" }" + } + + # Bug in terraform-aws-provider with perpetual diff + lifecycle { + ignore_changes = [deployment_id] + } +} + +resource "aws_apigatewayv2_domain_name" "service_api_domain_name" { + domain_name = var.api_domain_name + domain_name_configuration { + certificate_arn = aws_acm_certificate_validation.service_certificate.certificate_arn + endpoint_type = "REGIONAL" + security_policy = "TLS_1_2" + } + mutual_tls_authentication { + truststore_uri = "s3://${aws_s3_bucket.truststore_bucket.bucket}/${local.truststore_file_name}" + } + tags = { + Name = "${var.prefix}-api-domain-name" + } +} + +resource "aws_apigatewayv2_api_mapping" 
"api_mapping" { + api_id = aws_apigatewayv2_api.service_api.id + domain_name = aws_apigatewayv2_domain_name.service_api_domain_name.id + stage = aws_apigatewayv2_stage.default.id +} + +resource "aws_route53_record" "api_domain" { + zone_id = var.zone_id + name = aws_apigatewayv2_domain_name.service_api_domain_name.domain_name + type = "A" + alias { + evaluate_target_health = true + name = aws_apigatewayv2_domain_name.service_api_domain_name.domain_name_configuration[0].target_domain_name + zone_id = aws_apigatewayv2_domain_name.service_api_domain_name.domain_name_configuration[0].hosted_zone_id + } +} diff --git a/terraform/api_gateway/logs.tf b/terraform/modules/api_gateway/logs.tf similarity index 72% rename from terraform/api_gateway/logs.tf rename to terraform/modules/api_gateway/logs.tf index 4a286a6685..2ac4ea05f7 100644 --- a/terraform/api_gateway/logs.tf +++ b/terraform/modules/api_gateway/logs.tf @@ -1,17 +1,17 @@ resource "aws_cloudwatch_log_group" "api_access_log" { - name = "/aws/vendedlogs/${aws_apigatewayv2_api.service_api.id}/${local.api_stage_name}" - retention_in_days = 30 + name = "/aws/vendedlogs/${aws_apigatewayv2_api.service_api.id}/${var.environment}" + retention_in_days = 30 } # TODO - This is global, so is overwritten by each deployment - move to infra Terraform? resource "aws_api_gateway_account" "api_account" { - cloudwatch_role_arn = aws_iam_role.api_cloudwatch.arn + cloudwatch_role_arn = aws_iam_role.api_cloudwatch.arn } resource "aws_iam_role" "api_cloudwatch" { - name = "${var.short_prefix}-api-logs" + name = "${var.short_prefix}-api-logs" - assume_role_policy = < 0 +} +resource "aws_s3_bucket" "failed_logs_backup" { + bucket = "${local.prefix}-failure-logs" + // To facilitate deletion of non empty busckets + force_destroy = local.is_temp +} diff --git a/terraform/splunk/firehose.tf b/terraform/modules/splunk/firehose.tf similarity index 100% rename from terraform/splunk/firehose.tf rename to terraform/modules/splunk/firehose.tf 
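Review bot: The `access_log_settings.format` string in `aws_apigatewayv2_stage.default` is missing a comma between the `requestIsValid` and `environment` fields (`\"$context.authorizer.is_valid\"\"environment\"`), so every access-log line is invalid JSON; the defect is carried over from the deleted terraform/api_gateway/api.tf, but this is a new file and the log lines feed the Splunk firehose, where a parse failure means the authoriser status and source IP fields are not searchable. Change it to `\"requestIsValid\":\"$context.authorizer.is_valid\", \"environment\":\"$context.authorizer.environment\" }`. Note also that the stage `name = var.environment` now receives `var.sub_environment` from the root module call in endpoints.tf, so the variable name inside this module no longer describes what it holds; a `description` on that variable in modules/api_gateway/variables.tf (not visible here) would avoid the next reader reintroducing the `"int"`/`"non-prod"` confusion.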
diff --git a/terraform/splunk/iam.tf b/terraform/modules/splunk/iam.tf similarity index 100% rename from terraform/splunk/iam.tf rename to terraform/modules/splunk/iam.tf diff --git a/terraform/splunk/outputs.tf b/terraform/modules/splunk/outputs.tf similarity index 100% rename from terraform/splunk/outputs.tf rename to terraform/modules/splunk/outputs.tf diff --git a/terraform/splunk/variables.tf b/terraform/modules/splunk/variables.tf similarity index 58% rename from terraform/splunk/variables.tf rename to terraform/modules/splunk/variables.tf index 1466bdfb95..cef2485c34 100644 --- a/terraform/splunk/variables.tf +++ b/terraform/modules/splunk/variables.tf @@ -1,6 +1,7 @@ variable "prefix" {} locals { - prefix = "${var.prefix}-splunk" + prefix = "${var.prefix}-splunk" } variable "splunk_endpoint" {} variable "hec_token" {} +variable "environment" {} diff --git a/terraform/redis_sync_lambda.tf b/terraform/redis_sync_lambda.tf index 75102c0dbf..cc438e0f87 100644 --- a/terraform/redis_sync_lambda.tf +++ b/terraform/redis_sync_lambda.tf @@ -67,7 +67,7 @@ resource "aws_ecr_repository_policy" "redis_sync_lambda_ECRImageRetreival_policy ], Condition : { StringLike : { - # "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-redis_sync_lambda" + # "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-redis_sync_lambda" "aws:sourceArn" : aws_lambda_function.redis_sync_lambda.arn } } @@ -105,7 +105,7 @@ resource "aws_iam_policy" "redis_sync_lambda_exec_policy" { "logs:CreateLogStream", "logs:PutLogEvents" ] - Resource = "arn:aws:logs:${var.aws_region}:${local.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-redis_sync_lambda:*" + Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-redis_sync_lambda:*" }, { Effect = "Allow" 
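Review bot: `variable "environment" {}` in modules/splunk/variables.tf is added without a `type`, `description` or default, and within this view I cannot see it being passed in the `module "splunk"` block in splunk.tf, in which case the plan fails with a missing required argument. Declare it as `variable "environment" { type = string }` with a one-line description of the value it expects (the root `var.environment`, i.e. `"prod"`/`"non-prod"`, if that is the intent), and wire it in the module call in the same commit.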
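Review bot: The edited line in `redis_sync_lambda_ECRImageRetreival_policy` is a commented-out `aws:sourceArn` string that the live line below already replaces with `aws_lambda_function.redis_sync_lambda.arn`; maintaining dead code through a refactor invites it being uncommented later. Delete the commented line rather than updating it, and consider applying the same resource-reference form (`aws_lambda_function.<name>.arn` instead of a hand-built ARN string) in the other ECR repository policies touched by this commit, where a typo in the account or function name would silently widen or break the `StringLike` condition.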
@@ -166,7 +166,7 @@ resource "aws_iam_policy" "redis_sync_lambda_exec_policy" { Effect = "Allow" Action = "lambda:InvokeFunction" Resource = [ - "arn:aws:lambda:${var.aws_region}:${local.immunisation_account_id}:function:imms-${local.env}-redis_sync_lambda", + "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:imms-${var.sub_environment}-redis_sync_lambda", ] } ] @@ -233,7 +233,7 @@ resource "aws_lambda_function" "redis_sync_lambda" { CONFIG_BUCKET_NAME = local.config_bucket_name REDIS_HOST = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address REDIS_PORT = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port - REDIS_SYNC_PROC_LAMBDA_NAME = "imms-${local.env}-redis_sync_lambda" + REDIS_SYNC_PROC_LAMBDA_NAME = "imms-${var.sub_environment}-redis_sync_lambda" SPLUNK_FIREHOSE_NAME = module.splunk.firehose_stream_name } } diff --git a/terraform/s3_config.tf b/terraform/s3_config.tf index 9197a76000..44b38c464f 100644 --- a/terraform/s3_config.tf +++ b/terraform/s3_config.tf @@ -20,9 +20,9 @@ resource "aws_s3_bucket_policy" "batch_data_source_bucket_policy" { { Effect : "Allow", Principal : { - AWS : "arn:aws:iam::${local.dspp_core_account_id}:root" + AWS : "arn:aws:iam::${var.dspp_core_account_id}:root" }, - Action : local.environment == "prod" ? [ + Action : var.environment == "prod" ? [ "s3:PutObject" ] : [ "s3:ListBucket", @@ -93,7 +93,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "datasources_lifecycle" { resource "aws_s3_bucket" "batch_data_destination_bucket" { # Deliberately not using `local.batch_prefix` as we don't want separate blue / green destinations in prod. - bucket = "immunisation-batch-${local.environment}-data-destinations" + bucket = "immunisation-batch-${var.environment}-data-destinations" force_destroy = local.is_temp } 
@@ -114,9 +114,9 @@ resource "aws_s3_bucket_policy" "batch_data_destination_bucket_policy" { { Effect : "Allow", Principal : { - AWS : "arn:aws:iam::${local.dspp_core_account_id}:root" + AWS : "arn:aws:iam::${var.dspp_core_account_id}:root" }, - Action : local.environment == "prod" ? [ + Action : var.environment == "prod" ? [ "s3:ListBucket", "s3:GetObject", ] : [ @@ -192,7 +192,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "data_destinations" { } resource "aws_s3_bucket" "batch_config_bucket" { - bucket = "imms-${local.environment}-fhir-config" + bucket = "imms-${var.environment}-fhir-config" } resource "aws_s3_bucket_public_access_block" "batch_config_bucket_public_access_block" { diff --git a/terraform/splunk.tf b/terraform/splunk.tf index 7664a8805c..8425f03606 100644 --- a/terraform/splunk.tf +++ b/terraform/splunk.tf @@ -1,5 +1,5 @@ locals { - splunk_env = local.environment == "prod" ? "prod" : local.environment == "int" ? "int" : "dev" + splunk_env = var.environment == "prod" ? "prod" : var.sub_environment == "int" ? "int" : "dev" } data "aws_secretsmanager_secret" "splunk_token" { name = "imms/splunk/${local.splunk_env}/hec" @@ -9,7 +9,7 @@ data "aws_secretsmanager_secret_version" "splunk_token_id" { } module "splunk" { - source = "./splunk" + source = "./modules/splunk" prefix = local.prefix splunk_endpoint = "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event" hec_token = data.aws_secretsmanager_secret_version.splunk_token_id.secret_string diff --git a/terraform/splunk/backup.tf b/terraform/splunk/backup.tf deleted file mode 100644 index 3f8ebd82e1..0000000000 --- a/terraform/splunk/backup.tf +++ /dev/null 
@@ -1,10 +0,0 @@ -locals { - environment = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace - // Flag so we can force delete s3 buckets with items in for pr and shortcode environments only. - is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", local.environment)) > 0 -} -resource "aws_s3_bucket" "failed_logs_backup" { - bucket = "${local.prefix}-failure-logs" - // To facilitate deletion of non empty busckets - force_destroy = local.is_temp -} diff --git a/terraform/variables.tf b/terraform/variables.tf index c02e432570..dddc12cd25 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,7 +1,13 @@ variable "environment" {} variable "sub_environment" {} -variable "aws_account_name" {} variable "immunisation_account_id" {} +variable "dspp_core_account_id" {} +variable "splunk_environment" {} +# For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account. +variable "create_config_bucket" { + default = false +} + variable "project_name" { default = "immunisation" } 
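Review bot: `variable "dspp_core_account_id" {}` and `variable "immunisation_account_id" {}` in the variables.tf hunk carry no type and no validation, yet both are interpolated into `arn:aws:iam::…:root` principals of the S3 bucket policies in the s3_config.tf hunks above, so a mis-set tfvars value would point the cross-account grant at the wrong account or only fail at apply time. A `type = string` plus a 12-digit validation rejects that at plan time, and `create_config_bucket` should likewise declare `type = bool` next to its default. The same shape applies to `immunisation_account_id`.
```hcl
variable "dspp_core_account_id" {
  type = string
  validation {
    condition     = can(regex("^[0-9]{12}$", var.dspp_core_account_id))
    error_message = "dspp_core_account_id must be a 12-digit AWS account id."
  }
}
# … unchanged: remaining variable declarations …
```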
@@ -26,15 +32,17 @@ locals { short_prefix = "${var.project_short_name}-${var.sub_environment}" batch_prefix = "immunisation-batch-${var.sub_environment}" - vpc_name = "imms-${var.environment}-fhir-api-vpc" + vpc_name = "imms-${var.sub_environment}-fhir-api-vpc" root_domain = "${var.sub_environment}.${var.environment}.vds.platform.nhs.uk" - service_domain_name = "${local.env}.${local.project_domain_name}" project_domain_name = data.aws_route53_zone.project_zone.name + service_domain_name = "${var.sub_environment}.${local.project_domain_name}" - # For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account. - create_config_bucket = local.environment == local.config_bucket_env - config_bucket_arn = local.create_config_bucket ? aws_s3_bucket.batch_config_bucket[0].arn : data.aws_s3_bucket.existing_config_bucket[0].arn - config_bucket_name = local.create_config_bucket ? aws_s3_bucket.batch_config_bucket[0].bucket : data.aws_s3_bucket.existing_config_bucket[0].bucket + config_bucket_arn = aws_s3_bucket.batch_config_bucket.arn + config_bucket_name = aws_s3_bucket.batch_config_bucket.bucket + is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", var.sub_environment)) > 0 - is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", local.env)) > 0 + # Public subnet - The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet. + # public_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.gateway_id) > 0] + # Private subnet - The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet. + private_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.nat_gateway_id) > 0] } From 24feded4647c0e27e05a7cd536f0bb53329e3106 Mon Sep 17 00:00:00 2001 
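Review bot: `is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", var.sub_environment)) > 0` now keys on the tfvars value, and the `environments/non-prod/pr/variables.tfvars` added in this series sets `sub_environment = "pr"`, which the pattern does not match, so `force_destroy` appears to become false for PR buckets unless the pipeline overrides `sub_environment` per PR; please confirm what is actually passed. The pattern is also unanchored; if temporary names always have that exact shape, `"^[a-z]{2,4}-?[0-9]+$"` keeps an incidental digit run in some future name from enabling forced deletion. Separately, `config_bucket_arn = aws_s3_bucket.batch_config_bucket.arn` no longer conditions on the `create_config_bucket` variable introduced in the same commit; the bucket resource is outside this hunk, so I cannot tell whether that variable is still consumed anywhere.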
From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Fri, 11 Jul 2025 14:31:09 +0100 Subject: [PATCH 03/18] Refactoring --- terraform/.terraform.lock.hcl | 37 ++++++++++--------- terraform/Makefile | 22 ++++------- .../environments/int/blue/variables.tfvars | 1 + .../environments/int/green/variables.tfvars | 1 + .../non-prod/int/variables.tfvars | 1 + .../non-prod/internal-dev/variables.tfvars | 1 + .../environments/non-prod/pr/variables.tfvars | 1 + .../non-prod/ref/variables.tfvars | 1 + terraform/lambda.tf | 2 +- terraform/mesh_processor.tf | 2 +- terraform/modules/lambda/lambda.tf | 2 +- terraform/modules/splunk/backup.tf | 7 +--- terraform/modules/splunk/variables.tf | 2 +- .../{modules => }/policies/aws_sns_topic.json | 0 .../{modules => }/policies/aws_sqs_queue.json | 0 .../policies/dynamo_key_access.json | 0 .../{modules => }/policies/dynamodb.json | 0 .../policies/dynamodb_stream.json | 0 .../policies/ec2_network_interfaces.json | 0 .../{modules => }/policies/lambda_to_sqs.json | 0 terraform/{modules => }/policies/log.json | 0 .../{modules => }/policies/log_kinesis.json | 0 .../policies/secret_manager.json | 0 terraform/splunk.tf | 1 + terraform/variables.tf | 1 - 25 files changed, 39 insertions(+), 43 deletions(-) rename terraform/{modules => }/policies/aws_sns_topic.json (100%) rename terraform/{modules => }/policies/aws_sqs_queue.json (100%) rename terraform/{modules => }/policies/dynamo_key_access.json (100%) rename terraform/{modules => }/policies/dynamodb.json (100%) rename terraform/{modules => }/policies/dynamodb_stream.json (100%) rename terraform/{modules => }/policies/ec2_network_interfaces.json (100%) rename terraform/{modules => }/policies/lambda_to_sqs.json (100%) rename terraform/{modules => }/policies/log.json (100%) rename terraform/{modules => }/policies/log_kinesis.json (100%) rename terraform/{modules => }/policies/secret_manager.json (100%) 
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index aa623431d5..253a92f08e 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl 
@@ -2,25 +2,25 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "6.2.0" - constraints = ">= 4.22.0, >= 5.79.0, ~> 6.0" + version = "6.3.0" + constraints = ">= 4.22.0, >= 5.79.0, >= 6.0.0, ~> 6.0" hashes = [ - "h1:ziUjk3KGwBa7bAwZaPuQklfcQ3Qlx2d0rlYFvdZn4g8=", - "zh:224b20371f7c7ce14d69a84e16ae94baa0a06c132474d4bc4d192d86936bc750", - "zh:2c079ad275c32b9abae7616d07c24901340207a85995ce0025ac38af16b317b7", - "zh:2d139c99d6e8e48cc5439c2945eee583bb3a2d7faf484639cdfd4590ebc294f2", - "zh:2f2dc72de43d845e5df5a1adeadd4a48f3cacfe413b89b95f50294a386a90124", - "zh:304d4e706ac34aba080a81867209c65cdd28f8e596c02b3565f6530ab697cf94", - "zh:40e69328ae11fe1711b34226d45aa4c685f73e8f958c76c49f4f6a6627a1a54f", - "zh:5c5c9faab6fe242b77f0d0ab6664313dd89409371123e2ec376c72e8f2cd97b3", - "zh:7824709f0226afec5e3ad41392233b4bd7d925bae0d35f4a2ac854b3516e955c", + "h1:CeYTPZ8FvkzsvCavg2F7UExDFkSFHlnJ7Fj40RN7aNU=", + "zh:0502dc1889cca94c89bfc00b214970bffa2d81a2cdb55e05ab6192484ddb1532", + "zh:0a009c6f643410dc29fe2c07aee57e726ac86335fad84788fc7412abbd3a55be", + "zh:0ddd577e5f23dc0be23b87d62dff1f5694b88b1fbc01bdd3046b4b51cc18a00c", + "zh:1b2754cb01fa2c1a6a59c4195212f6bd4b3d1602e3f4ffb94ab609e01f2ea11a", + "zh:2bc0edb35a1411670d74e827db58ef32a07e11757fdaa17934dce5451511e55a", + "zh:703415b5c58d9232bdb686816e90525dfe96b0a374062bd8e27bec553cac5538", + "zh:8c4f1f41722aacb4b128dfb269f5b3f0aa1239a5742f22abb012f87095b2244c", + "zh:9815c0cc480acfef7c9b6b31505070bb0247a0982d98b4b6e51b1923b3a65f7e", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:ab5417435121e8f9a6f539a6972f20c060ebc78624c1ce7c190671f163c423e4", - "zh:d6939385de4931f9fe07c87b744468fbfa96bd4b47861020d68e7ba1efb4185f", - "zh:e51434d1ba106c55d04fdc223aaf403b897ff96cba9bfce4c51854c805c36ed8", - "zh:e6d1012bafe338759ac42a59f566f8c4ad64a67faa3152c7fb758704d890cd75", - "zh:ee24b989ee3b6be79a7f24e97c144535bf7053471ae65343220db3ae78c7632a", - 
"zh:f61ec9482b9887c4901946407992874531b0c2eadab0c743fdfca4e6cd6dd889", + "zh:b3563ce1e4c40fa139c045a1db06c3308fcf8aa9722c0a586a18bfbcedc111b5", + "zh:bbcf01aa5188416cb0f31425c2dfc3a4df41248d4dce9ebab709d416177a3011", + "zh:bc49559699e6a03ff57675172fc367db9993df74a502e0c6f273127af82990a9", + "zh:c89bbeee5db6bbe80ce152481b85a4d44b733d7c1e1a37924f36c9cde0b7ce2d", + "zh:d26793472e127a98dfa5d32a71adc4c960b573afc427604c9815bae9cda31a72", + "zh:eb8db004ccbf52b3ed8b15189c59560c233abd2c2f5ac5ee68768841c3c8e206", ] } @@ -29,6 +29,7 @@ provider "registry.terraform.io/hashicorp/external" { constraints = ">= 1.0.0" hashes = [ "h1:FnUk98MI5nOh3VJ16cHf8mchQLewLfN1qZG/MqNgPrI=", + "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", @@ -48,6 +49,7 @@ provider "registry.terraform.io/hashicorp/local" { version = "2.5.3" constraints = ">= 1.0.0" hashes = [ + "h1:1Nkh16jQJMp0EuDmvP/96f5Unnir0z12WyDuoR6HjMo=", "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", @@ -69,6 +71,7 @@ provider "registry.terraform.io/hashicorp/null" { constraints = ">= 2.0.0" hashes = [ "h1:L5V05xwp/Gto1leRryuesxjMfgZwjb7oool4WS1UEFQ=", + "h1:hkf5w5B6q8e2A42ND2CjAvgvSN3puAosDmOJb3zCVQM=", "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43", diff --git a/terraform/Makefile b/terraform/Makefile index 566bca9d54..203c1a5230 100644 --- a/terraform/Makefile +++ b/terraform/Makefile 
@@ -1,18 +1,8 @@ -include .env -interactionId = $(ENVIRONMENT)# to change to lower case -environment = $(ENVIRONMENT) -aws_profile = $(AWS_PROFILE)#apim-dev # Leave this here for pipeline -tf_cmd = AWS_PROFILE=$(aws_profile) terraform - -project_name = immunisation -project_short_name = imms -state_bucket = $(BUCKET_NAME)#$(project_name)-$(APIGEE_ENVIRONMENT)-terraform-state-files -tf_state= -backend-config="bucket=$(state_bucket)" - -tf_vars= -var="project_name=$(project_name)" -var="project_short_name=$(project_short_name)" - -.PHONY : lock-provider workspace init plan apply clean destroy output state-list lambda-zip catch-all-zip +tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform +tf_state= -backend-config="bucket=$(STATE_BUCKET_NAME)" +tf_vars= -var-file="./environments/$(ENVIRONMENT)/$(SUB_ENVIRONMENT)/variables.tfvars" lock-provider: # Run this only when you install a new terraform provider. This will generate sha code in lock file for all platform @@ -20,7 +10,7 @@ lock-provider: $(tf_cmd) providers lock -platform=darwin_arm64 -platform=darwin_amd64 -platform=linux_amd64 -platform=windows_amd64 workspace: - $(tf_cmd) workspace new $(ENVIRONMENT) || $(tf_cmd) workspace select $(ENVIRONMENT) && echo "Switched to workspace/environment: $(ENVIRONMENT)" + $(tf_cmd) workspace new $(SUB_ENVIRONMENT) || $(tf_cmd) workspace select $(SUB_ENVIRONMENT) && echo "Switched to workspace/environment: $(SUB_ENVIRONMENT)" init: $(tf_cmd) init $(tf_state) -upgrade $(tf_vars) @@ -43,7 +33,7 @@ clean: destroy: workspace $(tf_cmd) destroy $(tf_vars) -auto-approve $(tf_cmd) workspace select default - $(tf_cmd) workspace delete $(ENVIRONMENT) + $(tf_cmd) workspace delete $(SUB_ENVIRONMENT) output: $(tf_cmd) output -raw $(name) @@ -62,3 +52,5 @@ catch-all-zip: tf-%: $(tf_cmd) $* + +.PHONY : lock-provider workspace init plan apply clean destroy output state-list lambda-zip catch-all-zip 
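Review bot: `tf_vars= -var-file="./environments/$(ENVIRONMENT)/$(SUB_ENVIRONMENT)/variables.tfvars"`, the `$(STATE_BUCKET_NAME)` in `tf_state` and the `$(SUB_ENVIRONMENT)` in the `workspace` and `destroy` recipes all expand to empty strings when the variable is unset, and nothing in the hunk checks for that, so a stray `make destroy` would run `terraform workspace delete` with an empty name and `init` would target an empty bucket name. A parse-time guard placed after `-include .env` fails fast instead: `$(foreach v,ENVIRONMENT SUB_ENVIRONMENT STATE_BUCKET_NAME AWS_PROFILE,$(if $(strip $($(v))),,$(error $(v) must be set)))`. It fires for every goal, including `clean`; wrap it in `ifneq ($(filter-out clean,$(MAKECMDGOALS)),)` if that is unwanted.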
diff --git a/terraform/environments/int/blue/variables.tfvars b/terraform/environments/int/blue/variables.tfvars index ca6154c0df..507eb63f72 100644 --- a/terraform/environments/int/blue/variables.tfvars +++ b/terraform/environments/int/blue/variables.tfvars @@ -1,3 +1,4 @@ environment = "int" sub_environment = "blue" immunisation_account_id = "084828561157" +dspp_core_account_id = "603871901111" diff --git a/terraform/environments/int/green/variables.tfvars b/terraform/environments/int/green/variables.tfvars index 371e04ef33..a4e67ff8fe 100644 --- a/terraform/environments/int/green/variables.tfvars +++ b/terraform/environments/int/green/variables.tfvars @@ -1,3 +1,4 @@ environment = "int" sub_environment = "green" immunisation_account_id = "084828561157" +dspp_core_account_id = "603871901111" diff --git a/terraform/environments/non-prod/int/variables.tfvars b/terraform/environments/non-prod/int/variables.tfvars index ad900c8614..36053d1124 100644 --- a/terraform/environments/non-prod/int/variables.tfvars +++ b/terraform/environments/non-prod/int/variables.tfvars @@ -1,3 +1,4 @@ environment = "non-prod" sub_environment = "int" immunisation_account_id = "345594581768" +dspp_core_account_id = "603871901111" diff --git a/terraform/environments/non-prod/internal-dev/variables.tfvars b/terraform/environments/non-prod/internal-dev/variables.tfvars index 392ceec8d1..c0d0b3e661 100644 --- a/terraform/environments/non-prod/internal-dev/variables.tfvars +++ b/terraform/environments/non-prod/internal-dev/variables.tfvars @@ -1,4 +1,5 @@ environment = "non-prod" sub_environment = "internal-dev" immunisation_account_id = "345594581768" +dspp_core_account_id = "603871901111" create_config_bucket = true diff --git a/terraform/environments/non-prod/pr/variables.tfvars b/terraform/environments/non-prod/pr/variables.tfvars index 7aa6a403ea..44c4fc5e0a 100644 --- a/terraform/environments/non-prod/pr/variables.tfvars +++ b/terraform/environments/non-prod/pr/variables.tfvars 
@@ -1,3 +1,4 @@ environment = "non-prod" sub_environment = "pr" immunisation_account_id = "345594581768" +dspp_core_account_id = "603871901111" diff --git a/terraform/environments/non-prod/ref/variables.tfvars b/terraform/environments/non-prod/ref/variables.tfvars index 83c1f7850d..a4ed23ae28 100644 --- a/terraform/environments/non-prod/ref/variables.tfvars +++ b/terraform/environments/non-prod/ref/variables.tfvars @@ -1,3 +1,4 @@ environment = "non-prod" sub_environment = "ref" immunisation_account_id = "345594581768" +dspp_core_account_id = "603871901111" diff --git a/terraform/lambda.tf b/terraform/lambda.tf index 5fc26a43a4..95a00b4705 100644 --- a/terraform/lambda.tf +++ b/terraform/lambda.tf @@ -21,7 +21,7 @@ resource "aws_ecr_repository" "operation_lambda_repository" { #resource "docker_image" "lambda_function_docker" { module "docker_image" { source = "terraform-aws-modules/lambda/aws//modules/docker-build" - version = "7.21.1" + version = "8.0.1" create_ecr_repo = false ecr_repo = "${local.prefix}-operation-lambda-repo" diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf index 7b64d32a1d..adb9370070 100644 --- a/terraform/mesh_processor.tf +++ b/terraform/mesh_processor.tf @@ -20,7 +20,7 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { module "mesh_processor_docker_image" { count = var.environment == "int" ? 0 : 1 source = "terraform-aws-modules/lambda/aws//modules/docker-build" - version = "7.21.1" + version = "8.0.1" create_ecr_repo = false ecr_repo = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name diff --git a/terraform/modules/lambda/lambda.tf b/terraform/modules/lambda/lambda.tf index e8f3012062..55b52d690d 100644 --- a/terraform/modules/lambda/lambda.tf +++ b/terraform/modules/lambda/lambda.tf 
@@ -1,6 +1,6 @@ module "lambda_function_container_image" { source = "terraform-aws-modules/lambda/aws" - version = "7.20.2" + version = "8.0.1" create_role = false lambda_role = aws_iam_role.lambda_role.arn diff --git a/terraform/modules/splunk/backup.tf b/terraform/modules/splunk/backup.tf index df2a107871..77450ce335 100644 --- a/terraform/modules/splunk/backup.tf +++ b/terraform/modules/splunk/backup.tf @@ -1,10 +1,5 @@ -locals { - environment = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace - // Flag so we can force delete s3 buckets with items in for pr and shortcode environments only. - is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", var.environment)) > 0 -} resource "aws_s3_bucket" "failed_logs_backup" { bucket = "${local.prefix}-failure-logs" // To facilitate deletion of non empty busckets - force_destroy = local.is_temp + force_destroy = var.force_destroy } diff --git a/terraform/modules/splunk/variables.tf b/terraform/modules/splunk/variables.tf index cef2485c34..7f4ac4f86a 100644 --- a/terraform/modules/splunk/variables.tf +++ b/terraform/modules/splunk/variables.tf @@ -4,4 +4,4 @@ locals { } variable "splunk_endpoint" {} variable "hec_token" {} -variable "environment" {} +variable "force_destroy" {} diff --git a/terraform/modules/policies/aws_sns_topic.json b/terraform/policies/aws_sns_topic.json similarity index 100% rename from terraform/modules/policies/aws_sns_topic.json rename to terraform/policies/aws_sns_topic.json diff --git a/terraform/modules/policies/aws_sqs_queue.json b/terraform/policies/aws_sqs_queue.json similarity index 100% rename from terraform/modules/policies/aws_sqs_queue.json rename to terraform/policies/aws_sqs_queue.json diff --git a/terraform/modules/policies/dynamo_key_access.json b/terraform/policies/dynamo_key_access.json similarity index 100% rename from terraform/modules/policies/dynamo_key_access.json rename to terraform/policies/dynamo_key_access.json 
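Review bot: `variable "force_destroy" {}` in the modules/splunk/variables.tf hunk has neither a type nor a default, so the module's failed-delivery-log bucket is deleted together with its contents whenever a caller passes any value Terraform can coerce to true, and omitting the argument is an error rather than the safe choice. Declaring `type = bool` and `default = false` inside the block makes destruction opt-in and rejects non-boolean input at plan time, which matches how the root module now passes `local.is_temp`.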
diff --git a/terraform/modules/policies/dynamodb.json b/terraform/policies/dynamodb.json similarity index 100% rename from terraform/modules/policies/dynamodb.json rename to terraform/policies/dynamodb.json diff --git a/terraform/modules/policies/dynamodb_stream.json b/terraform/policies/dynamodb_stream.json similarity index 100% rename from terraform/modules/policies/dynamodb_stream.json rename to terraform/policies/dynamodb_stream.json diff --git a/terraform/modules/policies/ec2_network_interfaces.json b/terraform/policies/ec2_network_interfaces.json similarity index 100% rename from terraform/modules/policies/ec2_network_interfaces.json rename to terraform/policies/ec2_network_interfaces.json diff --git a/terraform/modules/policies/lambda_to_sqs.json b/terraform/policies/lambda_to_sqs.json similarity index 100% rename from terraform/modules/policies/lambda_to_sqs.json rename to terraform/policies/lambda_to_sqs.json diff --git a/terraform/modules/policies/log.json b/terraform/policies/log.json similarity index 100% rename from terraform/modules/policies/log.json rename to terraform/policies/log.json diff --git a/terraform/modules/policies/log_kinesis.json b/terraform/policies/log_kinesis.json similarity index 100% rename from terraform/modules/policies/log_kinesis.json rename to terraform/policies/log_kinesis.json diff --git a/terraform/modules/policies/secret_manager.json b/terraform/policies/secret_manager.json similarity index 100% rename from terraform/modules/policies/secret_manager.json rename to terraform/policies/secret_manager.json diff --git a/terraform/splunk.tf b/terraform/splunk.tf index 8425f03606..f261b914b0 100644 --- a/terraform/splunk.tf +++ b/terraform/splunk.tf @@ -13,4 +13,5 @@ module "splunk" { prefix = local.prefix splunk_endpoint = "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event" hec_token = data.aws_secretsmanager_secret_version.splunk_token_id.secret_string + force_destroy = local.is_temp } 
diff --git a/terraform/variables.tf b/terraform/variables.tf index dddc12cd25..8b3533d1e7 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -2,7 +2,6 @@ variable "environment" {} variable "sub_environment" {} variable "immunisation_account_id" {} variable "dspp_core_account_id" {} -variable "splunk_environment" {} # For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account. variable "create_config_bucket" { default = false From cbb8758e9b12ba6aa29e3b6c228277e657dcdf13 Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Fri, 11 Jul 2025 15:12:58 +0100 Subject: [PATCH 04/18] Environment var value changed to dev --- .../non-prod/int/variables.tfvars | 2 +- .../non-prod/internal-dev/variables.tfvars | 2 +- .../environments/non-prod/pr/variables.tfvars | 2 +- .../non-prod/ref/variables.tfvars | 2 +- terraform/main.tf | 28 +++++++++++++++---- terraform/splunk.tf | 5 +--- 6 files changed, 27 insertions(+), 14 deletions(-) diff --git a/terraform/environments/non-prod/int/variables.tfvars b/terraform/environments/non-prod/int/variables.tfvars index 36053d1124..ec610ea44f 100644 --- a/terraform/environments/non-prod/int/variables.tfvars +++ b/terraform/environments/non-prod/int/variables.tfvars @@ -1,4 +1,4 @@ -environment = "non-prod" +environment = "dev" sub_environment = "int" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" diff --git a/terraform/environments/non-prod/internal-dev/variables.tfvars b/terraform/environments/non-prod/internal-dev/variables.tfvars index c0d0b3e661..60e5c7eccc 100644 --- a/terraform/environments/non-prod/internal-dev/variables.tfvars +++ b/terraform/environments/non-prod/internal-dev/variables.tfvars @@ -1,4 +1,4 @@ -environment = "non-prod" +environment = "dev" sub_environment = "internal-dev" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" 
diff --git a/terraform/environments/non-prod/pr/variables.tfvars b/terraform/environments/non-prod/pr/variables.tfvars index 44c4fc5e0a..3b976dc379 100644 --- a/terraform/environments/non-prod/pr/variables.tfvars +++ b/terraform/environments/non-prod/pr/variables.tfvars @@ -1,4 +1,4 @@ -environment = "non-prod" +environment = "dev" sub_environment = "pr" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" diff --git a/terraform/environments/non-prod/ref/variables.tfvars b/terraform/environments/non-prod/ref/variables.tfvars index a4ed23ae28..0bf25a3568 100644 --- a/terraform/environments/non-prod/ref/variables.tfvars +++ b/terraform/environments/non-prod/ref/variables.tfvars @@ -1,4 +1,4 @@ -environment = "non-prod" +environment = "dev" sub_environment = "ref" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" diff --git a/terraform/main.tf b/terraform/main.tf index c4eb310742..95d51aa387 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -40,20 +40,37 @@ data "aws_region" "current" {} data "aws_caller_identity" "current" {} data "aws_ecr_authorization_token" "token" {} -data "aws_vpc" "default" { - filter { - name = "tag:Name" - values = [local.vpc_name] +check "private_subnets" { + assert { + condition = length(local.private_subnet_ids) > 0 + error_message = "No private subnets with internet access found in VPC ${data.aws_vpc.default.id}" } } -data "aws_subnets" "default" { +data "aws_vpc" "default" { + default = true +} + +data "aws_subnets" "all" { filter { name = "vpc-id" values = [data.aws_vpc.default.id] } } +data "aws_route_table" "route_table_by_subnet" { + for_each = toset(data.aws_subnets.all.ids) + + subnet_id = each.value +} + +data "aws_route" "internet_traffic_route_by_subnet" { + for_each = data.aws_route_table.route_table_by_subnet + + route_table_id = each.value.id + destination_cidr_block = "0.0.0.0/0" +} + data "aws_kms_key" "existing_s3_encryption_key" { key_id = "alias/imms-batch-s3-shared-key" } @@ -82,6 +99,5 @@ data "aws_kms_key" "existing_kinesis_encryption_key" { } data "aws_kms_key" "mesh_s3_encryption_key" { - count = var.environment == "int" ? 0 : 1 key_id = "alias/local-immunisation-mesh" } diff --git a/terraform/splunk.tf b/terraform/splunk.tf index f261b914b0..21ce6d7510 100644 --- a/terraform/splunk.tf +++ b/terraform/splunk.tf @@ -1,8 +1,5 @@ -locals { - splunk_env = var.environment == "prod" ? "prod" : var.sub_environment == "int" ? "int" : "dev" -} data "aws_secretsmanager_secret" "splunk_token" { - name = "imms/splunk/${local.splunk_env}/hec" + name = "imms/splunk/${var.environment}/hec" } data "aws_secretsmanager_secret_version" "splunk_token_id" { secret_id = data.aws_secretsmanager_secret.splunk_token.id From a4043e90ca13e2b5baefeb6e5510a53b794d1b61 Mon Sep 17 00:00:00 2001 
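Review bot: `data "aws_vpc" "default" { default = true }` replaces the lookup of the purpose-built VPC by `tag:Name` with whatever default VPC the account has, so anything consuming `private_subnet_ids` now lands in the AWS-created default VPC, whose subnets are public by default, and the `vpc_name` local left in variables.tf becomes dead. If the switch is intentional, a one-line comment stating that the default VPC is the target and removing `vpc_name` would make it explicit; otherwise the `tag:Name` filter should stay. The new `data "aws_route" "internet_traffic_route_by_subnet"` runs for every route table with `destination_cidr_block = "0.0.0.0/0"`; as far as I recall that data source errors when no route matches, so a route table with no default route (an isolated subnet) would break the plan rather than simply be left out of `private_subnet_ids`. The `check "private_subnets"` block also needs Terraform 1.5 or later; the `required_version` constraint is outside this hunk.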
From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Fri, 11 Jul 2025 16:29:46 +0100 Subject: [PATCH 05/18] Fixed part of internal-dev resource references --- terraform/Makefile | 2 +- terraform/ack_lambda.tf | 2 +- terraform/endpoints.tf | 6 +-- .../non-prod/ref/variables.tfvars | 1 + .../environments/prod/blue/variables.tfvars | 1 + .../environments/prod/green/variables.tfvars | 1 + terraform/main.tf | 6 +-- terraform/mesh_processor.tf | 42 +++++++------------ terraform/s3_config.tf | 4 +- terraform/variables.tf | 4 ++ 10 files changed, 31 insertions(+), 38 deletions(-) diff --git a/terraform/Makefile b/terraform/Makefile index 203c1a5230..1133ee2245 100644 --- a/terraform/Makefile +++ b/terraform/Makefile @@ -19,7 +19,7 @@ init-reconfigure: $(tf_cmd) init $(tf_state) -upgrade $(tf_vars) -reconfigure plan: workspace - $(tf_cmd) plan $(tf_vars) + $(tf_cmd) plan $(tf_vars) -out=tfplan plan-changes: workspace $(tf_cmd) plan $(tf_vars) -out=plan && $(tf_cmd) show -no-color -json plan | jq -r '.resource_changes[] | select(.change.actions[0]=="update" or .change.actions[0]=="create" or .change.actions[0]=="add") | .address' diff --git a/terraform/ack_lambda.tf b/terraform/ack_lambda.tf index 87055e8098..0da24ef9ab 100644 --- a/terraform/ack_lambda.tf +++ b/terraform/ack_lambda.tf @@ -216,7 +216,7 @@ resource "aws_lambda_function" "ack_processor_lambda" { variables = { ACK_BUCKET_NAME = aws_s3_bucket.batch_data_destination_bucket.bucket SPLUNK_FIREHOSE_NAME = module.splunk.firehose_stream_name - ENVIRONMENT = terraform.workspace + ENVIRONMENT = var.sub_environment AUDIT_TABLE_NAME = aws_dynamodb_table.audit-table.name FILE_NAME_PROC_LAMBDA_NAME = aws_lambda_function.file_processor_lambda.function_name } diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf index 602aa4fdab..1a7a74cb44 100644 --- a/terraform/endpoints.tf +++ b/terraform/endpoints.tf 
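Review bot: `$(tf_cmd) plan $(tf_vars) -out=tfplan` writes a plan file into the working tree, and a Terraform plan file holds the prior state plus all variable and planned attribute values unredacted, including ones marked sensitive such as the Splunk HEC token that splunk.tf reads from Secrets Manager. Make sure `tfplan` (and the `plan` file written by the neighbouring `plan-changes` target) is git-ignored, removed by `clean`, and never uploaded as a pipeline artefact. If the intent is plan-then-apply, the `apply` target, which is outside this hunk, should consume it with `$(tf_cmd) apply tfplan` so what is applied is exactly what was reviewed.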
@@ -23,10 +23,10 @@ locals { imms_table_name = aws_dynamodb_table.events-dynamodb-table.name imms_lambda_env_vars = { "DYNAMODB_TABLE_NAME" = local.imms_table_name, - "IMMUNIZATION_ENV" = var.environment, - "IMMUNIZATION_BASE_PATH" = strcontains(var.environment, "pr-") ? "immunisation-fhir-api-${var.environment}" : "immunisation-fhir-api" + "IMMUNIZATION_ENV" = var.sub_environment, + "IMMUNIZATION_BASE_PATH" = strcontains(terraform.workspace, "pr-") ? "immunisation-fhir-api-${terraform.workspace}" : "immunisation-fhir-api" # except for prod and ref, any other env uses PDS int environment - "PDS_ENV" = var.environment == "prod" ? "prod" : var.environment == "ref" ? "ref" : "int", + "PDS_ENV" = var.pds_environment "PDS_CHECK_ENABLED" = tostring(var.environment != "int") "SPLUNK_FIREHOSE_NAME" = module.splunk.firehose_stream_name "SQS_QUEUE_URL" = "https://sqs.eu-west-2.amazonaws.com/${var.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo" diff --git a/terraform/environments/non-prod/ref/variables.tfvars b/terraform/environments/non-prod/ref/variables.tfvars index 0bf25a3568..4a1f28f709 100644 --- a/terraform/environments/non-prod/ref/variables.tfvars +++ b/terraform/environments/non-prod/ref/variables.tfvars @@ -2,3 +2,4 @@ environment = "dev" sub_environment = "ref" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" +pds_environment = "ref" diff --git a/terraform/environments/prod/blue/variables.tfvars b/terraform/environments/prod/blue/variables.tfvars index c777bb6a0f..5752fb4c45 100644 --- a/terraform/environments/prod/blue/variables.tfvars +++ b/terraform/environments/prod/blue/variables.tfvars @@ -1,3 +1,4 @@ environment = "prod" sub_environment = "blue" immunisation_account_id = "664418956997" +pds_environment = "prod" diff --git a/terraform/environments/prod/green/variables.tfvars b/terraform/environments/prod/green/variables.tfvars index 37505742d0..68e4f0c3aa 100644 
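Review bot: `"PDS_CHECK_ENABLED" = tostring(var.environment != "int")` still keys on `var.environment`, but in this series that variable now names the account tier (the non-prod/int tfvars sets `environment = "dev"` with `sub_environment = "int"`), so PDS checking appears to switch on for the non-prod int sub-environment where the workspace-named value previously disabled it. The updated `PDS_ENV` line takes `var.pds_environment`, which suggests the flag should move to the same source, e.g. `"PDS_CHECK_ENABLED" = tostring(var.pds_environment != "int")`. `IMMUNIZATION_BASE_PATH` meanwhile switches to `terraform.workspace` while `IMMUNIZATION_ENV` on the line above moves to `var.sub_environment`; if the two are meant to agree, one of them is wrong. The declaration and default of `pds_environment` are in the variables.tf change listed in the diffstat but not visible here.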
--- a/terraform/environments/prod/green/variables.tfvars +++ b/terraform/environments/prod/green/variables.tfvars @@ -1,3 +1,4 @@ environment = "prod" sub_environment = "green" immunisation_account_id = "664418956997" +pds_environment = "prod" diff --git a/terraform/main.tf b/terraform/main.tf index 95d51aa387..7ec0e2656e 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -17,12 +17,12 @@ terraform { } provider "aws" { - region = var.aws_region - profile = "apim-dev" + region = var.aws_region + #profile = "apim-dev" default_tags { tags = { Project = var.project_name - Environment = var.environment + Environment = var.sub_environment Service = var.service } } diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf index adb9370070..fb370822f6 100644 --- a/terraform/mesh_processor.tf +++ b/terraform/mesh_processor.tf @@ -1,4 +1,3 @@ -# Note: This is all disabled in the preprod environment # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments locals { mesh_processor_lambda_dir = abspath("${path.root}/../mesh_processor") @@ -8,7 +7,6 @@ locals { resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { - count = var.environment == "int" ? 0 : 1 image_scanning_configuration { scan_on_push = true } @@ -18,12 +16,11 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { # Module for building and pushing Docker image to ECR module "mesh_processor_docker_image" { - count = var.environment == "int" ? 0 : 1 source = "terraform-aws-modules/lambda/aws//modules/docker-build" version = "8.0.1" create_ecr_repo = false - ecr_repo = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name + ecr_repo = aws_ecr_repository.mesh_file_converter_lambda_repository.name ecr_repo_lifecycle_policy = jsonencode({ "rules" : [ { 
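Review bot: Dropping `count = var.environment == "int" ? 0 : 1` from `aws_ecr_repository.mesh_file_converter_lambda_repository` and `module.mesh_processor_docker_image` (and from the remaining mesh_processor.tf resources in the following hunks) means the MESH processor ECR repository, IAM role and policies, KMS access and Lambda are now created in every environment, including the one the deleted header comment said was deliberately disabled, and the `aws_kms_key` lookup for `alias/local-immunisation-mesh` must then resolve in each account or the plan fails. If the gate is still wanted, an explicit boolean input driven from tfvars in the same way as `create_config_bucket` (for example `enable_mesh_processor`) is clearer than deriving it from the environment name; if it is not, a one-line comment stating that the processor is now deployed everywhere would replace the removed note.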
@@ -51,8 +48,7 @@ module "mesh_processor_docker_image" { # Define the lambdaECRImageRetreival policy resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" { - count = var.environment == "int" ? 0 : 1 - repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name + repository = aws_ecr_repository.mesh_file_converter_lambda_repository.name policy = jsonencode({ Version = "2012-10-17" @@ -82,8 +78,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po # IAM Role for Lambda resource "aws_iam_role" "mesh_processor_lambda_exec_role" { - count = var.environment == "int" ? 0 : 1 - name = "${local.short_prefix}-mesh_processor-lambda-exec-role" + name = "${local.short_prefix}-mesh_processor-lambda-exec-role" assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{ @@ -99,8 +94,7 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" { # Policy for Lambda execution role resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { - count = var.environment == "int" ? 0 : 1 - name = "${local.short_prefix}-mesh_processor-lambda-exec-policy" + name = "${local.short_prefix}-mesh_processor-lambda-exec-policy" policy = jsonencode({ Version = "2012-10-17", Statement = [ @@ -146,7 +140,6 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { } resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { - count = var.environment == "int" ? 0 : 1 name = "${local.short_prefix}-mesh_processor-lambda-kms-policy" description = "Allow Lambda to decrypt environment variables" @@ -161,7 +154,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { "kms:GenerateDataKey*" ] Resource = [ - data.aws_kms_key.mesh_s3_encryption_key[0].arn + data.aws_kms_key.mesh_s3_encryption_key.arn # "arn:aws:kms:eu-west-2:345594581768:key/9b756762-bc6f-42fb-ba56-2c0c00c15289" ] } 
@@ -171,33 +164,29 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { # Attach the execution policy to the Lambda role resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" { - count = var.environment == "int" ? 0 : 1 - role = aws_iam_role.mesh_processor_lambda_exec_role[0].name - policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn + role = aws_iam_role.mesh_processor_lambda_exec_role.name + policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy.arn } # Attach the kms policy to the Lambda role resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" { - count = var.environment == "int" ? 0 : 1 - role = aws_iam_role.mesh_processor_lambda_exec_role[0].name - policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn + role = aws_iam_role.mesh_processor_lambda_exec_role.name + policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy.arn } # Lambda Function with Security Group and VPC. resource "aws_lambda_function" "mesh_file_converter_lambda" { - count = var.environment == "int" ? 0 : 1 function_name = "${local.short_prefix}-mesh_processor_lambda" - role = aws_iam_role.mesh_processor_lambda_exec_role[0].arn + role = aws_iam_role.mesh_processor_lambda_exec_role.arn package_type = "Image" - image_uri = module.mesh_processor_docker_image[0].image_uri + image_uri = module.mesh_processor_docker_image.image_uri architectures = ["x86_64"] timeout = 360 environment { variables = { - Destination_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket - MESH_FILE_PROC_LAMBDA_NAME = "imms-${var.sub_environment}-meshfileproc_lambda" + Destination_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket } } 
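Review bot: `MESH_FILE_PROC_LAMBDA_NAME` is dropped from the lambda's `environment.variables` with no corresponding change to the `mesh_processor` code in this patch; if the handler still reads it, the failure surfaces at invocation time rather than at apply. Either confirm the variable is unread under `mesh_processor/` or keep `MESH_FILE_PROC_LAMBDA_NAME = "imms-${var.sub_environment}-meshfileproc_lambda"` until the code is updated. The `count` removals in this hunk are the same concern raised on the first mesh_processor hunk.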
@@ -205,10 +194,9 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" { # Permission for S3 to invoke Lambda function resource "aws_lambda_permission" "mesh_s3_invoke_permission" { - count = var.environment == "int" ? 0 : 1 statement_id = "AllowExecutionFromS3" action = "lambda:InvokeFunction" - function_name = aws_lambda_function.mesh_file_converter_lambda[0].function_name + function_name = aws_lambda_function.mesh_file_converter_lambda.function_name principal = "s3.amazonaws.com" source_arn = "arn:aws:s3:::local-immunisation-mesh" } @@ -218,18 +206,16 @@ resource "aws_lambda_permission" "mesh_s3_invoke_permission" { # S3 Bucket notification to trigger Lambda function resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" { # TODO - what is this bucket and why isn't it managed by Terraform? - count = var.environment == "int" ? 0 : 1 bucket = "local-immunisation-mesh" lambda_function { - lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda[0].arn + lambda_function_arn = aws_lambda_function.mesh_file_converter_lambda.arn events = ["s3:ObjectCreated:*"] #filter_prefix ="" } } resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" { - count = var.environment == "int" ? 0 : 1 name = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda" retention_in_days = 30 } diff --git a/terraform/s3_config.tf b/terraform/s3_config.tf index 44b38c464f..bb94320010 100644 --- a/terraform/s3_config.tf +++ b/terraform/s3_config.tf @@ -93,7 +93,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "datasources_lifecycle" { resource "aws_s3_bucket" "batch_data_destination_bucket" { # Deliberately not using `local.batch_prefix` as we don't want separate blue / green destinations in prod. - bucket = "immunisation-batch-${var.environment}-data-destinations" + bucket = "immunisation-batch-${var.sub_environment}-data-destinations" force_destroy = local.is_temp } 
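Review bot: `bucket = "immunisation-batch-${var.sub_environment}-data-destinations"` contradicts the comment directly above it, which says the destination bucket deliberately must not be split per blue/green in prod; with the prod tfvars in this same patch setting `sub_environment` to `blue` and `green`, prod now gets two destination buckets. `bucket` forces replacement on `aws_s3_bucket`, so whatever the previous workspace-derived name was, any workspace whose name changes will try to destroy and recreate the bucket — with `force_destroy = local.is_temp` a non-empty non-temp bucket fails the apply, and a temp one silently loses its contents. The `batch_config_bucket` rename in the next line's s3_config.tf hunk has the same replacement risk. Use the account-level value here, `bucket = "immunisation-batch-${var.environment}-data-destinations"`, or put the name in tfvars so prod blue and green share it, and check the plan for any bucket shown as "must be replaced" before applying.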
@@ -192,7 +192,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "data_destinations" { } resource "aws_s3_bucket" "batch_config_bucket" { - bucket = "imms-${var.environment}-fhir-config" + bucket = "imms-${var.sub_environment}-fhir-config" } resource "aws_s3_bucket_public_access_block" "batch_config_bucket_public_access_block" { diff --git a/terraform/variables.tf b/terraform/variables.tf index 8b3533d1e7..2770b7645b 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -26,6 +26,10 @@ variable "aws_region" { default = "eu-west-2" } +variable "pds_environment" { + default = "int" +} + locals { prefix = "${var.project_name}-${var.service}-${var.sub_environment}" short_prefix = "${var.project_short_name}-${var.sub_environment}" From 175ee546524f642f9b3452d6a9af246d13792f4d Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Tue, 15 Jul 2025 10:48:21 +0100 Subject: [PATCH 06/18] Cleanup and removed unused resources --- terraform/Makefile | 2 +- terraform/endpoints.tf | 3 ++- terraform/main.tf | 4 ++++ terraform/modules/api_gateway/variables.tf | 1 + terraform/route53.tf | 15 ------------- terraform/variables.tf | 25 ++++++++++++---------- 6 files changed, 22 insertions(+), 28 deletions(-) delete mode 100644 terraform/route53.tf diff --git a/terraform/Makefile b/terraform/Makefile index 1133ee2245..203c1a5230 100644 --- a/terraform/Makefile +++ b/terraform/Makefile @@ -19,7 +19,7 @@ init-reconfigure: $(tf_cmd) init $(tf_state) -upgrade $(tf_vars) -reconfigure plan: workspace - $(tf_cmd) plan $(tf_vars) -out=tfplan + $(tf_cmd) plan $(tf_vars) plan-changes: workspace $(tf_cmd) plan $(tf_vars) -out=plan && $(tf_cmd) show -no-color -json plan | jq -r '.resource_changes[] | select(.change.actions[0]=="update" or .change.actions[0]=="create" or .change.actions[0]=="add") | .address' diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf index 1a7a74cb44..7b4d30d0bd 100644 --- a/terraform/endpoints.tf 
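Review bot: `variable "pds_environment"` is added with only `default = "int"` — no `type`, no `description` and no validation — so a misspelt or omitted `pds_environment` in a tfvars file silently points that deployment at the int PDS, and a misspelt value such as `"Prod"` is passed through to the lambda unchecked. The three accepted values are exactly those the removed conditional in endpoints.tf used, so they can be enforced at plan time rather than discovered at runtime.
```hcl
variable "pds_environment" {
  description = "PDS environment the API calls (int, ref or prod); set per environment in variables.tfvars"
  type        = string
  default     = "int"

  validation {
    condition     = contains(["int", "ref", "prod"], var.pds_environment)
    error_message = "pds_environment must be one of: int, ref, prod."
  }
}
```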
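Review bot: Dropping `-out=tfplan` from the `plan` target means `apply` has to re-plan from scratch, so what is applied is not necessarily the plan a reviewer looked at when `make plan` and `make apply` are separate invocations, as they are in post-deploy.yml. Keep the saved plan and have `apply` consume it: `$(tf_cmd) plan $(tf_vars) -out=tfplan` here and `$(tf_cmd) apply tfplan` in the apply target. The `apply` target itself is outside this hunk, so whether it currently re-plans cannot be confirmed from here.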
+++ b/terraform/endpoints.tf @@ -112,7 +112,8 @@ module "api_gateway" { short_prefix = local.short_prefix zone_id = data.aws_route53_zone.project_zone.zone_id api_domain_name = local.service_domain_name - environment = var.sub_environment + environment = var.environment + sub_environment = var.sub_environment oas = local.oas } diff --git a/terraform/main.tf b/terraform/main.tf index 7ec0e2656e..31ff651199 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -101,3 +101,7 @@ data "aws_kms_key" "existing_kinesis_encryption_key" { data "aws_kms_key" "mesh_s3_encryption_key" { key_id = "alias/local-immunisation-mesh" } + +data "aws_route53_zone" "project_zone" { + name = local.project_domain_name +} diff --git a/terraform/modules/api_gateway/variables.tf b/terraform/modules/api_gateway/variables.tf index d36d336c00..1e37689e08 100644 --- a/terraform/modules/api_gateway/variables.tf +++ b/terraform/modules/api_gateway/variables.tf @@ -3,4 +3,5 @@ variable "short_prefix" {} variable "zone_id" {} variable "api_domain_name" {} variable "environment" {} +variable "sub_environment" {} variable "oas" {} diff --git a/terraform/route53.tf b/terraform/route53.tf deleted file mode 100644 index d99d7beba6..0000000000 --- a/terraform/route53.tf +++ /dev/null @@ -1,15 +0,0 @@ -locals { - zone_subdomain = var.project_short_name -} - -data "aws_route53_zone" "root_zone" { - name = local.root_domain -} - -locals { - project_zone_name = "${local.zone_subdomain}.${data.aws_route53_zone.root_zone.name}" -} - -data "aws_route53_zone" "project_zone" { - name = local.project_zone_name -} diff --git a/terraform/variables.tf b/terraform/variables.tf index 2770b7645b..1df2bfa789 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
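Review bot: `variable "sub_environment" {}` in modules/api_gateway/variables.tf is declared without `type` or `description`, which matches the existing untyped declarations but leaves the module's contract opaque now that it takes both `environment` and `sub_environment`; the call site in endpoints.tf in this same patch switches `environment` from `var.sub_environment` to `var.environment`, so the two are easy to confuse. Declare it as `variable "sub_environment" { type = string  description = "Workspace-level environment, e.g. blue, green, pr-<n>" }` and give `environment` a matching description naming it as the account-level value.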
@@ -30,19 +30,22 @@ variable "pds_environment" { default = "int" } -locals { - prefix = "${var.project_name}-${var.service}-${var.sub_environment}" - short_prefix = "${var.project_short_name}-${var.sub_environment}" - batch_prefix = "immunisation-batch-${var.sub_environment}" +variable "root_domain" { + default = "imms.dev.vds.platform.nhs.uk" +} - vpc_name = "imms-${var.sub_environment}-fhir-api-vpc" - root_domain = "${var.sub_environment}.${var.environment}.vds.platform.nhs.uk" - project_domain_name = data.aws_route53_zone.project_zone.name +locals { + sub_environment = can(regex("pr-", var.sub_environment)) ? terraform.workspace : var.sub_environment + prefix = "${var.project_name}-${var.service}-${var.sub_environment}" + short_prefix = "${var.project_short_name}-${var.sub_environment}" + batch_prefix = "immunisation-batch-${var.sub_environment}" + vpc_name = "imms-${var.environment}-fhir-api-vpc" + root_domain_name = "${var.environment}.vds.platform.nhs.uk" + project_domain_name = "imms.${local.root_domain_name}" service_domain_name = "${var.sub_environment}.${local.project_domain_name}" - - config_bucket_arn = aws_s3_bucket.batch_config_bucket.arn - config_bucket_name = aws_s3_bucket.batch_config_bucket.bucket - is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", var.sub_environment)) > 0 + config_bucket_arn = aws_s3_bucket.batch_config_bucket.arn + config_bucket_name = aws_s3_bucket.batch_config_bucket.bucket + is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", var.sub_environment)) > 0 # Public subnet - The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet. # public_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.gateway_id) > 0] From 854947fbf8b8b0ffbe455fcf71e7770aaa51e7da Mon Sep 17 00:00:00 2001 
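Review bot: `local.sub_environment` (pr- workspaces resolve to `terraform.workspace`) is defined but nothing in the hunk uses it — `prefix`, `short_prefix`, `batch_prefix`, `service_domain_name` and `is_temp` all still read `var.sub_environment` — so for a PR workspace the resource names are built from whatever the tfvars sets, not from the workspace as the new local intends. Likewise the new `variable "root_domain"` with its hard-coded `imms.dev.vds.platform.nhs.uk` default is not referenced by `root_domain_name` or `project_domain_name`, which derive the domain from `var.environment`; a dev-only default on an apparently unused variable is a trap for the next reader. Either switch the locals to `local.sub_environment` or drop it, and drop `root_domain` unless something outside this hunk reads it. The `locals` block continues past the hunk.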
From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Tue, 15 Jul 2025 12:07:05 +0100 Subject: [PATCH 07/18] PDS check variable --- terraform/endpoints.tf | 2 +- terraform/environments/int/blue/variables.tfvars | 1 + terraform/environments/int/green/variables.tfvars | 1 + terraform/environments/non-prod/int/variables.tfvars | 1 + terraform/modules/api_gateway/api.tf | 4 ++-- terraform/modules/api_gateway/logs.tf | 2 +- terraform/variables.tf | 4 ++++ 7 files changed, 11 insertions(+), 4 deletions(-) diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf index 7b4d30d0bd..1fba64ca2d 100644 --- a/terraform/endpoints.tf +++ b/terraform/endpoints.tf @@ -27,7 +27,7 @@ locals { "IMMUNIZATION_BASE_PATH" = strcontains(terraform.workspace, "pr-") ? "immunisation-fhir-api-${terraform.workspace}" : "immunisation-fhir-api" # except for prod and ref, any other env uses PDS int environment "PDS_ENV" = var.pds_environment - "PDS_CHECK_ENABLED" = tostring(var.environment != "int") + "PDS_CHECK_ENABLED" = tostring(var.pds_check_enabled) "SPLUNK_FIREHOSE_NAME" = module.splunk.firehose_stream_name "SQS_QUEUE_URL" = "https://sqs.eu-west-2.amazonaws.com/${var.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo" "REDIS_HOST" = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address diff --git a/terraform/environments/int/blue/variables.tfvars b/terraform/environments/int/blue/variables.tfvars index 507eb63f72..e1ebada96a 100644 --- a/terraform/environments/int/blue/variables.tfvars +++ b/terraform/environments/int/blue/variables.tfvars @@ -2,3 +2,4 @@ environment = "int" sub_environment = "blue" immunisation_account_id = "084828561157" dspp_core_account_id = "603871901111" +pds_check_enabled = false diff --git a/terraform/environments/int/green/variables.tfvars b/terraform/environments/int/green/variables.tfvars index a4e67ff8fe..6dd435463d 100644 --- a/terraform/environments/int/green/variables.tfvars 
+++ b/terraform/environments/int/green/variables.tfvars @@ -2,3 +2,4 @@ environment = "int" sub_environment = "green" immunisation_account_id = "084828561157" dspp_core_account_id = "603871901111" +pds_check_enabled = false diff --git a/terraform/environments/non-prod/int/variables.tfvars b/terraform/environments/non-prod/int/variables.tfvars index ec610ea44f..bbe69427d4 100644 --- a/terraform/environments/non-prod/int/variables.tfvars +++ b/terraform/environments/non-prod/int/variables.tfvars @@ -2,3 +2,4 @@ environment = "dev" sub_environment = "int" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" +pds_check_enabled = false diff --git a/terraform/modules/api_gateway/api.tf b/terraform/modules/api_gateway/api.tf index 77ff3964ac..b151577b09 100644 --- a/terraform/modules/api_gateway/api.tf +++ b/terraform/modules/api_gateway/api.tf @@ -1,7 +1,7 @@ resource "aws_apigatewayv2_api" "service_api" { name = "${var.prefix}-api" - description = "Immunisation FHIR API - ${var.environment}" + description = "Immunisation FHIR API - ${var.sub_environment}" protocol_type = "HTTP" disable_execute_api_endpoint = true body = var.oas @@ -10,7 +10,7 @@ resource "aws_apigatewayv2_api" "service_api" { resource "aws_apigatewayv2_stage" "default" { depends_on = [aws_cloudwatch_log_group.api_access_log] api_id = aws_apigatewayv2_api.service_api.id - name = var.environment + name = var.sub_environment auto_deploy = true default_route_settings { diff --git a/terraform/modules/api_gateway/logs.tf b/terraform/modules/api_gateway/logs.tf index 2ac4ea05f7..719a55712d 100644 --- a/terraform/modules/api_gateway/logs.tf +++ b/terraform/modules/api_gateway/logs.tf @@ -1,5 +1,5 @@ resource "aws_cloudwatch_log_group" "api_access_log" { - name = "/aws/vendedlogs/${aws_apigatewayv2_api.service_api.id}/${var.environment}" + name = "/aws/vendedlogs/${aws_apigatewayv2_api.service_api.id}/${var.sub_environment}" retention_in_days = 30 } 
diff --git a/terraform/variables.tf b/terraform/variables.tf index 1df2bfa789..909ddd781c 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -30,6 +30,10 @@ variable "pds_environment" { default = "int" } +variable "pds_check_enabled" { + default = true +} + variable "root_domain" { default = "imms.dev.vds.platform.nhs.uk" } From 76fa46f16c69480c64b5f265f31a389949d12aed Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Tue, 15 Jul 2025 15:17:11 +0100 Subject: [PATCH 08/18] Sub envs value coming from makefile --- terraform/Makefile | 4 +++- terraform/environments/int/blue/variables.tfvars | 1 - terraform/environments/int/green/variables.tfvars | 1 - terraform/environments/non-prod/int/variables.tfvars | 1 - .../environments/non-prod/internal-dev/variables.tfvars | 1 - terraform/environments/non-prod/pr/variables.tfvars | 1 - terraform/environments/non-prod/ref/variables.tfvars | 1 - terraform/environments/prod/blue/variables.tfvars | 1 - terraform/environments/prod/green/variables.tfvars | 1 - terraform/variables.tf | 7 +++++-- 10 files changed, 8 insertions(+), 11 deletions(-) diff --git a/terraform/Makefile b/terraform/Makefile index 203c1a5230..f98b7d2b07 100644 --- a/terraform/Makefile +++ b/terraform/Makefile @@ -2,7 +2,9 @@ tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform tf_state= -backend-config="bucket=$(STATE_BUCKET_NAME)" -tf_vars= -var-file="./environments/$(ENVIRONMENT)/$(SUB_ENVIRONMENT)/variables.tfvars" + +sub_env_folder := $(if $(findstring pr-,$(SUB_ENVIRONMENT)),pr,$(SUB_ENVIRONMENT)) +tf_vars= -var="sub_environment=$(SUB_ENVIRONMENT)" -var-file="./environments/$(ENVIRONMENT)/$(sub_env_folder)/variables.tfvars" lock-provider: # Run this only when you install a new terraform provider. This will generate sha code in lock file for all platform 
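Review bot: `$(findstring pr-,$(SUB_ENVIRONMENT))` matches `pr-` anywhere in the value rather than as a prefix, and nothing checks that `ENVIRONMENT` and `SUB_ENVIRONMENT` are set at all, so an empty or stale `.env` expands `tf_vars` to `-var="sub_environment=" -var-file="./environments//variables.tfvars"` and the failure only surfaces as a terraform error about a missing var file. Use an anchored match and fail fast at parse time: `$(if $(strip $(SUB_ENVIRONMENT)),,$(error SUB_ENVIRONMENT is not set))` (and the same for `ENVIRONMENT`) followed by `sub_env_folder := $(if $(filter pr-%,$(SUB_ENVIRONMENT)),pr,$(SUB_ENVIRONMENT))`. The rewrite of this block in patch 10 (`sub_environment_dir :=`) carries the same two gaps.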
diff --git a/terraform/environments/int/blue/variables.tfvars b/terraform/environments/int/blue/variables.tfvars index e1ebada96a..a2d554f71a 100644 --- a/terraform/environments/int/blue/variables.tfvars +++ b/terraform/environments/int/blue/variables.tfvars @@ -1,5 +1,4 @@ environment = "int" -sub_environment = "blue" immunisation_account_id = "084828561157" dspp_core_account_id = "603871901111" pds_check_enabled = false diff --git a/terraform/environments/int/green/variables.tfvars b/terraform/environments/int/green/variables.tfvars index 6dd435463d..a2d554f71a 100644 --- a/terraform/environments/int/green/variables.tfvars +++ b/terraform/environments/int/green/variables.tfvars @@ -1,5 +1,4 @@ environment = "int" -sub_environment = "green" immunisation_account_id = "084828561157" dspp_core_account_id = "603871901111" pds_check_enabled = false diff --git a/terraform/environments/non-prod/int/variables.tfvars b/terraform/environments/non-prod/int/variables.tfvars index bbe69427d4..6ab24e1be0 100644 --- a/terraform/environments/non-prod/int/variables.tfvars +++ b/terraform/environments/non-prod/int/variables.tfvars @@ -1,5 +1,4 @@ environment = "dev" -sub_environment = "int" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" pds_check_enabled = false diff --git a/terraform/environments/non-prod/internal-dev/variables.tfvars b/terraform/environments/non-prod/internal-dev/variables.tfvars index 60e5c7eccc..bfe1a6cda0 100644 --- a/terraform/environments/non-prod/internal-dev/variables.tfvars +++ b/terraform/environments/non-prod/internal-dev/variables.tfvars @@ -1,5 +1,4 @@ environment = "dev" -sub_environment = "internal-dev" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" create_config_bucket = true diff --git a/terraform/environments/non-prod/pr/variables.tfvars b/terraform/environments/non-prod/pr/variables.tfvars index 3b976dc379..9491497c36 100644 --- a/terraform/environments/non-prod/pr/variables.tfvars 
+++ b/terraform/environments/non-prod/pr/variables.tfvars @@ -1,4 +1,3 @@ environment = "dev" -sub_environment = "pr" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" diff --git a/terraform/environments/non-prod/ref/variables.tfvars b/terraform/environments/non-prod/ref/variables.tfvars index 4a1f28f709..6d923611f1 100644 --- a/terraform/environments/non-prod/ref/variables.tfvars +++ b/terraform/environments/non-prod/ref/variables.tfvars @@ -1,5 +1,4 @@ environment = "dev" -sub_environment = "ref" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" pds_environment = "ref" diff --git a/terraform/environments/prod/blue/variables.tfvars b/terraform/environments/prod/blue/variables.tfvars index 5752fb4c45..391c78501b 100644 --- a/terraform/environments/prod/blue/variables.tfvars +++ b/terraform/environments/prod/blue/variables.tfvars @@ -1,4 +1,3 @@ environment = "prod" -sub_environment = "blue" immunisation_account_id = "664418956997" pds_environment = "prod" diff --git a/terraform/environments/prod/green/variables.tfvars b/terraform/environments/prod/green/variables.tfvars index 68e4f0c3aa..391c78501b 100644 --- a/terraform/environments/prod/green/variables.tfvars +++ b/terraform/environments/prod/green/variables.tfvars @@ -1,4 +1,3 @@ environment = "prod" -sub_environment = "green" immunisation_account_id = "664418956997" pds_environment = "prod" diff --git a/terraform/variables.tf b/terraform/variables.tf index 909ddd781c..ce99bcabe7 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,5 +1,9 @@ variable "environment" {} -variable "sub_environment" {} + +variable "sub_environment" { + description = "The value is passed in the makefile" +} + variable "immunisation_account_id" {} variable "dspp_core_account_id" {} # For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account. 
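Review bot: `variable "sub_environment"` now gains a description but still no `type`, and its value — which after this patch comes straight from the Makefile's `-var="sub_environment=$(SUB_ENVIRONMENT)"`, i.e. from `.env` or the CI workspace name — is interpolated into S3 bucket names, IAM role names and DNS names in the locals below, so a stray uppercase letter or dot fails mid-apply rather than at plan. A `type` plus a validation restricting it to lowercase letters, digits and hyphens (the character set S3 bucket names accept, and the `[a-z]{2,4}-?[0-9]+` shape `is_temp` already assumes) rejects bad input before any resource is touched. The description should also say where the value comes from rather than just "the makefile".
```hcl
variable "sub_environment" {
  description = "Workspace-level environment (e.g. blue, green, pr-<n>); passed by the Makefile as -var=\"sub_environment=...\" from SUB_ENVIRONMENT"
  type        = string

  validation {
    condition     = can(regex("^[a-z0-9-]+$", var.sub_environment))
    error_message = "sub_environment must contain only lowercase letters, digits and hyphens."
  }
}
```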
@@ -39,7 +43,6 @@ variable "root_domain" { } locals { - sub_environment = can(regex("pr-", var.sub_environment)) ? terraform.workspace : var.sub_environment prefix = "${var.project_name}-${var.service}-${var.sub_environment}" short_prefix = "${var.project_short_name}-${var.sub_environment}" batch_prefix = "immunisation-batch-${var.sub_environment}" From 93dcb3059e0cdc08e26fcfcdb515f981e008118b Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Tue, 15 Jul 2025 15:36:17 +0100 Subject: [PATCH 09/18] Renamed non-prod to dev --- terraform/environments/{non-prod => dev}/int/variables.tfvars | 0 .../environments/{non-prod => dev}/internal-dev/variables.tfvars | 0 terraform/environments/{non-prod => dev}/pr/variables.tfvars | 0 terraform/environments/{non-prod => dev}/ref/variables.tfvars | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename terraform/environments/{non-prod => dev}/int/variables.tfvars (100%) rename terraform/environments/{non-prod => dev}/internal-dev/variables.tfvars (100%) rename terraform/environments/{non-prod => dev}/pr/variables.tfvars (100%) rename terraform/environments/{non-prod => dev}/ref/variables.tfvars (100%) diff --git a/terraform/environments/non-prod/int/variables.tfvars b/terraform/environments/dev/int/variables.tfvars similarity index 100% rename from terraform/environments/non-prod/int/variables.tfvars rename to terraform/environments/dev/int/variables.tfvars diff --git a/terraform/environments/non-prod/internal-dev/variables.tfvars b/terraform/environments/dev/internal-dev/variables.tfvars similarity index 100% rename from terraform/environments/non-prod/internal-dev/variables.tfvars rename to terraform/environments/dev/internal-dev/variables.tfvars 
diff --git a/terraform/environments/non-prod/pr/variables.tfvars b/terraform/environments/dev/pr/variables.tfvars similarity index 100% rename from terraform/environments/non-prod/pr/variables.tfvars rename to terraform/environments/dev/pr/variables.tfvars diff --git a/terraform/environments/non-prod/ref/variables.tfvars b/terraform/environments/dev/ref/variables.tfvars similarity index 100% rename from terraform/environments/non-prod/ref/variables.tfvars rename to terraform/environments/dev/ref/variables.tfvars From 34a1a0b5548298d245b127cb201b9fe0f9f1151a Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Tue, 15 Jul 2025 18:01:57 +0100 Subject: [PATCH 10/18] Updated readme, pipeline and makefile --- azure/templates/post-deploy.yml | 8 +++----- terraform/Makefile | 18 ++++++++++++----- terraform/README.md | 34 +++++++++++++++++++++++---------- terraform/main.tf | 1 - 4 files changed, 40 insertions(+), 21 deletions(-) diff --git a/azure/templates/post-deploy.yml b/azure/templates/post-deploy.yml index ccaa530ab5..a47b750cb8 100644 --- a/azure/templates/post-deploy.yml +++ b/azure/templates/post-deploy.yml @@ -41,8 +41,6 @@ steps: set -e if ! [[ $APIGEE_ENVIRONMENT =~ .*-*sandbox ]]; then export AWS_PROFILE=apim-dev - aws_account_no="$(aws sts get-caller-identity --query Account --output text)" - service_name=$(FULLY_QUALIFIED_SERVICE_NAME) pr_no=$(echo $service_name | { grep -oE '[0-9]+$' || true; }) 
@@ -58,11 +56,11 @@ steps: echo Apigee environment: $APIGEE_ENVIRONMENT echo pr_no: $pr_no - cd terraform + cd terraform make init - make plan aws_account_no=${aws_account_no} environment=$workspace - # make apply aws_account_no=${aws_account_no} environment=$workspace + make plan environment=${{ parameters.aws_account_type }} sub_environment=$workspace + # make apply environment=${{ parameters.aws_account_type }} sub_environment=$workspace AWS_DOMAIN_NAME=$(make -s output name=service_domain_name) IMMS_DELTA_TABLE_NAME=$(make -s output name=imms_delta_table_name) diff --git a/terraform/Makefile b/terraform/Makefile index f98b7d2b07..c0ce50de0d 100644 --- a/terraform/Makefile +++ b/terraform/Makefile @@ -1,10 +1,18 @@ -include .env +environment ?= $(ENVIRONMENT) +sub_environment ?= $(SUB_ENVIRONMENT) +sub_environment_dir := $(if $(findstring pr-,$(sub_environment)),pr,$(sub_environment)) + tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform -tf_state= -backend-config="bucket=$(STATE_BUCKET_NAME)" -sub_env_folder := $(if $(findstring pr-,$(SUB_ENVIRONMENT)),pr,$(SUB_ENVIRONMENT)) -tf_vars= -var="sub_environment=$(SUB_ENVIRONMENT)" -var-file="./environments/$(ENVIRONMENT)/$(sub_env_folder)/variables.tfvars" +bucket_name = $(if $(filter dev,$(environment)),immunisation-$(sub_environment),immunisation-$(environment))-terraform-state-files + +tf_state = -backend-config="bucket=$(bucket_name)" + +tf_vars = \ + -var="sub_environment=$(sub_environment)" \ + -var-file="./environments/$(environment)/$(sub_environment_dir)/variables.tfvars" lock-provider: # Run this only when you install a new terraform provider. This will generate sha code in lock file for all platform 
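Review bot: `bucket_name` derives the state bucket from `$(environment)` and `$(sub_environment)` with no guard that either is set, so with an empty `.env` `tf_state` becomes `-backend-config="bucket=immunisation--terraform-state-files"` and `make init` tries to initialise against that name; with a stale value it points at another environment's state, which `init` without `-reconfigure` will offer to migrate (the README hunk below warns about exactly this case). Add `$(if $(strip $(environment)),,$(error environment is not set))` and the same for `sub_environment` before the `bucket_name` line. For a dev PR workspace the expression yields `immunisation-pr-57-terraform-state-files`; if PR workspaces are meant to share one dev state bucket, this should use `$(sub_environment_dir)` rather than `$(sub_environment)` — worth confirming against the buckets that actually exist. The `findstring`-based `sub_environment_dir` has the same prefix-matching issue raised on the patch 08 Makefile hunk.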
@@ -12,7 +20,7 @@ lock-provider: $(tf_cmd) providers lock -platform=darwin_arm64 -platform=darwin_amd64 -platform=linux_amd64 -platform=windows_amd64 workspace: - $(tf_cmd) workspace new $(SUB_ENVIRONMENT) || $(tf_cmd) workspace select $(SUB_ENVIRONMENT) && echo "Switched to workspace/environment: $(SUB_ENVIRONMENT)" + $(tf_cmd) workspace new $(sub_environment) || $(tf_cmd) workspace select $(sub_environment) && echo "Switched to workspace/environment: $(sub_environment)" init: $(tf_cmd) init $(tf_state) -upgrade $(tf_vars) @@ -35,7 +43,7 @@ clean: destroy: workspace $(tf_cmd) destroy $(tf_vars) -auto-approve $(tf_cmd) workspace select default - $(tf_cmd) workspace delete $(SUB_ENVIRONMENT) + $(tf_cmd) workspace delete $(sub_environment) output: $(tf_cmd) output -raw $(name) diff --git a/terraform/README.md b/terraform/README.md index 921dae4043..41d936b49a 100644 --- a/terraform/README.md +++ b/terraform/README.md 
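Review bot: `destroy` runs `$(tf_cmd) destroy $(tf_vars) -auto-approve` and then `workspace delete $(sub_environment)` with no check on what `sub_environment` is, so the same target that tears down a PR workspace will, with `environment=prod` and `sub_environment=blue` left in `.env`, tear down production without a prompt. Gate it on disposable sub-environments with a first recipe line such as `$(if $(filter pr-%,$(sub_environment)),,$(error destroy is only allowed for pr-* sub-environments))` (Make expands `$(error)` before the shell runs), widening the allow-list if other throwaway environments need it. The `$(tf_cmd) destroy` and `workspace select default` lines are unchanged context, but the guard belongs ahead of them.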
@@ -1,17 +1,31 @@ -# immunisation-fhir-api Terraform +# About +The terraform from this folder runs in each PR and sets up lambdas associated with the PR. Once the PR is merged, it will be used by the release pipeline to deploy to INT and REF. This is also run by the prod release pipeline to deploy the lambdas to the prod blue and green sub environments. -## Setup for local dev +## Environments Structure -Add your workspace name to the env file. This is usually your shortcode. +Terraform is executed via a `Makefile`. +The environment-specific configuration is structured as follows: -```shell -echo environment=your-shortcode >> .env -make init -make workspace -make apply + environments/ + └── / # e.g. dev, int, prod (AWS account name) + └── / # e.g. pr, internal-dev + └── variables.tfvars + +The `Makefile` automatically reads the `.env` file to determine the correct `variables.tfvars` file to use, allowing customization of infrastructure for each sub-environment. + +## Run locally +1. Create a `.env` file with the following values: +```dotenv +ENVIRONMENT=dev # Target AWS account (e.g., dev, int, prod) +SUB_ENVIRONMENT=pr-123 # Sub-environment (e.g., pr-57, internal-dev) +AWS_REGION=eu-west-2 +AWS_PROFILE=your-aws-profile ``` +2. Run `make init` to download provisioners and dependencies +3. Run `make plan` to output plan with the changes that terraform will perform +4. **WARNING**: Run `make apply` only after thoroughly reviewing the plan as this might destroy or modify existing infrastructure -See the Makefile for other commands. +Note: If you switch environment configuration in .env ensure that you run `make init-reconfigure` to reconfigure the backend to prevent migrating the existing state to the new backend. -If you want to apply Terraform to a workspace created by a PR you can set the above environment to the PR number. 
+If you want to apply Terraform to a workspace created by a PR you can set the above SUB_ENVIRONMENT to the `PR-number` and ENVIRONMENT set to `dev`. E.g. `pr-57`. You can use this to test out changes when tests fail in CI. diff --git a/terraform/main.tf b/terraform/main.tf index 31ff651199..ce9bd9f29a 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -18,7 +18,6 @@ terraform { provider "aws" { region = var.aws_region - #profile = "apim-dev" default_tags { tags = { Project = var.project_name From ea142fe66655e66990f8877e8cfb772747d5e46b Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Tue, 15 Jul 2025 18:07:32 +0100 Subject: [PATCH 11/18] readme.md --- terraform/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 41d936b49a..9d9d090bbe 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -1,5 +1,5 @@ # About -The terraform from this folder runs in each PR and sets up lambdas associated with the PR. Once the PR is merged, it will be used by the release pipeline to deploy to INT and REF. This is also run by the prod release pipeline to deploy the lambdas to the prod blue and green sub environments. +The Terraform configuration in this folder is executed in each PR and sets up lambdas associated with the PR. Once the PR is merged, it will be used by the release pipeline to deploy to INT and REF. This is also run by the production release pipeline to deploy the lambdas to the prod blue and green sub environments. ## Environments Structure 
@@ -21,7 +21,7 @@ SUB_ENVIRONMENT=pr-123 # Sub-environment (e.g., pr-57, internal-dev) AWS_REGION=eu-west-2 AWS_PROFILE=your-aws-profile ``` -2. Run `make init` to download provisioners and dependencies +2. Run `make init` to download providers and dependencies 3. Run `make plan` to output plan with the changes that terraform will perform 4. **WARNING**: Run `make apply` only after thoroughly reviewing the plan as this might destroy or modify existing infrastructure From 97e8cb56e365a2c765d0d9acd8c2663f500f67f0 Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Wed, 16 Jul 2025 09:11:43 +0100 Subject: [PATCH 12/18] Switched to apply --- azure/templates/post-deploy.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/azure/templates/post-deploy.yml b/azure/templates/post-deploy.yml index a47b750cb8..7e0050c0e1 100644 --- a/azure/templates/post-deploy.yml +++ b/azure/templates/post-deploy.yml @@ -59,8 +59,7 @@ steps: cd terraform make init - make plan environment=${{ parameters.aws_account_type }} sub_environment=$workspace - # make apply environment=${{ parameters.aws_account_type }} sub_environment=$workspace + make apply environment=${{ parameters.aws_account_type }} sub_environment=$workspace AWS_DOMAIN_NAME=$(make -s output name=service_domain_name) IMMS_DELTA_TABLE_NAME=$(make -s output name=imms_delta_table_name) From 8845e06be35817bd5175e1936cc1735988a5109b Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Wed, 16 Jul 2025 09:35:15 +0100 Subject: [PATCH 13/18] Space --- terraform/redis_sync_lambda.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/redis_sync_lambda.tf b/terraform/redis_sync_lambda.tf index cc438e0f87..df0a9494ed 100644 --- a/terraform/redis_sync_lambda.tf +++ b/terraform/redis_sync_lambda.tf 
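Review bot: The pipeline now runs `make apply environment=… sub_environment=$workspace` straight after `make init`, with no `make plan` step whose output a reviewer can inspect and — since patch 06 removed `-out=tfplan` — no saved plan for apply to consume, so for the `prod` value of `parameters.aws_account_type` this is an unreviewed apply. Split it into `make plan` (saving the plan) and a `make apply` that applies that saved file, and quote the workspace, `sub_environment="$workspace"`. The `apply` target in the Makefile is not part of this series, so whether it passes `-auto-approve` (which a non-interactive pipeline needs) cannot be confirmed here.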
@@ -250,7 +250,6 @@ resource "aws_cloudwatch_log_group" "redis_sync_log_group" { retention_in_days = 30 } - # S3 Bucket notification to trigger Lambda function for config bucket resource "aws_s3_bucket_notification" "config_lambda_notification" { From 6005b17715becd27f6394f4d1e5215a4d7977865 Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Wed, 16 Jul 2025 12:48:55 +0100 Subject: [PATCH 14/18] config update and refactor mesh --- .../environments/dev/int/variables.tfvars | 2 ++ .../dev/internal-dev/variables.tfvars | 4 ++- .../environments/dev/pr/variables.tfvars | 3 ++ .../environments/dev/ref/variables.tfvars | 2 ++ .../environments/int/blue/variables.tfvars | 2 ++ .../environments/int/green/variables.tfvars | 2 ++ .../environments/prod/blue/variables.tfvars | 4 +++ .../environments/prod/green/variables.tfvars | 3 ++ terraform/mesh_processor.tf | 35 +++++++++---------- terraform/variables.tf | 10 ++---- 10 files changed, 41 insertions(+), 26 deletions(-) diff --git a/terraform/environments/dev/int/variables.tfvars b/terraform/environments/dev/int/variables.tfvars index 6ab24e1be0..79ba7b0e06 100644 --- a/terraform/environments/dev/int/variables.tfvars +++ b/terraform/environments/dev/int/variables.tfvars @@ -1,4 +1,6 @@ environment = "dev" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" +pds_environment = "int" pds_check_enabled = false +create_mesh_processor = true diff --git a/terraform/environments/dev/internal-dev/variables.tfvars b/terraform/environments/dev/internal-dev/variables.tfvars index bfe1a6cda0..5494b5b254 100644 --- a/terraform/environments/dev/internal-dev/variables.tfvars +++ b/terraform/environments/dev/internal-dev/variables.tfvars @@ -1,4 +1,6 @@ environment = "dev" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" -create_config_bucket = true +pds_environment = "int" +pds_check_enabled = true +create_mesh_processor = false 
diff --git a/terraform/environments/dev/pr/variables.tfvars b/terraform/environments/dev/pr/variables.tfvars index 9491497c36..5494b5b254 100644 --- a/terraform/environments/dev/pr/variables.tfvars +++ b/terraform/environments/dev/pr/variables.tfvars @@ -1,3 +1,6 @@ environment = "dev" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" +pds_environment = "int" +pds_check_enabled = true +create_mesh_processor = false diff --git a/terraform/environments/dev/ref/variables.tfvars b/terraform/environments/dev/ref/variables.tfvars index 6d923611f1..f33465b249 100644 --- a/terraform/environments/dev/ref/variables.tfvars +++ b/terraform/environments/dev/ref/variables.tfvars @@ -2,3 +2,5 @@ environment = "dev" immunisation_account_id = "345594581768" dspp_core_account_id = "603871901111" pds_environment = "ref" +pds_check_enabled = true +create_mesh_processor = false diff --git a/terraform/environments/int/blue/variables.tfvars b/terraform/environments/int/blue/variables.tfvars index a2d554f71a..64e59cfe76 100644 --- a/terraform/environments/int/blue/variables.tfvars +++ b/terraform/environments/int/blue/variables.tfvars @@ -1,4 +1,6 @@ environment = "int" immunisation_account_id = "084828561157" dspp_core_account_id = "603871901111" +pds_environment = "int" pds_check_enabled = false +create_mesh_processor = true diff --git a/terraform/environments/int/green/variables.tfvars b/terraform/environments/int/green/variables.tfvars index a2d554f71a..64e59cfe76 100644 --- a/terraform/environments/int/green/variables.tfvars +++ b/terraform/environments/int/green/variables.tfvars @@ -1,4 +1,6 @@ environment = "int" immunisation_account_id = "084828561157" dspp_core_account_id = "603871901111" +pds_environment = "int" pds_check_enabled = false +create_mesh_processor = true diff --git a/terraform/environments/prod/blue/variables.tfvars b/terraform/environments/prod/blue/variables.tfvars index 391c78501b..b62bc2fe60 100644 
--- a/terraform/environments/prod/blue/variables.tfvars +++ b/terraform/environments/prod/blue/variables.tfvars @@ -1,3 +1,7 @@ environment = "prod" immunisation_account_id = "664418956997" +dspp_core_account_id = "603871901111" pds_environment = "prod" +pds_check_enabled = true +create_mesh_processor = true + diff --git a/terraform/environments/prod/green/variables.tfvars b/terraform/environments/prod/green/variables.tfvars index 391c78501b..f73ee08a97 100644 --- a/terraform/environments/prod/green/variables.tfvars +++ b/terraform/environments/prod/green/variables.tfvars @@ -1,3 +1,6 @@ environment = "prod" immunisation_account_id = "664418956997" +dspp_core_account_id = "603871901111" pds_environment = "prod" +pds_check_enabled = true +create_mesh_processor = true diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf index 4330cad400..db0a3b23b1 100644 --- a/terraform/mesh_processor.tf +++ b/terraform/mesh_processor.tf 
@@ -1,27 +1,26 @@ # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments locals { - create_mesh_processor = local.environment == "int" || local.environment == "prod" mesh_processor_lambda_dir = abspath("${path.root}/../mesh_processor") mesh_processor_lambda_files = fileset(local.mesh_processor_lambda_dir, "**") mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")])) # This should match the prefix used in the infra Terraform - mesh_module_prefix = "imms-${local.config_env}" + mesh_s3_bucket_name = "imms-${var.environment}-mesh" } data "aws_s3_bucket" "mesh" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 - bucket = "${local.mesh_module_prefix}-mesh" + bucket = local.mesh_s3_bucket_name } data "aws_kms_key" "mesh" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 - key_id = "alias/${local.mesh_module_prefix}-mesh" + key_id = "alias/${local.mesh_s3_bucket_name}" } resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 image_scanning_configuration { scan_on_push = true @@ -32,7 +31,7 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { # Module for building and pushing Docker image to ECR module "mesh_processor_docker_image" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 source = "terraform-aws-modules/lambda/aws//modules/docker-build" version = "8.0.1" 
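Review bot: `mesh_s3_bucket_name = "imms-${var.environment}-mesh"` keys the looked-up bucket and KMS alias on the account-level environment, yet `create_mesh_processor = true` is now set in `environments/dev/int/variables.tfvars` where `environment = "dev"`, so that workspace resolves to `imms-dev-mesh` where the old `local.config_env`-based name presumably resolved to something else; confirm a bucket and alias of that name exist in the dev account, otherwise `data.aws_s3_bucket.mesh` and `data.aws_kms_key.mesh` fail at plan time. The `# This should match the prefix used in the infra Terraform` comment now sits above a complete bucket name, so it should read `# Full bucket name; must match the MESH bucket created by the infra Terraform (also used as the KMS alias)`.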
@@ -66,7 +65,7 @@ module "mesh_processor_docker_image" { # Define the lambdaECRImageRetreival policy resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_policy" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 repository = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name @@ -98,7 +97,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po # IAM Role for Lambda resource "aws_iam_role" "mesh_processor_lambda_exec_role" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 name = "${local.short_prefix}-mesh_processor-lambda-exec-role" assume_role_policy = jsonencode({ @@ -116,7 +115,7 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" { # Policy for Lambda execution role resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 name = "${local.short_prefix}-mesh_processor-lambda-exec-policy" policy = jsonencode({ @@ -163,7 +162,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" { } resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 name = "${local.short_prefix}-mesh_processor-lambda-kms-policy" description = "Allow Lambda to decrypt environment variables" @@ -188,7 +187,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" { # Attach the execution policy to the Lambda role resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_attachment" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 role = aws_iam_role.mesh_processor_lambda_exec_role[0].name policy_arn = aws_iam_policy.mesh_processor_lambda_exec_policy[0].arn 
@@ -197,7 +196,7 @@ resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_exec_policy_att # Attach the kms policy to the Lambda role resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_attachment" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 role = aws_iam_role.mesh_processor_lambda_exec_role[0].name policy_arn = aws_iam_policy.mesh_processor_lambda_kms_access_policy[0].arn @@ -205,7 +204,7 @@ resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_atta # Lambda Function with Security Group and VPC. resource "aws_lambda_function" "mesh_file_converter_lambda" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 function_name = "${local.short_prefix}-mesh_processor_lambda" role = aws_iam_role.mesh_processor_lambda_exec_role[0].arn @@ -223,7 +222,7 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" { # Permission for S3 to invoke Lambda function resource "aws_lambda_permission" "mesh_s3_invoke_permission" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 statement_id = "AllowExecutionFromS3" action = "lambda:InvokeFunction" @@ -233,7 +232,7 @@ resource "aws_lambda_permission" "mesh_s3_invoke_permission" { } resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 bucket = data.aws_s3_bucket.mesh[0].bucket @@ -244,7 +243,7 @@ resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" { } resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" { - count = local.create_mesh_processor ? 1 : 0 + count = var.create_mesh_processor ? 1 : 0 name = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda" retention_in_days = 30 diff --git a/terraform/variables.tf b/terraform/variables.tf index ce99bcabe7..d4e55f9418 100644 
--- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,13 +1,13 @@ variable "environment" {} variable "sub_environment" { - description = "The value is passed in the makefile" + description = "The value is set in the makefile" } variable "immunisation_account_id" {} variable "dspp_core_account_id" {} -# For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account. -variable "create_config_bucket" { + +variable "create_mesh_processor" { default = false } @@ -38,10 +38,6 @@ variable "pds_check_enabled" { default = true } -variable "root_domain" { - default = "imms.dev.vds.platform.nhs.uk" -} - locals { prefix = "${var.project_name}-${var.service}-${var.sub_environment}" short_prefix = "${var.project_short_name}-${var.sub_environment}" From ecde31ad2ea068b1bd7a4acff85e4f29fd928e6c Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Wed, 16 Jul 2025 14:58:38 +0100 Subject: [PATCH 15/18] Comments sorted --- terraform/endpoints.tf | 2 +- terraform/environments/prod/blue/variables.tfvars | 2 +- terraform/environments/prod/green/variables.tfvars | 2 +- terraform/lambda.tf | 2 +- terraform/mesh_processor.tf | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf index 1fba64ca2d..11ab9da3ec 100644 --- a/terraform/endpoints.tf +++ b/terraform/endpoints.tf 
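Review bot: `variable "create_mesh_processor"` is declared with only a default, so a tfvars typo such as `"ture"` is not rejected until one of the `? 1 : 0` expressions fails, and nothing explains what the flag gates; declare it as `type = bool` with `description = "Create the MESH processor lambda and its ECR/IAM resources; requires the imms-<environment>-mesh bucket and KMS alias to exist"`. The same applies to `has_sub_environment_scope`, added to this file by a later patch in the series. `variable "environment" {}` and the two account-id variables are also untyped; `type = string` plus a `validation` block requiring a 12-digit id would reject malformed account values before any provider call is made.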
@@ -24,7 +24,7 @@ locals { imms_lambda_env_vars = { "DYNAMODB_TABLE_NAME" = local.imms_table_name, "IMMUNIZATION_ENV" = var.sub_environment, - "IMMUNIZATION_BASE_PATH" = strcontains(terraform.workspace, "pr-") ? "immunisation-fhir-api-${terraform.workspace}" : "immunisation-fhir-api" + "IMMUNIZATION_BASE_PATH" = strcontains(var.sub_environment, "pr-") ? "immunisation-fhir-api-${var.sub_environment}" : "immunisation-fhir-api" # except for prod and ref, any other env uses PDS int environment "PDS_ENV" = var.pds_environment "PDS_CHECK_ENABLED" = tostring(var.pds_check_enabled) diff --git a/terraform/environments/prod/blue/variables.tfvars b/terraform/environments/prod/blue/variables.tfvars index b62bc2fe60..10295ace47 100644 --- a/terraform/environments/prod/blue/variables.tfvars +++ b/terraform/environments/prod/blue/variables.tfvars @@ -1,6 +1,6 @@ environment = "prod" immunisation_account_id = "664418956997" -dspp_core_account_id = "603871901111" +dspp_core_account_id = "232116723729" pds_environment = "prod" pds_check_enabled = true create_mesh_processor = true diff --git a/terraform/environments/prod/green/variables.tfvars b/terraform/environments/prod/green/variables.tfvars index f73ee08a97..adde2c8a6f 100644 --- a/terraform/environments/prod/green/variables.tfvars +++ b/terraform/environments/prod/green/variables.tfvars @@ -1,6 +1,6 @@ environment = "prod" immunisation_account_id = "664418956997" -dspp_core_account_id = "603871901111" +dspp_core_account_id = "232116723729" pds_environment = "prod" pds_check_enabled = true create_mesh_processor = true diff --git a/terraform/lambda.tf b/terraform/lambda.tf index 95a00b4705..5410066f1f 100644 --- a/terraform/lambda.tf +++ b/terraform/lambda.tf @@ -15,7 +15,7 @@ resource "aws_ecr_repository" "operation_lambda_repository" { scan_on_push = true } name = "${local.prefix}-operation-lambda-repo" - force_delete = true #local.is_temp + force_delete = local.is_temp } #resource "docker_image" "lambda_function_docker" { 
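Review bot: The `# except for prod and ref, any other env uses PDS int environment` comment directly below the changed line describes a rule this code no longer encodes: `PDS_ENV` is simply whatever `pds_environment` the selected `environments/<env>/<sub-env>/variables.tfvars` sets, and the tfvars hunks in this series set it explicitly per environment. Reword it to `# PDS_ENV comes from pds_environment in the environment's variables.tfvars` so a later tfvars change cannot contradict the comment. The enclosing `locals` block starts and ends outside the hunk.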
diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf index 250a503490..1e53798922 100644 --- a/terraform/mesh_processor.tf +++ b/terraform/mesh_processor.tf @@ -4,19 +4,19 @@ locals { mesh_processor_lambda_files = fileset(local.mesh_processor_lambda_dir, "**") mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")])) # This should match the prefix used in the infra Terraform - mesh_s3_bucket_name = "imms-${var.environment}-mesh" + mesh_module_prefix = "imms-${var.environment}-mesh" } data "aws_s3_bucket" "mesh" { count = var.create_mesh_processor ? 1 : 0 - bucket = local.mesh_s3_bucket_name + bucket = local.mesh_module_prefix } data "aws_kms_key" "mesh" { count = var.create_mesh_processor ? 1 : 0 - key_id = "alias/${local.mesh_s3_bucket_name}" + key_id = "alias/${local.mesh_module_prefix}" } resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" { From 95fb1c57db4f91b2e65a0c5813c9b754ee0b720a Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Wed, 16 Jul 2025 17:55:54 +0100 Subject: [PATCH 16/18] Set scope for s3 and dynamo resources --- terraform/dynamodb.tf | 6 +++--- terraform/environments/dev/int/variables.tfvars | 13 +++++++------ .../environments/dev/internal-dev/variables.tfvars | 13 +++++++------ terraform/environments/dev/pr/variables.tfvars | 13 +++++++------ terraform/environments/dev/ref/variables.tfvars | 13 +++++++------ terraform/environments/int/blue/variables.tfvars | 13 +++++++------ terraform/environments/int/green/variables.tfvars | 13 +++++++------ terraform/environments/prod/blue/variables.tfvars | 14 +++++++------- terraform/environments/prod/green/variables.tfvars | 13 +++++++------ terraform/main.tf | 2 +- terraform/s3_config.tf | 4 ++-- terraform/variables.tf | 6 +++++- 12 files changed, 67 insertions(+), 56 deletions(-) 
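Review bot: Renaming the local back to `mesh_module_prefix` misnames it: the value `imms-${var.environment}-mesh` is the complete bucket name and, via `alias/${local.mesh_module_prefix}`, the complete KMS alias, not a prefix anything is appended to, so a reader will look for a `-something` suffix that does not exist. If the name is kept for consistency with the infra Terraform, replace the comment above it with `# Full name of the MESH bucket and its KMS alias as created by the infra Terraform (not a prefix)`. The enclosing `locals` block starts outside the hunk.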
diff --git a/terraform/dynamodb.tf b/terraform/dynamodb.tf index ef752fdb78..5ed73f4a13 100644 --- a/terraform/dynamodb.tf +++ b/terraform/dynamodb.tf @@ -1,5 +1,5 @@ resource "aws_dynamodb_table" "audit-table" { - name = "immunisation-batch-${var.sub_environment}-audit-table" + name = "immunisation-batch-${local.resource_scope}-audit-table" billing_mode = "PAY_PER_REQUEST" hash_key = "message_id" @@ -47,7 +47,7 @@ resource "aws_dynamodb_table" "audit-table" { } resource "aws_dynamodb_table" "delta-dynamodb-table" { - name = "imms-${var.sub_environment}-delta" + name = "imms-${local.resource_scope}-delta" billing_mode = "PAY_PER_REQUEST" hash_key = "PK" @@ -106,7 +106,7 @@ resource "aws_dynamodb_table" "delta-dynamodb-table" { } resource "aws_dynamodb_table" "events-dynamodb-table" { - name = "imms-${var.sub_environment}-imms-events" + name = "imms-${local.resource_scope}-imms-events" billing_mode = "PAY_PER_REQUEST" hash_key = "PK" stream_enabled = true diff --git a/terraform/environments/dev/int/variables.tfvars b/terraform/environments/dev/int/variables.tfvars index 79ba7b0e06..21dae85961 100644 --- a/terraform/environments/dev/int/variables.tfvars +++ b/terraform/environments/dev/int/variables.tfvars @@ -1,6 +1,7 @@ -environment = "dev" -immunisation_account_id = "345594581768" -dspp_core_account_id = "603871901111" -pds_environment = "int" -pds_check_enabled = false -create_mesh_processor = true +environment = "dev" +immunisation_account_id = "345594581768" +dspp_core_account_id = "603871901111" +pds_environment = "int" +pds_check_enabled = false +create_mesh_processor = true +has_sub_environment_scope = true diff --git a/terraform/environments/dev/internal-dev/variables.tfvars b/terraform/environments/dev/internal-dev/variables.tfvars index 5494b5b254..0c410efe95 100644 --- a/terraform/environments/dev/internal-dev/variables.tfvars +++ b/terraform/environments/dev/internal-dev/variables.tfvars 
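Review bot: Changing `name` on the three `aws_dynamodb_table` resources forces replacement, so in every workspace where `has_sub_environment_scope = false` (int/blue, int/green, prod/blue and prod/green per the tfvars in this patch) the plan will presumably destroy the existing `imms-<sub_environment>-…` tables and create `imms-<environment>-…` ones; `events-dynamodb-table` has `stream_enabled = true`, so if those tables hold data this is data loss rather than a rename unless they are first brought into state under the new name (`terraform import` or a state move). Separately, blue and green now both declare the same table names, so whichever workspace applies second gets a ResourceInUseException from DynamoDB or, if both are imported, two states manage one table; a `lifecycle { prevent_destroy = true }` on these tables and an explicit decision on which workspace owns the shared resources is needed before this is applied. The `bucket` renames in the s3_config.tf hunks of this same patch have the same replacement and dual-ownership issue, and `force_destroy = local.is_temp` means the non-temporary bucket destroy would simply fail on a non-empty bucket.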
@@ -1,6 +1,7 @@ -environment = "dev" -immunisation_account_id = "345594581768" -dspp_core_account_id = "603871901111" -pds_environment = "int" -pds_check_enabled = true -create_mesh_processor = false +environment = "dev" +immunisation_account_id = "345594581768" +dspp_core_account_id = "603871901111" +pds_environment = "int" +pds_check_enabled = true +create_mesh_processor = false +has_sub_environment_scope = true diff --git a/terraform/environments/dev/pr/variables.tfvars b/terraform/environments/dev/pr/variables.tfvars index 5494b5b254..0c410efe95 100644 --- a/terraform/environments/dev/pr/variables.tfvars +++ b/terraform/environments/dev/pr/variables.tfvars @@ -1,6 +1,7 @@ -environment = "dev" -immunisation_account_id = "345594581768" -dspp_core_account_id = "603871901111" -pds_environment = "int" -pds_check_enabled = true -create_mesh_processor = false +environment = "dev" +immunisation_account_id = "345594581768" +dspp_core_account_id = "603871901111" +pds_environment = "int" +pds_check_enabled = true +create_mesh_processor = false +has_sub_environment_scope = true diff --git a/terraform/environments/dev/ref/variables.tfvars b/terraform/environments/dev/ref/variables.tfvars index f33465b249..c54c315677 100644 --- a/terraform/environments/dev/ref/variables.tfvars +++ b/terraform/environments/dev/ref/variables.tfvars @@ -1,6 +1,7 @@ -environment = "dev" -immunisation_account_id = "345594581768" -dspp_core_account_id = "603871901111" -pds_environment = "ref" -pds_check_enabled = true -create_mesh_processor = false +environment = "dev" +immunisation_account_id = "345594581768" +dspp_core_account_id = "603871901111" +pds_environment = "ref" +pds_check_enabled = true +create_mesh_processor = false +has_sub_environment_scope = true diff --git a/terraform/environments/int/blue/variables.tfvars b/terraform/environments/int/blue/variables.tfvars index 64e59cfe76..f76c0b46ae 100644 --- a/terraform/environments/int/blue/variables.tfvars 
+++ b/terraform/environments/int/blue/variables.tfvars @@ -1,6 +1,7 @@ -environment = "int" -immunisation_account_id = "084828561157" -dspp_core_account_id = "603871901111" -pds_environment = "int" -pds_check_enabled = false -create_mesh_processor = true +environment = "int" +immunisation_account_id = "084828561157" +dspp_core_account_id = "603871901111" +pds_environment = "int" +pds_check_enabled = false +create_mesh_processor = true +has_sub_environment_scope = false diff --git a/terraform/environments/int/green/variables.tfvars b/terraform/environments/int/green/variables.tfvars index 64e59cfe76..f76c0b46ae 100644 --- a/terraform/environments/int/green/variables.tfvars +++ b/terraform/environments/int/green/variables.tfvars @@ -1,6 +1,7 @@ -environment = "int" -immunisation_account_id = "084828561157" -dspp_core_account_id = "603871901111" -pds_environment = "int" -pds_check_enabled = false -create_mesh_processor = true +environment = "int" +immunisation_account_id = "084828561157" +dspp_core_account_id = "603871901111" +pds_environment = "int" +pds_check_enabled = false +create_mesh_processor = true +has_sub_environment_scope = false diff --git a/terraform/environments/prod/blue/variables.tfvars b/terraform/environments/prod/blue/variables.tfvars index 10295ace47..7cb2d4f652 100644 --- a/terraform/environments/prod/blue/variables.tfvars +++ b/terraform/environments/prod/blue/variables.tfvars @@ -1,7 +1,7 @@ -environment = "prod" -immunisation_account_id = "664418956997" -dspp_core_account_id = "232116723729" -pds_environment = "prod" -pds_check_enabled = true -create_mesh_processor = true - +environment = "prod" +immunisation_account_id = "664418956997" +dspp_core_account_id = "232116723729" +pds_environment = "prod" +pds_check_enabled = true +create_mesh_processor = true +has_sub_environment_scope = false diff --git a/terraform/environments/prod/green/variables.tfvars b/terraform/environments/prod/green/variables.tfvars index adde2c8a6f..7cb2d4f652 100644 
--- a/terraform/environments/prod/green/variables.tfvars +++ b/terraform/environments/prod/green/variables.tfvars @@ -1,6 +1,7 @@ -environment = "prod" -immunisation_account_id = "664418956997" -dspp_core_account_id = "232116723729" -pds_environment = "prod" -pds_check_enabled = true -create_mesh_processor = true +environment = "prod" +immunisation_account_id = "664418956997" +dspp_core_account_id = "232116723729" +pds_environment = "prod" +pds_check_enabled = true +create_mesh_processor = true +has_sub_environment_scope = false diff --git a/terraform/main.tf b/terraform/main.tf index ce9bd9f29a..6d04f46a8a 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -21,7 +21,7 @@ provider "aws" { default_tags { tags = { Project = var.project_name - Environment = var.sub_environment + Environment = var.has_sub_environment_scope ? var.sub_environment : var.environment Service = var.service } } diff --git a/terraform/s3_config.tf b/terraform/s3_config.tf index bb94320010..0cb2d39d74 100644 --- a/terraform/s3_config.tf +++ b/terraform/s3_config.tf @@ -93,7 +93,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "datasources_lifecycle" { resource "aws_s3_bucket" "batch_data_destination_bucket" { # Deliberately not using `local.batch_prefix` as we don't want separate blue / green destinations in prod. - bucket = "immunisation-batch-${var.sub_environment}-data-destinations" + bucket = "immunisation-batch-${local.resource_scope}-data-destinations" force_destroy = local.is_temp } @@ -192,7 +192,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "data_destinations" { } resource "aws_s3_bucket" "batch_config_bucket" { - bucket = "imms-${var.sub_environment}-fhir-config" + bucket = "imms-${local.resource_scope}-fhir-config" } resource "aws_s3_bucket_public_access_block" "batch_config_bucket_public_access_block" { diff --git a/terraform/variables.tf b/terraform/variables.tf index d4e55f9418..8cb2ea0dd6 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -38,6 +38,10 @@ variable "pds_check_enabled" { default = true } +variable "has_sub_environment_scope" { + default = false +} + locals { prefix = "${var.project_name}-${var.service}-${var.sub_environment}" short_prefix = "${var.project_short_name}-${var.sub_environment}" @@ -49,7 +53,7 @@ locals { config_bucket_arn = aws_s3_bucket.batch_config_bucket.arn config_bucket_name = aws_s3_bucket.batch_config_bucket.bucket is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", var.sub_environment)) > 0 - + resource_scope = var.has_sub_environment_scope ? var.sub_environment : var.environment # Public subnet - The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet. # public_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.gateway_id) > 0] # Private subnet - The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet. From b5e2bd3d4785130303aa3c4108931362a7aa2cd2 Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Wed, 23 Jul 2025 10:54:25 +0100 Subject: [PATCH 17/18] Resolved comments --- terraform/.terraform.lock.hcl | 34 +++++++++++++++++----------------- terraform/main.tf | 2 +- terraform/redis_sync_lambda.tf | 1 - 3 files changed, 18 insertions(+), 19 deletions(-) diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index 253a92f08e..999de00cd6 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl 
@@ -2,25 +2,25 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "6.3.0" - constraints = ">= 4.22.0, >= 5.79.0, >= 6.0.0, ~> 6.0" + version = "6.4.0" + constraints = ">= 6.0.0, ~> 6.0" hashes = [ - "h1:CeYTPZ8FvkzsvCavg2F7UExDFkSFHlnJ7Fj40RN7aNU=", - "zh:0502dc1889cca94c89bfc00b214970bffa2d81a2cdb55e05ab6192484ddb1532", - "zh:0a009c6f643410dc29fe2c07aee57e726ac86335fad84788fc7412abbd3a55be", - "zh:0ddd577e5f23dc0be23b87d62dff1f5694b88b1fbc01bdd3046b4b51cc18a00c", - "zh:1b2754cb01fa2c1a6a59c4195212f6bd4b3d1602e3f4ffb94ab609e01f2ea11a", - "zh:2bc0edb35a1411670d74e827db58ef32a07e11757fdaa17934dce5451511e55a", - "zh:703415b5c58d9232bdb686816e90525dfe96b0a374062bd8e27bec553cac5538", - "zh:8c4f1f41722aacb4b128dfb269f5b3f0aa1239a5742f22abb012f87095b2244c", - "zh:9815c0cc480acfef7c9b6b31505070bb0247a0982d98b4b6e51b1923b3a65f7e", + "h1:hUzF9bzWMJKPJ3Q0b13sQAOTU5vHOc9m/S5HFPJl5Sk=", + "zh:05946a97a2d98d3a77f2dfb1133b39d61b1166f717f051a8aa44eca22a7446b0", + "zh:07278697234332b254e990fff84fa5608aabdb256a0dbed05dfe336905d385a1", + "zh:1b1ad46267c84fa474618048a9ad94a634cf5d0e5ec3c8e56a854638129ae4da", + "zh:1ff04914571b1dfa485358badbc81306e34d8ebec4aa1f96b8c1c3d2eb0e4d4a", + "zh:43d7fb899186ca1b355af908d0904ea94a1e06de220de0b9752f06465386f66f", + "zh:49ce34c359d5b05ba684482dace5e9c418f3beabcc2b0d129b21687cb7673cab", + "zh:4bbad3a23dd704b1548da40e9c81befb617a0c02e5a9776ef0eff5ef920881c5", + "zh:680aa4bd542c7a847f7df91cd1fa33fe8d19914aa80a2570ea6c82ab2d1f5740", + "zh:792a74fe4d6b501571c582c25067f7f4dbdce2305d559d09981e7f99025c98ef", + "zh:7c06b331b6a6f160d2d64245b9aee32922a9cb9947b7a9ad8c0ec93a702ecb1b", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:b3563ce1e4c40fa139c045a1db06c3308fcf8aa9722c0a586a18bfbcedc111b5", - "zh:bbcf01aa5188416cb0f31425c2dfc3a4df41248d4dce9ebab709d416177a3011", - "zh:bc49559699e6a03ff57675172fc367db9993df74a502e0c6f273127af82990a9", - 
"zh:c89bbeee5db6bbe80ce152481b85a4d44b733d7c1e1a37924f36c9cde0b7ce2d", - "zh:d26793472e127a98dfa5d32a71adc4c960b573afc427604c9815bae9cda31a72", - "zh:eb8db004ccbf52b3ed8b15189c59560c233abd2c2f5ac5ee68768841c3c8e206", + "zh:9f40add95d4f3e1c62df46bf37e13c30023d97eda47d4940904792f3b1a1827e", + "zh:b763c7c1bf5d8077d6499fd270cad249a712dd9522c6a6e4de49b278280806c5", + "zh:db69df59bef6f9d8bcb164414b4efa52c0c531c346d6b8b232917afa9b1c4a96", + "zh:dd9f98f64530386b8faaf9c55ec4b08e58725788c38683272a34684d82f866f7", ] } diff --git a/terraform/main.tf b/terraform/main.tf index 6d04f46a8a..e3a8724d15 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -21,7 +21,7 @@ provider "aws" { default_tags { tags = { Project = var.project_name - Environment = var.has_sub_environment_scope ? var.sub_environment : var.environment + Environment = local.resource_scope Service = var.service } } diff --git a/terraform/redis_sync_lambda.tf b/terraform/redis_sync_lambda.tf index df0a9494ed..ec7e34945b 100644 --- a/terraform/redis_sync_lambda.tf +++ b/terraform/redis_sync_lambda.tf @@ -67,7 +67,6 @@ resource "aws_ecr_repository_policy" "redis_sync_lambda_ECRImageRetreival_policy ], Condition : { StringLike : { - # "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-redis_sync_lambda" "aws:sourceArn" : aws_lambda_function.redis_sync_lambda.arn } } From 66f916b7ef845a4f433faae9ff625d811377b51f Mon Sep 17 00:00:00 2001 From: robertnovac1 <196046006+robertnovac1@users.noreply.github.com> Date: Wed, 23 Jul 2025 11:03:24 +0100 Subject: [PATCH 18/18] Resolved cooment --- terraform/endpoints.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf index 11ab9da3ec..ad59840b68 100644 --- a/terraform/endpoints.tf +++ b/terraform/endpoints.tf 
@@ -23,7 +23,7 @@ locals {
 imms_table_name = aws_dynamodb_table.events-dynamodb-table.name
 imms_lambda_env_vars = {
 "DYNAMODB_TABLE_NAME" = local.imms_table_name,
- "IMMUNIZATION_ENV" = var.sub_environment,
+ "IMMUNIZATION_ENV" = local.resource_scope,
 "IMMUNIZATION_BASE_PATH" = strcontains(var.sub_environment, "pr-") ? "immunisation-fhir-api-${var.sub_environment}" : "immunisation-fhir-api"
 # except for prod and ref, any other env uses PDS int environment
 "PDS_ENV" = var.pds_environment