set environment variables on engine lambda from github

.github/workflows/_deploy_lambda.yml

@@ -42,6 +42,34 @@ on:
         required: true
       AWS_REGION:
         required: true
+      TF_VAR_api_key:
+        required: false
+      TF_VAR_secret_key:
+        required: false
+      TF_VAR_domain_name:
+        required: false
+      TF_VAR_epc_auth_token:
+        required: false
+      TF_VAR_google_solar_api_key:
+        required: false
+      TF_VAR_plan_trigger_bucket:
+        required: false
+      TF_VAR_data_bucket:
+        required: false
+      TF_VAR_predictions_bucket:
+        required: false
+      TF_VAR_sap_predictions_bucket:
+        required: false
+      TF_VAR_carbon_predictions_bucket:
+        required: false
+      TF_VAR_heat_predictions_bucket:
+        required: false
+      TF_VAR_heating_kwh_predictions_bucket:
+        required: false
+      TF_VAR_hotwater_kwh_predictions_bucket:
+        required: false
+      TF_VAR_energy_assessments_bucket:
+        required: false
 
 jobs:
   deploy:
@@ -90,6 +118,21 @@ jobs:
 
       - name: Terraform Plan
         working-directory: ${{ inputs.lambda_path }}
+        env:
+          TF_VAR_api_key: ${{ secrets.TF_VAR_api_key }}
+          TF_VAR_secret_key: ${{ secrets.TF_VAR_secret_key }}
+          TF_VAR_domain_name: ${{ secrets.TF_VAR_domain_name }}
+          TF_VAR_epc_auth_token: ${{ secrets.TF_VAR_epc_auth_token }}
+          TF_VAR_google_solar_api_key: ${{ secrets.TF_VAR_google_solar_api_key }}
+          TF_VAR_plan_trigger_bucket: ${{ secrets.TF_VAR_plan_trigger_bucket }}
+          TF_VAR_data_bucket: ${{ secrets.TF_VAR_data_bucket }}
+          TF_VAR_predictions_bucket: ${{ secrets.TF_VAR_predictions_bucket }}
+          TF_VAR_sap_predictions_bucket: ${{ secrets.TF_VAR_sap_predictions_bucket }}
+          TF_VAR_carbon_predictions_bucket: ${{ secrets.TF_VAR_carbon_predictions_bucket }}
+          TF_VAR_heat_predictions_bucket: ${{ secrets.TF_VAR_heat_predictions_bucket }}
+          TF_VAR_heating_kwh_predictions_bucket: ${{ secrets.TF_VAR_heating_kwh_predictions_bucket }}
+          TF_VAR_hotwater_kwh_predictions_bucket: ${{ secrets.TF_VAR_hotwater_kwh_predictions_bucket }}
+          TF_VAR_energy_assessments_bucket: ${{ secrets.TF_VAR_energy_assessments_bucket }}
         run: |
           terraform plan \
             -var="stage=${{ inputs.stage }}" \
@@ -106,10 +149,24 @@ jobs:
       - name: Terraform Destroy
         if: inputs.terraform_destroy == 'true' && inputs.terraform_apply != 'true'
         working-directory: ${{ inputs.lambda_path }}
+        env:
+          TF_VAR_api_key: ${{ secrets.TF_VAR_api_key }}
+          TF_VAR_secret_key: ${{ secrets.TF_VAR_secret_key }}
+          TF_VAR_domain_name: ${{ secrets.TF_VAR_domain_name }}
+          TF_VAR_epc_auth_token: ${{ secrets.TF_VAR_epc_auth_token }}
+          TF_VAR_google_solar_api_key: ${{ secrets.TF_VAR_google_solar_api_key }}
+          TF_VAR_plan_trigger_bucket: ${{ secrets.TF_VAR_plan_trigger_bucket }}
+          TF_VAR_data_bucket: ${{ secrets.TF_VAR_data_bucket }}
+          TF_VAR_predictions_bucket: ${{ secrets.TF_VAR_predictions_bucket }}
+          TF_VAR_sap_predictions_bucket: ${{ secrets.TF_VAR_sap_predictions_bucket }}
+          TF_VAR_carbon_predictions_bucket: ${{ secrets.TF_VAR_carbon_predictions_bucket }}
+          TF_VAR_heat_predictions_bucket: ${{ secrets.TF_VAR_heat_predictions_bucket }}
+          TF_VAR_heating_kwh_predictions_bucket: ${{ secrets.TF_VAR_heating_kwh_predictions_bucket }}
+          TF_VAR_hotwater_kwh_predictions_bucket: ${{ secrets.TF_VAR_hotwater_kwh_predictions_bucket }}
+          TF_VAR_energy_assessments_bucket: ${{ secrets.TF_VAR_energy_assessments_bucket }}
         run: |
           terraform destroy -auto-approve \
             -var="stage=${{ inputs.stage }}" \
             -var="lambda_name=${{ inputs.lambda_name }}" \
             -var="ecr_repo_url=${{ steps.repo.outputs.ecr_repo_url }}" \
             -var="image_digest=${{ inputs.image_digest }}"
-

