CCM-14149 Container Lambda Support (#94)

* CCM-14149: Container Lambda Support

* CCM-14149: Container Lambda Support

* CCM-14149: Container Lambda Support

* CCM-14149: Container Lambda Support

* CCM-14149: Container Lambda Support

* CCM-14149: Container Lambda Support

Author: jamesthompson26-nhs

docs/package-lock.json

@@ -1 +1 @@
-terraform 1.9.2
+terraform 1.10.1

infrastructure/terraform/components/examplecomponent/.tool-versions

@@ -16,6 +16,7 @@ No requirements.
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 ## Modules

infrastructure/terraform/components/examplecomponent/README.md

@@ -0,0 +1,34 @@
+# module "example_image_lambda" {
+#   source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.32/terraform-lambda.zip"
+
+#   project        = var.project
+#   environment    = var.environment
+#   component      = var.component
+#   aws_account_id = var.aws_account_id
+#   region         = var.region
+#   group          = var.group
+
+#   function_name = "example-image-lambda"
+#   description   = "Example image lambda function"
+
+#   kms_key_arn = var.kms_key_arn
+
+#   package_type           = "Image"
+#   image_uri              = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.project}-${var.parent_acct_environment}-acct@${data.aws_ecr_image.example_image_lambda.image_digest}"
+#   image_repository_names = ["${var.project}-${var.parent_acct_environment}-acct"]
+
+#   memory  = 128
+#   timeout = 3
+
+
+#   send_to_firehose          = var.send_to_firehose
+#   log_destination_arn       = var.log_destination_arn
+#   log_retention_in_days     = var.log_retention_in_days
+#   log_subscription_role_arn = var.log_subscription_role_arn
+# }
+
+# data "aws_ecr_image" "example_image_lambda" {
+#   registry_id     = var.aws_account_id
+#   repository_name = "${var.project}-${var.parent_acct_environment}-acct"
+#   image_tag       = "${var.project}-${var.environment}-${var.component}-example-image-lambda-latest"
+# }

infrastructure/terraform/components/examplecomponent/module_lambda_example_image_lambda.tf

@@ -1,8 +1,8 @@
-# module "example_lambda" {
+# module "example_zip_lambda" {
 #   source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.10"
 
-#   function_name = "example-lambda"
-#   description   = "An example lambda function"
+#   function_name = "example-zip-lambda"
+#   description   = "An example zip lambda function"
 
 #   aws_account_id = var.aws_account_id
 #   component      = var.component
@@ -15,12 +15,12 @@
 #   kms_key_arn           = module.kms.key_arn ## Requires shared kms module
 
 #   iam_policy_document = {
-#     body = data.aws_iam_policy_document.example_lambda.json
+#     body = data.aws_iam_policy_document.example_zip_lambda.json
 #   }
 
 #   function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
 #   function_code_base_path = local.aws_lambda_functions_dir_path
-#   function_code_dir       = "example-lambda/dist"
+#   function_code_dir       = "example-zip-lambda/dist"
 #   function_include_common = true
 #   handler_function_name   = "handler"
 #   runtime                 = "nodejs22.x"
@@ -35,7 +35,7 @@
 #   }
 # }
 
-# data "aws_iam_policy_document" "example_lambda" {
+# data "aws_iam_policy_document" "example_zip_lambda" {
 #   statement {
 #     sid    = "KMSPermissions"
 #     effect = "Allow"

…omponent/module_lambda_example_lambda.tf …nent/module_lambda_example_zip_lambda.tfinfrastructure/terraform/components/examplecomponent/module_lambda_example_lambda.tf renamed to infrastructure/terraform/components/examplecomponent/module_lambda_example_zip_lambda.tf infrastructure/terraform/components/examplecomponent/module_lambda_example_lambda.tf renamed to infrastructure/terraform/components/examplecomponent/module_lambda_example_zip_lambda.tf

@@ -62,3 +62,9 @@ variable "force_lambda_code_deploy" {
   description = "If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development"
   default     = false
 }
+
+variable "parent_acct_environment" {
+  type        = string
+  description = "Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments"
+  default     = "main"
+}

infrastructure/terraform/components/examplecomponent/variables.tf

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+
+rm -rf dist
+
+npx esbuild \
+    --bundle \
+    --minify \
+    --sourcemap \
+    --target=es2020 \
+    --platform=node \
+    --loader:.node=file \
+    --entry-names=[name] \
+    --outdir=dist \
+    src/index.ts ## Update this to include your lambda's entry point

lambdas/example-lambda/build.sh

@@ -0,0 +1,8 @@
+ARG BASE_IMAGE
+
+FROM ${BASE_IMAGE}
+
+# Copy the built output from the build context (docker.sh should have run build.sh already)
+COPY dist/ ${LAMBDA_TASK_ROOT}/
+
+CMD [ "index.handler" ]

lambdas/example-lambda/docker/lambda/Dockerfile

@@ -14,7 +14,8 @@
   "name": "nhs-notify-repository-template-example-lambda",
   "private": true,
   "scripts": {
-    "lambda-build": "rm -rf dist && npx esbuild --bundle --minify --sourcemap --target=es2020 --platform=node --loader:.node=file --entry-names=[name] --outdir=dist src/index.ts",
+    "//": "For a standard zip based Lambda use './build.sh', For a Container based lambda use '../../scripts/lambda-container-build/docker.sh --base-image <base-image>'",
+    "lambda-build": "./build.sh",
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
     "test:unit": "jest",

