From dcc1a7a522f790f3fb14f2afac62c2b228bae0b7 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 19 Aug 2025 13:12:07 +0100 Subject: [PATCH 01/11] provisioned concurrency --- infrastructure/modules/lambda/lambda.tf | 14 ++++++++++++++ infrastructure/modules/lambda/variables.tf | 5 +++++ infrastructure/stacks/api-layer/lambda.tf | 1 + 3 files changed, 20 insertions(+) diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index f31a6e762..85549c3b5 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf @@ -37,3 +37,17 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { mode = "Active" } } + +# provisioned concurrency - number of pre-warmed lambda containers +resource "aws_lambda_alias" "campaign_alias" { + name = "live" + function_name = aws_lambda_function.eligibility_signposting_lambda.function_name + function_version = aws_lambda_function.eligibility_signposting_lambda.version +} + +resource "aws_lambda_provisioned_concurrency_config" "campaign_pc" { + count = var.environment == "prod" ? 1 : 0 + function_name = aws_lambda_function.eligibility_signposting_lambda.function_name + qualifier = aws_lambda_alias.campaign_alias.name + provisioned_concurrent_executions = var.provisioned_concurrency_count +} diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf index 229c1fbb4..8bb630624 100644 --- a/infrastructure/modules/lambda/variables.tf +++ b/infrastructure/modules/lambda/variables.tf @@ -52,3 +52,8 @@ variable "enable_xray_patching"{ description = "flag to enable xray tracing, which puts an entry for dynamodb, s3 and firehose in trace map" type = string } + +variable "provisioned_concurrency_count" { + description = "Number of prewarmed Lambda instances" + type = number +} 
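Review bot: `provisioned_concurrency_count` in the variables.tf hunk accepts any number, but `provisioned_concurrent_executions` on `campaign_pc` in the lambda.tf hunk is only valid for values of 1 or more, so a zero or negative value is rejected by the API at apply time rather than at plan. A `validation` block on the variable fails fast, e.g. `condition = var.provisioned_concurrency_count >= 1` with `error_message = "provisioned_concurrency_count must be at least 1"`. Pre-warmed instances are billed whether or not they serve traffic, so an upper bound in the same condition also guards against a typo in the calling stack turning into a cost spike. A one-line description of how the value was chosen would help whoever tunes it later.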
diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf index 68885b6d7..914de6b08 100644 --- a/infrastructure/stacks/api-layer/lambda.tf +++ b/infrastructure/stacks/api-layer/lambda.tf @@ -26,4 +26,5 @@ module "eligibility_signposting_lambda_function" { log_level = "INFO" enable_xray_patching = "true" stack_name = local.stack_name + provisioned_concurrency_count = 5 } From d22e0e307284005ae686d7b6e2f734e340b81571 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 19 Aug 2025 13:41:47 +0100 Subject: [PATCH 02/11] enable dead letter queue --- infrastructure/modules/lambda/lambda.tf | 5 ++++ infrastructure/modules/lambda/sqs.tf | 23 +++++++++++++++++++ infrastructure/modules/lambda/variables.tf | 7 +++++- .../assumed_role_permissions_boundary.tf | 5 +++- infrastructure/stacks/api-layer/lambda.tf | 1 + .../iams_permissions_boundary.tf | 5 +++- 6 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 infrastructure/modules/lambda/sqs.tf diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index 85549c3b5..6c96bbc95 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf @@ -33,9 +33,14 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { security_group_ids = var.security_group_ids } + dead_letter_config { + target_arn = aws_sqs_queue.lambda_dlq.arn + } + tracing_config { mode = "Active" } + } # provisioned concurrency - number of pre-warmed lambda containers diff --git a/infrastructure/modules/lambda/sqs.tf b/infrastructure/modules/lambda/sqs.tf new file mode 100644 index 000000000..f538b8383 --- /dev/null +++ b/infrastructure/modules/lambda/sqs.tf 
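Review bot: The `dead_letter_config` added to `eligibility_signposting_lambda` only takes effect for asynchronous invocations; Lambda does not write to the DLQ for synchronous request/response calls such as an API-fronted handler. If this function is only invoked that way, as the `eligibility_signposting_api` handler name and the APIM comment in the resource header suggest, the queue will stay empty and failures still have to be caught from the function's error responses and CloudWatch metrics. A comment on the block would prevent the later removal of the CKV_AWS_116 skip being read as "failed API requests are captured", e.g. `# DLQ only receives events from asynchronous invocations; synchronous API calls return errors to the caller`. The enclosing resource block starts before this hunk.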
@@ -0,0 +1,23 @@ +resource "aws_sqs_queue" "lambda_dlq" { + name = "${var.lambda_func_name}_dead_letter_queue" + kms_master_key_id = aws_kms_key.lambda_cmk.id + tags = var.tags +} + +# sql policy attachment +resource "aws_iam_role_policy" "lambda_sqs_send_inline" { + name = "LambdaSQSMessageSendPolicy" + role = var.eligibility_lambda_role_name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "AllowSQSSendMessage", + Effect = "Allow", + Action = ["sqs:SendMessage"], + Resource = aws_sqs_queue.lambda_dlq.arn + } + ] + }) +} diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf index 8bb630624..5d9d285bd 100644 --- a/infrastructure/modules/lambda/variables.tf +++ b/infrastructure/modules/lambda/variables.tf @@ -1,5 +1,10 @@ variable "eligibility_lambda_role_arn" { - description = "lambda read role arn for dynamodb" + description = "lambda role arn" + type = string +} + +variable "eligibility_lambda_role_name" { + description = "lambda role name" type = string } diff --git a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf index efc3168b2..7a9e28f94 100644 --- a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf +++ b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf @@ -52,7 +52,10 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" { # X-Ray - Lambda tracing "xray:PutTraceSegments", - "xray:PutTelemetryRecords" + "xray:PutTelemetryRecords", + + #SQS - message management + "sqs:SendMessage" ] resources = ["*"] diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf index 914de6b08..8b96f8cab 100644 --- a/infrastructure/stacks/api-layer/lambda.tf +++ b/infrastructure/stacks/api-layer/lambda.tf 
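Review bot: `lambda_dlq` is encrypted with `aws_kms_key.lambda_cmk`, but the inline policy `lambda_sqs_send_inline` grants only `sqs:SendMessage`; sending to an SSE-KMS queue also needs at least `kms:GenerateDataKey` on that key for the execution role (and a key policy that allows it), otherwise DLQ deliveries fail with a KMS access-denied error that only surfaces in the function's `DeadLetterErrors` metric. Unless the module's kms.tf (not touched in this series) already grants this to `var.eligibility_lambda_role_name`, add a second statement with `Action = ["kms:GenerateDataKey"]` and `Resource = aws_kms_key.lambda_cmk.arn`. The queue also keeps the SQS default 4-day retention, which is short for a dead-letter queue that is usually only inspected during incident triage; `message_retention_seconds = 1209600` keeps messages for the 14-day maximum. The comment `# sql policy attachment` should read `# sqs policy attachment`.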
@@ -13,6 +13,7 @@ data "aws_subnet" "private_subnets" { module "eligibility_signposting_lambda_function" { source = "../../modules/lambda" eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn + eligibility_lambda_role_name = aws_iam_role.eligibility_lambda_role.name workspace = local.workspace environment = var.environment lambda_func_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api" diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf index 4b37cde68..d0b878b4f 100644 --- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf +++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf @@ -217,7 +217,10 @@ data "aws_iam_policy_document" "permissions_boundary" { "ssm:GetParameters", "ssm:ListTagsForResource", "ssm:PutParameter", - "ssm:AddTagsToResource" + "ssm:AddTagsToResource", + + #SQS - message management + "sqs:SendMessage" ] resources = ["*"] From 48553f75ddd4e15d1797a2bbdc063d4534fddc50 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 20 Aug 2025 11:09:35 +0100 Subject: [PATCH 03/11] enhanced monitoring --- infrastructure/modules/lambda/lambda.tf | 6 +++- infrastructure/modules/lambda/variables.tf | 11 ++++++ .../stacks/api-layer/iam_policies.tf | 7 ++++ infrastructure/stacks/api-layer/lambda.tf | 36 ++++++++++--------- 4 files changed, 42 insertions(+), 18 deletions(-) diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index 6c96bbc95..e3cd48fa7 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf 
@@ -11,7 +11,7 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { source_code_hash = filebase64sha256(var.file_name) - runtime = "python3.13" + runtime = var.runtime timeout = 30 memory_size = 2048 @@ -37,6 +37,10 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { target_arn = aws_sqs_queue.lambda_dlq.arn } + layers = compact([ + var.environment == "prod" ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:${var.lambda_insights_extension_version}" : null + ]) + tracing_config { mode = "Active" } diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf index 5d9d285bd..92d9d081a 100644 --- a/infrastructure/modules/lambda/variables.tf +++ b/infrastructure/modules/lambda/variables.tf @@ -13,6 +13,12 @@ variable "lambda_func_name" { type = string } +variable "runtime" { + description = "runtime of the Lambda function" + type = string +} + + variable "vpc_intra_subnets" { description = "vpc private subnets for lambda" type = list(string) @@ -62,3 +68,8 @@ variable "provisioned_concurrency_count" { description = "Number of prewarmed Lambda instances" type = number } + +variable "lambda_insights_extension_version" { + description = "version number of LambdaInsightsExtension" + type = number +} diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf index 5f384895c..5246d496c 100644 --- a/infrastructure/stacks/api-layer/iam_policies.tf +++ b/infrastructure/stacks/api-layer/iam_policies.tf 
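Review bot: The new `layers` expression references `var.region`, but no `region` variable is declared in the variables.tf hunks of this series; if the module does not already declare it elsewhere, validation fails on this line, so that is worth confirming before merge. The account id in the layer ARN is the AWS-owned publisher of the Lambda Insights extension, not a project account, and a comment saying so would stop a future reader treating it as a leaked identifier: `# 580247275435 is the AWS-owned account that publishes the LambdaInsightsExtension layer`. `lambda_insights_extension_version` is typed `number` with no lower bound, so a `validation` with `condition = var.lambda_insights_extension_version >= 1` would catch a bad value at plan time. The enclosing `aws_lambda_function` block starts before the first hunk and ends after the second.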
@@ -189,6 +189,13 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" { policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } +#Attach CloudWatchLambdaInsightsExecutionRolePolicy to lambda for enhanced monitoring +resource "aws_iam_role_policy_attachment" "lambda_insights_policy" { + count = var.environment == "prod" ? 1 : 0 + role = aws_iam_role.eligibility_lambda_role.name + policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" +} + # Policy doc for S3 Audit bucket data "aws_iam_policy_document" "s3_audit_bucket_policy" { statement { diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf index 8b96f8cab..5c71a2787 100644 --- a/infrastructure/stacks/api-layer/lambda.tf +++ b/infrastructure/stacks/api-layer/lambda.tf 
@@ -11,21 +11,23 @@ data "aws_subnet" "private_subnets" { } module "eligibility_signposting_lambda_function" { - source = "../../modules/lambda" - eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn - eligibility_lambda_role_name = aws_iam_role.eligibility_lambda_role.name - workspace = local.workspace - environment = var.environment - lambda_func_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api" - security_group_ids = [data.aws_security_group.main_sg.id] - vpc_intra_subnets = [for v in data.aws_subnet.private_subnets : v.id] - file_name = "../../../dist/lambda.zip" - handler = "eligibility_signposting_api.app.lambda_handler" - eligibility_rules_bucket_name = module.s3_rules_bucket.storage_bucket_name - eligibility_status_table_name = module.eligibility_status_table.table_name - kinesis_audit_stream_to_s3_name = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name - log_level = "INFO" - enable_xray_patching = "true" - stack_name = local.stack_name - provisioned_concurrency_count = 5 + source = "../../modules/lambda" + eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn + eligibility_lambda_role_name = aws_iam_role.eligibility_lambda_role.name + workspace = local.workspace + environment = var.environment + runtime = "python3.13" + lambda_func_name = "${terraform.workspace == "default" ? 
"" : "${terraform.workspace}-"}eligibility_signposting_api" + security_group_ids = [data.aws_security_group.main_sg.id] + vpc_intra_subnets = [for v in data.aws_subnet.private_subnets : v.id] + file_name = "../../../dist/lambda.zip" + handler = "eligibility_signposting_api.app.lambda_handler" + eligibility_rules_bucket_name = module.s3_rules_bucket.storage_bucket_name + eligibility_status_table_name = module.eligibility_status_table.table_name + kinesis_audit_stream_to_s3_name = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name + lambda_insights_extension_version = 38 + log_level = "INFO" + enable_xray_patching = "true" + stack_name = local.stack_name + provisioned_concurrency_count = 5 } From 67e2a3db21f5d90c60d64dc04e025dca7cb29dd1 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 20 Aug 2025 13:50:51 +0100 Subject: [PATCH 04/11] lambda function versioning --- infrastructure/modules/lambda/lambda.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index e3cd48fa7..035dbe324 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf @@ -45,6 +45,7 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { mode = "Active" } + publish = true } # provisioned concurrency - number of pre-warmed lambda containers From 2fcc89fa06684e8ddd8323f0e103211c0c5607ec Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 20 Aug 2025 14:09:52 +0100 Subject: [PATCH 05/11] provison concurrancy - alias version fix --- infrastructure/modules/lambda/data.tf | 4 ++++ infrastructure/modules/lambda/lambda.tf | 15 ++++++++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/infrastructure/modules/lambda/data.tf b/infrastructure/modules/lambda/data.tf index 8fc4b38cc..ea065f9c3 100644 
--- a/infrastructure/modules/lambda/data.tf +++ b/infrastructure/modules/lambda/data.tf @@ -1 +1,5 @@ data "aws_caller_identity" "current" {} + +data "aws_lambda_function" "existing" { + function_name = aws_lambda_function.eligibility_signposting_lambda.function_name +} diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index 035dbe324..e6191f11d 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf @@ -44,17 +44,22 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { tracing_config { mode = "Active" } - - publish = true } -# provisioned concurrency - number of pre-warmed lambda containers +# lambda alias required for provisioning concurrency resource "aws_lambda_alias" "campaign_alias" { name = "live" - function_name = aws_lambda_function.eligibility_signposting_lambda.function_name - function_version = aws_lambda_function.eligibility_signposting_lambda.version + function_name = coalesce( + aws_lambda_function.eligibility_signposting_lambda.function_name, + data.aws_lambda_function.existing.version + ) + function_version = coalesce( + aws_lambda_function.eligibility_signposting_lambda.version, + data.aws_lambda_function.existing.version + ) } +# provisioned concurrency - number of pre-warmed lambda containers resource "aws_lambda_provisioned_concurrency_config" "campaign_pc" { count = var.environment == "prod" ? 1 : 0 function_name = aws_lambda_function.eligibility_signposting_lambda.function_name From 90be68899e205c83ed6bad401061724442a38436 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 20 Aug 2025 15:13:51 +0100 Subject: [PATCH 06/11] removed checkov as we implemented dead letter queue --- infrastructure/modules/lambda/lambda.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index e6191f11d..ad6d87366 100644 
--- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf @@ -1,5 +1,4 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { - #checkov:skip=CKV_AWS_116: No deadletter queue is configured for this Lambda function, yet #checkov:skip=CKV_AWS_115: Concurrent execution limit will be set at APIM level, not at Lambda level #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 # If the file is not in the current working directory you will need to include a From 80db7a28bb5a1b2c4be8746226734642791ec546 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 20 Aug 2025 17:27:57 +0100 Subject: [PATCH 07/11] prod conditions and github roles --- infrastructure/modules/lambda/data.tf | 2 +- infrastructure/modules/lambda/lambda.tf | 7 +- .../stacks/api-layer/iam_policies.tf | 1 - .../github_actions_policies.tf | 85 +++++++++++-------- .../iams_permissions_boundary.tf | 6 +- 5 files changed, 58 insertions(+), 43 deletions(-) diff --git a/infrastructure/modules/lambda/data.tf b/infrastructure/modules/lambda/data.tf index ea065f9c3..4ee3562a9 100644 --- a/infrastructure/modules/lambda/data.tf +++ b/infrastructure/modules/lambda/data.tf @@ -1,5 +1,5 @@ data "aws_caller_identity" "current" {} data "aws_lambda_function" "existing" { - function_name = aws_lambda_function.eligibility_signposting_lambda.function_name + function_name = var.lambda_func_name } diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index ad6d87366..47466b3ba 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf 
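Review bot: `data.aws_lambda_function.existing` now looks up `var.lambda_func_name` with no dependency on the resource, so in a fresh account or a new workspace where the function does not yet exist the data source fails during plan, before the `coalesce` fallback it feeds in `campaign_alias` can help. As far as the hunks show, the lookup exists only for that fallback, and because `aws_lambda_function.eligibility_signposting_lambda.function_name` is a required argument the fallback is never reached, so dropping the data source and referencing the resource attributes directly removes the bootstrap failure. If it has to stay, gate it on the same condition as the alias, `count = var.environment == "prod" ? 1 : 0`, and document that the first prod apply needs the function to pre-exist.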
@@ -47,10 +47,11 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { # lambda alias required for provisioning concurrency resource "aws_lambda_alias" "campaign_alias" { + count = var.environment == "prod" ? 1 : 0 name = "live" function_name = coalesce( aws_lambda_function.eligibility_signposting_lambda.function_name, - data.aws_lambda_function.existing.version + data.aws_lambda_function.existing.function_name ) function_version = coalesce( aws_lambda_function.eligibility_signposting_lambda.version, @@ -61,7 +62,7 @@ resource "aws_lambda_alias" "campaign_alias" { # provisioned concurrency - number of pre-warmed lambda containers resource "aws_lambda_provisioned_concurrency_config" "campaign_pc" { count = var.environment == "prod" ? 1 : 0 - function_name = aws_lambda_function.eligibility_signposting_lambda.function_name - qualifier = aws_lambda_alias.campaign_alias.name + function_name = var.lambda_func_name + qualifier = aws_lambda_alias.campaign_alias[0].name provisioned_concurrent_executions = var.provisioned_concurrency_count } diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf index 5246d496c..2e7de68e6 100644 --- a/infrastructure/stacks/api-layer/iam_policies.tf +++ b/infrastructure/stacks/api-layer/iam_policies.tf @@ -191,7 +191,6 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" { #Attach CloudWatchLambdaInsightsExecutionRolePolicy to lambda for enhanced monitoring resource "aws_iam_role_policy_attachment" "lambda_insights_policy" { - count = var.environment == "prod" ? 1 : 0 role = aws_iam_role.eligibility_lambda_role.name policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" } diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index cb72a7966..8cf35c031 100644 
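Review bot: The `coalesce` fallbacks in `campaign_alias` are unreachable: `function_name` is a required argument of the resource and `version` is always computed on apply (it is the string `$LATEST` when `publish` is not set), so neither can be null or empty and the `data.aws_lambda_function.existing` branch is dead. Simplify to `function_name = aws_lambda_function.eligibility_signposting_lambda.function_name` and `function_version = aws_lambda_function.eligibility_signposting_lambda.version`, which also restores the implicit dependency that `function_name = var.lambda_func_name` on `campaign_pc` drops. Separately, the iam_policies.tf hunk makes the `CloudWatchLambdaInsightsExecutionRolePolicy` attachment unconditional while the Insights layer is still gated on `var.environment == "prod"`, so non-prod execution roles gain permissions nothing in those environments appears to use; keeping the `count` guard, or a comment explaining why the policy is needed outside prod, keeps the role at least privilege.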
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -62,10 +62,14 @@ resource "aws_iam_policy" "lambda_management" { "lambda:ListAliases", "lambda:AddPermission", "lambda:RemovePermission", - "lambda:GetPolicy" + "lambda:GetPolicy", + "lambda:GetAlias", + "lambda:GetFunction", + "lambda:GetProvisionedConcurrencyConfig" ], Resource = [ - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api" + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*" ] } ] @@ -465,29 +469,6 @@ data "aws_iam_policy_document" "github_actions_assume_role" { } } -resource "aws_iam_policy" "cloudwatch_logging" { - name = "cloudwatch-logging-management" - description = "Allow access to logging resources" - path = "/service-policies/" - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = [ - "logs:ListTagsForResource", - "logs:DescribeLogGroups", - "logs:PutRetentionPolicy" - ], - Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*" - } - ] - }) - - tags = merge(local.tags, { Name = "cloudwatch-logging-management" }) -} - resource "aws_iam_policy" "firehose_readonly" { name = "firehose-describe-access" description = "Allow GitHub Actions to describe Firehose delivery stream" 
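Review bot: The `lambda_management` statement now matches only `function:eligibility_signposting_api` and its qualifiers, but the api-layer stack in this series names the function `"${terraform.workspace}-eligibility_signposting_api"` in any non-default workspace, so GitHub Actions deploys from a non-default workspace lose every action in this list. If per-workspace deployments are still expected, keep the prefixed form alongside the exact one, e.g. `"arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api"` and `"arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api:*"`. A comment stating which workspaces the role is meant to serve would make the intended scope explicit. The enclosing `aws_iam_policy` block starts and ends outside this hunk.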
@@ -518,9 +499,9 @@ resource "aws_iam_policy" "firehose_readonly" { tags = merge(local.tags, { Name = "firehose-describe-access" }) } -resource "aws_iam_policy" "cloudwatch_alarms" { - name = "cloudwatch-alarms-management" - description = "Allow GitHub Actions to manage CloudWatch alarms and SNS topics" +resource "aws_iam_policy" "cloudwatch_management" { + name = "cloudwatch-management" + description = "Allow GitHub Actions to manage CloudWatch logs, alarms, and SNS topics" path = "/service-policies/" policy = jsonencode({ @@ -529,7 +510,10 @@ resource "aws_iam_policy" "cloudwatch_alarms" { { Effect = "Allow", Action = [ - # CloudWatch Alarms management + "logs:ListTagsForResource", + "logs:DescribeLogGroups", + "logs:PutRetentionPolicy", + "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", @@ -537,7 +521,7 @@ resource "aws_iam_policy" "cloudwatch_alarms" { "cloudwatch:ListTagsForResource", "cloudwatch:TagResource", "cloudwatch:UntagResource", - # SNS Topic management for alarm notifications + "sns:CreateTopic", "sns:DeleteTopic", "sns:GetTopicAttributes", @@ -552,6 +536,7 @@ resource "aws_iam_policy" "cloudwatch_alarms" { "sns:ListSubscriptionsByTopic" ], Resource = [ + "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*", "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*", "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*" ] 
@@ -559,7 +544,32 @@ resource "aws_iam_policy" "cloudwatch_alarms" { ] }) - tags = merge(local.tags, { Name = "cloudwatch-alarms-management" }) + tags = merge(local.tags, { Name = "cloudwatch-management" }) +} + +# SQS Management Policy for GetQueueAttributes +resource "aws_iam_policy" "sqs_management" { + name = "sqs-management" + description = "Policy granting permissions to get SQS queue attributes" + path = "/service-policies/" + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "sqs:GetQueueAttributes", + "sqs:listqueuetags" + ], + Resource = [ + "arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*" + ] + } + ] + }) + + tags = merge(local.tags, { Name = "sqs-management" }) } # Attach the policies to the role @@ -598,17 +608,18 @@ resource "aws_iam_role_policy_attachment" "iam_management" { policy_arn = aws_iam_policy.iam_management.arn } -resource "aws_iam_role_policy_attachment" "cloudwatch_logging" { +resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" { role = aws_iam_role.github_actions.name - policy_arn = aws_iam_policy.cloudwatch_logging.arn + policy_arn = aws_iam_policy.firehose_readonly.arn } -resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" { +resource "aws_iam_role_policy_attachment" "cloudwatch_management" { role = aws_iam_role.github_actions.name - policy_arn = aws_iam_policy.firehose_readonly.arn + policy_arn = aws_iam_policy.cloudwatch_management.arn } -resource "aws_iam_role_policy_attachment" "cloudwatch_alarms" { +resource "aws_iam_role_policy_attachment" "sqs_management" { role = aws_iam_role.github_actions.name - policy_arn = aws_iam_policy.cloudwatch_alarms.arn + policy_arn = aws_iam_policy.sqs_management.arn } + diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf index d0b878b4f..600fac233 100644 
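Review bot: `sqs_management` hardcodes `eu-west-2` and a `:*` queue name, while the neighbouring `cloudwatch_management` statement scopes its ARNs with `${var.default_aws_region}` and a resource-name pattern. The DLQ created by the module is named `${var.lambda_func_name}_dead_letter_queue`, so the resource can be narrowed to `"arn:aws:sqs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:*eligibility_signposting_api_dead_letter_queue"` without affecting the pipeline. `sqs:listqueuetags` works because IAM action matching is case-insensitive, but the canonical `sqs:ListQueueTags` is consistent with the rest of the file and easier to grep for. The header comment `# SQS Management Policy for GetQueueAttributes` is already narrower than the action list and will drift further as actions are added.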
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf +++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf @@ -150,6 +150,8 @@ data "aws_iam_policy_document" "permissions_boundary" { "lambda:AddPermission", "lambda:RemovePermission", "lambda:GetPolicy", + "lambda:GetAlias", + "lambda:GetProvisionedConcurrencyConfig", # CloudWatch Logs - log management "logs:CreateLogGroup", @@ -220,7 +222,9 @@ data "aws_iam_policy_document" "permissions_boundary" { "ssm:AddTagsToResource", #SQS - message management - "sqs:SendMessage" + "sqs:SendMessage", + "sqs:GetQueueAttributes", + "sqs:listqueuetags" ] resources = ["*"] From 1a94ebc4d11cb44031052c98b9738522b4cbc940 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 20 Aug 2025 18:55:16 +0100 Subject: [PATCH 08/11] github roles --- .../stacks/iams-developer-roles/github_actions_policies.tf | 7 +++++-- .../iams-developer-roles/iams_permissions_boundary.tf | 2 ++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 8cf35c031..30061a182 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf 
@@ -65,11 +65,14 @@ resource "aws_iam_policy" "lambda_management" { "lambda:GetPolicy", "lambda:GetAlias", "lambda:GetFunction", - "lambda:GetProvisionedConcurrencyConfig" + "lambda:GetProvisionedConcurrencyConfig", + "lambda:GetLayerVersion", + "lambda:PutProvisionedConcurrencyConfig" ], Resource = [ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*" + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*", + "arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension:*" ] } ] diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf index 600fac233..c8e79220a 100644 --- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf +++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf @@ -152,6 +152,8 @@ data "aws_iam_policy_document" "permissions_boundary" { "lambda:GetPolicy", "lambda:GetAlias", "lambda:GetProvisionedConcurrencyConfig", + "lambda:GetLayerVersion", + "lambda:PutProvisionedConcurrencyConfig", # CloudWatch Logs - log management "logs:CreateLogGroup", From 16709ca2dedd3167481b73b11e96a8f985df50c0 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Thu, 21 Aug 2025 15:40:52 +0100 Subject: [PATCH 09/11] fix for corrupt kms policy --- infrastructure/modules/lambda/kms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/modules/lambda/kms.tf b/infrastructure/modules/lambda/kms.tf index 55c5133f0..738cb32b2 100644 --- a/infrastructure/modules/lambda/kms.tf +++ b/infrastructure/modules/lambda/kms.tf 
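Review bot: `lambda_management` (and the matching boundary hunk) gains `lambda:PutProvisionedConcurrencyConfig` but not `lambda:DeleteProvisionedConcurrencyConfig`, so the pipeline can create `campaign_pc` but cannot remove it when its `count` flips to 0 or on destroy, and that apply fails at the API rather than at plan. The alias lifecycle actions (`lambda:CreateAlias`, `lambda:UpdateAlias`, `lambda:DeleteAlias`) are not visible in either hunk; if they are not already granted further up the list, the same failure applies to `campaign_alias`. Adding the delete action beside the put keeps create and teardown symmetric in both the policy and the boundary.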
@@ -7,7 +7,7 @@ resource "aws_kms_key" "lambda_cmk" { } resource "aws_kms_alias" "lambda_cmk" { - name = "alias/${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.lambda_func_name}-cmk" + name = "alias/${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.lambda_func_name}-key" target_key_id = aws_kms_key.lambda_cmk.key_id } From e22c6b13adee2fd0b2b3a75af81a05e24651d00a Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Thu, 21 Aug 2025 16:02:42 +0100 Subject: [PATCH 10/11] create queue --- .../stacks/iams-developer-roles/github_actions_policies.tf | 3 ++- .../stacks/iams-developer-roles/iams_permissions_boundary.tf | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 30061a182..22e3aa645 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -563,7 +563,8 @@ resource "aws_iam_policy" "sqs_management" { Effect = "Allow", Action = [ "sqs:GetQueueAttributes", - "sqs:listqueuetags" + "sqs:listqueuetags", + "sqs:createqueue" ], Resource = [ "arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*" diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf index c8e79220a..7631ab5a7 100644 --- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf +++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf @@ -226,7 +226,8 @@ data "aws_iam_policy_document" "permissions_boundary" { #SQS - message management "sqs:SendMessage", "sqs:GetQueueAttributes", - "sqs:listqueuetags" + "sqs:listqueuetags", + "sqs:createqueue" ] resources = ["*"] 
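Review bot: `sqs:createqueue` is added to `sqs_management` and the boundary, but as far as these hunks show the queue's full Terraform lifecycle also needs `sqs:SetQueueAttributes` and `sqs:TagQueue` for updates (for example a changed `kms_master_key_id` or tags) and `sqs:DeleteQueue` for teardown. As it stands the pipeline can create the DLQ once and then fails on the first attribute change or destroy. Use the canonical case, `sqs:CreateQueue`, for consistency with the other actions in the file.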
From b5fd9746d60af341fe293e94aa717c4c373189c8 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Thu, 21 Aug 2025 17:09:08 +0100 Subject: [PATCH 11/11] get the latest function for concurrant provisioning --- infrastructure/modules/lambda/data.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/infrastructure/modules/lambda/data.tf b/infrastructure/modules/lambda/data.tf index 4ee3562a9..9331249e2 100644 --- a/infrastructure/modules/lambda/data.tf +++ b/infrastructure/modules/lambda/data.tf @@ -2,4 +2,5 @@ data "aws_caller_identity" "current" {} data "aws_lambda_function" "existing" { function_name = var.lambda_func_name + qualifier = "$LATEST" }
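Review bot: Pinning the data source to `qualifier = "$LATEST"` feeds `$LATEST` into the alias fallback, and since patch 05 removed `publish = true` the resource's own `version` attribute is `$LATEST` as well, so `campaign_alias` ends up pointing at the unpublished version. AWS does not allow provisioned concurrency on `$LATEST` or on an alias that resolves to it, so `campaign_pc` in prod is rejected at apply time. Restore `publish = true` on `aws_lambda_function.eligibility_signposting_lambda` so each deploy produces a numbered version the alias can track, and drop the `$LATEST` qualifier here. The data source itself is only needed by the unreachable `coalesce` fallback and can go with it.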