add cirrus update-state lambda

Element84 · Aug 19, 2024 · c944457 · c944457
1 parent ff8125c
commit c944457
Show file tree

Hide file tree

Showing 9 changed files with 194 additions and 0 deletions.
diff --git a/default.tfvars b/default.tfvars
@@ -172,6 +172,10 @@ cirrus_inputs = {
       memory               = 128
       reserved_concurrency = 16
   }
+  update_state_lambda = {
+      timeout = 15
+      memory  = 128
+  }
 }
 
 cirrus_dashboard_inputs = {

diff --git a/inputs.tf b/inputs.tf
@@ -367,6 +367,10 @@ variable "cirrus_inputs" {
       memory               = number
       reserved_concurrency = number
     })
+    update_state_lambda = object({
+      timeout = number
+      memory  = number
+    })
   })
   default = {
     data_bucket    = "cirrus-data-bucket-name"
@@ -389,6 +393,10 @@ variable "cirrus_inputs" {
       memory               = 128
       reserved_concurrency = 16
     }
+    update_state_lambda = {
+      timeout = 15
+      memory  = 128
+    }
   }
 }
 

diff --git a/modules/cirrus/functions.tf b/modules/cirrus/functions.tf
@@ -12,11 +12,14 @@ module "functions" {
   cirrus_process_lambda_timeout                    = var.cirrus_process_lambda_timeout
   cirrus_process_lambda_memory                     = var.cirrus_process_lambda_memory
   cirrus_process_lambda_reserved_concurrency       = var.cirrus_process_lambda_reserved_concurrency
+  cirrus_update_state_lambda_timeout               = var.cirrus_process_lambda_timeout
+  cirrus_update_state_lambda_memory                = var.cirrus_process_lambda_memory
   cirrus_state_dynamodb_table_name                 = module.base-builtins.cirrus_state_dynamodb_table_name
   cirrus_state_dynamodb_table_arn                  = module.base-builtins.cirrus_state_dynamodb_table_arn
   cirrus_state_event_timestreamwrite_database_name = module.base-builtins.cirrus_state_event_timestreamwrite_database_name
   cirrus_state_event_timestreamwrite_table_name    = module.base-builtins.cirrus_state_event_timestreamwrite_table_name
   cirrus_state_event_timestreamwrite_table_arn     = module.base-builtins.cirrus_state_event_timestreamwrite_table_arn
   cirrus_workflow_event_sns_topic_arn              = module.base-builtins.cirrus_workflow_event_sns_topic_arn
   cirrus_process_sqs_queue_arn                     = module.base-builtins.cirrus_process_sqs_queue_arn
+  cirrus_process_sqs_queue_url                     = module.base-builtins.cirrus_process_sqs_queue_url
 }
diff --git a/modules/cirrus/functions/inputs.tf b/modules/cirrus/functions/inputs.tf
@@ -49,6 +49,18 @@ variable "cirrus_process_lambda_reserved_concurrency" {
   default     = 16
 }
 
+variable "cirrus_update_state_lambda_timeout" {
+  description = "Cirrus update-state lambda timeout (sec)"
+  type        = number
+  default     = 15
+}
+
+variable "cirrus_update_state_lambda_memory" {
+  description = "Cirrus update-state lambda memory (MB)"
+  type        = number
+  default     = 128
+}
+
 variable "cirrus_state_dynamodb_table_name" {
   description = "Cirrus state dynamodb table name"
   type        = string
@@ -79,6 +91,11 @@ variable "cirrus_process_sqs_queue_arn" {
   type        = string
 }
 
+variable "cirrus_process_sqs_queue_url" {
+  description = "Cirrus process sqs queue url"
+  type        = string
+}
+
 variable "cirrus_workflow_event_sns_topic_arn" {
   description = "Cirrus workflow event sns topic arn"
   type        = string

