NHSDigital
diff --git a/‎.github/workflows/deploy-backend.yml‎
Lines changed: 51 additions & 9 deletions b/‎.github/workflows/deploy-backend.yml‎
Lines changed: 51 additions & 9 deletions
diff --git a/‎.github/workflows/pr-deploy-and-test.yml‎
Lines changed: 0 additions & 4 deletions b/‎.github/workflows/pr-deploy-and-test.yml‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎.github/workflows/pr-teardown.yml‎
Lines changed: 19 additions & 4 deletions b/‎.github/workflows/pr-teardown.yml‎
Lines changed: 19 additions & 4 deletions
diff --git a/‎infrastructure/account/ackbackend_ecr_repo.tf‎
Lines changed: 0 additions & 33 deletions b/‎infrastructure/account/ackbackend_ecr_repo.tf‎
Lines changed: 0 additions & 33 deletions
diff --git a/‎infrastructure/account/lambda_ecr_repos.tf‎
Lines changed: 147 additions & 0 deletions b/‎infrastructure/account/lambda_ecr_repos.tf‎
Lines changed: 147 additions & 0 deletions
diff --git a/‎infrastructure/account/recordprocessor_ecr_repo.tf‎
Lines changed: 0 additions & 30 deletions b/‎infrastructure/account/recordprocessor_ecr_repo.tf‎
Lines changed: 0 additions & 30 deletions
@@ -9,7 +9,7 @@ on:
       lambda_build_flags:
         description: >
           JSON map of lambda_name -> force-build flag.
-          e.g. {"recordprocessor":true,"ack-backend":false}
+          e.g. {"backend":true,"recordprocessor":true,"ack-backend":false}
         required: false
         type: string
         default: "{}"
@@ -73,14 +73,14 @@ on:
       lambda_build_flags:
         description: >
           JSON map of lambda_name -> force-build flag.
-          e.g. {"recordprocessor":true,"ack-backend":false}
+          e.g. {"backend":true,"recordprocessor":true,"ack-backend":false}
         required: false
         type: string
         default: "{}"
       lambda_image_overrides:
         description: >
           JSON map of lambda_name -> immutable image selector for reuse mode.
-          e.g. {"recordprocessor":"internal-dev-git-abc123","ack-backend":"123456789012.dkr.ecr.eu-west-2.amazonaws.com/imms-ackbackend-repo@sha256:..."}
+          e.g. {"backend":"internal-dev-git-abc123","ack-backend":"123456789012.dkr.ecr.eu-west-2.amazonaws.com/imms-ackbackend-repo@sha256:..."}
         required: false
         type: string
         default: "{}"
@@ -118,18 +118,61 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - lambda_name: backend
+            tf_var_suffix: backend
+            ecr_repository: imms-fhir-api-operation-lambda-repo
+            dockerfile_path: lambdas/backend/Dockerfile
+            lambda_paths: lambdas/backend/
+          - lambda_name: batch_processor_filter
+            tf_var_suffix: batch_processor_filter
+            ecr_repository: imms-batch-processor-filter-repo
+            dockerfile_path: lambdas/batch_processor_filter/Dockerfile
+            lambda_paths: lambdas/batch_processor_filter/
+          - lambda_name: delta_backend
+            tf_var_suffix: delta_backend
+            ecr_repository: imms-fhir-api-delta-lambda-repo
+            dockerfile_path: lambdas/delta_backend/Dockerfile
+            lambda_paths: lambdas/delta_backend/
+          - lambda_name: filenameprocessor
+            tf_var_suffix: filenameprocessor
+            ecr_repository: imms-filenameproc-repo
+            dockerfile_path: lambdas/filenameprocessor/Dockerfile
+            lambda_paths: lambdas/filenameprocessor/
+          - lambda_name: id_sync
+            tf_var_suffix: id_sync
+            ecr_repository: imms-id-sync-repo
+            dockerfile_path: lambdas/id_sync/Dockerfile
+            lambda_paths: lambdas/id_sync/
+          - lambda_name: mesh_processor
+            tf_var_suffix: mesh_processor
+            ecr_repository: imms-mesh-processor-repo
+            dockerfile_path: lambdas/mesh_processor/Dockerfile
+            lambda_paths: lambdas/mesh_processor/
+          - lambda_name: mns_publisher
+            tf_var_suffix: mns_publisher
+            ecr_repository: imms-mns-publisher-repo
+            dockerfile_path: lambdas/mns_publisher/Dockerfile
+            lambda_paths: lambdas/mns_publisher/
+          - lambda_name: recordforwarder
+            tf_var_suffix: recordforwarder
+            ecr_repository: imms-forwarding-repo
+            dockerfile_path: lambdas/recordforwarder/Dockerfile
+            lambda_paths: lambdas/recordforwarder/
+          - lambda_name: redis_sync
+            tf_var_suffix: redis_sync
