Merge pull request #7883 from ministryofjustice/CC-2815

Cc 2815

terraform/environments/ccms-ebs/ccms-iam.tf

@@ -343,3 +343,52 @@ resource "aws_iam_role_policy_attachment" "ccms_ebs_shared_s3" {
   role       = aws_iam_role.role_stsassume_oracle_base.name
   policy_arn = aws_iam_policy.ccms_ebs_shared_s3.arn
 }
+
+
+### Role for Lambda Execution
+
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "lambda_execution_role"
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Action" : "sts:AssumeRole",
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : "lambda.amazonaws.com"
+          }
+        }
+      ]
+    }
+  )
+  tags = merge(local.tags,
+    { Name = lower(format("Lambda Execution Role")) }
+  )
+}
+
+# Attach S3 Policy to Lambda Role
+resource "aws_iam_role_policy_attachment" "s3_policy_lambda" {
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+}
+
+# Attach ENI Management Policy to Lambda Role
+resource "aws_iam_role_policy_attachment" "eni_management_policy_lambda" {
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
+}
+
+# Attach VPC Access Policy to Lambda Role
+resource "aws_iam_role_policy_attachment" "vpc_access_policy_lambda" {
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+# Attach Secrets Manager Policy to Lambda Role
+resource "aws_iam_role_policy_attachment" "secrets_manager_policy_lambda" {
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+}
+

terraform/environments/ccms-ebs/ccms-lambda.tf

@@ -0,0 +1,97 @@
+# Upload the Layer to S3
+
+resource "aws_s3_object" "lambda_layer_s3" {
+  bucket = aws_s3_bucket.lambda_payment_load.bucket
+  key    = "lambda/layer.zip"
+  source = "lambda/layer.zip"
+}
+
+# Lambda Layer
+resource "aws_lambda_layer_version" "lambda_layer" {
+  layer_name               = "${local.application_name}-${local.environment}-payment-load-layer"
+  s3_bucket                = aws_s3_bucket.lambda_payment_load.bucket
+  s3_key                   = aws_s3_object.lambda_layer_s3.key
+  compatible_runtimes      = ["python3.10"]
+  compatible_architectures = ["x86_64"]
+  description              = "Lambda Layer for ${local.application_name} Payment Load"
+
+  depends_on = [aws_s3_object.lambda_layer_s3]
+}
+
+# SG for Lambda
+resource "aws_security_group" "lambda_security_group" {
+  name   = "${local.application_name}-${local.environment}-lambda-sg"
+  description = "SG traffic control for Payment Load Lambda"
+  vpc_id = data.aws_vpc.shared.id
+
+  ingress {
+    from_port   = 1521
+    to_port     = 1522
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.shared.cidr_block]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(local.tags,
+    { Name = "${local.application_name}-${local.environment}-lambda-sg" }
+  )
+}
+
+
+# Lambda Function
+resource "aws_lambda_function" "lambda_function" {
+  function_name = "${local.application_name}-${local.environment}-payment-load"
+  filename      = "lambda/function.zip"
+  handler       = "lambda_function.lambda_handler"
+  runtime       = "python3.10"
+  role          = aws_iam_role.lambda_execution_role.arn
+  layers        = [aws_lambda_layer_version.lambda_layer.arn]
+  architectures = ["x86_64"]
+  memory_size   = 128
+  timeout       = 120
+
+  vpc_config {
+    subnet_ids         = [data.aws_subnet.data_subnets_a.id]
+    security_group_ids = [aws_security_group.lambda_security_group.id]
+  }
+  environment {
+    variables = {
+      IS_PRODUCTION   = local.is-production ? "true" : "false"
+      LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
+      S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
+      SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
+    }
+  }
+
+  tags = merge(local.tags, {
+    Name = "${local.application_name}-${local.environment}-payment-load"
+  })
+
+  depends_on = [aws_lambda_layer_version.lambda_layer]
+}
+
+resource "aws_lambda_permission" "allow_bucket" {
+  statement_id  = "AllowExecutionFromS3Bucket"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.lambda_function.arn
+  principal     = "s3.amazonaws.com"
+  source_arn    = aws_s3_bucket.lambda_payment_load.arn
+}
+
+resource "aws_s3_bucket_notification" "lambda_trigger" {
+  bucket = aws_s3_bucket.lambda_payment_load.id
+
+  lambda_function {
+    lambda_function_arn = aws_lambda_function.lambda_function.arn
+    events              = ["s3:ObjectCreated:*"]
+    filter_suffix       = ".xlsx"
+  }
+
+  depends_on = [aws_lambda_permission.allow_bucket]
+}

terraform/environments/ccms-ebs/ccms-s3.tf

@@ -285,4 +285,11 @@ data "aws_iam_policy_document" "dbbackup_s3_policy" {
 
 resource "aws_s3_bucket" "ccms_ebs_shared" {
   bucket = "${local.application_name}-${local.environment}-shared"
+}
+
+
+### S3 Bucket for Payment Load
+
+resource "aws_s3_bucket" "lambda_payment_load" {
+  bucket = "${local.application_name}-${local.environment}-payment-load"
 }

terraform/environments/ccms-ebs/ccms-secrets.tf

@@ -17,3 +17,14 @@ resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
     { Name = "ses-smtp-credentials-${local.environment}" }
   )
 }
+
+# Secret for Payment Load
+
+resource "aws_secretsmanager_secret" "secret_lambda_s3" {
+  name        = "db-${local.environment}-credentials"
+  description = "AWS credentials for lambda to connect to the db"
+
+  tags = merge(local.tags,
+    { Name = "db-${local.environment}-credentials" }
+  )
+}