5 changes: 0 additions & 5 deletions infrastructure/modules/lambda/data.tf
@@ -1,6 +1 @@
data "aws_caller_identity" "current" {}

data "aws_lambda_function" "existing" {
function_name = var.lambda_func_name
qualifier = "$LATEST"
}
18 changes: 6 additions & 12 deletions infrastructure/modules/lambda/lambda.tf
@@ -1,4 +1,5 @@
resource "aws_lambda_function" "eligibility_signposting_lambda" {
#checkov:skip=CKV_AWS_116: No deadletter queue is configured for this Lambda function, as the requests are synchronous
#checkov:skip=CKV_AWS_115: Concurrent execution limit will be set at APIM level, not at Lambda level
#checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238
# If the file is not in the current working directory you will need to include a
Expand Down Expand Up @@ -27,15 +28,13 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {

kms_key_arn = aws_kms_key.lambda_cmk.arn

publish = true

vpc_config {
subnet_ids = var.vpc_intra_subnets
security_group_ids = var.security_group_ids
}

dead_letter_config {
target_arn = aws_sqs_queue.lambda_dlq.arn
}

layers = compact([
var.environment == "prod" ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:${var.lambda_insights_extension_version}" : null
])
Expand All @@ -49,14 +48,8 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
resource "aws_lambda_alias" "campaign_alias" {
count = var.environment == "prod" ? 1 : 0
name = "live"
function_name = coalesce(
aws_lambda_function.eligibility_signposting_lambda.function_name,
data.aws_lambda_function.existing.function_name
)
function_version = coalesce(
aws_lambda_function.eligibility_signposting_lambda.version,
data.aws_lambda_function.existing.version
)
function_name = aws_lambda_function.eligibility_signposting_lambda.function_name
function_version = aws_lambda_function.eligibility_signposting_lambda.version
}

# provisioned concurrency - number of pre-warmed lambda containers
Expand All @@ -66,3 +59,4 @@ resource "aws_lambda_provisioned_concurrency_config" "campaign_pc" {
qualifier = aws_lambda_alias.campaign_alias[0].name
provisioned_concurrent_executions = var.provisioned_concurrency_count
}
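Review bot: The CKV_AWS_116 skip added at the top of the resource justifies the absence of a dead-letter queue by the requests being synchronous, but nothing in the module pins the function to synchronous invocation, so the rationale silently stops holding if an event source mapping or asynchronous invoke is ever attached and failed invocations are then retried and dropped with no record. Record that assumption in the skip reason so the next reader knows what the exception depends on, e.g. `#checkov:skip=CKV_AWS_116: No DLQ configured because the function is invoked synchronously only; revisit if an asynchronous trigger or event source mapping is added`. Removing `dead_letter_config` lower down is consistent with deleting sqs.tf and the SQS permissions elsewhere in this change, and replacing the `coalesce` with direct references to the resource is a sensible simplification now that the `existing` data source is gone. The `eligibility_signposting_lambda` resource block starts in the first hunk and continues past the visible hunks, so the rest of its configuration cannot be checked here.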

23 changes: 0 additions & 23 deletions infrastructure/modules/lambda/sqs.tf

This file was deleted.

Expand Up @@ -52,10 +52,7 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {

# X-Ray - Lambda tracing
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",

#SQS - message management
"sqs:SendMessage"
"xray:PutTelemetryRecords"
]

resources = ["*"]
Expand Up @@ -550,32 +550,6 @@ resource "aws_iam_policy" "cloudwatch_management" {
tags = merge(local.tags, { Name = "cloudwatch-management" })
}

# SQS Management Policy for GetQueueAttributes
resource "aws_iam_policy" "sqs_management" {
name = "sqs-management"
description = "Policy granting permissions to get SQS queue attributes"
path = "/service-policies/"

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = [
"sqs:GetQueueAttributes",
"sqs:listqueuetags",
"sqs:createqueue"
],
Resource = [
"arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*"
]
}
]
})

tags = merge(local.tags, { Name = "sqs-management" })
}

# Attach the policies to the role
resource "aws_iam_role_policy_attachment" "terraform_state" {
role = aws_iam_role.github_actions.name
Expand Down Expand Up @@ -621,9 +595,3 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_management" {
role = aws_iam_role.github_actions.name
policy_arn = aws_iam_policy.cloudwatch_management.arn
}

resource "aws_iam_role_policy_attachment" "sqs_management" {
role = aws_iam_role.github_actions.name
policy_arn = aws_iam_policy.sqs_management.arn
}

Expand Up @@ -221,13 +221,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
"ssm:GetParameters",
"ssm:ListTagsForResource",
"ssm:PutParameter",
"ssm:AddTagsToResource",

#SQS - message management
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"sqs:listqueuetags",
"sqs:createqueue"
"ssm:AddTagsToResource"
]

resources = ["*"]