back to shared lamdba mod, again

Author: alexnuttall

infrastructure/terraform/components/acct/README.md

@@ -36,6 +36,7 @@
 | <a name="module_kms_sandbox"></a> [kms\_sandbox](#module\_kms\_sandbox) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
 | <a name="module_obs_datasource"></a> [obs\_datasource](#module\_obs\_datasource) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource | v2.0.3 |
 | <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.9 |
+| <a name="module_s3bucket_artefacts"></a> [s3bucket\_artefacts](#module\_s3bucket\_artefacts) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
 | <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.19.0 |
 ## Outputs

infrastructure/terraform/components/acct/module_s3bucket_artefacts.tf

@@ -0,0 +1,130 @@
+module "s3bucket_artefacts" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v2.0.2"
+
+  name = "artefacts"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  lifecycle_rules = [
+    {
+      prefix  = ""
+      enabled = true
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "90"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_artefacts.json
+  ]
+
+  bucket_logging_target = {
+    bucket = module.s3bucket_access_logs.id
+  }
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+
+  default_tags = {
+    Name = "Artefact bucket"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_artefacts" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_artefacts.arn,
+      "${module.s3bucket_artefacts.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_artefacts.arn,
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_artefacts.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+}

infrastructure/terraform/components/acct/outputs.tf

@@ -12,6 +12,11 @@ output "github_pat_ssm_param_name" {
 
 output "s3_buckets" {
   value = {
+    artefacts = {
+      arn    = module.s3bucket_artefacts.arn
+      bucket = module.s3bucket_artefacts.bucket
+      id     = module.s3bucket_artefacts.id
+    }
     backup_reports = {
       arn    = module.s3bucket_backup_reports.arn
       bucket = module.s3bucket_backup_reports.bucket

infrastructure/terraform/components/app/README.md

@@ -51,8 +51,7 @@
 |------|--------|---------|
 | <a name="module_amplify_branch"></a> [amplify\_branch](#module\_amplify\_branch) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/amp_branch | v1.0.0 |
 | <a name="module_backend_api"></a> [backend\_api](#module\_backend\_api) | ../../modules/backend-api | n/a |
-| <a name="module_download_authorizer_build"></a> [download\_authorizer\_build](#module\_download\_authorizer\_build) | ../../modules/typescript-build-zip | n/a |
-| <a name="module_download_authorizer_lambda"></a> [download\_authorizer\_lambda](#module\_download\_authorizer\_lambda) | ../../modules/lambda-function | n/a |
+| <a name="module_download_authorizer_lambda"></a> [download\_authorizer\_lambda](#module\_download\_authorizer\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.2 |
 | <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/eventpub | v1.0.13 |
 | <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
 | <a name="module_nhse_backup_vault"></a> [nhse\_backup\_vault](#module\_nhse\_backup\_vault) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/aws-backup-source | v1.0.8 |

infrastructure/terraform/components/app/module_download_authorizer_lambda.tf

@@ -1,60 +1,37 @@
 module "download_authorizer_lambda" {
-  source      = "../../modules/lambda-function"
-  description = "templates api download authorizer"
-
-  function_name    = "${local.csi}-download-authorizer"
-  filename         = module.download_authorizer_build.zips[local.authorizer_entrypoint].path
-  source_code_hash = module.download_authorizer_build.zips[local.authorizer_entrypoint].base64sha256
-  runtime          = "nodejs20.x"
-  handler          = "index.handler"
-  publish          = true
-
-  log_retention_in_days = var.log_retention_in_days
-  # source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.2"
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.2"
 
   providers = {
     aws = aws.us-east-1
   }
 
-  # function_name = "download-authorizer"
-  # description   = "Download authorizer for s3 download bucket"
-
-  # aws_account_id = var.aws_account_id
-  # component      = var.component
-  # environment    = var.environment
-  # project        = var.project
-  # region         = "us-east-1"
-  # group          = var.group
-
-  # log_retention_in_days = var.log_retention_in_days
-  # kms_key_arn           = module.kms.key_arn
+  function_name = "download-authorizer"
+  description   = "Download authorizer for s3 download bucket"
 
