VED-1040: Terraform tidy (#1172)

* Consolidate lambda names to use hyphens

Also tidy us hard coded aws regions and use vars instead

* Revert to hard coded region in main.tf

* Review comment

* Review comment - add tf validation to aws region

* Tidy up generic validator code from redis_sync lambda

Author: edhall-nhs

infrastructure/account/csoc_eventforwarder_role.tf

@@ -27,7 +27,7 @@ resource "aws_iam_role_policy" "eventbridge_forwarder_policy" {
       Effect = "Allow",
       Action = ["events:PutEvents"],
       Resource = [
-        "arn:aws:events:eu-west-2:${var.csoc_account_id}:event-bus/shield-eventbus"
+        "arn:aws:events:${var.aws_region}:${var.csoc_account_id}:event-bus/shield-eventbus"
       ]
     }]
   })

infrastructure/account/endpoints.tf

@@ -1,8 +1,8 @@
 data "aws_ec2_managed_prefix_list" "egress" {
   for_each = toset([
     "com.amazonaws.global.cloudfront.origin-facing",
-    "com.amazonaws.eu-west-2.dynamodb",
-    "com.amazonaws.eu-west-2.s3"
+    "com.amazonaws.${var.aws_region}.dynamodb",
+    "com.amazonaws.${var.aws_region}.s3"
   ])
 
   name = each.value

infrastructure/account/shield_protection.tf

@@ -101,7 +101,7 @@ resource "aws_cloudwatch_event_rule" "shield_ddos_rule_regional" {
 resource "aws_cloudwatch_event_target" "shield_ddos_target_regional" {
   rule      = aws_cloudwatch_event_rule.shield_ddos_rule_regional.name
   target_id = "csoc-eventbus"
-  arn       = "arn:aws:events:eu-west-2:${var.csoc_account_id}:event-bus/shield-eventbus"
+  arn       = "arn:aws:events:${var.aws_region}:${var.csoc_account_id}:event-bus/shield-eventbus"
   role_arn  = aws_iam_role.eventbridge_forwarder_role.arn
 }
 

infrastructure/instance/ack_lambda.tf

@@ -1,11 +1,9 @@
 # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
 locals {
-  ack_lambda_dir = abspath("${path.root}/../../lambdas/ack_backend")
-
-  ack_lambda_files = fileset(local.ack_lambda_dir, "**")
-
+  ack_lambda_dir     = abspath("${path.root}/../../lambdas/ack_backend")
+  ack_lambda_files   = fileset(local.ack_lambda_dir, "**")
   ack_lambda_dir_sha = sha1(join("", [for f in local.ack_lambda_files : filesha1("${local.ack_lambda_dir}/${f}")]))
-  ack_lambda_name    = "${local.short_prefix}-ack_lambda"
+  ack_lambda_name    = "${local.short_prefix}-ack-lambda"
 }
 
 
@@ -72,7 +70,7 @@ resource "aws_ecr_repository_policy" "ack_lambda_ECRImageRetreival_policy" {
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-ack-lambda"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.ack_lambda_name}"
           }
         }
       }
@@ -82,7 +80,7 @@ resource "aws_ecr_repository_policy" "ack_lambda_ECRImageRetreival_policy" {
 
 # IAM Role for Lambda
 resource "aws_iam_role" "ack_lambda_exec_role" {
-  name = "${local.short_prefix}-ack-lambda-exec-role"
+  name = "${local.ack_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -98,7 +96,7 @@ resource "aws_iam_role" "ack_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "ack_lambda_exec_policy" {
-  name = "${local.short_prefix}-ack-lambda-exec-policy"
+  name = "${local.ack_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -109,7 +107,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:eu-west-2:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-ack-lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.ack_lambda_name}:*"
       },
       {
         Effect = "Allow"
@@ -145,7 +143,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" {
           "sqs:DeleteMessage",
           "sqs:GetQueueAttributes"
         ],
-      Resource = "arn:aws:sqs:eu-west-2:${var.immunisation_account_id}:${local.short_prefix}-ack-metadata-queue.fifo" },
+      Resource = "arn:aws:sqs:${var.aws_region}:${var.immunisation_account_id}:${local.short_prefix}-ack-metadata-queue.fifo" },
       {
         "Effect" : "Allow",
         "Action" : [
@@ -159,7 +157,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" {
 }
 
 resource "aws_cloudwatch_log_group" "ack_lambda_log_group" {
-  name              = "/aws/lambda/${local.short_prefix}-ack-lambda"
+  name              = "/aws/lambda/${local.ack_lambda_name}"
   retention_in_days = 30
 }
 