.github/workflows/deploy_terraform.yml

@@ -241,4 +241,45 @@ jobs:
       AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
       AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
 
+  # ============================================================
+  # Ara Engine image and Push
+  # ============================================================
+  ara_engine_image:
+    needs: [determine_stage, shared_terraform]
+    uses: ./.github/workflows/_build_image.yml
+    with:
+      ecr_repo: engine-${{ needs.determine_stage.outputs.stage }}
+      dockerfile_path: backend/docker/engine.Dockerfile
+      build_context: .
 
+  # ============================================================
+  # Deploy Categorisation Lambda
+  # ============================================================
+  ara_engine_lambda:
+    needs: [ara_engine_image, determine_stage]
+    uses: ./.github/workflows/_deploy_lambda.yml
+    with:
+      lambda_name: ara_engine
+      lambda_path: infrastructure/terraform/lambda/engine
+      stage: ${{ needs.determine_stage.outputs.stage }}
+      ecr_repo: engine-${{ needs.determine_stage.outputs.stage }}
+      image_digest: ${{ needs.ara_engine_image.outputs.image_digest }}
+      terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
+    secrets:
+      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+      TF_VAR_api_key: ${{ secrets.DEV_API_KEY }}
+      TF_VAR_secret_key: ${{ secrets.DEV_SECRET_KEY }}
+      TF_VAR_domain_name: ${{ secrets.DEV_DOMAIN_NAME }}
+      TF_VAR_epc_auth_token: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
+      TF_VAR_google_solar_api_key: ${{ secrets.DEV_GOOGLE_SOLAR_API_KEY }}
+      TF_VAR_plan_trigger_bucket: ${{ secrets.DEV_PLAN_TRIGGER_BUCKET }}
+      TF_VAR_data_bucket: ${{ secrets.DEV_DATA_BUCKET }}
+      TF_VAR_predictions_bucket: ${{ secrets.DEV_PREDICTIONS_BUCKET }}
+      TF_VAR_sap_predictions_bucket: ${{ secrets.DEV_SAP_PREDICTIONS_BUCKET }}
+      TF_VAR_carbon_predictions_bucket: ${{ secrets.DEV_CARBON_PREDICTIONS_BUCKET }}
+      TF_VAR_heat_predictions_bucket: ${{ secrets.DEV_HEAT_PREDICTIONS_BUCKET }}
+      TF_VAR_heating_kwh_predictions_bucket: ${{ secrets.DEV_HEATING_KWH_PREDICTIONS_BUCKET }}
+      TF_VAR_hotwater_kwh_predictions_bucket: ${{ secrets.DEV_HOTWATER_KWH_PREDICTIONS_BUCKET }}
+      TF_VAR_energy_assessments_bucket: ${{ secrets.DEV_ENERGY_ASSESSMENTS_BUCKET }}

infrastructure/terraform/lambda/engine/main.tf

@@ -7,6 +7,15 @@ data "terraform_remote_state" "shared" {
   }
 }
 
+data "aws_secretsmanager_secret_version" "db_credentials" {
+  secret_id = "${var.stage}/assessment_model/db_credentials"
+}
+
+locals {
+  db_credentials = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)
+}
+
+
 module "lambda" {
   source = "../modules/lambda_with_sqs"
 