-  # iam_policy_document = {
-  #   body = data.aws_iam_policy_document.authorizer.json
-  # }
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = "us-east-1"
+  group          = var.group
 
-  # function_s3_bucket       = local.acct.s3_buckets["artefacts"]["id"]
-  # function_code_base_path  = local.lambdas_source_code_dir
-  # function_code_dir        = "download-authorizer/dist"
-  # handler_function_name    = "handler"
-  # runtime                  = "nodejs20.x"
-  # memory                   = 128
-  # timeout                  = 3
-  # lambda_at_edge           = true
-  # enable_lambda_insights   = false
-  # force_lambda_code_deploy = true
-}
-
-// temp
-module "download_authorizer_build" {
-  source = "../../modules/typescript-build-zip"
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
 
-  source_code_dir = "${local.lambdas_source_code_dir}/authorizer"
-  entrypoints     = [local.authorizer_entrypoint]
-}
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.authorizer.json
+  }
 
-locals {
-  authorizer_entrypoint = "src/index.ts"
+  function_s3_bucket       = local.acct.s3_buckets["artefacts"]["id"]
+  function_code_base_path  = local.lambdas_source_code_dir
+  function_code_dir        = "download-authorizer/dist"
+  handler_function_name    = "handler"
+  runtime                  = "nodejs20.x"
+  memory                   = 128
+  timeout                  = 3
+  lambda_at_edge           = true
+  enable_lambda_insights   = false
+  force_lambda_code_deploy = true
 }
 
 data "aws_iam_policy_document" "authorizer" {

infrastructure/terraform/components/app/pre.sh

@@ -2,4 +2,6 @@ npm ci
 
 npm run generate-dependencies --workspaces --if-present
 
+npm run lambda-build --workspaces --if-present
+
 $(git rev-parse --show-toplevel)/lambdas/layers/pdfjs/build.sh

infrastructure/terraform/modules/lambda-function/README.md

@@ -19,7 +19,6 @@ No requirements.
 | <a name="input_layer_arns"></a> [layer\_arns](#input\_layer\_arns) | List of Lambda Layer Version ARNs (maximum of 5) to attach to your Lambda Function. | `list(string)` | `null` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group for this Lambda | `number` | `0` | no |
 | <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Lambda memory size | `number` | `128` | no |
-| <a name="input_publish"></a> [publish](#input\_publish) | Whether to publish creation/change as new Lambda Function Version | `bool` | `false` | no |
 | <a name="input_runtime"></a> [runtime](#input\_runtime) | Identifier of the function's runtime | `string` | `"nodejs20.x"` | no |
 | <a name="input_source_code_hash"></a> [source\_code\_hash](#input\_source\_code\_hash) | Base64-encoded SHA256 hash of the package file specified by `filename` | `string` | n/a | yes |
 | <a name="input_sqs_event_source_mapping"></a> [sqs\_event\_source\_mapping](#input\_sqs\_event\_source\_mapping) | Configuration for SQS event source mapping | <pre>object({<br/>    sqs_queue_arn                      = string<br/>    batch_size                         = optional(number, 10)<br/>    maximum_batching_window_in_seconds = optional(number, 0)<br/>    scaling_config = optional(object({<br/>      maximum_concurrency = number<br/>    }), null)<br/>  })</pre> | `null` | no |

infrastructure/terraform/modules/lambda-function/lambda_function_main.tf

@@ -9,7 +9,6 @@ resource "aws_lambda_function" "main" {
   memory_size      = var.memory_size
   layers           = var.layer_arns
   timeout          = var.timeout
-  publish          = var.publish
 
   environment {
     variables = var.environment_variables

infrastructure/terraform/modules/lambda-function/variables.tf

@@ -94,9 +94,3 @@ variable "sqs_event_source_mapping" {
   })
   default = null
 }
-
-variable "publish" {
-  type        = bool
-  description = "Whether to publish creation/change as new Lambda Function Version"
-  default     = false
-}