feat: lambda pdv reconciler (#867)

* feat: add lambda-pdv-reconciler deploy lambda

* feat: add lambda-pdv-reconciler lambda code

* feat: remove lambda from vpc

* feat: add PDV_BASE_URL env var and pdv_base_url tf var

* feat: add logs

* Potential fix for code scanning alert no. 57: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: Benito Visone

.github/workflows/deploy-lambda-pdv-reconciler.yml

@@ -0,0 +1,102 @@
+name: Deploy Lambda PDV reconciler
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "**/src/oneid/oneid-lambda-pdv-reconciler/**"
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Choose environment'
+        type: choice
+        required: true
+        default: dev
+        options:
+          - dev
+          - uat
+          - prod
+jobs:
+  setup:
+    runs-on: ubuntu-22.04
+    outputs:
+      matrix: ${{ steps.setmatrix.outputs.matrix }}
+
+    steps:
+      - name: Set Dynamic Env Matrix
+        id: setmatrix
+        run: |
+          echo "github.ref ${{ github.ref }}"
+          echo "event name ${{ github.event_name }}"
+          
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+            if [ "${{ github.event.inputs.environment }}" == "prod" ]; then
+              matrixStringifiedObject="{\"include\":[{\"environment\":\"prod\", \"region\":\"eu-south-1\"}, {\"environment\":\"prod\", \"region\":\"eu-central-1\"}]}"
+            else
+              matrixStringifiedObject="{\"include\":[{\"environment\":\"${{ github.event.inputs.environment }}\", \"region\":\"eu-south-1\"}]}"
+            fi
+          else
+            matrixStringifiedObject="{\"include\":[{\"environment\":\"dev\", \"region\":\"eu-south-1\"}, {\"environment\":\"uat\", \"region\":\"eu-south-1\"}, {\"environment\":\"prod\", \"region\":\"eu-south-1\"}, {\"environment\":\"prod\", \"region\":\"eu-central-1\"}]}"
+          fi
+
+          echo "matrix=$matrixStringifiedObject" >> $GITHUB_OUTPUT
+
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+
+      - name: Zip Lambda
+        working-directory: src/oneid/oneid-lambda-pdv-reconciler
+        run: |
+          mkdir -p ./target && zip -r target/oneid-lambda-pdv-reconciler.zip . -x "*.dist-info/*" -x "target/*"
+
+      - name: Archive build artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+        with:
+          name: pdv-reconciler-lambda
+          path: ./src/oneid/oneid-lambda-pdv-reconciler/target/oneid-lambda-pdv-reconciler.zip
+
+  deploy:
+    name: Deploy lambda pdv reconciler ${{ matrix.environment }}-${{ matrix.region }}
+    if: ${{ needs.setup.outputs.matrix != '' }}
+    runs-on: ubuntu-22.04
+    needs: [ setup, build ]
+    strategy:
+      matrix: ${{ fromJson(needs.setup.outputs.matrix) }}
+
+    continue-on-error: false
+    environment: ${{ matrix.environment == 'prod' && format('{0}/{1}', matrix.environment, matrix.region) || matrix.environment }}
+    env:
+      ENV_SHORT: ${{ fromJSON('{"dev":"d","uat":"u","prod":"p"}')[matrix.environment] }}
+      REGION_SHORT: ${{ fromJSON('{"eu-south-1":"es-1","eu-central-1":"ec-1"}')[matrix.region] }}
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
+        with:
+          name: pdv-reconciler-lambda
+          path: ./src/oneid/oneid-lambda-pdv-reconciler/target
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        with:
+          role-to-assume: ${{ vars.IAM_ROLE_DEPLOY_LAMBDA }}
+          aws-region: ${{ matrix.region }}
+
+      - name: Update Lambda function (${{ matrix.environment }})
+        run: |
+          aws s3 cp src/oneid/oneid-lambda-pdv-reconciler/target/oneid-lambda-pdv-reconciler.zip s3://${{vars.LAMBDA_CODE_BUCKET_NAME}}/${{vars.LAMBDA_PDV_RECONCILER_KEY}}
+
+      - name: Deploy Lambda function (${{ matrix.environment }})
+        run: |
+          aws lambda update-function-code \
+          --function-name oneid-${{ env.REGION_SHORT }}-${{ env.ENV_SHORT }}-pdv-reconciler \
+          --s3-bucket ${{vars.LAMBDA_CODE_BUCKET_NAME}} --s3-key ${{vars.LAMBDA_PDV_RECONCILER_KEY}}