@@ -200,7 +198,7 @@ resource "aws_iam_role_policy_attachment" "lambda_kms_policy_attachment" {
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "ack_processor_lambda" {
-  function_name = "${local.short_prefix}-ack-lambda"
+  function_name = local.ack_lambda_name
   role          = aws_iam_role.ack_lambda_exec_role.arn
   package_type  = "Image"
   image_uri     = module.ack_processor_docker_image.image_uri

infrastructure/instance/batch_processor_filter_lambda.tf

@@ -3,6 +3,7 @@ locals {
   batch_processor_filter_lambda_dir     = abspath("${path.root}/../../lambdas/batch_processor_filter")
   batch_processor_filter_lambda_files   = fileset(local.batch_processor_filter_lambda_dir, "**")
   batch_processor_filter_lambda_dir_sha = sha1(join("", [for f in local.batch_processor_filter_lambda_files : filesha1("${local.batch_processor_filter_lambda_dir}/${f}")]))
+  batch_processor_filter_lambda_name    = "${local.short_prefix}-batch-processor-filter-lambda"
 }
 
 resource "aws_ecr_repository" "batch_processor_filter_lambda_repository" {
@@ -69,7 +70,7 @@ resource "aws_ecr_repository_policy" "batch_processor_filter_lambda_ECRImageRetr
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}-batch-processor-filter-lambda"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.batch_processor_filter_lambda_name}"
           }
         }
       }
@@ -79,7 +80,7 @@ resource "aws_ecr_repository_policy" "batch_processor_filter_lambda_ECRImageRetr
 
 # IAM Role for Lambda
 resource "aws_iam_role" "batch_processor_filter_lambda_exec_role" {
-  name = "${local.short_prefix}-batch-processor-filter-lambda-exec-role"
+  name = "${local.batch_processor_filter_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -95,7 +96,7 @@ resource "aws_iam_role" "batch_processor_filter_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "batch_processor_filter_lambda_exec_policy" {
-  name = "${local.short_prefix}-batch-processor-filter-lambda-exec-policy"
+  name = "${local.batch_processor_filter_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -106,7 +107,7 @@ resource "aws_iam_policy" "batch_processor_filter_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-batch-processor-filter-lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.batch_processor_filter_lambda_name}:*"
       },
       {
         Effect = "Allow",
@@ -157,7 +158,7 @@ resource "aws_iam_policy" "batch_processor_filter_lambda_exec_policy" {
 
 # Policy for Lambda to interact with SQS
 resource "aws_iam_policy" "batch_processor_filter_lambda_sqs_policy" {
-  name = "${local.short_prefix}-batch-processor-filter-lambda-sqs-policy"
+  name = "${local.batch_processor_filter_lambda_name}-sqs-policy"
 
   policy = jsonencode({
     Version = "2012-10-17",
@@ -183,7 +184,7 @@ resource "aws_iam_policy" "batch_processor_filter_lambda_sqs_policy" {
 }
 
 resource "aws_iam_policy" "batch_processor_filter_lambda_kms_access_policy" {
-  name        = "${local.short_prefix}-batch-processor-filter-lambda-kms-policy"
+  name        = "${local.batch_processor_filter_lambda_name}-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
   policy = jsonencode({
@@ -261,7 +262,7 @@ resource "aws_iam_role_policy_attachment" "batch_processor_filter_lambda_dynamo_
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "batch_processor_filter_lambda" {
-  function_name = "${local.short_prefix}-batch-processor-filter-lambda"
+  function_name = local.batch_processor_filter_lambda_name
   role          = aws_iam_role.batch_processor_filter_lambda_exec_role.arn
   package_type  = "Image"
   image_uri     = module.batch_processor_filter_docker_image.image_uri
@@ -293,7 +294,7 @@ resource "aws_lambda_function" "batch_processor_filter_lambda" {
 }
 
 resource "aws_cloudwatch_log_group" "batch_processor_filter_lambda_log_group" {
-  name              = "/aws/lambda/${local.short_prefix}-batch-processor-filter-lambda"
+  name              = "/aws/lambda/${local.batch_processor_filter_lambda_name}"
   retention_in_days = 30
 }
 
