From 2050786e7982a7cba45762bb5c35c754870afa55 Mon Sep 17 00:00:00 2001
From: Liam Lloyd
Date: Mon, 25 Nov 2024 11:52:17 -0800
Subject: [PATCH] Add terraform and Github Actions config to deploy account space update lambda
Now that we have a working handler for the account space update lambda, this commit adds the terraform and Github Actions configuration necessary to include this lambda in deploys.
---
 .github/workflows/build.yml | 20 +++
 .github/workflows/dev_deploy.yml | 11 +-
 .github/workflows/full_test_deploy.yml | 9 +-
 .github/workflows/generate_image_tags.yml | 6 +
 .github/workflows/prod_deploy.yml | 7 +-
 .github/workflows/staging_deploy.yml | 11 +-
 Dockerfile.account_space_updater | 6 +
 .../prod_cluster/account_space_prod_lambda.tf | 115 ++++++++++++++++++
 terraform/prod_cluster/variables.tf | 5 +
 .../test_cluster/account_space_dev_lambda.tf | 115 ++++++++++++++++++
 .../account_space_staging_lambda.tf | 115 ++++++++++++++++++
 terraform/test_cluster/variables.tf | 10 ++
 12 files changed, 422 insertions(+), 8 deletions(-)
 create mode 100644 terraform/prod_cluster/account_space_prod_lambda.tf
 create mode 100644 terraform/test_cluster/account_space_dev_lambda.tf
 create mode 100644 terraform/test_cluster/account_space_staging_lambda.tf
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 065fc76..4724c93 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -104,3 +104,23 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 - name: Publish Image to ECR
 run: docker push $ACCESS_COPY_LAMBDA_IMAGE_TAG
+ build_account_space_updater:
+ needs:
+ - generate_image_tags
+ runs-on: ubuntu-20.04
+ env:
+ ACCOUNT_SPACE_UPDATER_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCOUNT_SPACE_UPDATER_IMAGE_TAG }}
+ steps:
+ - uses: actions/checkout@v3
+ - name: Build Image
+ run: docker build -t $ACCOUNT_SPACE_UPDATER_IMAGE_TAG --build-arg="AWS_RDS_CERT_BUNDLE=$AWS_RDS_CERT_BUNDLE" -f Dockerfile.account_space_updater .
+ env:
+ AWS_RDS_CERT_BUNDLE: ${{ secrets.AWS_RDS_CERT_BUNDLE }}
+ - name: AWS Login
+ run: aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin 364159549467.dkr.ecr.$AWS_REGION.amazonaws.com
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ - name: Publish Image to ECR
+ run: docker push $ACCOUNT_SPACE_UPDATER_IMAGE_TAG
diff --git a/.github/workflows/dev_deploy.yml b/.github/workflows/dev_deploy.yml
index ad1f6c4..681c422 100644
--- a/.github/workflows/dev_deploy.yml
+++ b/.github/workflows/dev_deploy.yml
@@ -29,6 +29,7 @@ jobs:
 RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG }}
 THUMBNAIL_REFRESH_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.THUMBNAIL_REFRESH_IMAGE_TAG }}
 ACCESS_COPY_LAMBDA_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCESS_COPY_LAMBDA_IMAGE_TAG }}
+ ACCOUNT_SPACE_UPDATER_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCOUNT_SPACE_UPDATER_IMAGE_TAG }}
 defaults:
 run:
 working-directory: ./terraform/test_cluster
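Review bot: The `docker build` step in `build_account_space_updater` hands the RDS CA bundle over as `--build-arg`, and build-arg values are recorded in the image's layer history, so this is only acceptable because the bundle is public material; sourcing it from `secrets.AWS_RDS_CERT_BUNDLE` tells the next reader the opposite. Add a comment above the step, such as `# RDS CA bundle is public; a build-arg (visible in image history) is acceptable here. Never pass credentials this way.`, or, since AWS publishes the bundle, commit it and COPY it in the Dockerfile and drop the secret plumbing. The job also repeats the sibling jobs' static access-key login verbatim; if those ever move to OIDC (`aws-actions/configure-aws-credentials`), this copy has to move with them, which is an argument for a matrix or reusable workflow rather than a fourth copy.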
@@ -60,11 +61,14 @@ jobs:
 -var="thumbnail_refresh_staging_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
 -var="access_copy_dev_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
 -var="access_copy_staging_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
+ -var="account_space_updater_dev_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
+ -var="account_space_updater_staging_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
 -target=kubernetes_deployment.stela_dev \
 -target=kubernetes_cron_job_v1.archivematica_cleanup_dev \
 -target=aws_lambda_function.record_thumbnail_lambda \
 -target=kubernetes_cron_job_v1.thumbnail_refresh_dev \
- -target=aws_lambda_function.access_copy_dev_lambda
+ -target=aws_lambda_function.access_copy_dev_lambda \
+ -target=aws_lambda_function.account_space_update_dev_lambda
 - name: Terraform Apply
 run: |
 terraform apply -auto-approve -input=false \
@@ -78,8 +82,11 @@ jobs:
 -var="thumbnail_refresh_staging_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
 -var="access_copy_dev_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
 -var="access_copy_staging_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
+ -var="account_space_updater_dev_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
+ -var="account_space_updater_staging_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
 -target=kubernetes_deployment.stela_dev \
 -target=kubernetes_cron_job_v1.archivematica_cleanup_dev \
 -target=aws_lambda_function.record_thumbnail_lambda \
 -target=kubernetes_cron_job_v1.thumbnail_refresh_dev \
- -target=aws_lambda_function.access_copy_dev_lambda
+ -target=aws_lambda_function.access_copy_dev_lambda \
+ -target=aws_lambda_function.account_space_update_dev_lambda
diff --git a/.github/workflows/full_test_deploy.yml b/.github/workflows/full_test_deploy.yml
index 41ee270..d589211 100644
--- a/.github/workflows/full_test_deploy.yml
+++ b/.github/workflows/full_test_deploy.yml
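Review bot: Both the `terraform plan` and `terraform apply` hunks in dev_deploy.yml target only `aws_lambda_function.account_space_update_dev_lambda`, and `-target` pulls in a resource's dependencies but not its dependents, so the SQS queues, the queue policy, the SNS subscription, the `aws_iam_role_policy` that grants the function its permissions and the `aws_lambda_event_source_mapping` are all outside these runs. Unless an untargeted apply (full_test_deploy.yml appears to have no `-target` lines) has already created them, this deploy yields a function with no trigger and a role with no permissions, and later drift in those resources is never corrected by dev deploys. Either add them as further targets, e.g. `-target=aws_iam_role_policy.account_space_update_dev_lambda_policy \` and `-target=aws_lambda_event_source_mapping.account_space_update_dev_event_source_mapping \`, or state in a comment above the step that dev/staging deploys only roll the image and the full deploy owns the rest. The same applies to the two staging_deploy.yml hunks that target `aws_lambda_function.account_space_update_staging_lambda`.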
@@ -26,6 +26,7 @@ jobs:
 RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG }}
 THUMBNAIL_REFRESH_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.THUMBNAIL_REFRESH_IMAGE_TAG }}
 ACCESS_COPY_LAMBDA_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCESS_COPY_LAMBDA_IMAGE_TAG }}
+ ACCOUNT_SPACE_UPDATER_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCOUNT_SPACE_UPDATER_IMAGE_TAG }}
 defaults:
 run:
 working-directory: ./terraform/test_cluster
@@ -54,7 +55,9 @@ jobs:
 -var="thumbnail_refresh_dev_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
 -var="thumbnail_refresh_staging_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
 -var="access_copy_dev_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
- -var="access_copy_staging_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG"
+ -var="access_copy_staging_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
+ -var="account_space_updater_dev_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
+ -var="account_space_updater_staging_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG"
 - name: Terraform Apply
 run: |
 terraform apply -auto-approve -input=false \
@@ -67,4 +70,6 @@ jobs:
 -var="thumbnail_refresh_dev_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
 -var="thumbnail_refresh_staging_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
 -var="access_copy_dev_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
- -var="access_copy_staging_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG"
+ -var="access_copy_staging_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
+ -var="account_space_updater_dev_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
+ -var="account_space_updater_staging_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG"
diff --git a/.github/workflows/generate_image_tags.yml b/.github/workflows/generate_image_tags.yml
index db01051..ef590bc 100644
--- a/.github/workflows/generate_image_tags.yml
+++ b/.github/workflows/generate_image_tags.yml
@@ -12,6 +12,8 @@ on:
 value: ${{ jobs.generate_image_tags.outputs.THUMBNAIL_REFRESH_IMAGE_TAG }}
 ACCESS_COPY_LAMBDA_IMAGE_TAG:
 value: ${{ jobs.generate_image_tags.outputs.ACCESS_COPY_LAMBDA_IMAGE_TAG }}
+ ACCOUNT_SPACE_UPDATER_IMAGE_TAG:
+ value: ${{ jobs.generate_image_tags.outputs.ACCOUNT_SPACE_UPDATER_IMAGE_TAG }}
 jobs:
 generate_image_tags:
 runs-on: ubuntu-20.04
@@ -21,6 +23,7 @@ jobs:
 RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG: ${{ steps.generate_record_thumbnail_lambda_image_tag.outputs.RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG }}
 THUMBNAIL_REFRESH_IMAGE_TAG: ${{ steps.generate_thumbnail_refresh_image_tag.outputs.THUMBNAIL_REFRESH_IMAGE_TAG }}
 ACCESS_COPY_LAMBDA_IMAGE_TAG: ${{ steps.generate_access_copy_lambda_image_tag.outputs.ACCESS_COPY_LAMBDA_IMAGE_TAG }}
+ ACCOUNT_SPACE_UPDATER_IMAGE_TAG: ${{ steps.generate_account_space_updater_image_tag.outputs.ACCOUNT_SPACE_UPDATER_IMAGE_TAG }}
 steps:
 - uses: actions/checkout@v3
 - name: Set ECR domain env var
@@ -49,3 +52,6 @@ jobs:
 - name: Generate Access Copy Lambda Image Tag
 id: generate_access_copy_lambda_image_tag
 run: echo "ACCESS_COPY_LAMBDA_IMAGE_TAG=$ECR_DOMAIN/stela:access_copy_lambda-$BRANCH_TYPE-$ABBREVIATED_COMMIT_HASH" >> "$GITHUB_OUTPUT"
+ - name: Generate Account Space Updater Image Tag
+ id: generate_account_space_updater_image_tag
+ run: echo "ACCOUNT_SPACE_UPDATER_IMAGE_TAG=$ECR_DOMAIN/stela:account_space_updater-$BRANCH_TYPE-$ABBREVIATED_COMMIT_HASH" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/prod_deploy.yml b/.github/workflows/prod_deploy.yml
index dd385c8..28ff9de 100644
--- a/.github/workflows/prod_deploy.yml
+++ b/.github/workflows/prod_deploy.yml
@@ -24,6 +24,7 @@ jobs:
 RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG }}
 THUMBNAIL_REFRESH_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.THUMBNAIL_REFRESH_IMAGE_TAG }}
 ACCESS_COPY_LAMBDA_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCESS_COPY_LAMBDA_IMAGE_TAG }}
+ ACCOUNT_SPACE_UPDATER_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCOUNT_SPACE_UPDATER_IMAGE_TAG }}
 defaults:
 run:
 working-directory: ./terraform/prod_cluster
@@ -47,7 +48,8 @@ jobs:
 -var="archivematica_cleanup_image=$AM_CLEANUP_IMAGE_TAG" \
 -var="record_thumbnail_lambda_image=$RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG" \
 -var="thumbnail_refresh_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
- -var="access_copy_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG"
+ -var="access_copy_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
+ -var="account_space_updater_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG"
 - name: Terraform Apply
 run: |
 terraform apply -auto-approve -input=false \
@@ -55,4 +57,5 @@ jobs:
 -var="archivematica_cleanup_image=$AM_CLEANUP_IMAGE_TAG" \
 -var="record_thumbnail_lambda_image=$RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG" \
 -var="thumbnail_refresh_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
- -var="access_copy_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG"
+ -var="access_copy_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
+ -var="account_space_updater_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG"
diff --git a/.github/workflows/staging_deploy.yml b/.github/workflows/staging_deploy.yml
index dc4ac26..ab63d11 100644
--- a/.github/workflows/staging_deploy.yml
+++ b/.github/workflows/staging_deploy.yml
@@ -27,6 +27,7 @@ jobs:
 RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG }}
 THUMBNAIL_REFRESH_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.THUMBNAIL_REFRESH_IMAGE_TAG }}
 ACCESS_COPY_LAMBDA_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCESS_COPY_LAMBDA_IMAGE_TAG }}
+ ACCOUNT_SPACE_UPDATER_IMAGE_TAG: ${{ needs.generate_image_tags.outputs.ACCOUNT_SPACE_UPDATER_IMAGE_TAG }}
 defaults:
 run:
 working-directory: ./terraform/test_cluster
@@ -58,11 +59,14 @@ jobs:
 -var="thumbnail_refresh_staging_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
 -var="access_copy_dev_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
 -var="access_copy_staging_lambda_image=$ACCESS_COPY_LAMBDA_IMAGE_TAG" \
+ -var="account_space_updater_dev_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
+ -var="account_space_updater_staging_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
 -target=kubernetes_deployment.stela_staging \
 -target=kubernetes_cron_job_v1.archivematica_cleanup_staging \
 -target=aws_lambda_function.record_thumbnail_lambda_staging \
 -target=kubernetes_cron_job_v1.thumbnail_refresh_staging \
- -target=aws_lambda_function.access_copy_lambda_staging
+ -target=aws_lambda_function.access_copy_lambda_staging \
+ -target=aws_lambda_function.account_space_update_staging_lambda
 - name: Terraform Apply
 run: |
 terraform apply -auto-approve -input=false \
@@ -74,8 +78,11 @@ jobs:
 -var="record_thumbnail_staging_lambda_image=$RECORD_THUMBNAIL_LAMBDA_IMAGE_TAG" \
 -var="thumbnail_refresh_dev_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
 -var="thumbnail_refresh_staging_image=$THUMBNAIL_REFRESH_IMAGE_TAG" \
+ -var="account_space_updater_dev_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
+ -var="account_space_updater_staging_lambda_image=$ACCOUNT_SPACE_UPDATER_IMAGE_TAG" \
 -target=kubernetes_deployment.stela_staging \
 -target=kubernetes_cron_job_v1.archivematica_cleanup_staging \
 -target=aws_lambda_function.record_thumbnail_lambda_staging \
 -target=kubernetes_cron_job_v1.thumbnail_refresh_staging \
- -target=aws_lambda_function.access_copy_lambda_staging
+ -target=aws_lambda_function.access_copy_lambda_staging \
+ -target=aws_lambda_function.account_space_update_staging_lambda
diff --git a/Dockerfile.account_space_updater b/Dockerfile.account_space_updater
index a71b34e..85a4e87 100644
--- a/Dockerfile.account_space_updater
+++ b/Dockerfile.account_space_updater
@@ -14,8 +14,14 @@ RUN npm run build -ws
 FROM public.ecr.aws/lambda/nodejs:18 as final
+
+ARG AWS_RDS_CERT_BUNDLE
+
 WORKDIR ${LAMBDA_TASK_ROOT}
+RUN mkdir /etc/ca-certificates
+RUN echo -e $AWS_RDS_CERT_BUNDLE > /etc/ca-certificates/rds-us-west-2-ca-bundle.pem
+
 COPY --from=builder /usr/local/apps/stela/packages/account_space_updater/dist ./packages/account_space_updater/dist
 COPY --from=builder /usr/local/apps/stela/packages/account_space_updater/package.json ./packages/account_space_updater/package.json
 COPY --from=builder /usr/local/apps/stela/packages/logger/dist ./packages/logger/dist
diff --git a/terraform/prod_cluster/account_space_prod_lambda.tf b/terraform/prod_cluster/account_space_prod_lambda.tf
new file mode 100644
index 0000000..5f883e1
--- /dev/null
+++ b/terraform/prod_cluster/account_space_prod_lambda.tf
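Review bot: `RUN echo -e $AWS_RDS_CERT_BUNDLE > /etc/ca-certificates/rds-us-west-2-ca-bundle.pem` expands the build-arg unquoted, so the shell word-splits the PEM text and collapses any real newlines to single spaces, and `echo -e` behaviour depends on which `/bin/sh` the base image provides; an unset or empty `AWS_RDS_CERT_BUNDLE` also writes an empty file and the build still succeeds, deferring the failure to the first TLS handshake at runtime. Quote the variable, use a portable escape-expanding write, and fail the build on an empty bundle: `RUN mkdir -p /etc/ca-certificates && printf '%b' "$AWS_RDS_CERT_BUNDLE" > /etc/ca-certificates/rds-us-west-2-ca-bundle.pem && test -s /etc/ca-certificates/rds-us-west-2-ca-bundle.pem`. Nothing in the hunk shows what consumes this path; if the application is meant to pin the RDS connection to it (for instance via `NODE_EXTRA_CA_CERTS` or the database client's CA option), that wiring should be visible in this image or its environment rather than left implicit, and the region baked into the file name should be reconciled with the `$AWS_REGION` the workflow uses.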
@@ -0,0 +1,115 @@
+resource "aws_sqs_queue" "account_space_update_prod_deadletter_queue" {
+ name = "account-space-update-prod-deadletter-queue"
+}
+
+resource "aws_sqs_queue" "account_space_update_prod_queue" {
+ name = "account-space-update-prod-queue"
+
+ redrive_policy = jsonencode({
+ deadLetterTargetArn = aws_sqs_queue.account_space_update_prod_deadletter_queue.arn
+ maxReceiveCount = 3
+ })
+}
+
+resource "aws_sqs_queue_policy" "account_space_update_prod_queue_policy" {
+ queue_url = aws_sqs_queue.account_space_update_prod_queue.id
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Principal = {
+ Service = "sns.amazonaws.com"
+ },
+ Action = "sqs:SendMessage",
+ Resource = aws_sqs_queue.account_space_update_prod_queue.arn,
+ Condition = {
+ ArnEquals = {
+ "aws:SourceArn" = var.event_topic_arn
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_sns_topic_subscription" "account_space_update_prod_subscription" {
+ topic_arn = var.event_topic_arn
+ protocol = "sqs"
+ endpoint = aws_sqs_queue.account_space_update_prod_queue.arn
+ filter_policy = jsonencode({
+ Entity = ["record"],
+ Action = ["create", "copy"]
+ })
+}
+
+data "aws_iam_policy_document" "assume_prod_account_space_update_role" {
+ statement {
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "account_space_update_prod_lambda_role" {
+ name = "account-space-update-prod-lambda-role"
+ assume_role_policy = data.aws_iam_policy_document.assume_prod_account_space_update_role.json
+}
+
+resource "aws_iam_role_policy" "account_space_update_prod_lambda_policy" {
+ name = "account-space-update-lambda-policy"
+ role = aws_iam_role.account_space_update_prod_lambda_role.name
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "sqs:ReceiveMessage",
+ "sqs:DeleteMessage",
+ "sqs:GetQueueAttributes",
+ ]
+ Effect = "Allow"
+ Resource = ["*", aws_sqs_queue.account_space_update_prod_queue.arn]
+ },
+ ]
+ })
+}
+
+resource "aws_lambda_function" "account_space_update_prod_lambda" {
+ package_type = "Image"
+ image_uri = var.account_space_updater_lambda_image
+ function_name = "account-space-update-prod-lambda"
+ role = aws_iam_role.account_space_update_prod_lambda_role.arn
+ timeout = 30
+
+ vpc_config {
+ security_group_ids = [var.prod_security_group_id]
+ subnet_ids = var.subnet_ids
+ }
+
+ environment {
+ variables = {
+ ENV = var.prod_env
+ SENTRY_DSN = var.sentry_dsn
+ DATABASE_URL = var.prod_database_url
+ }
+ }
+}
+
+resource "aws_lambda_event_source_mapping" "account_space_update_prod_event_source_mapping" {
+ event_source_arn = aws_sqs_queue.account_space_update_prod_queue.arn
+ function_name = aws_lambda_function.account_space_update_prod_lambda.arn
+ batch_size = 10
+ maximum_batching_window_in_seconds = 0
+}
diff --git a/terraform/prod_cluster/variables.tf b/terraform/prod_cluster/variables.tf
index 8e1685e..f35d8af 100644
--- a/terraform/prod_cluster/variables.tf
+++ b/terraform/prod_cluster/variables.tf
@@ -52,6 +52,11 @@ variable "access_copy_lambda_image" {
 type = string
 }
+variable "account_space_updater_lambda_image" {
+ description = "Tag of the account space updater lambda image to deploy"
+ type = string
+}
+
 variable "prod_security_group_id" {
 description = "ID of the Production security group"
 type = string
diff --git a/terraform/test_cluster/account_space_dev_lambda.tf b/terraform/test_cluster/account_space_dev_lambda.tf
new file mode 100644
index 0000000..a6c3ffb
--- /dev/null
+++ b/terraform/test_cluster/account_space_dev_lambda.tf
@@ -0,0 +1,115 @@
+resource "aws_sqs_queue" "account_space_update_dev_deadletter_queue" {
+ name = "account-space-update-dev-deadletter-queue"
+}
+
+resource "aws_sqs_queue" "account_space_update_dev_queue" {
+ name = "account-space-update-dev-queue"
+
+ redrive_policy = jsonencode({
+ deadLetterTargetArn = aws_sqs_queue.account_space_update_dev_deadletter_queue.arn
+ maxReceiveCount = 3
+ })
+}
+
+resource "aws_sqs_queue_policy" "account_space_update_dev_queue_policy" {
+ queue_url = aws_sqs_queue.account_space_update_dev_queue.id
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Principal = {
+ Service = "sns.amazonaws.com"
+ },
+ Action = "sqs:SendMessage",
+ Resource = aws_sqs_queue.account_space_update_dev_queue.arn,
+ Condition = {
+ ArnEquals = {
+ "aws:SourceArn" = var.dev_event_topic_arn
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_sns_topic_subscription" "account_space_update_dev_subscription" {
+ topic_arn = var.dev_event_topic_arn
+ protocol = "sqs"
+ endpoint = aws_sqs_queue.account_space_update_dev_queue.arn
+ filter_policy = jsonencode({
+ Entity = ["record"],
+ Action = ["create", "copy"]
+ })
+}
+
+data "aws_iam_policy_document" "assume_dev_account_space_update_role" {
+ statement {
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "account_space_update_dev_lambda_role" {
+ name = "account-space-update-dev-lambda-role"
+ assume_role_policy = data.aws_iam_policy_document.assume_dev_account_space_update_role.json
+}
+
+resource "aws_iam_role_policy" "account_space_update_dev_lambda_policy" {
+ name = "account-space-update-lambda-policy"
+ role = aws_iam_role.account_space_update_dev_lambda_role.name
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "sqs:ReceiveMessage",
+ "sqs:DeleteMessage",
+ "sqs:GetQueueAttributes",
+ ]
+ Effect = "Allow"
+ Resource = ["*", aws_sqs_queue.account_space_update_dev_queue.arn]
+ },
+ ]
+ })
+}
+
+resource "aws_lambda_function" "account_space_update_dev_lambda" {
+ package_type = "Image"
+ image_uri = var.account_space_updater_dev_lambda_image
+ function_name = "account-space-update-dev-lambda"
+ role = aws_iam_role.account_space_update_dev_lambda_role.arn
+ timeout = 30
+
+ vpc_config {
+ security_group_ids = [var.dev_security_group_id]
+ subnet_ids = var.subnet_ids
+ }
+
+ environment {
+ variables = {
+ ENV = var.dev_env
+ SENTRY_DSN = var.sentry_dsn
+ DATABASE_URL = var.dev_database_url
+ }
+ }
+}
+
+resource "aws_lambda_event_source_mapping" "account_space_update_dev_event_source_mapping" {
+ event_source_arn = aws_sqs_queue.account_space_update_dev_queue.arn
+ function_name = aws_lambda_function.account_space_update_dev_lambda.arn
+ batch_size = 10
+ maximum_batching_window_in_seconds = 0
+}
diff --git a/terraform/test_cluster/account_space_staging_lambda.tf b/terraform/test_cluster/account_space_staging_lambda.tf
new file mode 100644
index 0000000..62bd8ea
--- /dev/null
+++ b/terraform/test_cluster/account_space_staging_lambda.tf
@@ -0,0 +1,115 @@
+resource "aws_sqs_queue" "account_space_update_staging_deadletter_queue" {
+ name = "account-space-update-staging-deadletter-queue"
+}
+
+resource "aws_sqs_queue" "account_space_update_staging_queue" {
+ name = "account-space-update-staging-queue"
+
+ redrive_policy = jsonencode({
+ deadLetterTargetArn = aws_sqs_queue.account_space_update_staging_deadletter_queue.arn
+ maxReceiveCount = 3
+ })
+}
+
+resource "aws_sqs_queue_policy" "account_space_update_staging_queue_policy" {
+ queue_url = aws_sqs_queue.account_space_update_staging_queue.id
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Principal = {
+ Service = "sns.amazonaws.com"
+ },
+ Action = "sqs:SendMessage",
+ Resource = aws_sqs_queue.account_space_update_staging_queue.arn,
+ Condition = {
+ ArnEquals = {
+ "aws:SourceArn" = var.staging_event_topic_arn
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_sns_topic_subscription" "account_space_update_staging_subscription" {
+ topic_arn = var.staging_event_topic_arn
+ protocol = "sqs"
+ endpoint = aws_sqs_queue.account_space_update_staging_queue.arn
+ filter_policy = jsonencode({
+ Entity = ["record"],
+ Action = ["create", "copy"]
+ })
+}
+
+data "aws_iam_policy_document" "assume_staging_account_space_update_role" {
+ statement {
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "account_space_update_staging_lambda_role" {
+ name = "account-space-update-staging-lambda-role"
+ assume_role_policy = data.aws_iam_policy_document.assume_staging_account_space_update_role.json
+}
+
+resource "aws_iam_role_policy" "account_space_update_staging_lambda_policy" {
+ name = "account-space-update-lambda-policy"
+ role = aws_iam_role.account_space_update_staging_lambda_role.name
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "sqs:ReceiveMessage",
+ "sqs:DeleteMessage",
+ "sqs:GetQueueAttributes",
+ ]
+ Effect = "Allow"
+ Resource = ["*", aws_sqs_queue.account_space_update_staging_queue.arn]
+ },
+ ]
+ })
+}
+
+resource "aws_lambda_function" "account_space_update_staging_lambda" {
+ package_type = "Image"
+ image_uri = var.account_space_updater_staging_lambda_image
+ function_name = "account-space-update-staging-lambda"
+ role = aws_iam_role.account_space_update_staging_lambda_role.arn
+ timeout = 30
+
+ vpc_config {
+ security_group_ids = [var.staging_security_group_id]
+ subnet_ids = var.subnet_ids
+ }
+
+ environment {
+ variables = {
+ ENV = var.staging_env
+ SENTRY_DSN = var.sentry_dsn
+ DATABASE_URL = var.staging_database_url
+ }
+ }
+}
+
+resource "aws_lambda_event_source_mapping" "account_space_update_staging_event_source_mapping" {
+ event_source_arn = aws_sqs_queue.account_space_update_staging_queue.arn
+ function_name = aws_lambda_function.account_space_update_staging_lambda.arn
+ batch_size = 10
+ maximum_batching_window_in_seconds = 0
+}
diff --git a/terraform/test_cluster/variables.tf b/terraform/test_cluster/variables.tf
index a1d84e8..50e6b9b 100644
--- a/terraform/test_cluster/variables.tf
+++ b/terraform/test_cluster/variables.tf
@@ -88,6 +88,16 @@ variable "access_copy_staging_lambda_image" {
 type = string
 }
+variable "account_space_updater_dev_lambda_image" {
+ description = "Tag of account space updater image to deploy to dev"
+ type = string
+}
+
+variable "account_space_updater_staging_lambda_image" {
+ description = "Tag of account space updater image to deploy to staging"
+ type = string
+}
+
 variable "dev_security_group_id" {
 description = "ID of the Development security group"
 type = string