src/infra/dev/eu-south-1/README.md

@@ -176,6 +176,7 @@
 | <a name="input_metadata_info"></a> [metadata\_info](#input\_metadata\_info) | # Metadata Info variables## | <pre>object({<br/>    acs_url = string<br/>    slo_url = string<br/>  })</pre> | <pre>{<br/>  "acs_url": "/saml/acs",<br/>  "slo_url": "/saml/slo"<br/>}</pre> | no |
 | <a name="input_number_of_images_to_keep"></a> [number\_of\_images\_to\_keep](#input\_number\_of\_images\_to\_keep) | Number of images to keeps in ECR. | `number` | `5` | no |
 | <a name="input_pairwise_enabled"></a> [pairwise\_enabled](#input\_pairwise\_enabled) | Enable PDV pairwise feature | `bool` | `true` | no |
+| <a name="input_pdv_base_url"></a> [pdv\_base\_url](#input\_pdv\_base\_url) | PDV base URL | `string` | `"https://api.dev.pdv.pagopa.it"` | no |
 | <a name="input_r53_dns_zone"></a> [r53\_dns\_zone](#input\_r53\_dns\_zone) | # R53 DNS zone ## | <pre>object({<br/>    name    = string<br/>    comment = string<br/>  })</pre> | <pre>{<br/>  "comment": "Oneidentity dev zone.",<br/>  "name": "dev.oneid.pagopa.it"<br/>}</pre> | no |
 | <a name="input_repository_image_tag_mutability"></a> [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to IMMUTABLE | `string` | `"MUTABLE"` | no |
 | <a name="input_rest_api_throttle_settings"></a> [rest\_api\_throttle\_settings](#input\_rest\_api\_throttle\_settings) | Rest api throttle settings. | <pre>object({<br/>    burst_limit = number<br/>    rate_limit  = number<br/>  })</pre> | <pre>{<br/>  "burst_limit": 100,<br/>  "rate_limit": 50<br/>}</pre> | no |

src/infra/dev/eu-south-1/main.tf

@@ -251,7 +251,7 @@ module "backend" {
       },
       {
         name  = "PDV_BASE_URL"
-        value = "https://api.dev.pdv.pagopa.it"
+        value = var.pdv_base_url
       },
       {
         name  = "PDV_ERROR_QUEUE_URL"
@@ -555,7 +555,8 @@ module "backend" {
     vpc_tls_security_group_endpoint_id = module.network.security_group_vpc_tls_id
     pdv_errors_queue_arn               = module.sqs.sqs_queue_arn
     environment_variables = {
-      "LOG_LEVEL" = var.app_log_level
+      "LOG_LEVEL"    = var.app_log_level
+      "PDV_BASE_URL" = var.pdv_base_url
     }
   }
 

src/infra/dev/eu-south-1/variables.tf

@@ -772,3 +772,9 @@ variable "pairwise_enabled" {
   default     = true
   description = "Enable PDV pairwise feature"
 }
+
+variable "pdv_base_url" {
+  type        = string
+  default     = "https://api.dev.pdv.pagopa.it"
+  description = "PDV base URL"
+}

src/infra/modules/backend/lambda.tf

@@ -987,12 +987,8 @@ module "pdv_reconciler_lambda" {
   ignore_source_code_hash = true
 