@@ -322,7 +323,7 @@ resource "aws_cloudwatch_log_metric_filter" "batch_processor_filter_error_logs"
 resource "aws_cloudwatch_metric_alarm" "batch_processor_filter_error_alarm" {
   count = var.error_alarm_notifications_enabled ? 1 : 0
 
-  alarm_name          = "${local.short_prefix}-batch-processor-filter-lambda-error"
+  alarm_name          = "${local.batch_processor_filter_lambda_name}-error"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   metric_name         = "${local.short_prefix}-BatchProcessorFilterErrorLogs"

infrastructure/instance/delta.tf

@@ -1,10 +1,9 @@
 locals {
-  delta_lambda_dir = abspath("${path.root}/../../lambdas/delta_backend")
-  delta_files      = fileset(local.delta_lambda_dir, "**")
-  delta_dir_sha    = sha1(join("", [for f in local.delta_files : filesha1("${local.delta_lambda_dir}/${f}")]))
-  function_name    = "delta"
-  dlq_name         = "delta-dlq"
-  sns_name         = "delta-sns"
+  delta_lambda_dir  = abspath("${path.root}/../../lambdas/delta_backend")
+  delta_files       = fileset(local.delta_lambda_dir, "**")
+  delta_dir_sha     = sha1(join("", [for f in local.delta_files : filesha1("${local.delta_lambda_dir}/${f}")]))
+  delta_lambda_name = "${local.short_prefix}-delta-lambda"
+  dlq_name          = "delta-dlq"
 }
 
 resource "aws_ecr_repository" "delta_lambda_repository" {
@@ -71,7 +70,7 @@ resource "aws_ecr_repository_policy" "delta_lambda_ECRImageRetreival_policy" {
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-${local.function_name}"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.delta_lambda_name}"
           }
         }
       }
@@ -101,33 +100,29 @@ data "aws_iam_policy_document" "delta_policy_document" {
 }
 
 resource "aws_iam_role" "delta_lambda_role" {
-  name               = "${local.short_prefix}-${local.function_name}-role"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
+  name = "${local.delta_lambda_name}-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Sid    = "",
+      Principal = {
+        Service = "lambda.amazonaws.com"
       },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
+      Action = "sts:AssumeRole"
+    }]
+  })
 }
 
 resource "aws_iam_role_policy" "lambda_role_policy" {
-  name   = "${local.prefix}-${local.function_name}-policy"
+  name   = "${local.prefix}-delta-policy"
   role   = aws_iam_role.delta_lambda_role.id
   policy = data.aws_iam_policy_document.delta_policy_document.json
 }
 
 
 resource "aws_lambda_function" "delta_sync_lambda" {
-  function_name = "${local.short_prefix}-${local.function_name}"
+  function_name = local.delta_lambda_name
   role          = aws_iam_role.delta_lambda_role.arn
   package_type  = "Image"
   architectures = ["x86_64"]
@@ -168,7 +163,7 @@ resource "aws_sqs_queue" "dlq" {
 }
 
 resource "aws_cloudwatch_log_group" "delta_lambda" {
-  name              = "/aws/lambda/${local.short_prefix}-${local.function_name}"
+  name              = "/aws/lambda/${local.delta_lambda_name}"
   retention_in_days = 30
 }
 
@@ -190,7 +185,7 @@ resource "aws_cloudwatch_log_metric_filter" "delta_error_logs" {
 resource "aws_cloudwatch_metric_alarm" "delta_error_alarm" {
   count = var.error_alarm_notifications_enabled ? 1 : 0
 
-  alarm_name          = "${local.short_prefix}-delta-lambda-error"
+  alarm_name          = "${local.delta_lambda_name}-error"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   metric_name         = "${local.short_prefix}-DeltaErrorLogs"
@@ -201,4 +196,4 @@ resource "aws_cloudwatch_metric_alarm" "delta_error_alarm" {
   alarm_description   = "This sets off an alarm for any error logs found in the delta Lambda function"
   alarm_actions       = [data.aws_sns_topic.imms_system_alert_errors.arn]
   treat_missing_data  = "notBreaching"
-}
+}

