CCM-14149: Support Container Based Lambdas

Author: jamesthompson26-nhs

infrastructure/modules/lambda/README.md

@@ -22,11 +22,11 @@
 | <a name="input_filter_pattern"></a> [filter\_pattern](#input\_filter\_pattern) | Filter pattern to use for the log subscription filter | `string` | `""` | no |
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_function_code_base_path"></a> [function\_code\_base\_path](#input\_function\_code\_base\_path) | The base path to the sourcecode directories needed for this lambda | `string` | `"./"` | no |
-| <a name="input_function_code_dir"></a> [function\_code\_dir](#input\_function\_code\_dir) | The directory for this lambda | `string` | n/a | yes |
+| <a name="input_function_code_dir"></a> [function\_code\_dir](#input\_function\_code\_dir) | The directory for this lambda (required for Zip) | `string` | `null` | no |
 | <a name="input_function_include_common"></a> [function\_include\_common](#input\_function\_include\_common) | Include the 'common' lambda module with this lambda | `bool` | `true` | no |
 | <a name="input_function_module_name"></a> [function\_module\_name](#input\_function\_module\_name) | The name of the function module as used by the lambda handler, e.g. index or exports | `string` | `"index"` | no |
 | <a name="input_function_name"></a> [function\_name](#input\_function\_name) | Base name of this lambda | `string` | n/a | yes |
-| <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | The bucket to upload Lambda packages to | `string` | n/a | yes |
+| <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | The bucket to upload Lambda packages to (required for Zip) | `string` | `null` | no |
 | <a name="input_group"></a> [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
 | <a name="input_handler_function_name"></a> [handler\_function\_name](#input\_handler\_function\_name) | The name of the lambda handler function (passed directly to the Lambda's handler option) | `string` | `"handler"` | no |
 | <a name="input_iam_policy_document"></a> [iam\_policy\_document](#input\_iam\_policy\_document) | n/a | <pre>object({<br/>    body = string<br/>  })</pre> | `null` | no |
@@ -44,7 +44,10 @@
 | <a name="input_permission_statements"></a> [permission\_statements](#input\_permission\_statements) | Statements giving an external source permission to invoke the Lambda function | <pre>list(object({<br/>    action         = optional(string)<br/>    principal      = string<br/>    source_arn     = optional(string)<br/>    source_account = optional(string)<br/>    statement_id   = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
-| <a name="input_runtime"></a> [runtime](#input\_runtime) | The runtime to use for the lambda function | `string` | n/a | yes |
+| <a name="input_runtime"></a> [runtime](#input\_runtime) | The runtime to use for the lambda function (required for Zip) | `string` | `null` | no |
+| <a name="input_package_type"></a> [package\_type](#input\_package\_type) | Lambda package type: Zip or Image | `string` | `"Zip"` | no |
+| <a name="input_image_uri"></a> [image\_uri](#input\_image\_uri) | ECR image URI for Image-based Lambda | `string` | `null` | no |
+| <a name="input_image_config"></a> [image\_config](#input\_image\_config) | Optional image configuration for Image-based Lambda | <pre>object({<br/>    entry_point = optional(list(string))<br/>    command = optional(list(string))<br/>    working_directory = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_schedule"></a> [schedule](#input\_schedule) | The fully qualified Cloudwatch Events schedule for when to run the lambda function, e.g. rate(1 day) or a cron() expression. Default disables all events resources | `string` | `""` | no |
 | <a name="input_send_to_firehose"></a> [send\_to\_firehose](#input\_send\_to\_firehose) | Enable sending logs to firehose | `bool` | `true` | no |
 | <a name="input_sns_destination"></a> [sns\_destination](#input\_sns\_destination) | SNS Topic ARN to be used for on-failure Lambda invocation records | `string` | `null` | no |

infrastructure/modules/lambda/data_archive_file_lambda.tf

@@ -1,4 +1,5 @@
 data "archive_file" "lambda" {
+  count = var.package_type == "Zip" ? 1 : 0
   type       = "zip"
   source_dir = "${path.root}/${var.function_code_base_path}/${var.function_code_dir}"
 

infrastructure/modules/lambda/data_iam_policy_document_ecr.tf

@@ -0,0 +1,14 @@
+data "aws_iam_policy_document" "ecr" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchCheckLayerAvailability",
+    ]
+
+    resources = ["*"]
+  }
+}

infrastructure/modules/lambda/iam_role_policy_ecr.tf

@@ -0,0 +1,6 @@
+resource "aws_iam_role_policy" "ecr" {
+  count  = var.package_type == "Image" ? 1 : 0
+  name   = "${local.csi}-ecr"
+  role   = aws_iam_role.main.id
+  policy = data.aws_iam_policy_document.ecr.json
+}

infrastructure/modules/lambda/lambda_function.tf

@@ -2,15 +2,27 @@ resource "aws_lambda_function" "main" {
   description   = var.description
   function_name = local.csi
   role          = aws_iam_role.main.arn
-  handler       = "${var.function_module_name}.${var.handler_function_name}"
-  runtime       = var.runtime
+  handler       = var.package_type == "Zip" ? "${var.function_module_name}.${var.handler_function_name}" : null
+  runtime       = var.package_type == "Zip" ? var.runtime : null
+  package_type  = var.package_type
   publish       = true
   memory_size   = var.memory
   timeout       = var.timeout
 
