Refactor Lambda event source mappings and update deployment workflows

- Removed the management of shared Lambda triggers for blue/green deployments from the deploy-backend.yml workflow.
- Introduced a new workflow step to apply Lambda event source mappings from a dedicated directory.
- Added a script to adopt existing event source mappings for Lambda functions, streamlining the deployment process.
- Updated the pr-teardown.yml workflow to include the destruction of Lambda event source mappings.
- Created new Terraform configuration files for managing event source mappings, including variables and outputs.
- Updated README.md to reflect changes in the Lambda trigger management process.

Author: Thomas-Boyle

.github/workflows/deploy-backend.yml

@@ -251,10 +251,6 @@ jobs:
         working-directory: infrastructure/instance
         run: make workspace
 
-      - name: Adopt shared Lambda triggers for blue/green deploys
-        working-directory: infrastructure/instance
-        run: bash ../../utilities/scripts/manage_blue_green_event_source_mappings.sh prepare-state
-
       - name: Terraform Plan
         # Ignore cancellations to prevent Terraform from being killed while it holds a state lock
         # A stuck process can still be killed with the force-cancel API operation
@@ -305,11 +301,6 @@ jobs:
         working-directory: infrastructure/instance
         run: make workspace
 
-      - name: Remove stale Lambda triggers for blue/green deploys
-        if: ${{ !failure() }}
-        working-directory: infrastructure/instance
-        run: bash ../../utilities/scripts/manage_blue_green_event_source_mappings.sh cleanup-stale
-
       - name: Terraform Apply
         # Ignore cancellations to prevent Terraform from being killed while it holds a state lock
         # A stuck process can still be killed with the force-cancel API operation
@@ -319,6 +310,14 @@ jobs:
           make apply-ci
           echo "ID_SYNC_QUEUE_ARN=$(make -s output name=id_sync_queue_arn)" >> $GITHUB_ENV
 
+      - name: Apply Lambda event source mappings
+        if: ${{ !failure() }}
+        working-directory: infrastructure/event_source_mappings
+        run: |
+          make init
+          make adopt
+          make apply
+
       - name: Install poetry
         if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
         run: pip install poetry==2.1.4

.github/workflows/pr-teardown.yml

@@ -92,6 +92,12 @@ jobs:
           echo "Unsubscribing SQS to MNS for notifications..."
           make unsubscribe
 
+      - name: Destroy Lambda event source mappings
+        working-directory: infrastructure/event_source_mappings
+        run: |
+          make init apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+          make destroy apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+
       - name: Terraform Destroy
         working-directory: infrastructure/instance
         run: |

infrastructure/event_source_mappings/.terraform.lock.hcl

@@ -0,0 +1,46 @@
+-include .env
+
+apigee_environment ?= $(APIGEE_ENVIRONMENT)
+environment        ?= $(ENVIRONMENT)
+sub_environment    ?= $(SUB_ENVIRONMENT)
+sub_environment_dir := $(if $(findstring pr-,$(sub_environment)),pr,$(sub_environment))
+tf_var_file        := ../instance/environments/$(environment)/$(sub_environment_dir)/variables.tfvars
+has_sub_environment_scope = $(shell awk -F= '/^has_sub_environment_scope/ { gsub(/[[:space:]]/, "", $$2); print $$2 }' "$(tf_var_file)")
+workspace_name = $(if $(filter false,$(has_sub_environment_scope)),$(environment),$(sub_environment))
+
+tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform
+
+bucket_name = $(if $(filter dev,$(environment)),immunisation-$(apigee_environment),immunisation-$(environment))-terraform-state-files
+
+tf_state = \
+  -backend-config="bucket=$(bucket_name)" \
+  -backend-config="key=event-source-mappings/state"
+
+tf_vars = \
+  -var="sub_environment=$(sub_environment)" \
+  -var-file="$(tf_var_file)"
+
+init:
+	$(tf_cmd) init $(tf_state) -upgrade
+
+workspace:
+	$(tf_cmd) workspace select -or-create $(workspace_name) && echo "Switched to workspace/environment: $(workspace_name)"
+
+adopt: workspace
+	ENVIRONMENT='$(environment)' SUB_ENVIRONMENT='$(sub_environment)' RESOURCE_SCOPE='$(workspace_name)' bash ../../utilities/scripts/adopt_event_source_mappings.sh $(tf_vars)
+
+plan: workspace
+	$(tf_cmd) plan $(tf_vars)
+
+apply: workspace
+	$(tf_cmd) apply $(tf_vars) --auto-approve
+
+destroy: workspace
+	$(tf_cmd) destroy $(tf_vars) -auto-approve
+	$(tf_cmd) workspace select default
+	$(tf_cmd) workspace delete $(workspace_name)
+
+output:
+	$(tf_cmd) output -raw $(name)
+
+.PHONY : init workspace adopt plan apply destroy output