lambdas/example-lambda/package.json

@@ -0,0 +1,129 @@
+#!/bin/bash
+
+# Fail fast on errors, unset variables, and pipeline failures.
+set -euo pipefail
+
+# Ensure build.sh is executable and build the lambda artifacts before producing the Docker image.
+chmod +x ./build.sh
+./build.sh
+
+
+# Parse arguments
+BASE_IMAGE=""
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --base-image)
+      BASE_IMAGE="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown argument: $1" >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$BASE_IMAGE" ]]; then
+  echo "Error: --base-image parameter is required." >&2
+  exit 1
+fi
+
+CSI="${PROJECT}-${ENVIRONMENT}-${COMPONENT}"
+ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}"
+GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}"
+GHCR_LOGIN_USER="${GITHUB_ACTOR}"
+LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$PWD")}"
+
+## Set IMAGE_TAG_SUFFIX based on git tag or short SHA for unique lambda image tagging in ECR.
+#This ensures that each build produces a uniquely identifiable image, and tagged releases are easily traceable.
+echo "Checking if current commit is a tag..."
+GIT_TAG="$(git describe --tags --exact-match 2>/dev/null || true)"
+if [ -n "$GIT_TAG" ]; then
+  TAGGED="tag-$GIT_TAG"
+  echo "On tag: $GIT_TAG, exporting IMAGE_TAG_SUFFIX as tag: $TAGGED"
+  export IMAGE_TAG_SUFFIX="$TAGGED"
+
+else
+  SHORT_SHA="sha-$(git rev-parse --short HEAD)"
+  echo "Not on a tag, exporting IMAGE_TAG_SUFFIX as short SHA: $SHORT_SHA"
+  export IMAGE_TAG_SUFFIX="$SHORT_SHA"
+fi
+
+## Check if we are running in the context of a Terraform apply or plan, and set PUBLISH_LAMBDA_IMAGE accordingly. We only want to push images to ECR on apply, not on plan.
+echo "Checking if ACTION is 'apply' to set PUBLISH_LAMBDA_IMAGE..."
+if [ "$ACTION" = "apply" ]; then
+  echo "Setting PUBLISH_LAMBDA_IMAGE to true for apply action"
+  export PUBLISH_LAMBDA_IMAGE="true"
+else
+  echo "Not setting PUBLISH_LAMBDA_IMAGE for action ($ACTION)"
+fi
+
+# Ensure required AWS/ECR configuration is present.
+echo "BASE_IMAGE: ${BASE_IMAGE:-<unset>}"
+echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-<unset>}"
+echo "AWS_REGION: ${AWS_REGION:-<unset>}"
+echo "COMPONENT: ${COMPONENT:-<unset>}"
+echo "CSI: ${CSI:-<unset>}"
+echo "ECR_REPO: ${ECR_REPO:-<unset>}"
+echo "ENVIRONMENT: ${ENVIRONMENT:-<unset>}"
+echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-<unset>}"
+echo "GHCR_LOGIN_USER: ${GHCR_LOGIN_USER:-<unset>}"
+echo "IMAGE_TAG_SUFFIX: ${IMAGE_TAG_SUFFIX:-<unset>}"
+echo "LAMBDA_NAME: ${LAMBDA_NAME:-<unset>}"
+
+# Authenticate Docker with AWS ECR using an ephemeral login token.
+aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com
+
+# Authenticate to GitHub Container Registry for base images.
+if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then
+  echo "Attempting GHCR login as ${GHCR_LOGIN_USER}..."
+  if echo "${GHCR_LOGIN_TOKEN}" | docker login ghcr.io --username "${GHCR_LOGIN_USER}" --password-stdin; then
+    echo "GHCR login successful."
+  else
+    echo "GHCR login failed!" >&2
+  fi
+fi
+
+# Namespace tag by CSI and lambda name to avoid cross-environment collisions.
+IMAGE_TAG="${CSI}-${LAMBDA_NAME}"
+
+# Compose the full ECR image references.
+ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}"
+
+# Final tag names we will produce
+
+IMAGE_TAG_LATEST="${ECR_REPO_URI}:${IMAGE_TAG}-latest"
+IMAGE_TAG_SUFFIXED="${ECR_REPO_URI}:${IMAGE_TAG}-${IMAGE_TAG_SUFFIX}"
+
+echo "Will build and tag images:"
+echo "  LATEST -> ${IMAGE_TAG_LATEST}"
+echo "  SUFFIXED -> ${IMAGE_TAG_SUFFIXED}"
+
+# Build and tag the Docker image for the lambda.
+# --load makes the built image available to the local docker daemon (single-platform).
+docker buildx build \
+  -f docker/lambda/Dockerfile \
+  --platform=linux/amd64 \
+  --provenance=false \
+  --sbom=false \
+  --build-arg BASE_IMAGE="${BASE_IMAGE}" \
+  -t "${IMAGE_TAG_LATEST}" \
+  -t "${IMAGE_TAG_SUFFIXED}" \
+  --load \
+  .
+
+# Push the image tag(s) to ECR on apply only. The Terraform configuration will reference image digest.
+if [ "${PUBLISH_LAMBDA_IMAGE:-false}" = "true" ]; then
+  echo "PUBLISH_LAMBDA_IMAGE is set to true. Pushing Docker images to ECR..."
+
+
+  for TAG in "${IMAGE_TAG_LATEST}" "${IMAGE_TAG_SUFFIXED}"; do
+    echo "Pushing ${TAG}..."
+    docker push "${TAG}"
+  done
+
+  echo "Push complete."
+else
+  echo "PUBLISH_LAMBDA_IMAGE is not set to true (likely TF Plan). Skipping Docker push."
+  exit 0
+fi