+            ecr_repository: imms-redis-sync-repo
+            dockerfile_path: lambdas/redis_sync/Dockerfile
+            lambda_paths: lambdas/redis_sync/
           - lambda_name: recordprocessor
             tf_var_suffix: recordprocessor
             ecr_repository: imms-recordprocessor-repo
             dockerfile_path: lambdas/recordprocessor/Dockerfile
-            lambda_paths: |
-              lambdas/recordprocessor/
+            lambda_paths: lambdas/recordprocessor/
           - lambda_name: ack-backend
             tf_var_suffix: ack_backend
             ecr_repository: imms-ackbackend-repo
             dockerfile_path: lambdas/ack_backend/Dockerfile
-            lambda_paths: |
-              lambdas/ack_backend/
+            lambda_paths: lambdas/ack_backend/
     uses: ./.github/workflows/deploy-lambda-artifact.yml
     with:
       lambda_name: ${{ matrix.lambda_name }}
@@ -142,8 +185,7 @@ jobs:
       diff_base_sha: ${{ inputs.diff_base_sha }}
       diff_head_sha: ${{ inputs.diff_head_sha }}
       lambda_paths: ${{ matrix.lambda_paths }}
-      shared_paths: |
-        lambdas/shared/src/common/
+      shared_paths: lambdas/shared/src/common/
       docker_context_path: lambdas
       dockerfile_path: ${{ matrix.dockerfile_path }}
       ecr_repository: ${{ matrix.ecr_repository }}
 
@@ -20,10 +20,6 @@ jobs:
     uses: ./.github/workflows/deploy-backend.yml
     with:
       apigee_environment: internal-dev
-      lambda_build_flags: >-
-        ${{ (github.event.action == 'opened' || github.event.action == 'reopened')
-            && '{"recordprocessor":true,"ack-backend":true}'
-            || '{}' }}
       diff_base_sha: ${{ github.event.action == 'synchronize' && github.event.before || github.event.pull_request.base.sha }}
       diff_head_sha: ${{ github.event.pull_request.head.sha }}
       run_diff_check: ${{ github.event.action == 'synchronize' }}
 
@@ -20,6 +20,18 @@ jobs:
       APIGEE_ENVIRONMENT: internal-dev
       BACKEND_ENVIRONMENT: dev
       BACKEND_SUB_ENVIRONMENT: pr-${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr_number }}
+      LAMBDA_IMAGE_BINDINGS: |
+        backend_image_uri:imms-fhir-api-operation-lambda-repo
+        batch_processor_filter_image_uri:imms-batch-processor-filter-repo
+        delta_backend_image_uri:imms-fhir-api-delta-lambda-repo
+        filenameprocessor_image_uri:imms-filenameproc-repo
+        id_sync_image_uri:imms-id-sync-repo
+        mesh_processor_image_uri:imms-mesh-processor-repo
+        mns_publisher_image_uri:imms-mns-publisher-repo
+        recordprocessor_image_uri:imms-recordprocessor-repo
+        recordforwarder_image_uri:imms-forwarding-repo
+        ack_backend_image_uri:imms-ackbackend-repo
+        redis_sync_image_uri:imms-redis-sync-repo
     permissions:
       id-token: write
       contents: read
@@ -53,8 +65,10 @@ jobs:
             local uri="$(make -s output "name=$1" 2>/dev/null || true)"
             echo "${uri:-placeholder.dkr.ecr.eu-west-2.amazonaws.com/$2@sha256:0000000000000000000000000000000000000000000000000000000000000000}"
           }
-          echo "TF_VAR_recordprocessor_image_uri=$(resolve_or_placeholder recordprocessor_image_uri imms-recordprocessor-repo)" >> $GITHUB_ENV
-          echo "TF_VAR_ack_backend_image_uri=$(resolve_or_placeholder ack_backend_image_uri imms-ackbackend-repo)" >> $GITHUB_ENV
+          while IFS=: read -r output_name repository_name; do
+            [ -n "${output_name}" ] || continue
+            echo "TF_VAR_${output_name}=$(resolve_or_placeholder "${output_name}" "${repository_name}")" >> $GITHUB_ENV
+          done <<< "${LAMBDA_IMAGE_BINDINGS}"
 
       - name: Install poetry
         run: pip install poetry==2.1.4
@@ -129,6 +143,7 @@ jobs:
               --output json
           }
 
-          for repository_name in imms-recordprocessor-repo imms-ackbackend-repo; do
+          while IFS=: read -r _ repository_name; do
+            [ -n "${repository_name}" ] || continue
             cleanup_repo_by_prefix "${repository_name}"
-          done
+          done <<< "${LAMBDA_IMAGE_BINDINGS}"
@@ -0,0 +1,147 @@
+locals {
+  lambda_source_arn_prefix = "arn:aws:lambda:${var.aws_region}:${var.imms_account_id}:function:imms-"
+  lambda_image_retrieval_actions = [
+    "ecr:BatchGetImage",
+    "ecr:GetDownloadUrlForLayer"
+  ]
+  recordprocessor_lifecycle_policy = jsonencode({
+    rules = [
+      {
+        rulePriority = 1
+        description  = "Keep last 10 images."