 
-  attach_policy_json    = true
-  policy_json           = data.aws_iam_policy_document.pdv_reconciler_lambda.json
-  attach_network_policy = true
-
-  vpc_subnet_ids         = var.pdv_reconciler_lambda.vpc_subnet_ids
-  vpc_security_group_ids = [module.security_group_lambda_pdv_reconciler.security_group_id]
+  attach_policy_json = true
+  policy_json        = data.aws_iam_policy_document.pdv_reconciler_lambda.json
 
   publish = true
 
@@ -1030,36 +1026,20 @@ data "aws_iam_policy_document" "pdv_reconciler_lambda" {
       var.pdv_reconciler_lambda.pdv_errors_queue_arn
     ]
   }
+  statement {
+    effect = "Allow"
+    actions = [
+      "ssm:Describe*",
+      "ssm:Get*",
+      "ssm:List*"
+    ]
+    resources = [
+      "arn:aws:ssm:${var.aws_region}:${var.account_id}:parameter/pdv/*"
+    ]
+  }
 
 }
 
-module "security_group_lambda_pdv_reconciler" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "4.17.2"
-
-  name        = "${var.pdv_reconciler_lambda.name}-sg"
-  description = "Security Group for Lambda Egress"
-
-  vpc_id = var.pdv_reconciler_lambda.vpc_id
-
-  egress_cidr_blocks      = []
-  egress_ipv6_cidr_blocks = []
-
-  # Prefix list ids to use in all egress rules in this module
-  egress_prefix_list_ids = [
-  ]
-
-  egress_rules = ["https-443-tcp"]
-}
-
-resource "aws_vpc_security_group_egress_rule" "pdv_reconciler_sec_group_egress_rule" {
-  security_group_id            = module.security_group_lambda_pdv_reconciler.security_group_id
-  from_port                    = 443
-  ip_protocol                  = "tcp"
-  to_port                      = 443
-  referenced_security_group_id = var.pdv_reconciler_lambda.vpc_tls_security_group_endpoint_id
-}
-
 ## Cert Expiration Lambda ##
 data "aws_iam_policy_document" "cert_exp_checker_lambda" {
   statement {

src/infra/prod/eu-central-1/README.md

@@ -142,6 +142,7 @@ No outputs.
 | <a name="input_metadata_info"></a> [metadata\_info](#input\_metadata\_info) | # Metadata Info variables## | <pre>object({<br/>    acs_url = string<br/>    slo_url = string<br/>  })</pre> | <pre>{<br/>  "acs_url": "/saml/acs",<br/>  "slo_url": "/saml/slo"<br/>}</pre> | no |
 | <a name="input_number_of_images_to_keep"></a> [number\_of\_images\_to\_keep](#input\_number\_of\_images\_to\_keep) | Number of images to keeps in ECR. | `number` | `10` | no |
 | <a name="input_pairwise_enabled"></a> [pairwise\_enabled](#input\_pairwise\_enabled) | Enable PDV pairwise feature | `bool` | `true` | no |
+| <a name="input_pdv_base_url"></a> [pdv\_base\_url](#input\_pdv\_base\_url) | PDV base URL | `string` | `"https://api.pdv.pagopa.it"` | no |
 | <a name="input_r53_dns_zone"></a> [r53\_dns\_zone](#input\_r53\_dns\_zone) | # R53 DNS zone ## | <pre>object({<br/>    name    = string<br/>    comment = string<br/>  })</pre> | <pre>{<br/>  "comment": "Oneidentity prod hosted zone.",<br/>  "name": "oneid.pagopa.it"<br/>}</pre> | no |
 | <a name="input_repository_image_tag_mutability"></a> [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to IMMUTABLE | `string` | `"MUTABLE"` | no |
 | <a name="input_rest_api_throttle_settings"></a> [rest\_api\_throttle\_settings](#input\_rest\_api\_throttle\_settings) | Rest api throttle settings. | <pre>object({<br/>    burst_limit = number<br/>    rate_limit  = number<br/>  })</pre> | <pre>{<br/>  "burst_limit": 500,<br/>  "rate_limit": 300<br/>}</pre> | no |

