diff --git a/infrastructure/modules/lambda/data.tf b/infrastructure/modules/lambda/data.tf index 9331249e2..8fc4b38cc 100644 --- a/infrastructure/modules/lambda/data.tf +++ b/infrastructure/modules/lambda/data.tf @@ -1,6 +1 @@ data "aws_caller_identity" "current" {} - -data "aws_lambda_function" "existing" { - function_name = var.lambda_func_name - qualifier = "$LATEST" -} diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index 47466b3ba..717fbb0a7 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf @@ -1,4 +1,5 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { + #checkov:skip=CKV_AWS_116: No deadletter queue is configured for this Lambda function, as the requests are synchronous #checkov:skip=CKV_AWS_115: Concurrent execution limit will be set at APIM level, not at Lambda level #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 # If the file is not in the current working directory you will need to include a @@ -27,15 +28,13 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { kms_key_arn = aws_kms_key.lambda_cmk.arn + publish = true + vpc_config { subnet_ids = var.vpc_intra_subnets security_group_ids = var.security_group_ids } - dead_letter_config { - target_arn = aws_sqs_queue.lambda_dlq.arn - } - layers = compact([ var.environment == "prod" ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:${var.lambda_insights_extension_version}" : null ]) 
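Review bot: The justification on the new `#checkov:skip=CKV_AWS_116` line does not state the actual reason a DLQ is unnecessary: Lambda only routes events to `dead_letter_config` for asynchronous invocations, so for a synchronously invoked function the DLQ would never receive anything regardless of retries. Suggest `#checkov:skip=CKV_AWS_116: No DLQ - dead_letter_config only applies to async invocations; this function is invoked synchronously and errors are returned to the caller`. The resource body continues outside the hunk.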
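Review bot: Removing `dead_letter_config` together with deleting sqs.tf means `aws_sqs_queue.lambda_dlq` is destroyed on the next apply, but the only SQS grants visible in this diff for the deploy role (`sqs:GetQueueAttributes`, `sqs:listqueuetags`, `sqs:createqueue`) never included `sqs:DeleteQueue` and are removed in the same change; unless another policy grants it, the destroy will fail with AccessDenied and leave the apply half-finished — confirm the applying identity can delete the queue before merging. Separately, `publish = true` is set for every environment while the alias that consumes the version exists only in prod, so non-prod presumably accumulates an unreferenced immutable version per deploy; either document it with `# publish = true: every config change creates a new immutable version; only prod pins the live alias to it` or gate it with `publish = var.environment == "prod"`. The resource body continues outside the hunk.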
@@ -49,14 +48,8 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 resource "aws_lambda_alias" "campaign_alias" {
 count = var.environment == "prod" ? 1 : 0
 name = "live"
- function_name = coalesce(
- aws_lambda_function.eligibility_signposting_lambda.function_name,
- data.aws_lambda_function.existing.function_name
- )
- function_version = coalesce(
- aws_lambda_function.eligibility_signposting_lambda.version,
- data.aws_lambda_function.existing.version
- )
+ function_name = aws_lambda_function.eligibility_signposting_lambda.function_name
+ function_version = aws_lambda_function.eligibility_signposting_lambda.version
 }
 
 # provisioned concurrency - number of pre-warmed lambda containers
@@ -66,3 +59,4 @@ resource "aws_lambda_provisioned_concurrency_config" "campaign_pc" {
 qualifier = aws_lambda_alias.campaign_alias[0].name
 provisioned_concurrent_executions = var.provisioned_concurrency_count
 }
+
diff --git a/infrastructure/modules/lambda/sqs.tf b/infrastructure/modules/lambda/sqs.tf
deleted file mode 100644
index f538b8383..000000000
--- a/infrastructure/modules/lambda/sqs.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-resource "aws_sqs_queue" "lambda_dlq" {
- name = "${var.lambda_func_name}_dead_letter_queue"
- kms_master_key_id = aws_kms_key.lambda_cmk.id
- tags = var.tags
-}
-
-# sql policy attachment
-resource "aws_iam_role_policy" "lambda_sqs_send_inline" {
- name = "LambdaSQSMessageSendPolicy"
- role = var.eligibility_lambda_role_name
-
- policy = jsonencode({
- Version = "2012-10-17",
- Statement = [
- {
- Sid = "AllowSQSSendMessage",
- Effect = "Allow",
- Action = ["sqs:SendMessage"],
- Resource = aws_sqs_queue.lambda_dlq.arn
- }
- ]
- })
-}
diff --git a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
index 7a9e28f94..efc3168b2 100644
--- a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
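Review bot: `function_version` on the `live` alias now depends entirely on `publish = true` staying set on the function, since the `coalesce` fallback to the data source is gone; if `publish` is ever flipped back to false, `aws_lambda_function.eligibility_signposting_lambda.version` evaluates to `$LATEST` and the alias — plus the provisioned concurrency bound to it — silently tracks mutable, unpinned code instead of failing. A `lifecycle` precondition on the alias makes that a hard apply error rather than a quiet downgrade (needs Terraform >= 1.2). Note the alias only exists in prod (`count` is 0 elsewhere), so non-prod invocations presumably hit `$LATEST` directly — confirm that divergence is intended.

```hcl
resource "aws_lambda_alias" "campaign_alias" {
  # … unchanged: count, name, function_name, function_version …

  lifecycle {
    precondition {
      condition     = aws_lambda_function.eligibility_signposting_lambda.version != "$LATEST"
      error_message = "campaign_alias must point at a published, immutable version; keep publish = true on the function."
    }
  }
}
```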
+++ b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf @@ -52,10 +52,7 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" { # X-Ray - Lambda tracing "xray:PutTraceSegments", - "xray:PutTelemetryRecords", - - #SQS - message management - "sqs:SendMessage" + "xray:PutTelemetryRecords" ] resources = ["*"] diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 22e3aa645..9918d1b40 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -550,32 +550,6 @@ resource "aws_iam_policy" "cloudwatch_management" { tags = merge(local.tags, { Name = "cloudwatch-management" }) } -# SQS Management Policy for GetQueueAttributes -resource "aws_iam_policy" "sqs_management" { - name = "sqs-management" - description = "Policy granting permissions to get SQS queue attributes" - path = "/service-policies/" - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = [ - "sqs:GetQueueAttributes", - "sqs:listqueuetags", - "sqs:createqueue" - ], - Resource = [ - "arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*" - ] - } - ] - }) - - tags = merge(local.tags, { Name = "sqs-management" }) -} - # Attach the policies to the role resource "aws_iam_role_policy_attachment" "terraform_state" { role = aws_iam_role.github_actions.name @@ -621,9 +595,3 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_management" { role = aws_iam_role.github_actions.name policy_arn = aws_iam_policy.cloudwatch_management.arn } - -resource "aws_iam_role_policy_attachment" "sqs_management" { - role = aws_iam_role.github_actions.name - policy_arn = aws_iam_policy.sqs_management.arn -} - 
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf index 7631ab5a7..a403aa8a7 100644 --- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf +++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf @@ -221,13 +221,7 @@ data "aws_iam_policy_document" "permissions_boundary" { "ssm:GetParameters", "ssm:ListTagsForResource", "ssm:PutParameter", - "ssm:AddTagsToResource", - - #SQS - message management - "sqs:SendMessage", - "sqs:GetQueueAttributes", - "sqs:listqueuetags", - "sqs:createqueue" + "ssm:AddTagsToResource" ] resources = ["*"]