changes to allow use of lambda shared module

alexnuttall · alexnuttall · commit 27a9c4d304e6 · 2025-05-13T11:39:40.000+01:00
diff --git a/infrastructure/terraform/components/acct/module_s3bucket_artefacts.tf  b/infrastructure/terraform/components/acct/module_s3bucket_artefacts.tf 
@@ -0,0 +1,130 @@
+module "s3bucket_artefacts" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v2.0.2"
+
+  name = "artefacts"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  lifecycle_rules = [
+    {
+      prefix  = ""
+      enabled = true
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "90"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_artefacts.json
+  ]
+
+  bucket_logging_target = {
+    bucket = module.s3bucket_access_logs.id
+  }
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+
+  default_tags = {
+    Name = "Artefact bucket"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_artefacts" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_artefacts.arn,
+      "${module.s3bucket_artefacts.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_artefacts.arn,
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_artefacts.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+}
diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf
@@ -12,6 +12,11 @@ output "github_pat_ssm_param_name" {
 
 output "s3_buckets" {
   value = {
+    artefacts = {
+      arn    = module.s3bucket_artefacts.arn
+      bucket = module.s3bucket_artefacts.bucket
+      id     = module.s3bucket_artefacts.id
+    }
     backup_reports = {
       arn    = module.s3bucket_backup_reports.arn
       bucket = module.s3bucket_backup_reports.bucket
diff --git a/infrastructure/terraform/components/app/module_download_authorizer_lambda.tf b/infrastructure/terraform/components/app/module_download_authorizer_lambda.tf
@@ -22,7 +22,7 @@ module "download_authorizer_lambda" {
     body = data.aws_iam_policy_document.authorizer.json
   }
 
-  function_s3_bucket       = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_s3_bucket       = local.acct.s3_buckets["artefacts"]["id"]
   function_code_base_path  = local.lambdas_source_code_dir
   function_code_dir        = "download-authorizer/dist"
   handler_function_name    = "handler"
diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh
@@ -2,4 +2,6 @@ npm ci
 
 npm run generate-dependencies --workspaces --if-present
 
+npm run lambda-build --workspaces --if-present
+
 $(git rev-parse --show-toplevel)/lambdas/layers/pdfjs/build.sh
diff --git a/lambdas/download-authorizer/package.json b/lambdas/download-authorizer/package.json
@@ -3,9 +3,10 @@
   "version": "0.0.1",
   "private": true,
   "scripts": {
-    "test:unit": "jest",
-    "lint": "eslint .",
+    "lambda-build": "rm -rf dist && npx esbuild --bundle --minify --sourcemap --target=es2020 --platform=node --loader:.node=file --entry-names=[name] --outdir=dist src/index.ts",
     "lint:fix": "eslint . --fix",
+    "lint": "eslint .",
+    "test:unit": "jest",
     "typecheck": "tsc --noEmit"
   },
   "devDependencies": {

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ module "download_authorizer_lambda" {`
`22`	`22`	`body = data.aws_iam_policy_document.authorizer.json`
`23`	`23`	`}`
`24`	`24`
`25`		`- function_s3_bucket = local.acct.s3_buckets["lambda_function_artefacts"]["id"]`
	`25`	`+ function_s3_bucket = local.acct.s3_buckets["artefacts"]["id"]`
`26`	`26`	`function_code_base_path = local.lambdas_source_code_dir`
`27`	`27`	`function_code_dir = "download-authorizer/dist"`
`28`	`28`	`handler_function_name = "handler"`