src/infra/prod/eu-central-1/main.tf

@@ -174,7 +174,7 @@ module "backend" {
       },
       {
         name  = "PDV_BASE_URL"
-        value = "https://api.pdv.pagopa.it"
+        value = var.pdv_base_url
       },
       {
         name  = "PDV_ERROR_QUEUE_URL"
@@ -230,7 +230,8 @@ module "backend" {
     vpc_tls_security_group_endpoint_id = module.network.security_group_vpc_tls_id
     pdv_errors_queue_arn               = module.sqs.sqs_queue_arn
     environment_variables = {
-      "LOG_LEVEL" = var.app_log_level
+      "LOG_LEVEL"    = var.app_log_level
+      "PDV_BASE_URL" = var.pdv_base_url
     }
   }
 

src/infra/prod/eu-central-1/variables.tf

@@ -677,3 +677,9 @@ variable "pairwise_enabled" {
   default     = true
   description = "Enable PDV pairwise feature"
 }
+
+variable "pdv_base_url" {
+  type        = string
+  default     = "https://api.pdv.pagopa.it"
+  description = "PDV base URL"
+}

src/infra/prod/eu-south-1/README.md

@@ -166,6 +166,7 @@
 | <a name="input_metadata_info"></a> [metadata\_info](#input\_metadata\_info) | # Metadata Info variables## | <pre>object({<br/>    acs_url = string<br/>    slo_url = string<br/>  })</pre> | <pre>{<br/>  "acs_url": "/saml/acs",<br/>  "slo_url": "/saml/slo"<br/>}</pre> | no |
 | <a name="input_number_of_images_to_keep"></a> [number\_of\_images\_to\_keep](#input\_number\_of\_images\_to\_keep) | Number of images to keeps in ECR. | `number` | `10` | no |
 | <a name="input_pairwise_enabled"></a> [pairwise\_enabled](#input\_pairwise\_enabled) | Enable PDV pairwise feature | `bool` | `true` | no |
+| <a name="input_pdv_base_url"></a> [pdv\_base\_url](#input\_pdv\_base\_url) | PDV base URL | `string` | `"https://api.pdv.pagopa.it"` | no |
 | <a name="input_r53_dns_zone"></a> [r53\_dns\_zone](#input\_r53\_dns\_zone) | # R53 DNS zone ## | <pre>object({<br/>    name    = string<br/>    comment = string<br/>  })</pre> | <pre>{<br/>  "comment": "Oneidentity prod hosted zone.",<br/>  "name": "oneid.pagopa.it"<br/>}</pre> | no |
 | <a name="input_repository_image_tag_mutability"></a> [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to IMMUTABLE | `string` | `"MUTABLE"` | no |
 | <a name="input_rest_api_throttle_settings"></a> [rest\_api\_throttle\_settings](#input\_rest\_api\_throttle\_settings) | Rest api throttle settings. | <pre>object({<br/>    burst_limit = number<br/>    rate_limit  = number<br/>  })</pre> | <pre>{<br/>  "burst_limit": 500,<br/>  "rate_limit": 300<br/>}</pre> | no |

src/infra/prod/eu-south-1/main.tf

@@ -223,7 +223,7 @@ module "backend" {
       },
       {
         name  = "PDV_BASE_URL"
-        value = "https://api.pdv.pagopa.it"
+        value = var.pdv_base_url
       },
       {
         name  = "PDV_ERROR_QUEUE_URL"
@@ -452,7 +452,8 @@ module "backend" {
     vpc_tls_security_group_endpoint_id = module.network.security_group_vpc_tls_id
     pdv_errors_queue_arn               = module.sqs.sqs_queue_arn
     environment_variables = {
-      "LOG_LEVEL" = var.app_log_level
+      "LOG_LEVEL"    = var.app_log_level
+      "PDV_BASE_URL" = var.pdv_base_url
     }
   }