
Commit 1dae029

Merge pull request #662 from NHSDigital/bugfix/eja-eli-710-remove-lambda-insights-to-allow-preprod-code-signing
eja - removing lambda insights as the layer is signed by an AWS account with no accessible ARN, so we can't include it in code signing
2 parents 053269c + e80239f commit 1dae029

5 files changed

Lines changed: 3 additions & 18 deletions


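--- a/infrastructure/modules/lambda/lambda.tf
+++ b/infrastructure/modules/lambda/lambda.tf
@@ -41,10 +41,8 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 }
 
 layers = compact([
-var.environment == "prod" || var.environment == "preprod" ?
-"arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:${var.lambda_insights_extension_version}"
-:
-null
+# LambdaInsightsExtension excluded: incompatible with Lambda code signing enforcement.
+# AWS signs the layer with an internal profile not available via the API.
 ])
 
 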
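Review bot: After this change `layers = compact([ ... ])` wraps nothing but two comments and evaluates to an empty list, which reads as if a value was dropped by mistake rather than removed on purpose. Moving the explanation above the attribute and stating the empty value directly is clearer: `# LambdaInsightsExtension excluded: incompatible with Lambda code signing enforcement.` / `# AWS signs the layer with an internal profile not available via the API.` / `layers = []` (or drop the attribute entirely if no other layer is ever attached). It would also help to note in that comment that the CPU/memory telemetry Lambda Insights provided, and the CloudWatchLambdaInsightsExecutionRolePolicy attachment removed in iam_policies.tf, are gone together, so any dashboards or alarms that depended on those metrics presumably need reviewing. The enclosing `aws_lambda_function` resource starts before this hunk.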

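--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
@@ -74,11 +74,6 @@ variable "provisioned_concurrency_count" {
 type = number
 }
 
-variable "lambda_insights_extension_version" {
-description = "version number of LambdaInsightsExtension"
-type = number
-}
-
 variable "api_domain_name" {
 description = "api domain name - env variable for status endpoint response"
 type = string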

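--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -250,12 +250,6 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" {
 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
-#Attach CloudWatchLambdaInsightsExecutionRolePolicy to lambda for enhanced monitoring
-resource "aws_iam_role_policy_attachment" "lambda_insights_policy" {
-role = aws_iam_role.eligibility_lambda_role.name
-policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
-}
-
 # Policy document to read from Kinesis Source stream
 data "aws_iam_policy_document" "kinesis_source_access" {
 statement {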

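--- a/infrastructure/stacks/api-layer/lambda.tf
+++ b/infrastructure/stacks/api-layer/lambda.tf
@@ -27,7 +27,6 @@ module "eligibility_signposting_lambda_function" {
 eligibility_status_table_name = module.eligibility_status_table.table_name
 kinesis_audit_stream_name = aws_kinesis_stream.kinesis_source_stream.name
 hashing_secret_name = module.secrets_manager.aws_hashing_secret_name
-lambda_insights_extension_version = 38
 log_level = "INFO"
 enable_xray_patching = "true"
 stack_name = local.stack_name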

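--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -145,8 +145,7 @@ resource "aws_iam_policy" "lambda_management" {
 "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api",
 "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*",
 "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:default-CreatePendingSecretFunction",
-"arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:default-PromoteToCurrentFunction",
-"arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension:*"
+"arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:default-PromoteToCurrentFunction"
 ]
 }
 ]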
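Review bot: The only new line in this hunk exists to strip the trailing comma from the `default-PromoteToCurrentFunction` ARN, which turns a one-line removal into a two-line rewrite and makes the resource list noisier to review. HCL accepts a trailing comma in a list literal, so leaving `"arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:default-PromoteToCurrentFunction",` untouched would have kept the change to the pure deletion of the LambdaInsightsExtension layer ARN, and would keep future additions to this list equally small. Dropping the third-party layer ARN from the `lambda_management` policy is the right direction, since the policy now only names resources in the caller's own account. The enclosing `aws_iam_policy` resource starts before this hunk.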
