Update resource naming

jameslinnell · jameslinnell · commit 7ac90335c98d · 2025-08-14T15:13:44.000+01:00
diff --git a/infrastructure/modules/kms/README.md b/infrastructure/modules/kms/README.md
@@ -73,6 +73,7 @@ module "kms_key" {
 | <a name="input_allowed_arn"></a> [allowed\_arn](#input\_allowed\_arn) | List of ARNs that are allowed full encrypt/decrypt access to the KMS key. | `list(string)` | `[]` | no |
 | <a name="input_aws_identifiers"></a> [aws\_identifiers](#input\_aws\_identifiers) | List of ARNs that will be granted decrypt-only access. | `list(string)` | `[]` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Deployment environment (e.g., dev, staging, prod). | `string` | n/a | yes |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | Lambda KMS time to deletion in days | `number` | `30` | no |
 | <a name="input_kms_key_description"></a> [kms\_key\_description](#input\_kms\_key\_description) | Description of the KMS key. | `string` | n/a | yes |
 | <a name="input_kms_key_name"></a> [kms\_key\_name](#input\_kms\_key\_name) | Name of the KMS key to be created. | `string` | n/a | yes |
 | <a name="input_kms_key_rotation_enabled"></a> [kms\_key\_rotation\_enabled](#input\_kms\_key\_rotation\_enabled) | Enable automatic KMS key rotation. | `bool` | `true` | no |
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
@@ -78,31 +78,42 @@ module "lambda" {
 | Name | Type |
 |------|------|
 | [aws_api_gateway_integration.lambda_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration) | resource |
+| [aws_cloudwatch_log_group.lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_policy.combined_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.default_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lambda_execution_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_alias.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_permission.lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [archive_file.lambda](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.merged_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_api_execution_arn"></a> [api\_execution\_arn](#input\_api\_execution\_arn) | Execution ARN of the API Gateway used for granting invoke permissions. | `string` | `""` | no |
+| <a name="input_default_lambda_layers"></a> [default\_lambda\_layers](#input\_default\_lambda\_layers) | n/a | `list(string)` | <pre>[<br/>  "arn:aws:lambda:eu-west-2:282860088358:layer:AWS-AppConfig-Extension:120"<br/>]</pre> | no |
 | <a name="input_default_policies"></a> [default\_policies](#input\_default\_policies) | List of default IAM policy ARNs to attach to the Lambda execution role. | `list(string)` | <pre>[<br/>  "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",<br/>  "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"<br/>]</pre> | no |
+| <a name="input_extra_lambda_layers"></a> [extra\_lambda\_layers](#input\_extra\_lambda\_layers) | n/a | `list(string)` | <pre>[<br/>  "arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:53"<br/>]</pre> | no |
 | <a name="input_handler"></a> [handler](#input\_handler) | Function entry point in the codebase (e.g., 'index.handler'). | `string` | n/a | yes |
 | <a name="input_http_methods"></a> [http\_methods](#input\_http\_methods) | List of HTTP methods to integrate with the Lambda function. | `list(string)` | `[]` | no |
 | <a name="input_iam_role_policy_documents"></a> [iam\_role\_policy\_documents](#input\_iam\_role\_policy\_documents) | List of IAM policy document ARNs to attach to the Lambda execution role. | `list(string)` | `[]` | no |
 | <a name="input_is_gateway_integration_needed"></a> [is\_gateway\_integration\_needed](#input\_is\_gateway\_integration\_needed) | Indicate whether the lambda need an aws\_api\_gateway\_integration resource block | `bool` | `true` | no |
 | <a name="input_is_invoked_from_gateway"></a> [is\_invoked\_from\_gateway](#input\_is\_invoked\_from\_gateway) | Indicate whether the lambda is supposed to be invoked by API gateway. Should be true for authoriser lambda. | `bool` | `true` | no |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | Lambda KMS time to deletion in days | `number` | `30` | no |
 | <a name="input_lambda_environment_variables"></a> [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | Map of environment variables to set in the Lambda function. | `map(string)` | `{}` | no |
 | <a name="input_lambda_ephemeral_storage"></a> [lambda\_ephemeral\_storage](#input\_lambda\_ephemeral\_storage) | Amount of ephemeral storage (in MB) to allocate to the Lambda function. | `number` | `512` | no |
 | <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Function timeout in seconds. | `number` | `30` | no |
 | <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Amount of memory to allocate to the Lambda function (in MB). | `number` | `512` | no |
 | <a name="input_name"></a> [name](#input\_name) | Unique name for the Lambda function. | `string` | n/a | yes |
+| <a name="input_persistent_workspaces"></a> [persistent\_workspaces](#input\_persistent\_workspaces) | A list of workspaces that require persistent logs | `list(string)` | <pre>[<br/>  "ndr-dev",<br/>  "ndr-test",<br/>  "pre-prod",<br/>  "prod"<br/>]</pre> | no |
 | <a name="input_reserved_concurrent_executions"></a> [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | The number of concurrent execution allowed for lambda. A value of 0 will stop lambda from running, and -1 removes any concurrency limitations. Default to -1. | `number` | `-1` | no |
 | <a name="input_resource_id"></a> [resource\_id](#input\_resource\_id) | ID of the API Gateway resource (path) to attach Lambda to. | `string` | `""` | no |
 | <a name="input_rest_api_id"></a> [rest\_api\_id](#input\_rest\_api\_id) | ID of the associated API Gateway REST API. | `string` | `""` | no |
diff --git a/infrastructure/modules/lambda/main.tf b/infrastructure/modules/lambda/main.tf
@@ -10,7 +10,7 @@ resource "aws_lambda_function" "lambda" {
   timeout                        = var.lambda_timeout
   memory_size                    = var.memory_size
   reserved_concurrent_executions = var.reserved_concurrent_executions
-  kms_key_arn                    = aws_kms_key.lambda_kms_key.arn
+  kms_key_arn                    = aws_kms_key.lambda.arn
   ephemeral_storage {
     size = var.lambda_ephemeral_storage
   }
@@ -35,7 +35,7 @@ resource "aws_cloudwatch_log_group" "lambda_logs" {
 