+        selection = {
+          tagStatus   = "any"
+          countType   = "imageCountMoreThan"
+          countNumber = 10
+        }
+        action = {
+          type = "expire"
+        }
+      }
+    ]
+  })
+}
+
+locals {
+  lambda_ecr_repositories = {
+    operation = {
+      name = "imms-fhir-api-operation-lambda-repo"
+      lambda_source_names = [
+        "*_get_status",
+        "*_not_found",
+        "*_search_imms",
+        "*_get_imms",
+        "*_delete_imms",
+        "*_create_imms",
+        "*_update_imms"
+      ]
+    }
+    batch_processor_filter = {
+      name                = "imms-batch-processor-filter-repo"
+      lambda_source_names = ["*-batch-processor-filter-lambda"]
+    }
+    delta = {
+      name                = "imms-fhir-api-delta-lambda-repo"
+      lambda_source_names = ["*-delta-lambda"]
+    }
+    filenameprocessor = {
+      name                = "imms-filenameproc-repo"
+      lambda_source_names = ["*-filenameproc-lambda"]
+    }
+    id_sync = {
+      name                = "imms-id-sync-repo"
+      lambda_source_names = ["*-id-sync-lambda"]
+    }
+    mesh_processor = {
+      name                = "imms-mesh-processor-repo"
+      lambda_source_names = ["*-mesh-processor-lambda"]
+    }
+    mns_publisher = {
+      name                = "imms-mns-publisher-repo"
+      lambda_source_names = ["*-mns-publisher-lambda"]
+    }
+    ack_backend = {
+      name                = "imms-ackbackend-repo"
+      lambda_source_names = ["*-ack-lambda"]
+    }
+    recordforwarder = {
+      name                = "imms-forwarding-repo"
+      lambda_source_names = ["*-forwarding-lambda"]
+    }
+    recordprocessor = {
+      name             = "imms-recordprocessor-repo"
+      lifecycle_policy = local.recordprocessor_lifecycle_policy
+    }
+    redis_sync = {
+      name                = "imms-redis-sync-repo"
+      lambda_source_names = ["*-redis-sync-lambda"]
+    }
+  }
+}
+
+resource "aws_ecr_repository" "lambda_repository" {
+  for_each = local.lambda_ecr_repositories
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  image_tag_mutability = "IMMUTABLE"
+  name                 = each.value.name
+}
+
+resource "aws_ecr_repository_policy" "lambda_repository_image_retrieval_policy" {
+  for_each = {
+    for key, repo in local.lambda_ecr_repositories : key => repo if try(repo.lambda_source_names, null) != null
+  }
+
+  repository = aws_ecr_repository.lambda_repository[each.key].name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "LambdaECRImageRetrievalPolicy"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+        Action = local.lambda_image_retrieval_actions
+        Condition = {
+          StringLike = {
+            "aws:sourceArn" = formatlist("${local.lambda_source_arn_prefix}%s", each.value.lambda_source_names)
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_ecr_lifecycle_policy" "lambda_repository_lifecycle_policy" {
+  for_each = {
+    for key, repo in local.lambda_ecr_repositories : key => repo if try(repo.lifecycle_policy, null) != null
+  }
+
+  repository = aws_ecr_repository.lambda_repository[each.key].name
+  policy     = each.value.lifecycle_policy
+}
+
+moved {
+  from = aws_ecr_repository.ackbackend_repository
+  to   = aws_ecr_repository.lambda_repository["ack_backend"]
+}
+
+moved {
+  from = aws_ecr_repository_policy.ackbackend_repository_lambda_image_retrieval_policy
+  to   = aws_ecr_repository_policy.lambda_repository_image_retrieval_policy["ack_backend"]
+}
+
+moved {
+  from = aws_ecr_repository.recordprocessor_repository
+  to   = aws_ecr_repository.lambda_repository["recordprocessor"]
+}
+
+moved {
+  from = aws_ecr_lifecycle_policy.recordprocessor_repository_lifecycle_policy
+  to   = aws_ecr_lifecycle_policy.lambda_repository_lifecycle_policy["recordprocessor"]
+}