infrastructure/event_source_mappings/Makefile

@@ -0,0 +1,78 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6"
+    }
+  }
+  backend "s3" {
+    region       = "eu-west-2"
+    key          = "event-source-mappings/state"
+    use_lockfile = true
+  }
+  required_version = ">= 1.5.0"
+}
+
+provider "aws" {
+  region = var.aws_region
+  default_tags {
+    tags = {
+      Project     = var.project_name
+      Environment = local.resource_scope
+      Service     = var.service
+    }
+  }
+}
+
+locals {
+  resource_scope      = var.has_sub_environment_scope ? var.sub_environment : var.environment
+  short_prefix        = "${var.project_short_name}-${var.sub_environment}"
+  events_table_name   = "imms-${local.resource_scope}-imms-events"
+  id_sync_queue_name  = "imms-${local.resource_scope}-id-sync-queue"
+  delta_lambda_name   = "${local.short_prefix}-delta-lambda"
+  delta_dlq_name      = "${local.short_prefix}-delta-dlq"
+  id_sync_lambda_name = "${local.short_prefix}-id-sync-lambda"
+}
+
+data "aws_dynamodb_table" "events" {
+  name = local.events_table_name
+}
+
+data "aws_sqs_queue" "delta_dlq" {
+  name = local.delta_dlq_name
+}
+
+data "aws_sqs_queue" "id_sync" {
+  name = local.id_sync_queue_name
+}
+
+data "aws_lambda_function" "delta" {
+  function_name = local.delta_lambda_name
+}
+
+data "aws_lambda_function" "id_sync" {
+  function_name = local.id_sync_lambda_name
+}
+
+resource "aws_lambda_event_source_mapping" "delta_trigger" {
+  event_source_arn  = data.aws_dynamodb_table.events.stream_arn
+  function_name     = data.aws_lambda_function.delta.function_name
+  starting_position = "TRIM_HORIZON"
+
+  destination_config {
+    on_failure {
+      destination_arn = data.aws_sqs_queue.delta_dlq.arn
+    }
+  }
+
+  maximum_retry_attempts = 0
+}
+
+resource "aws_lambda_event_source_mapping" "id_sync_sqs_trigger" {
+  event_source_arn = data.aws_sqs_queue.id_sync.arn
+  function_name    = data.aws_lambda_function.id_sync.arn
+
+  batch_size                         = 10
+  maximum_batching_window_in_seconds = 5
+  function_response_types            = ["ReportBatchItemFailures"]
+}

infrastructure/event_source_mappings/main.tf

@@ -0,0 +1,4 @@
+output "id_sync_queue_arn" {
+  description = "The ARN of the ID Sync (MNS NHS Number change) SQS queue"
+  value       = data.aws_sqs_queue.id_sync.arn
+}