-  s3_bucket         = aws_s3_object.lambda.bucket
-  s3_key            = aws_s3_object.lambda.key
-  s3_object_version = aws_s3_object.lambda.version_id
+  s3_bucket         = var.package_type == "Zip" ? aws_s3_object.lambda[0].bucket : null
+  s3_key            = var.package_type == "Zip" ? aws_s3_object.lambda[0].key : null
+  s3_object_version = var.package_type == "Zip" ? aws_s3_object.lambda[0].version_id : null
+
+  image_uri = var.package_type == "Image" ? var.image_uri : null
+
+  dynamic "image_config" {
+    for_each = var.package_type == "Image" && var.image_config != null ? [1] : []
+    content {
+      entry_point       = try(var.image_config.entry_point, null)
+      command           = try(var.image_config.command, null)
+      working_directory = try(var.image_config.working_directory, null)
+    }
+  }
 
   logging_config {
     application_log_level = var.application_log_level
@@ -19,12 +31,12 @@ resource "aws_lambda_function" "main" {
     system_log_level      = var.system_log_level
   }
 
-  layers = compact(concat(
+  layers = var.package_type == "Zip" ? compact(concat(
     var.layers,
     [
       var.enable_lambda_insights && var.lambda_at_edge == false ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:53" : null
     ]
-  ))
+  )) : []
 
   environment {
     variables = var.lambda_env_vars

infrastructure/modules/lambda/s3_object_lambda.tf

@@ -1,12 +1,13 @@
 resource "aws_s3_object" "lambda" {
+  count  = var.package_type == "Zip" ? 1 : 0
   bucket = var.function_s3_bucket
   key    = "${local.csi}.zip"
-  source = data.archive_file.lambda.output_path
+  source = data.archive_file.lambda[0].output_path
 
-  source_hash = var.force_lambda_code_deploy ? data.archive_file.lambda.output_base64sha256 : null
+  source_hash = var.force_lambda_code_deploy ? data.archive_file.lambda[0].output_base64sha256 : null
 
   metadata = {
-    hash     = data.archive_file.lambda.output_base64sha256
+    hash     = data.archive_file.lambda[0].output_base64sha256
     function = local.csi
     commit   = try(data.external.git_commit.result["sha"], "null")
   }

infrastructure/modules/lambda/variables.tf

@@ -92,6 +92,44 @@ variable "log_retention_in_days" {
 variable "runtime" {
   type        = string
   description = "The runtime to use for the lambda function"
+  default     = null
+
+  validation {
+    condition     = var.package_type != "Zip" || (var.runtime != null && var.runtime != "")
+    error_message = "runtime must be set when package_type is Zip."
+  }
+}
+
+variable "package_type" {
+  type        = string
+  description = "Lambda package type: Zip or Image"
+  default     = "Zip"
+
+  validation {
+    condition     = contains(["Zip", "Image"], var.package_type)
+    error_message = "package_type must be either Zip or Image."
+  }
+}
+
+variable "image_uri" {
+  type        = string
+  description = "ECR image URI for Image-based Lambda"
+  default     = null
+
+  validation {
+    condition     = var.package_type != "Image" || (var.image_uri != null && var.image_uri != "")
+    error_message = "image_uri must be set when package_type is Image."
+  }
+}
+
+variable "image_config" {
+  type = object({
+    entry_point       = optional(list(string))
+    command           = optional(list(string))
+    working_directory = optional(string)
+  })
+  description = "Optional image configuration for Image-based Lambda"
+  default     = null
 }
 
 variable "schedule" {
@@ -122,11 +160,23 @@ variable "function_code_base_path" {
 variable "function_code_dir" {
   type        = string
   description = "The directory for this lambda"
+  default     = null
+
+  validation {
+    condition     = var.package_type != "Zip" || (var.function_code_dir != null && var.function_code_dir != "")
+    error_message = "function_code_dir must be set when package_type is Zip."
+  }
 }
 
 variable "function_s3_bucket" {
   type        = string
   description = "The bucket to upload Lambda packages to"
+  default     = null
+
+  validation {
+    condition     = var.package_type != "Zip" || (var.function_s3_bucket != null && var.function_s3_bucket != "")
+    error_message = "function_s3_bucket must be set when package_type is Zip."
+  }
 }
 
 variable "function_include_common" {