ministryofjustice · murad-ali-MoJ · Jan 22, 2024 · Jan 17, 2024 · Jan 17, 2024 · Jan 17, 2024
@@ -0,0 +1,6 @@
+resource "aws_cloudwatch_event_rule" "jml_lambda_trigger" {
+  count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
+
+  name                = "jml-lambda-trigger"
+  schedule_expression = "cron(0 2 1 * ? *)"
+}
@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_event_target" "jml_lambda_trigger" {
+  count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
+
+  rule      = aws_cloudwatch_event_rule.jml_lambda_trigger[0].name
+  target_id = "jml-lambda-trigger"
+  arn       = module.jml_extract_lambda[0].lambda_function_arn
+}
@@ -81,4 +81,20 @@ data "aws_secretsmanager_secret_version" "openmetadata_entra_id_client_id" {
 
 data "aws_secretsmanager_secret_version" "openmetadata_entra_id_tenant_id" {
   secret_id = "openmetadata/entra-id/tenant-id"
-}
+}
+
+##################################################
+# Data Platform Apps and Tools JML
+##################################################
+
+data "aws_secretsmanager_secret_version" "govuk_notify_api_key" {
+  count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
+
+  secret_id = aws_secretsmanager_secret.govuk_notify_api_key[0].id
+}
+
+data "aws_secretsmanager_secret_version" "jml_email" {
+  count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
+
+  secret_id = aws_secretsmanager_secret.jml_email[0].id
+}
@@ -0,0 +1,59 @@
+module "jml_extract_lambda" {
+  #checkov:skip=CKV_TF_1:Module is from Terraform registry
+  count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
+
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "~> 6.0"
+
+  publish        = true
+  create_package = false
+
+  function_name = "data_platform_jml_extract"
+  description   = "Generates a JML report and sends it to JMLv4"
+  package_type  = "Image"
+  image_uri     = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/data-platform-jml-extract-lambda-ecr-repo:1.0.1"
+
+  environment_variables = {
+    SECRET_ID       = data.aws_secretsmanager_secret_version.govuk_notify_api_key[0].secret_string
+    LOG_GROUP_NAMES = module.auth0_log_streams["alpha-analytics-moj"].cloudwatch_log_group_name
+    EMAIL_SECRET    = data.aws_secretsmanager_secret_version.jml_email[0].secret_string
+    TEMPLATE_ID     = "de618989-db86-4d9a-aa55-4724d5485fa5"
+  }
+
+  attach_policy_statements = true
+  policy_statements = {
+    "cloudwatch" = {
+      sid    = "CloudWatch"
+      effect = "Allow"
+      actions = [
+        "cloudwatch:GenerateQuery",
+        "logs:DescribeLogStreams",
+        "logs:DescribeLogGroups",
+        "logs:GetLogEvents"
+      ]
+      resources = [
+        "${module.auth0_log_streams["alpha-analytics-moj"].cloudwatch_log_group_arn}/*"
+      ]
+    }
+    "secretsmanager" = {
+      sid    = "SecretsManager"
+      effect = "Allow"
+      actions = [
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:ListSecrets"
+      ]
+      resources = [
+        aws_secretsmanager_secret.govuk_notify_api_key[0].arn,
+        aws_secretsmanager_secret.jml_email[0].arn
+      ]
+    }
+  }
+
+  allowed_triggers = {
+    "eventbridge" = {
+      principal  = "events.amazonaws.com"
+      source_arn = aws_cloudwatch_event_rule.jml_lambda_trigger[0].arn
+    }
+  }
+}
@@ -0,0 +1,7 @@
+output "cloudwatch_log_group_arn" {
+  value = aws_cloudwatch_log_group.this.arn
+}
+
+output "cloudwatch_log_group_name" {
+  value = local.cloudwatch_log_group_name
+}
@@ -15,8 +15,9 @@ module "powerbi_gateway" {
   source  = "terraform-aws-modules/ec2-instance/aws"
   version = "v5.6.0"
 
-  name                        = local.environment_configuration.powerbi_gateway_ec2.instance_name
-  ami                         = data.aws_ami.windows_server_2022.id
+  name = local.environment_configuration.powerbi_gateway_ec2.instance_name
+  # ami                         = data.aws_ami.windows_server_2022.id
+  ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
   monitoring                  = true

@@ -42,6 +42,8 @@ resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
 }
 
 # Email secret for Lambda function
-resource "aws_secretsmanager_secret" "email_secret" {
+resource "aws_secretsmanager_secret" "jml_email" {
+  count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
+
   name = "jml/email"
 }