@@ -18,8 +27,44 @@ module "lambda" {
   # Optional: Set maximum_concurrency to limit concurrent SQS-triggered invocations (2-1000)
   maximum_concurrency = var.maximum_concurrency
 
-  environment = {
-    STAGE = var.stage
-    LOG_LEVEL = "info"
-  }
-}
+  environment = merge(
+    {
+      STAGE      = var.stage
+      LOG_LEVEL  = "info"
+
+      # DB from Secrets Manager
+      DB_USERNAME = local.db_credentials.db_assessment_model_username
+      DB_PASSWORD = local.db_credentials.db_assessment_model_password
+
+      # Secrets from GitHub
+      DB_HOST     = var.db_host
+      DB_NAME     = var.db_name
+      DB_PORT     = var.db_port
+      API_KEY              = var.api_key
+      SECRET_KEY           = var.secret_key
+      DOMAIN_NAME          = var.domain_name
+      EPC_AUTH_TOKEN       = var.epc_auth_token
+      GOOGLE_SOLAR_API_KEY = var.google_solar_api_key
+
+      # Buckets
+      PLAN_TRIGGER_BUCKET             = var.plan_trigger_bucket
+      DATA_BUCKET                     = var.data_bucket
+      PREDICTIONS_BUCKET              = var.predictions_bucket
+      SAP_PREDICTIONS_BUCKET          = var.sap_predictions_bucket
+      CARBON_PREDICTIONS_BUCKET       = var.carbon_predictions_bucket
+      HEAT_PREDICTIONS_BUCKET         = var.heat_predictions_bucket
+      HEATING_KWH_PREDICTIONS_BUCKET  = var.heating_kwh_predictions_bucket
+      HOTWATER_KWH_PREDICTIONS_BUCKET = var.hotwater_kwh_predictions_bucket
+      ENERGY_ASSESSMENTS_BUCKET       = var.energy_assessments_bucket
+
+      # SQS
+      ENGINE_SQS_URL         = module.lambda.sqs_queue_url
+
+      # Deployment
+      ECR_URI    = var.ecr_repo_url
+      GITHUB_SHA = var.image_digest
+    }
+  )
+}
+
+# Policies and IAM

infrastructure/terraform/lambda/engine/variables.tf

@@ -23,10 +23,70 @@ variable "maximum_concurrency" {
   description = "Maximum number of concurrent Lambda invocations from SQS (2-1000). null = no limit."
 }
 
+variable "api_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "secret_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "domain_name" {
+  type = string
+}
+
+variable "epc_auth_token" {
+  type      = string
+  sensitive = true
+}
+
+variable "google_solar_api_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "plan_trigger_bucket" {
+  type = string
+}
+
+variable "data_bucket" {
+  type = string
+}
+
+variable "predictions_bucket" {
+  type = string
+}
+
+variable "sap_predictions_bucket" {
+  type = string
+}
+
+variable "carbon_predictions_bucket" {
+  type = string
+}
+
+variable "heat_predictions_bucket" {
+  type = string
+}
+
+variable "heating_kwh_predictions_bucket" {
+  type = string
+}
+
+variable "hotwater_kwh_predictions_bucket" {
+  type = string
+}
+
+variable "energy_assessments_bucket" {
+  type = string
+}
+
 locals {
   image_uri = "${var.ecr_repo_url}@${var.image_digest}"
 }
 
 output "resolved_image_uri" {
   value = local.image_uri
-}
+}