diff --git a/modules/cirrus/functions/update-state.tf b/modules/cirrus/functions/update-state.tf
@@ -0,0 +1,132 @@
+resource "aws_iam_role" "cirrus_update_state_lambda_role" {
+  name_prefix = "${var.cirrus_prefix}-process-role-"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+
+}
+
+resource "aws_iam_policy" "cirrus_update_state_lambda_policy" {
+  name_prefix = "${var.cirrus_prefix}-process-policy-"
+
+  # TODO: the secret thing is probably not gonna work without some fixes in boto3utils...
+  # We should probably reconsider if this is the right solution.
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "dynamodb:Query",
+        "dynamodb:Scan",
+        "dynamodb:GetItem",
+        "dynamodb:PutItem",
+        "dynamodb:UpdateItem",
+        "dynamodb:DescribeTable"
+      ],
+      "Resource": [
+        "${var.cirrus_state_dynamodb_table_arn}",
+        "${var.cirrus_state_dynamodb_table_arn}/index.*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "timestream:DescribeEndpoints"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "timestream:WriteRecords"
+      ],
+      "Resource": "${var.cirrus_state_event_timestreamwrite_table_arn}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "states:GetExecutionHistory"
+      ],
+      "Resource": "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.cirrus_prefix}-*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sqs:SendMessage"
+      ],
+      "Resource": "${var.cirrus_process_sqs_queue_arn}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Resource": "arn:aws:s3:::${var.cirrus_payload_bucket}*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sns:Publish"
+      ],
+      "Resource": "${var.cirrus_workflow_event_sns_topic_arn}"
+    }
+  ]
+}
+EOF
+
+}
+
+resource "aws_iam_role_policy_attachment" "cirrus_update_state_lambda_role_policy_attachment1" {
+  role       = aws_iam_role.cirrus_update_state_lambda_role.name
+  policy_arn = aws_iam_policy.cirrus_update_state_lambda_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "cirrus_update_state_lambda_role_policy_attachment2" {
+  role       = aws_iam_role.cirrus_update_state_lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_lambda_function" "cirrus_update_state" {
+  filename                       = "${path.module}/cirrus-lambda-dist.zip"
+  function_name                  = "${var.cirrus_prefix}-process"
+  description                    = "Cirrus Update-State Lambda"
+  role                           = aws_iam_role.cirrus_update_state_lambda_role.arn
+  handler                        = "update_state.lambda_handler"
+  source_code_hash               = filebase64sha256("${path.module}/cirrus-lambda-dist.zip")
+  runtime                        = "python3.12"
+  timeout                        = var.cirrus_update_state_lambda_timeout
+  memory_size                    = var.cirrus_update_state_lambda_memory
+  publish                        = true
+  architectures                  = ["arm64"]
+
+  environment {
+    variables = {
+      CIRRUS_LOG_LEVEL                = var.cirrus_log_level
+      CIRRUS_DATA_BUCKET              = var.cirrus_data_bucket
+      CIRRUS_PAYLOAD_BUCKET           = var.cirrus_payload_bucket
+      CIRRUS_STATE_DB                 = var.cirrus_state_dynamodb_table_name
+      CIRRUS_EVENT_DB_AND_TABLE       = "${var.cirrus_state_event_timestreamwrite_database_name}|${var.cirrus_state_event_timestreamwrite_table_name}"
+      CIRRUS_WORKFLOW_EVENT_TOPIC_ARN = var.cirrus_workflow_event_sns_topic_arn
+      CIRRUS_PROCESS_QUEUE_URL        = var.cirrus_process_sqs_queue_url
+    }
+  }
+
+  vpc_config {
+    security_group_ids           = var.vpc_security_group_ids
+    subnet_ids                   = var.vpc_subnet_ids
+  }
+}
diff --git a/modules/cirrus/inputs.tf b/modules/cirrus/inputs.tf
@@ -86,6 +86,18 @@ variable "cirrus_process_lambda_reserved_concurrency" {
   default     = 16
 }
 
+variable "cirrus_update_state_lambda_timeout" {
+  description = "Cirrus update-state lambda timeout (sec)"
+  type        = number
+  default     = 15
+}
+
+variable "cirrus_update_state_lambda_memory" {
+  description = "Cirrus update-state lambda memory (MB)"
+  type        = number
+  default     = 128
+}
+
 variable "vpc_subnet_ids" {
   description = "List of subnet ids in the FilmDrop vpc"
   type        = list(string)

diff --git a/profiles/cirrus/inputs.tf b/profiles/cirrus/inputs.tf
@@ -49,6 +49,10 @@ variable "cirrus_inputs" {
       memory               = number
       reserved_concurrency = number
     })
+    update_state_lambda = object({
+      timeout = number
+      memory  = number
+    })
   })
   default = {
     data_bucket    = "cirrus-data-bucket-name"
@@ -71,5 +75,9 @@ variable "cirrus_inputs" {
       memory               = 128
       reserved_concurrency = 16
     }
+    update_state_lambda = {
+      timeout = 15
+      memory  = 128
+    }
   }
 }
diff --git a/profiles/cirrus/main.tf b/profiles/cirrus/main.tf
@@ -17,4 +17,6 @@ module "cirrus" {
   cirrus_process_lambda_timeout                             = var.cirrus_inputs.process_lambda.timeout
   cirrus_process_lambda_memory                              = var.cirrus_inputs.process_lambda.memory
   cirrus_process_lambda_reserved_concurrency                = var.cirrus_inputs.process_lambda.reserved_concurrency
+  cirrus_update_state_lambda_timeout                        = var.cirrus_inputs.update_state_lambda.timeout
+  cirrus_update_state_lambda_memory                         = var.cirrus_inputs.update_state_lambda.memory
 }
diff --git a/profiles/core/inputs.tf b/profiles/core/inputs.tf
@@ -367,6 +367,10 @@ variable "cirrus_inputs" {
       memory               = number
       reserved_concurrency = number
     })
+    update_state_lambda = object({
+      timeout = number
+      memory  = number
+    })
   })
   default = {
     data_bucket    = "cirrus-data-bucket-name"
@@ -389,6 +393,10 @@ variable "cirrus_inputs" {
       memory               = 128
       reserved_concurrency = 16
     }
+    update_state_lambda = {
+      timeout = 15
+      memory  = 128
+    }
   }
 }