infrastructure/instance/endpoints.tf

@@ -30,7 +30,7 @@ locals {
     # except for prod and ref, any other env uses PDS int environment
     "PDS_ENV"              = var.pds_environment
     "SPLUNK_FIREHOSE_NAME" = module.splunk.firehose_stream_name
-    "SQS_QUEUE_URL"        = "https://sqs.eu-west-2.amazonaws.com/${var.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo"
+    "SQS_QUEUE_URL"        = "https://sqs.${var.aws_region}.amazonaws.com/${var.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo"
     "REDIS_HOST"           = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
     "REDIS_PORT"           = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
   }

infrastructure/instance/file_name_processor.tf

@@ -3,6 +3,8 @@ locals {
   filename_lambda_dir     = abspath("${path.root}/../../lambdas/filenameprocessor")
   filename_lambda_files   = fileset(local.filename_lambda_dir, "**")
   filename_lambda_dir_sha = sha1(join("", [for f in local.filename_lambda_files : filesha1("${local.filename_lambda_dir}/${f}")]))
+  filename_lambda_name    = "${local.short_prefix}-filenameproc-lambda"
+
   dps_bucket_name_for_extended_attribute = (
     var.environment == "prod"
     ? "nhsd-dspp-core-prod-extended-attributes-gdp"
@@ -79,7 +81,7 @@ resource "aws_ecr_repository_policy" "filenameprocessor_lambda_ECRImageRetreival
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-filenameproc_lambda"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.filename_lambda_name}"
           }
         }
       }
@@ -89,7 +91,7 @@ resource "aws_ecr_repository_policy" "filenameprocessor_lambda_ECRImageRetreival
 
 # IAM Role for Lambda
 resource "aws_iam_role" "filenameprocessor_lambda_exec_role" {
-  name = "${local.short_prefix}-filenameproc-lambda-exec-role"
+  name = "${local.filename_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -105,7 +107,7 @@ resource "aws_iam_role" "filenameprocessor_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "filenameprocessor_lambda_exec_policy" {
-  name = "${local.short_prefix}-filenameproc-lambda-exec-policy"
+  name = "${local.filename_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -116,7 +118,7 @@ resource "aws_iam_policy" "filenameprocessor_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-filenameproc_lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.filename_lambda_name}:*"
       },
       {
         Effect = "Allow"
@@ -186,7 +188,7 @@ resource "aws_iam_policy" "filenameprocessor_lambda_exec_policy" {
 
 # Policy for Lambda to interact with SQS
 resource "aws_iam_policy" "filenameprocessor_lambda_sqs_policy" {
-  name = "${local.short_prefix}-filenameproc-lambda-sqs-policy"
+  name = "${local.filename_lambda_name}-sqs-policy"
 
   policy = jsonencode({
     Version = "2012-10-17",
@@ -201,7 +203,7 @@ resource "aws_iam_policy" "filenameprocessor_lambda_sqs_policy" {
 }
 
 resource "aws_iam_policy" "filenameprocessor_lambda_kms_access_policy" {
-  name        = "${local.short_prefix}-filenameproc-lambda-kms-policy"
+  name        = "${local.filename_lambda_name}-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
   policy = jsonencode({
@@ -268,7 +270,7 @@ resource "aws_iam_policy" "filenameprocessor_dps_extended_attribute_kms_policy"
           "kms:GenerateDataKey",
           "kms:DescribeKey"
         ],
-        Resource = "arn:aws:kms:eu-west-2:${var.dspp_core_account_id}:key/*",
+        Resource = "arn:aws:kms:${var.aws_region}:${var.dspp_core_account_id}:key/*",
         "Condition" = {
           "ForAnyValue:StringEquals" = {
             "kms:ResourceAliases" = "alias/${var.dspp_kms_key_alias}"
@@ -311,7 +313,7 @@ resource "aws_iam_role_policy_attachment" "filenameprocessor_lambda_dynamo_acces
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "file_processor_lambda" {
-  function_name = "${local.short_prefix}-filenameproc_lambda"
+  function_name = local.filename_lambda_name
   role          = aws_iam_role.filenameprocessor_lambda_exec_role.arn
   package_type  = "Image"
   image_uri     = module.file_processor_docker_image.image_uri
@@ -371,7 +373,7 @@ resource "aws_s3_bucket_notification" "datasources_lambda_notification" {
 }
 
 resource "aws_cloudwatch_log_group" "file_name_processor_log_group" {
-  name              = "/aws/lambda/${local.short_prefix}-filenameproc_lambda"
+  name              = "/aws/lambda/${local.filename_lambda_name}"
   retention_in_days = 30
 }