 data "aws_caller_identity" "current" {}
 
-data "aws_iam_policy_document" "lambda_kms_policy" {
+data "aws_iam_policy_document" "admin" {
   statement {
     sid    = "AllowRootAccountAccess"
     effect = "Allow"
@@ -75,7 +75,7 @@ data "aws_iam_policy_document" "lambda_kms_policy" {
   }
 }
 
-data "aws_iam_policy_document" "lambda_kms_usage" {
+data "aws_iam_policy_document" "lambda" {
   statement {
     effect = "Allow"
     actions = [
@@ -84,27 +84,27 @@ data "aws_iam_policy_document" "lambda_kms_usage" {
       "kms:GenerateDataKey"
     ]
     resources = [
-      aws_kms_key.lambda_kms_key.arn
+      aws_kms_key.lambda.arn
     ]
   }
 }
 
-resource "aws_iam_role_policy" "lambda_kms_usage" {
+resource "aws_iam_role_policy" "lambda" {
   name   = "lambda_kms_usage"
   role   = aws_iam_role.lambda_execution_role.id
-  policy = data.aws_iam_policy_document.lambda_kms_usage.json
+  policy = data.aws_iam_policy_document.lambda.json
 }
 
-resource "aws_kms_key" "lambda_kms_key" {
+resource "aws_kms_key" "lambda" {
   deletion_window_in_days = var.kms_deletion_window
   description             = "Custom KMS Key for ${terraform.workspace}_${var.name}"
   enable_key_rotation     = true
-  policy                  = data.aws_iam_policy_document.lambda_kms_policy.json
+  policy                  = data.aws_iam_policy_document.admin.json
 }
 
-resource "aws_kms_alias" "lambda_kms_key_alias" {
+resource "aws_kms_alias" "lambda" {
   name          = "alias/${terraform.workspace}_${var.name}"
-  target_key_id = aws_kms_key.lambda_kms_key.key_id
+  target_key_id = aws_kms_key.lambda.key_id
 }
 
 resource "aws_api_gateway_integration" "lambda_integration" {
@@ -146,7 +146,7 @@ resource "aws_iam_role" "lambda_execution_role" {
 }
 
 data "aws_iam_policy_document" "merged_policy" {
-  source_policy_documents = concat(var.iam_role_policy_documents, [data.aws_iam_policy_document.lambda_kms_usage.json])
+  source_policy_documents = concat(var.iam_role_policy_documents, [data.aws_iam_policy_document.lambda.json])
 }
 
