diff --git a/terraform/environments/data-platform/api.tf b/terraform/environments/data-platform/api.tf
index 022d6ca1444..c51626aaa4e 100644
--- a/terraform/environments/data-platform/api.tf
+++ b/terraform/environments/data-platform/api.tf
@@ -23,12 +23,13 @@ resource "aws_api_gateway_deployment" "deployment" {
 aws_api_gateway_resource.data_product_table,
 aws_api_gateway_resource.data_product_table_name,
 aws_api_gateway_resource.upload_data_for_data_product_table_name,
- aws_api_gateway_resource.create_schema_for_data_product_table_name,
+ aws_api_gateway_resource.schema_for_data_product_table_name,
 aws_api_gateway_method.docs,
 aws_api_gateway_method.get_glue_metadata,
 aws_api_gateway_method.register_data_product,
 aws_api_gateway_method.upload_data_for_data_product_table_name,
 aws_api_gateway_method.create_schema_for_data_product_table_name,
+ aws_api_gateway_method.get_schema_for_data_product_table_name,
 aws_api_gateway_integration.docs_to_lambda,
 aws_api_gateway_integration.upload_data_for_data_product_table_name_to_lambda,
 aws_api_gateway_integration.proxy_to_lambda,
@@ -36,6 +37,7 @@ resource "aws_api_gateway_deployment" "deployment" {
 aws_api_gateway_integration.get_glue_metadata,
 aws_api_gateway_integration.register_data_product_to_lambda,
 aws_api_gateway_integration.create_schema_for_data_product_table_name_to_lambda,
+ aws_api_gateway_integration.get_schema_for_data_product_table_name_to_lambda,
 ]))
 }
 
@@ -123,6 +125,18 @@ resource "aws_api_gateway_resource" "upload_data_for_data_product_table_name" {
 rest_api_id = aws_api_gateway_rest_api.data_platform.id
 }
 
+# /data-product/{data-product-name}/table/{table-name}/schema resource
+resource "aws_api_gateway_resource" "schema_for_data_product_table_name" {
+ parent_id = aws_api_gateway_resource.data_product_table_name.id
+ path_part = "schema"
+ rest_api_id = aws_api_gateway_rest_api.data_platform.id
+}
+
+moved {
+ from = aws_api_gateway_resource.create_schema_for_data_product_table_name
+ to = aws_api_gateway_resource.schema_for_data_product_table_name
+}
+
 # /data-product/{data-product-name}/table/{table-name}/upload POST method
 resource "aws_api_gateway_method" "upload_data_for_data_product_table_name" {
 authorization = "CUSTOM"
@@ -153,19 +167,12 @@ resource "aws_api_gateway_integration" "upload_data_for_data_product_table_name_
 }
 }
 
-# /data-product/{data-product-name}/table/{table-name}/schema resource
-resource "aws_api_gateway_resource" "create_schema_for_data_product_table_name" {
- parent_id = aws_api_gateway_resource.data_product_table_name.id
- path_part = "schema"
- rest_api_id = aws_api_gateway_rest_api.data_platform.id
-}
-
 # /data-product/{data-product-name}/table/{table-name}/schema POST method
 resource "aws_api_gateway_method" "create_schema_for_data_product_table_name" {
 authorization = "CUSTOM"
 authorizer_id = aws_api_gateway_authorizer.authorizer.id
 http_method = "POST"
- resource_id = aws_api_gateway_resource.create_schema_for_data_product_table_name.id
+ resource_id = aws_api_gateway_resource.schema_for_data_product_table_name.id
 rest_api_id = aws_api_gateway_rest_api.data_platform.id
 
 request_parameters = {
@@ -178,7 +185,7 @@ resource "aws_api_gateway_method" "create_schema_for_data_product_table_name" {
 # /data-product/{data-product-name}/table/{table-name}/schema lambda integration
 resource "aws_api_gateway_integration" "create_schema_for_data_product_table_name_to_lambda" {
 http_method = aws_api_gateway_method.create_schema_for_data_product_table_name.http_method
- resource_id = aws_api_gateway_resource.create_schema_for_data_product_table_name.id
+ resource_id = aws_api_gateway_resource.schema_for_data_product_table_name.id
 rest_api_id = aws_api_gateway_rest_api.data_platform.id
 integration_http_method = "POST"
 type = "AWS_PROXY"
@@ -190,6 +197,36 @@ resource "aws_api_gateway_integration" "create_schema_for_data_product_table_nam
 }
 }
 
+# /data-product/{data-product-name}/table/{table-name}/schema GET method
+resource "aws_api_gateway_method" "get_schema_for_data_product_table_name" {
+ authorization = "CUSTOM"
+ authorizer_id = aws_api_gateway_authorizer.authorizer.id
+ http_method = "GET"
+ resource_id = aws_api_gateway_resource.schema_for_data_product_table_name.id
+ rest_api_id = aws_api_gateway_rest_api.data_platform.id
+
+ request_parameters = {
+ "method.request.header.Authorization" = true,
+ "method.request.path.data-product-name" = true,
+ "method.request.path.table-name" = true,
+ }
+}
+
+# /data-product/{data-product-name}/table/{table-name}/schema lambda integration
+resource "aws_api_gateway_integration" "get_schema_for_data_product_table_name_to_lambda" {
+ http_method = aws_api_gateway_method.get_schema_for_data_product_table_name.http_method
+ resource_id = aws_api_gateway_resource.schema_for_data_product_table_name.id
+ rest_api_id = aws_api_gateway_rest_api.data_platform.id
+ integration_http_method = "POST"
+ type = "AWS_PROXY"
+ uri = module.get_schema_lambda.lambda_function_invoke_arn
+
+ request_parameters = {
+ "integration.request.path.data-product-name" = "method.request.path.data-product-name",
+ "integration.request.path.table-name" = "method.request.path.table-name",
+ }
+}
+
 # API docs endpoint
 resource "aws_api_gateway_resource" "docs" {
diff --git a/terraform/environments/data-platform/application_variables.auto.tfvars.json b/terraform/environments/data-platform/application_variables.auto.tfvars.json
index 51911bbcc8d..566b4444e61 100644
--- a/terraform/environments/data-platform/application_variables.auto.tfvars.json
+++ b/terraform/environments/data-platform/application_variables.auto.tfvars.json
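Review bot: The heading above `get_schema_for_data_product_table_name_to_lambda` repeats the POST integration's comment word for word, so the two integrations on the same path are only told apart by their resource names; write `# /data-product/{data-product-name}/table/{table-name}/schema GET lambda integration` here and, for symmetry, add `POST` to the heading of `create_schema_for_data_product_table_name_to_lambda` in the preceding hunk. The GET method itself mirrors the POST one correctly: `authorization = "CUSTOM"` with the same authorizer, the Authorization header and both path parameters marked required, and the first hunk of this file adds both new resources to the deployment trigger hash, so a redeploy will pick them up.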
@@ -58,5 +58,11 @@
 "test": "1.0.0",
 "preproduction": "1.0.0",
 "production": "1.0.0"
+ },
+ "get_schema_versions": {
+ "development": "1.0.0",
+ "test": "1.0.0",
+ "preproduction": "1.0.0",
+ "production": "1.0.0"
 }
 }
diff --git a/terraform/environments/data-platform/iam.tf b/terraform/environments/data-platform/iam.tf
index be8f7b10fad..87d3e63228a 100644
--- a/terraform/environments/data-platform/iam.tf
+++ b/terraform/environments/data-platform/iam.tf
@@ -18,20 +18,26 @@ data "aws_iam_policy_document" "log_to_bucket" {
 
 data "aws_iam_policy_document" "read_metadata" {
 statement {
- sid = "s3ReadMetadata"
- effect = "Allow"
- actions = [
- "s3:GetObject",
- "s3:ListBucket",
- ]
+ sid = "s3ReadMetadata"
+ effect = "Allow"
+ actions = ["s3:GetObject", "s3:ListBucket"]
 resources = [
+ "${module.metadata_s3_bucket.bucket.arn}/*",
 "${module.metadata_s3_bucket.bucket.arn}",
- "${module.metadata_s3_bucket.bucket.arn}/*"
 ]
 }
 }
 
-data "aws_iam_policy_document" "iam_policy_document_for_docs_lambda" {
+data "aws_iam_policy_document" "write_metadata" {
+ statement {
+ sid = "s3WriteMetadata"
+ effect = "Allow"
+ actions = ["s3:PutObject"]
+ resources = ["${module.metadata_s3_bucket.bucket.arn}/*"]
+ }
+}
+
+data "aws_iam_policy_document" "create_write_lambda_logs" {
 statement {
 sid = "LambdaLogGroup"
 effect = "Allow"
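Review bot: `create_write_lambda_logs` is the renamed `iam_policy_document_for_docs_lambda`, and the `actions` and `resources` of its `LambdaLogGroup` statement lie below this hunk, so the CloudWatch Logs scope that every Lambda role now inherits through `source_policy_documents` is not visible in the diff. The per-role statements it replaces in the later hunks of iam.tf were scoped two different ways: `arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/*` for the authorizer, glue-metadata, presigned-url, reload, resync and create-schema roles, and the wider `format("arn:aws:logs:eu-west-2:%s:*", ...)` for athena-load, landing-to-raw and create-metadata, so if the shared statement carries the wider form those six roles quietly gain `logs:PutLogEvents` on every log group in the account. Confirm the shared `resources` is the `log-group:/aws/lambda/*` form (ideally narrowed further to this platform's own function names) and record the intent above the data source: `# CloudWatch Logs permissions shared by every Lambda role; keep resources scoped to log-group:/aws/lambda/* so sharing never widens a role`. The same consolidation appears in the athena-load, landing-to-raw, authorizer, glue-metadata, presigned-url, create-metadata, reload, get-schema, resync and create-schema hunks below and in the docs module in lambda.tf, so one fix here covers them all.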
@@ -41,29 +47,12 @@ data "aws_iam_policy_document" "iam_policy_document_for_docs_lambda" {
 }
 
 data "aws_iam_policy_document" "athena_load_lambda_function_policy" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json, data.aws_iam_policy_document.read_metadata.json]
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.read_metadata.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 
- statement {
- sid = "AllowLambdaToCreateLogGroup"
- effect = "Allow"
- actions = [
- "logs:CreateLogGroup"
- ]
- resources = [
- format("arn:aws:logs:eu-west-2:%s:*", data.aws_caller_identity.current.account_id)
- ]
- }
- statement {
- sid = "AllowLambdaToWriteLogsToGroup"
- effect = "Allow"
- actions = [
- "logs:CreateLogStream",
- "logs:PutLogEvents"
- ]
- resources = [
- format("arn:aws:logs:eu-west-2:%s:*", data.aws_caller_identity.current.account_id)
- ]
- }
 statement {
 sid = "s3Access"
 effect = "Allow"
@@ -135,29 +124,12 @@ data "aws_iam_policy_document" "athena_load_lambda_function_policy" {
 }
 
 data "aws_iam_policy_document" "landing_to_raw_lambda_policy" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json, data.aws_iam_policy_document.read_metadata.json]
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.read_metadata.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 
- statement {
- sid = "AllowLambdaToCreateLogGroup"
- effect = "Allow"
- actions = [
- "logs:CreateLogGroup"
- ]
- resources = [
- format("arn:aws:logs:eu-west-2:%s:*", data.aws_caller_identity.current.account_id)
- ]
- }
- statement {
- sid = "AllowLambdaToWriteLogsToGroup"
- effect = "Allow"
- actions = [
- "logs:CreateLogStream",
- "logs:PutLogEvents"
- ]
- resources = [
- format("arn:aws:logs:eu-west-2:%s:*", data.aws_caller_identity.current.account_id)
- ]
- }
 statement {
 sid = "getLandingData"
 effect = "Allow"
@@ -185,18 +157,17 @@ data "aws_iam_policy_document" "landing_to_raw_lambda_policy" {
 }
 
 data "aws_iam_policy_document" "iam_policy_document_for_authorizer_lambda" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json]
-
- statement {
- sid = "LambdaLogGroup"
- effect = "Allow"
- actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
- resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/*"]
- }
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 }
 
 data "aws_iam_policy_document" "iam_policy_document_for_get_glue_metadata_lambda" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json]
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 statement {
 sid = "GlueReadOnly"
 effect = "Allow"
@@ -207,21 +178,23 @@ data "aws_iam_policy_document" "iam_policy_document_for_get_glue_metadata_lambda
 "arn:aws:glue:${local.region}:${local.account_id}:table/*"
 ]
 }
- statement {
- sid = "LambdaLogGroup"
- effect = "Allow"
- actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
- resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/*"]
- }
 }
 
 data "aws_iam_policy_document" "iam_policy_document_for_presigned_url_lambda" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json, data.aws_iam_policy_document.read_metadata.json]
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.read_metadata.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 
 statement {
- sid = "GetPutDataObject"
- effect = "Allow"
- actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
+ sid = "GetPutDataObject"
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:ListBucket",
+ ]
 resources = [
 "${module.data_s3_bucket.bucket.arn}/raw/*",
 "${module.logs_s3_bucket.bucket.arn}/logs/*",
@@ -229,13 +202,6 @@ data "aws_iam_policy_document" "iam_policy_document_for_presigned_url_lambda" {
 "${module.logs_s3_bucket.bucket.arn}/logs",
 ]
 }
-
- statement {
- sid = "LambdaLogGroup"
- effect = "Allow"
- actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
- resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/*"]
- }
 }
 
 # API Gateway authoriser IAM permissions
@@ -443,9 +409,15 @@ data "aws_iam_policy_document" "logs_s3_bucket_policy_document" {
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cicd-member-user"]
 }
 
- actions = ["s3:PutObject", "s3:ListBucket"]
+ actions = [
+ "s3:PutObject",
+ "s3:ListBucket"
+ ]
 
- resources = [module.logs_s3_bucket.bucket.arn, "${module.logs_s3_bucket.bucket.arn}/*"]
+ resources = [
+ module.logs_s3_bucket.bucket.arn,
+ "${module.logs_s3_bucket.bucket.arn}/*",
+ ]
 }
 
 statement {
@@ -473,16 +445,12 @@ data "aws_iam_policy_document" "logs_s3_bucket_policy_document" {
 
 # api gateway create data product metdata permissions
 data "aws_iam_policy_document" "iam_policy_document_for_create_metadata_lambda" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json]
-
- statement {
- sid = "GetPutMetadata"
- effect = "Allow"
- actions = ["s3:GetObject", "s3:PutObject"]
- resources = [
- "${module.metadata_s3_bucket.bucket.arn}/*"
- ]
- }
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.read_metadata.json,
+ data.aws_iam_policy_document.write_metadata.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 
 statement {
 sid = "ListBucket"
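Review bot: In the `iam_policy_document_for_create_metadata_lambda` hunk the removed `GetPutMetadata` statement granted `s3:GetObject` and `s3:PutObject` on the metadata bucket's objects, and the `read_metadata` plus `write_metadata` sources that replace it grant the same pair, so the only addition for this role is `s3:ListBucket` on the bucket ARN that `read_metadata` carries. That makes the existing `ListBucket` statement kept just below (its body is outside the hunk) look redundant for this document, and for the reload and resync documents in the following hunks, which also pull in `read_metadata`; if that statement carries no condition such as an `s3:prefix` key, it can be dropped, and if it does, a one-line comment saying why both are kept would stop the next reader from removing it. Also note that the `actions` list in the `logs_s3_bucket_policy_document` hunk above is the only reformatted list in the file without a trailing comma, which `terraform fmt` will leave as is but reads inconsistently.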
@@ -492,32 +460,14 @@ data "aws_iam_policy_document" "iam_policy_document_for_create_metadata_lambda"
 module.metadata_s3_bucket.bucket.arn
 ]
 }
-
- statement {
- sid = "AllowLambdaToCreateLogGroup"
- effect = "Allow"
- actions = [
- "logs:CreateLogGroup"
- ]
- resources = [
- format("arn:aws:logs:eu-west-2:%s:*", data.aws_caller_identity.current.account_id)
- ]
- }
- statement {
- sid = "AllowLambdaToWriteLogsToGroup"
- effect = "Allow"
- actions = [
- "logs:CreateLogStream",
- "logs:PutLogEvents"
- ]
- resources = [
- format("arn:aws:logs:eu-west-2:%s:*", data.aws_caller_identity.current.account_id)
- ]
- }
 }
 
 data "aws_iam_policy_document" "iam_policy_document_for_reload_data_product_lambda" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json, data.aws_iam_policy_document.read_metadata.json]
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.read_metadata.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 
 statement {
 sid = "ListBucket"
@@ -542,16 +492,22 @@ data "aws_iam_policy_document" "iam_policy_document_for_reload_data_product_lamb
 "*"
 ]
 }
- statement {
- sid = "LambdaLogGroup"
- effect = "Allow"
- actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
- resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/*"]
- }
+}
+
+data "aws_iam_policy_document" "iam_policy_document_for_get_schema_lambda" {
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.read_metadata.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 }
 
 data "aws_iam_policy_document" "iam_policy_document_for_resync_unprocessed_files_lambda" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json, data.aws_iam_policy_document.read_metadata.json]
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.read_metadata.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 
 statement {
 sid = "ListBucket"
@@ -567,30 +523,13 @@ data "aws_iam_policy_document" "iam_policy_document_for_resync_unprocessed_files
 actions = ["lambda:InvokeFunction"]
 resources = [module.data_product_athena_load_lambda.lambda_function_arn]
 }
-
- statement {
- sid = "LambdaLogGroup"
- effect = "Allow"
- actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
- resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/*"]
- }
 }
 
 data "aws_iam_policy_document" "iam_policy_document_for_create_schema_lambda" {
- source_policy_documents = [data.aws_iam_policy_document.log_to_bucket.json, data.aws_iam_policy_document.read_metadata.json]
- statement {
- sid = "s3MetadataWrite"
- effect = "Allow"
- actions = ["s3:PutObject"]
- resources = [
- "${module.metadata_s3_bucket.bucket.arn}/*",
-
- ]
- }
- statement {
- sid = "LambdaLogGroup"
- effect = "Allow"
- actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
- resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/*"]
- }
+ source_policy_documents = [
+ data.aws_iam_policy_document.log_to_bucket.json,
+ data.aws_iam_policy_document.read_metadata.json,
+ data.aws_iam_policy_document.write_metadata.json,
+ data.aws_iam_policy_document.create_write_lambda_logs.json,
+ ]
 }
diff --git a/terraform/environments/data-platform/lambda.tf b/terraform/environments/data-platform/lambda.tf
index 0578dde1980..fbdf8fb0dfc 100644
--- a/terraform/environments/data-platform/lambda.tf
+++ b/terraform/environments/data-platform/lambda.tf
@@ -6,7 +6,7 @@ module "data_product_docs_lambda" {
 function_name = "data_product_docs_${local.environment}"
 role_name = "docs_lambda_role_${local.environment}"
 policy_json_attached = true
- policy_json = data.aws_iam_policy_document.iam_policy_document_for_docs_lambda.json
+ policy_json = data.aws_iam_policy_document.create_write_lambda_logs.json
 create_role = true
 reserved_concurrent_executions = 1
 
@@ -18,10 +18,9 @@ module "data_product_docs_lambda" {
 
 allowed_triggers = {
 AllowExecutionFromAPIGateway = {
- action = "lambda:InvokeFunction"
- function_name = "data_product_docs_${local.environment}"
- principal = "apigateway.amazonaws.com"
- source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/*"
+ action = "lambda:InvokeFunction"
+ principal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/*"
 }
 }
 
@@ -52,10 +51,9 @@ module "data_product_authorizer_lambda" {
 
 allowed_triggers = {
 AllowExecutionFromAPIGateway = {
- action = "lambda:InvokeFunction"
- function_name = "data_product_authorizer_${local.environment}"
- principal = "apigateway.amazonaws.com"
- source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/*"
+ action = "lambda:InvokeFunction"
+ principal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/*"
 }
 }
 
@@ -81,10 +79,9 @@ module "data_product_get_glue_metadata_lambda" {
 
 allowed_triggers = {
 AllowExecutionFromAPIGateway = {
- action = "lambda:InvokeFunction"
- function_name = "data_product_get_glue_metadata_${local.environment}"
- principal = "apigateway.amazonaws.com"
- source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.get_glue_metadata.http_method}${aws_api_gateway_resource.get_glue_metadata.path}"
+ action = "lambda:InvokeFunction"
+ principal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.get_glue_metadata.http_method}${aws_api_gateway_resource.get_glue_metadata.path}"
 }
 }
 
@@ -112,10 +109,9 @@ module "data_product_landing_to_raw_lambda" {
 
 allowed_triggers = {
 AllowExecutionFromCloudWatch = {
- action = "lambda:InvokeFunction"
- function_name = "data_product_landing_to_raw_${local.environment}"
- principal = "events.amazonaws.com"
- source_arn = aws_cloudwatch_event_rule.object_created_data_landing.arn
+ action = "lambda:InvokeFunction"
+ principal = "events.amazonaws.com"
+ source_arn = aws_cloudwatch_event_rule.object_created_data_landing.arn
 }
 }
 
@@ -143,10 +139,9 @@ module "data_product_presigned_url_lambda" {
 
 allowed_triggers = {
 AllowExecutionFromAPIGateway = {
- action = "lambda:InvokeFunction"
- function_name = "data_product_presigned_url_${local.environment}"
- principal = "apigateway.amazonaws.com"
- source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.upload_data_for_data_product_table_name.http_method}${aws_api_gateway_resource.upload_data_for_data_product_table_name.path}"
+ action = "lambda:InvokeFunction"
+ principal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.upload_data_for_data_product_table_name.http_method}${aws_api_gateway_resource.upload_data_for_data_product_table_name.path}"
 }
 }
 
@@ -176,10 +171,9 @@ module "data_product_athena_load_lambda" {
 
 allowed_triggers = {
 AllowExecutionFromCloudWatch = {
- action = "lambda:InvokeFunction"
- function_name = "data_product_athena_load_${local.environment}"
- principal = "events.amazonaws.com"
- source_arn = aws_cloudwatch_event_rule.object_created_raw_data.arn
+ action = "lambda:InvokeFunction"
+ principal = "events.amazonaws.com"
+ source_arn = aws_cloudwatch_event_rule.object_created_raw_data.arn
 }
 }
 
@@ -210,10 +204,9 @@ module "data_product_create_metadata_lambda" {
 
 allowed_triggers = {
 AllowExecutionFromAPIGateway = {
- action = "lambda:InvokeFunction"
- function_name = "data_product_create_metadata_${local.environment}"
- principal = "apigateway.amazonaws.com"
- source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.register_data_product.http_method}${aws_api_gateway_resource.register_data_product.path}"
+ action = "lambda:InvokeFunction"
+ principal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.register_data_product.http_method}${aws_api_gateway_resource.register_data_product.path}"
 }
 }
 
@@ -286,11 +279,38 @@ module "data_product_create_schema_lambda" {
 
 allowed_triggers = {
 AllowExecutionFromAPIGateway = {
- action = "lambda:InvokeFunction"
- function_name = "data_product_create_metadata_${local.environment}"
- principal = "apigateway.amazonaws.com"
- source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.create_schema_for_data_product_table_name.http_method}${aws_api_gateway_resource.create_schema_for_data_product_table_name.path}"
+ action = "lambda:InvokeFunction"
+ principal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.create_schema_for_data_product_table_name.http_method}${aws_api_gateway_resource.schema_for_data_product_table_name.path}"
 }
 }
+}
+
+module "get_schema_lambda" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=a4392c1" # ref for V2.1
+ application_name = "get_schema"
+ tags = local.tags
+ description = "Fetch the schema for a table from S3"
+ role_name = "get_schema_role_${local.environment}"
+ policy_json = data.aws_iam_policy_document.iam_policy_document_for_get_schema_lambda.json
+ policy_json_attached = true
+ function_name = "get_schema_${local.environment}"
+ create_role = true
+ reserved_concurrent_executions = 1
+
+ image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/data-platform-get-schema-lambda-ecr-repo:${local.get_schema_version}"
+ timeout = 600
+ tracing_mode = "Active"
+ memory_size = 128
+ environment_variables = merge(local.logger_environment_vars, local.storage_environment_vars)
+
+ allowed_triggers = {
+
+ AllowExecutionFromAPIGateway = {
+ action = "lambda:InvokeFunction"
+ principal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:${local.region}:${local.account_id}:${aws_api_gateway_rest_api.data_platform.id}/*/${aws_api_gateway_method.get_schema_for_data_product_table_name.http_method}${aws_api_gateway_resource.schema_for_data_product_table_name.path}"
+ }
+ }
 }
diff --git a/terraform/environments/data-platform/locals.tf b/terraform/environments/data-platform/locals.tf
index 8c811169c51..3d8d917b583 100644
--- a/terraform/environments/data-platform/locals.tf
+++ b/terraform/environments/data-platform/locals.tf
@@ -34,6 +34,7 @@ locals {
 create_metadata_version = lookup(var.create_metadata_versions, local.environment)
 resync_unprocessed_files_version = lookup(var.resync_unprocessed_files_versions, local.environment)
 reload_data_product_version = lookup(var.reload_data_product_versions, local.environment)
+ get_schema_version = lookup(var.get_schema_versions, local.environment)
 create_schema_version = lookup(var.create_schema_versions, local.environment)
 landing_to_raw_version = lookup(var.landing_to_raw_versions, local.environment)
 
diff --git a/terraform/environments/data-platform/variables.tf b/terraform/environments/data-platform/variables.tf
index 4666e7b95f5..6bfa471153e 100644
--- a/terraform/environments/data-platform/variables.tf
+++ b/terraform/environments/data-platform/variables.tf
@@ -37,3 +37,7 @@ variable "landing_to_raw_versions" {
 variable "create_schema_versions" {
 type = map(any)
 }
+
+variable "get_schema_versions" {
+ type = map(any)
+}
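Review bot: `timeout = 600` on the new `get_schema_lambda` module sits badly with `reserved_concurrent_executions = 1` for a function whose only trigger in this diff is the synchronous GET /schema integration from api.tf: the REST API integration gives up after its own timeout (29 s by default), but a hung S3 read would keep the single reserved execution slot busy for up to ten minutes, during which every other GET /schema request is throttled. Unless the function is also invoked asynchronously somewhere outside this diff, `timeout = 30` (or whatever the gateway's integration timeout is set to) bounds the blast radius of one slow request to a single caller; if 600 is deliberately copied from the other API-backed modules, a comment such as `# timeout mirrors the other API lambdas; the gateway cuts the request off well before this` above the line would stop the next reviewer asking the same question. The trigger's `source_arn` is correctly narrowed to the GET method and the schema path rather than `/*/*`, and the create_schema trigger in the same hunk now references the renamed `schema_for_data_product_table_name` resource, so the two modules stay consistent.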