infrastructure/event_source_mappings/outputs.tf

@@ -0,0 +1,97 @@
+variable "environment" {
+  type        = string
+  description = "Environment (AWS Account) name - dev, preprod or prod"
+}
+
+variable "sub_environment" {
+  type        = string
+  description = "Sub-environment name, e.g. internal-dev, int-blue, blue"
+}
+
+variable "has_sub_environment_scope" {
+  description = "True if resources are scoped to the sub-environment. False for blue/green shared resources."
+  type        = bool
+  default     = false
+}
+
+variable "project_name" {
+  type    = string
+  default = "immunisation"
+}
+
+variable "project_short_name" {
+  type    = string
+  default = "imms"
+}
+
+variable "service" {
+  type    = string
+  default = "fhir-api"
+}
+
+variable "aws_region" {
+  type    = string
+  default = "eu-west-2"
+
+  validation {
+    condition     = var.aws_region == "eu-west-2"
+    error_message = "AWS Region must be set to eu-west-2."
+  }
+}
+
+variable "immunisation_account_id" {
+  type        = string
+  description = "Immunisation AWS Account ID"
+}
+
+variable "dspp_core_account_id" {
+  type        = string
+  description = "DSPP Core AWS Account ID"
+}
+
+variable "mns_account_id" {
+  type        = string
+  description = "MNS AWS account ID - trusted source for MNS notifications"
+  default     = "631615744739"
+}
+
+variable "pds_environment" {
+  type    = string
+  default = "int"
+}
+
+variable "mns_environment" {
+  type    = string
+  default = "int"
+}
+
+variable "error_alarm_notifications_enabled" {
+  default     = true
+  description = "Switch to enable error alarm notifications to Slack"
+  type        = bool
+}
+
+variable "create_mesh_processor" {
+  type    = bool
+  default = false
+}
+
+variable "mesh_no_invocation_period_seconds" {
+  type    = number
+  default = 300
+}
+
+variable "dspp_submission_s3_bucket_name" {
+  type    = string
+  default = "nhsd-dspp-core-ref-s3-submission-upload"
+}
+
+variable "dspp_submission_kms_key_alias" {
+  type    = string
+  default = "nhsd-dspp-core-ref-s3-submission-upload-key"
+}
+
+variable "dynamodb_point_in_time_recovery_enabled" {
+  type    = bool
+  default = false
+}

infrastructure/event_source_mappings/variables.tf

@@ -34,8 +34,6 @@ Note: If you switch environment configuration in .env ensure that you run `make
 If you want to apply Terraform to a workspace created by a PR you can set the above SUB_ENVIRONMENT to the `PR-number` and ENVIRONMENT set to `dev`.
 E.g. `pr-57`. You can use this to test out changes when tests fail in CI.
 
-## Blue/Green Lambda Trigger Handoff
+## Lambda Trigger Handoff
 
-For split sub-environments such as `int-blue`/`int-green` and `prod-blue`/`prod-green`, the deploy workflow now reimports the shared `delta_trigger` and `id_sync_sqs_trigger` resources into the target Terraform workspace before planning. On apply, it also deletes any stale trigger that still points at the target side's old dedicated Lambda function.
-
-This removes the release-time `Disable delta` and `Disable ID sync` steps from the repository-managed deployment flow. The remaining operational follow-up is outside this repository: update the Jira Smart Checklist release templates to remove those manual checklist items once the automated flow has been rolled out.
+The `delta_trigger` and `id_sync_sqs_trigger` event source mappings are managed from `../event_source_mappings` so the main instance plan does not rewrite shared backend state. The deploy workflow applies the main instance first, then adopts or updates the trigger mappings from the dedicated trigger workspace.

infrastructure/instance/README.md

@@ -70,20 +70,6 @@ resource "aws_lambda_function" "delta_sync_lambda" {
   ]
 }
 
-
-resource "aws_lambda_event_source_mapping" "delta_trigger" {
-  event_source_arn  = aws_dynamodb_table.events-dynamodb-table.stream_arn
-  function_name     = aws_lambda_function.delta_sync_lambda.function_name
-  starting_position = "TRIM_HORIZON"
-  destination_config {
-    on_failure {
-      destination_arn = aws_sqs_queue.dlq.arn
-    }
-  }
-  maximum_retry_attempts = 0
-}
-
-
 resource "aws_sqs_queue" "dlq" {
   name = "${local.short_prefix}-${local.dlq_name}"
 }

infrastructure/instance/delta.tf

@@ -258,20 +258,3 @@ resource "aws_cloudwatch_metric_alarm" "id_sync_error_alarm" {
   alarm_actions       = [data.aws_sns_topic.imms_system_alert_errors.arn]
   treat_missing_data  = "notBreaching"
 }
-
-
-
-# delete config_lambda_notification / new_s3_invoke_permission - not required; duplicate
-
-# NEW
-resource "aws_lambda_event_source_mapping" "id_sync_sqs_trigger" {
-  event_source_arn = aws_sqs_queue.id_sync_queue.arn
-  function_name    = aws_lambda_function.id_sync_lambda.arn
-
-  # Optional: Configure batch size and other settings
-  batch_size                         = 10
-  maximum_batching_window_in_seconds = 5
-
-  # Optional: Configure error handling
-  function_response_types = ["ReportBatchItemFailures"]
-}