 resource "aws_iam_policy" "combined_policies" {

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ resource "aws_lambda_function" "lambda" {`
`10`	`10`	`timeout = var.lambda_timeout`
`11`	`11`	`memory_size = var.memory_size`
`12`	`12`	`reserved_concurrent_executions = var.reserved_concurrent_executions`
`13`		`- kms_key_arn = aws_kms_key.lambda_kms_key.arn`
	`13`	`+ kms_key_arn = aws_kms_key.lambda.arn`
`14`	`14`	`ephemeral_storage {`
`15`	`15`	`size = var.lambda_ephemeral_storage`
`16`	`16`	`}`
`@@ -35,7 +35,7 @@ resource "aws_cloudwatch_log_group" "lambda_logs" {`
`35`	`35`
`36`	`36`	`data "aws_caller_identity" "current" {}`
`37`	`37`
`38`		`-data "aws_iam_policy_document" "lambda_kms_policy" {`
	`38`	`+data "aws_iam_policy_document" "admin" {`
`39`	`39`	`statement {`
`40`	`40`	`sid = "AllowRootAccountAccess"`
`41`	`41`	`effect = "Allow"`
`@@ -75,7 +75,7 @@ data "aws_iam_policy_document" "lambda_kms_policy" {`
`75`	`75`	`}`
`76`	`76`	`}`
`77`	`77`
`78`		`-data "aws_iam_policy_document" "lambda_kms_usage" {`
	`78`	`+data "aws_iam_policy_document" "lambda" {`
`79`	`79`	`statement {`
`80`	`80`	`effect = "Allow"`
`81`	`81`	`actions = [`
`@@ -84,27 +84,27 @@ data "aws_iam_policy_document" "lambda_kms_usage" {`
`84`	`84`	`"kms:GenerateDataKey"`
`85`	`85`	`]`
`86`	`86`	`resources = [`
`87`		`- aws_kms_key.lambda_kms_key.arn`
	`87`	`+ aws_kms_key.lambda.arn`
`88`	`88`	`]`
`89`	`89`	`}`
`90`	`90`	`}`
`91`	`91`
`92`		`-resource "aws_iam_role_policy" "lambda_kms_usage" {`
	`92`	`+resource "aws_iam_role_policy" "lambda" {`
`93`	`93`	`name = "lambda_kms_usage"`
`94`	`94`	`role = aws_iam_role.lambda_execution_role.id`
`95`		`- policy = data.aws_iam_policy_document.lambda_kms_usage.json`
	`95`	`+ policy = data.aws_iam_policy_document.lambda.json`
`96`	`96`	`}`
`97`	`97`
`98`		`-resource "aws_kms_key" "lambda_kms_key" {`
	`98`	`+resource "aws_kms_key" "lambda" {`
`99`	`99`	`deletion_window_in_days = var.kms_deletion_window`
`100`	`100`	`description = "Custom KMS Key for ${terraform.workspace}_${var.name}"`
`101`	`101`	`enable_key_rotation = true`
`102`		`- policy = data.aws_iam_policy_document.lambda_kms_policy.json`
	`102`	`+ policy = data.aws_iam_policy_document.admin.json`
`103`	`103`	`}`
`104`	`104`
`105`		`-resource "aws_kms_alias" "lambda_kms_key_alias" {`
	`105`	`+resource "aws_kms_alias" "lambda" {`
`106`	`106`	`name = "alias/${terraform.workspace}_${var.name}"`
`107`		`- target_key_id = aws_kms_key.lambda_kms_key.key_id`
	`107`	`+ target_key_id = aws_kms_key.lambda.key_id`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`resource "aws_api_gateway_integration" "lambda_integration" {`
`@@ -146,7 +146,7 @@ resource "aws_iam_role" "lambda_execution_role" {`
`146`	`146`	`}`
`147`	`147`
`148`	`148`	`data "aws_iam_policy_document" "merged_policy" {`
`149`		`- source_policy_documents = concat(var.iam_role_policy_documents, [data.aws_iam_policy_document.lambda_kms_usage.json])`
	`149`	`+ source_policy_documents = concat(var.iam_role_policy_documents, [data.aws_iam_policy_document.lambda.json])`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`resource "aws_iam_policy" "combined_policies" {`