[PRMP-614] bump up lambda runtime python version (and terraform aws p…
…rovider version) (#206)

* [PRMP-614] bump up lambda runtime python version (and terraform aws provider version)

* run formatter
joefong-nhs authored Jul 24, 2024
1 parent 028a92a commit 0e462f3
Showing 12 changed files with 105 additions and 108 deletions.
14 changes: 7 additions & 7 deletions terraform/backend.tf
@@ -1,8 +1,8 @@
terraform{
backend "s3" {
bucket = "prm-deductions-terraform-state"
key = "suspension-service/terraform.tfstate"
region = "eu-west-2"
encrypt = true
}
terraform {
backend "s3" {
bucket = "prm-deductions-terraform-state"
key = "suspension-service/terraform.tfstate"
region = "eu-west-2"
encrypt = true
}
}
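--- a/terraform/cloudwatch.tf
+++ b/terraform/cloudwatch.tf
@@ -53,15 +53,15 @@ resource "aws_cloudwatch_metric_alarm" "not_suspended_sns_topic_error_log_alarm"
 period = "60"
 metric_name = local.sns_topic_error_logs_metric_name
 namespace = local.sns_topic_namespace
-dimensions = {
+dimensions = {
 TopicName = local.not_suspended_sns_topic_name
 }
-statistic = "Sum"
-alarm_description = "This alarm monitors errors logs in ${local.not_suspended_sns_topic_name}"
-treat_missing_data = "notBreaching"
-actions_enabled = "true"
-alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
-ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
+statistic = "Sum"
+alarm_description = "This alarm monitors errors logs in ${local.not_suspended_sns_topic_name}"
+treat_missing_data = "notBreaching"
+actions_enabled = "true"
+alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
+ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
 }
 
 resource "aws_cloudwatch_metric_alarm" "suspension_out_of_order_audit" {
@@ -74,11 +74,11 @@ resource "aws_cloudwatch_metric_alarm" "suspension_out_of_order_audit" {
 alarm_description = "This alarm triggers when messages on the out of order audit queue is not polled by splunk in last 15 mins"
 statistic = "Maximum"
 period = "900"
-dimensions = {
+dimensions = {
 QueueName = aws_sqs_queue.event_out_of_order_audit.name
 }
-alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
-ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
+alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
+ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
 }
 
 resource "aws_cloudwatch_metric_alarm" "suspension_not_suspended_audit" {
@@ -91,11 +91,11 @@ resource "aws_cloudwatch_metric_alarm" "suspension_not_suspended_audit" {
 alarm_description = "This alarm triggers when messages on the not suspended audit queue is not polled by splunk in last 15 mins"
 statistic = "Maximum"
 period = "900"
-dimensions = {
+dimensions = {
 QueueName = aws_sqs_queue.not_suspended_audit.name
 }
-alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
-ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
+alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
+ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
 }
 
 resource "aws_cloudwatch_metric_alarm" "suspension_mof_not_updated_audit" {
@@ -108,11 +108,11 @@ resource "aws_cloudwatch_metric_alarm" "suspension_mof_not_updated_audit" {
 alarm_description = "This alarm triggers when messages on the MOF not updated audit queue is not polled by splunk in last 15 mins"
 statistic = "Maximum"
 period = "900"
-dimensions = {
+dimensions = {
 QueueName = aws_sqs_queue.mof_not_updated_audit.name
 }
-alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
-ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
+alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
+ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
 }
 
 resource "aws_cloudwatch_metric_alarm" "suspension_mof_updated_audit" {
@@ -125,11 +125,11 @@ resource "aws_cloudwatch_metric_alarm" "suspension_mof_updated_audit" {
 alarm_description = "This alarm triggers when messages on the MOF updated audit queue is not polled by splunk in last 15 mins"
 statistic = "Maximum"
 period = "900"
-dimensions = {
+dimensions = {
 QueueName = aws_sqs_queue.mof_updated_audit.name
 }
-alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
-ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
+alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
+ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
 }
 
 resource "aws_cloudwatch_metric_alarm" "suspension_deceased_patient_audit" {
@@ -142,11 +142,11 @@ resource "aws_cloudwatch_metric_alarm" "suspension_deceased_patient_audit" {
 alarm_description = "This alarm triggers when messages on the deceased patient audit queue is not polled by splunk in last 15 mins"
 statistic = "Maximum"
 period = "900"
-dimensions = {
+dimensions = {
 QueueName = aws_sqs_queue.deceased_patient_audit.name
 }
-alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
-ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
+alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
+ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
 }
 
 resource "aws_cloudwatch_metric_alarm" "suspension_invalid_suspension_dlq_audit" {
@@ -159,9 +159,9 @@ resource "aws_cloudwatch_metric_alarm" "suspension_invalid_suspension_dlq_audit"
 alarm_description = "This alarm triggers when messages on the invalid suspensions dlq audit queue is not polled by splunk in last 15 mins"
 statistic = "Maximum"
 period = "900"
-dimensions = {
+dimensions = {
 QueueName = aws_sqs_queue.invalid_suspension_audit.name
 }
-alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
-ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
+alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
+ok_actions = [data.aws_sns_topic.alarm_notifications.arn]
 }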
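--- a/terraform/dynamodb.tf
+++ b/terraform/dynamodb.tf
@@ -1,8 +1,8 @@
 resource "aws_dynamodb_table" "suspensions" {
-name = "${var.environment}-${var.component_name}-dynamodb"
-billing_mode = "PAY_PER_REQUEST"
-hash_key = "nhs_number"
-# deletion_protection_enabled = true
+name = "${var.environment}-${var.component_name}-dynamodb"
+billing_mode = "PAY_PER_REQUEST"
+hash_key = "nhs_number"
+# deletion_protection_enabled = true
 
 server_side_encryption {
 enabled = true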
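--- a/terraform/ecs-service.tf
+++ b/terraform/ecs-service.tf
@@ -1,6 +1,6 @@
 locals {
 ecs_cluster_id = aws_ecs_cluster.ecs-cluster.id
-ecs_task_sg_id = aws_security_group.ecs-tasks-sg.id
+ecs_task_sg_id = aws_security_group.ecs-tasks-sg.id
 private_subnets = split(",", data.aws_ssm_parameter.deductions_private_private_subnets.value)
 }
 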
12 changes: 6 additions & 6 deletions terraform/ecs-task.tf
@@ -1,8 +1,8 @@
locals {
task_role_arn = aws_iam_role.component-ecs-role.arn
task_execution_role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.environment}-${var.component_name}-EcsTaskRole"
task_ecr_url = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com"
task_log_group = "/nhs/deductions/${var.environment}-${data.aws_caller_identity.current.account_id}/${var.component_name}"
task_role_arn = aws_iam_role.component-ecs-role.arn
task_execution_role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.environment}-${var.component_name}-EcsTaskRole"
task_ecr_url = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com"
task_log_group = "/nhs/deductions/${var.environment}-${data.aws_caller_identity.current.account_id}/${var.component_name}"
environment_variables = [
{ name = "COMPONENT_NAME", value = var.component_name },
{ name = "METRIC_NAMESPACE", value = var.metric_namespace },
Expand All @@ -29,11 +29,11 @@ locals {
{ name = "CAN_UPDATE_MANAGING_ORGANISATION_TO_REPO", value = tostring(var.can_update_managing_organisation_to_repo) },
{ name = "DYNAMODB_TABLE_NAME", value = aws_dynamodb_table.suspensions.name },
{
name = "PDS_ADAPTOR_URL",
name = "PDS_ADAPTOR_URL",
value = "https://pds-adaptor.${data.aws_ssm_parameter.environment_domain_name.value}"
},
{ name = "REPO_ODS_CODE", value = data.aws_ssm_parameter.repo_ods_code.value },
{ name = "SAFE_LISTED_ODS_CODES", value = data.aws_ssm_parameter.safe_listed_ods_codes.value},
{ name = "SAFE_LISTED_ODS_CODES", value = data.aws_ssm_parameter.safe_listed_ods_codes.value },
{ name = "REPO_PROCESS_ONLY_SAFE_LISTED_ODS_CODES", value = tostring(var.repo_process_only_safe_listed_ods_codes) }
]
}
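--- a/terraform/encryption-key.tf
+++ b/terraform/encryption-key.tf
@@ -1,6 +1,6 @@
 resource "aws_kms_key" "not_suspended" {
-description = "Custom KMS Key to enable server side encryption for SNS and SQS"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for SNS and SQS"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {
@@ -61,8 +61,8 @@ data "aws_iam_policy_document" "kms_key_policy_doc" {
 }
 
 resource "aws_kms_key" "mof_updated" {
-description = "Custom KMS Key to enable server side encryption for SNS and SQS"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for SNS and SQS"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {
@@ -78,8 +78,8 @@ resource "aws_kms_alias" "mof_updated_encryption" {
 }
 
 resource "aws_kms_key" "mof_not_updated" {
-description = "Custom KMS Key to enable server side encryption for mof not updated topic"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for mof not updated topic"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {
@@ -95,8 +95,8 @@ resource "aws_kms_alias" "mof_not_updated_encryption" {
 }
 
 resource "aws_kms_key" "invalid_suspension" {
-description = "Custom KMS Key to enable server side encryption for invalid suspension topic"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for invalid suspension topic"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {
@@ -112,8 +112,8 @@ resource "aws_kms_alias" "invalid_suspension_encryption" {
 }
 
 resource "aws_kms_key" "invalid_suspension_audit" {
-description = "Custom KMS Key to enable server side encryption for invalid suspension audit topic"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for invalid suspension audit topic"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {
@@ -129,8 +129,8 @@ resource "aws_kms_alias" "invalid_suspension_audit_encryption" {
 }
 
 resource "aws_kms_key" "event_out_of_order" {
-description = "Custom KMS Key to enable server side encryption for event out of order topic"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for event out of order topic"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {
@@ -146,8 +146,8 @@ resource "aws_kms_alias" "event_out_of_order_encryption" {
 }
 
 resource "aws_kms_key" "suspension_dynamodb_kms_key" {
-description = "Custom KMS Key to enable server side encryption for Suspension DB"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for Suspension DB"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {
@@ -163,8 +163,8 @@ resource "aws_kms_alias" "suspension_dynamodb_encryption" {
 }
 
 resource "aws_kms_key" "deceased_patient" {
-description = "Custom KMS Key to enable server side encryption for deceased patient topic"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for deceased patient topic"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {
@@ -180,8 +180,8 @@ resource "aws_kms_alias" "deceased_patient_encryption" {
 }
 
 resource "aws_kms_key" "active_suspensions" {
-description = "Custom KMS Key to enable server side encryption for active-suspensions topic"
-policy = data.aws_iam_policy_document.kms_key_policy_doc.json
+description = "Custom KMS Key to enable server side encryption for active-suspensions topic"
+policy = data.aws_iam_policy_document.kms_key_policy_doc.json
 enable_key_rotation = true
 
 tags = {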
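--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -1,6 +1,6 @@
 locals {
-account_id = data.aws_caller_identity.current.account_id
-sns_base_arns = [
+account_id = data.aws_caller_identity.current.account_id
+sns_base_arns = [
 aws_sns_topic.not_suspended.arn,
 aws_sns_topic.mof_updated.arn,
 aws_sns_topic.mof_not_updated.arn,
@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "ecs-assume-role-policy" {
 actions = ["sts:AssumeRole"]
 
 principals {
-type = "Service"
+type = "Service"
 identifiers = [
 "ecs-tasks.amazonaws.com"
 ]
@@ -99,7 +99,7 @@ resource "aws_iam_policy" "suspensions_processor_sqs" {
 
 data "aws_iam_policy_document" "sqs_suspensions_ecs_task" {
 statement {
-actions = [
+actions = [
 "sqs:GetQueue*",
 "sqs:ChangeMessageVisibility",
 "sqs:DeleteMessage",
@@ -132,7 +132,7 @@ resource "aws_iam_role_policy_attachment" "suspension_service_sns" {
 
 data "aws_iam_policy_document" "sns_policy_doc" {
 statement {
-actions = [
+actions = [
 "sns:Publish",
 "sns:GetTopicAttributes"
 ]
@@ -152,7 +152,7 @@ resource "aws_iam_policy" "suspensions_kms" {
 
 data "aws_iam_policy_document" "kms_policy_doc" {
 statement {
-actions = [
+actions = [
 "kms:*"
 ]
 resources = [
@@ -203,7 +203,7 @@ resource "aws_iam_role" "sns_failure_feedback_role" {
 
 data "aws_iam_policy_document" "sns_failure_feedback_policy" {
 statement {
-actions = [
+actions = [
 "logs:CreateLogGroup",
 "logs:CreateLogStream",
 "logs:PutLogEvents",
@@ -231,7 +231,7 @@ data "aws_iam_policy_document" "sns_service_assume_role_policy" {
 actions = ["sts:AssumeRole"]
 
 principals {
-type = "Service"
+type = "Service"
 identifiers = [
 "sns.amazonaws.com"
 ]
@@ -488,7 +488,7 @@ data "aws_iam_policy_document" "event_out_of_order_policy_doc" {
 
 data "aws_iam_policy_document" "dynamodb-table-access" {
 statement {
-actions = [
+actions = [
 "dynamodb:GetItem",
 "dynamodb:PutItem"
 ]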
2 changes: 1 addition & 1 deletion terraform/main.tf
Expand Up @@ -7,7 +7,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.76.1"
version = "5.59.0"
}
}
}
5 changes: 1 addition & 4 deletions terraform/modules/suspension-service/lambda.tf
Expand Up @@ -9,15 +9,12 @@ locals {
}

resource "aws_lambda_function" "lambda" {
# If the file is not in the current working directory you will need to include a
# path.module in the filename.
filename = data.archive_file.lambda.output_path
function_name = "${var.environment}_${local.ingestion_lambda_name}"
role = aws_iam_role.lambda_execution_role.arn
handler = "${local.ingestion_lambda_name}.lambda_handler"
source_code_hash = data.archive_file.lambda.output_base64sha256
# Remark: better to use python3.11 . For now we only have 3.8 as we are use a very old (3.44) terraform provider version
runtime = "python3.8"
runtime = "python3.12"
timeout = 30
memory_size = 128

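Review bot: The new `runtime = "python3.12"` line replaces the only comment that explained the runtime choice, and nothing visible in this section shows that the packaged handler was rebuilt or exercised on the new interpreter. Python 3.12 removed several standard-library modules (for example `distutils` and `imp`), and any compiled dependency inside `data.archive_file.lambda` would need wheels built for 3.12, so a post-deploy smoke invocation of the function is worth adding before this reaches production. I would also keep a short comment above the line, such as `# python3.12 needs the AWS provider version pinned in terraform/main.tf; revisit when AWS announces deprecation of this runtime`. The `aws_lambda_function` block continues past the end of this hunk, so its remaining settings were not reviewed.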