update fast-api terraform

2026-06-08 11:17:27 +00:00 · 2026-03-10 11:42:06 +00:00 · 2026-03-10 11:42:06 +00:00 · dcb3efdb7e
commit dcb3efdb7e
parent 6632e6fcdc
3 changed files with 118 additions and 53 deletions
--- a/infrastructure/terraform/lambda/fast-api/main.tf
+++ b/infrastructure/terraform/lambda/fast-api/main.tf
@ -7,43 +7,101 @@ data "terraform_remote_state" "shared" {
  }
 }

-module "lambda" {
-  source = "../../modules/lambda_with_sqs"
+data "aws_secretsmanager_secret_version" "db_credentials" {
+  secret_id = "${var.stage}/assessment_model/db_credentials"
+}

-  name  = REPLACE ME #"address2uprn" for example
-  stage = var.stage
+locals {
+  db_credentials = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)
+}

-  image_uri = local.image_uri

-  # Optional: Set maximum_concurrency to limit concurrent SQS-triggered invocations (2-1000)
-  maximum_concurrency = var.maximum_concurrency
+data "aws_ssm_parameter" "certificate_arn" {
+  name = "/ssl_certificate_arn"
+}

-  batch_size = var.batch_size
+data "aws_route53_zone" "this" {
+  name = var.domain_name
+}

-  environment = {
-    STAGE = var.stage
-    LOG_LEVEL = "info"
+############################################
+# Install Python requirements
+############################################
+resource "null_resource" "pip_install" {
+  triggers = {
+    requirements_hash = filemd5("${path.root}/../../../../backend/app/requirements/requirements.txt")
+  }
+
+  provisioner "local-exec" {
+    command = <<EOT
+      pip install \
+        -r ${path.root}/../../../../backend/app/requirements/requirements.txt \
+        -t ${path.root}/../../../../backend/app/packages \
+        --platform manylinux2014_x86_64 \
+        --implementation cp \
+        --python-version 3.11 \
+        --only-binary=:all: \
+        --upgrade
+    EOT
  }
 }

-# ======================================================================
-# OPTIONAL: Attach S3 IAM policy to Lambda execution role
-# ======================================================================
-# Uncomment and configure the resource below to attach S3 permissions
-#
-# Example 1: Attach existing policy from shared state
-# resource "aws_iam_role_policy_attachment" "lambda_s3_policy" {
-#   role       = module.lambda.role_name
-#   policy_arn = data.terraform_remote_state.shared.outputs.YOUR_POLICY_OUTPUT_NAME_arn
-# }
-#
-# Example 2: Attach multiple policies
-# resource "aws_iam_role_policy_attachment" "lambda_read_policy" {
-#   role       = module.lambda.role_name
-#   policy_arn = data.terraform_remote_state.shared.outputs.postcode_splitter_s3_read_arn
-# }
-#
-# resource "aws_iam_role_policy_attachment" "lambda_write_policy" {
-#   role       = module.lambda.role_name
-#   policy_arn = data.terraform_remote_state.shared.outputs.another_policy_arn
-# }
+############################################
+# FastAPI Lambda + API Gateway
+############################################
+module "fastapi" {
+  depends_on = [null_resource.pip_install]
+  source     = "../../modules/lambda_with_api_gateway"
+
+  name        = "fastapi"
+  stage       = var.stage
+  source_dir  = "${path.root}/../../../../backend"
+  handler     = "app.main.handler"
+  runtime     = "python3.11"
+  timeout     = 600
+  memory_size = 512
+
+  domain_name     = "api.${var.domain_name}"
+  certificate_arn = data.aws_ssm_parameter.certificate_arn.value
+  route53_zone_id = data.aws_route53_zone.this.zone_id
+
+  environment = {
+    ENVIRONMENT    = var.stage
+    API_KEY        = var.api_key
+    SECRET_KEY     = var.secret_key
+    DOMAIN_NAME    = var.domain_name
+    EPC_AUTH_TOKEN = var.epc_auth_token
+    GOOGLE_SOLAR_API_KEY = var.google_solar_api_key
+
+    DB_HOST     = var.db_host
+    DB_NAME     = var.db_name
+    DB_PORT     = var.db_port
+    DB_USERNAME = local.db_credentials.db_assessment_model_username
+    DB_PASSWORD = local.db_credentials.db_assessment_model_password
+
+    PLAN_TRIGGER_BUCKET             = data.terraform_remote_state.shared.outputs.retrofit_plan_trigger_bucket_name
+    DATA_BUCKET                     = data.terraform_remote_state.shared.outputs.retrofit_sap_data_bucket_name
+    SAP_PREDICTIONS_BUCKET          = data.terraform_remote_state.shared.outputs.retrofit_sap_predictions_bucket_name
+    CARBON_PREDICTIONS_BUCKET       = data.terraform_remote_state.shared.outputs.retrofit_carbon_predictions_bucket_name
+    HEAT_PREDICTIONS_BUCKET         = data.terraform_remote_state.shared.outputs.retrofit_heat_predictions_bucket_name
+    HEATING_KWH_PREDICTIONS_BUCKET  = data.terraform_remote_state.shared.outputs.retrofit_heating_kwh_predictions_bucket_name
+    HOTWATER_KWH_PREDICTIONS_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_hotwater_kwh_predictions_bucket_name
+    ENERGY_ASSESSMENTS_BUCKET       = data.terraform_remote_state.shared.outputs.retrofit_energy_assessments_bucket_name
+
+    ENGINE_SQS_URL         = data.terraform_remote_state.shared.outputs.engine_queue_url
+    CATEGORISATION_SQS_URL = "https://sqs.eu-west-2.amazonaws.com/337213553626/categorisation-queue-dev"
+  }
+}
+
+############################################
+# IAM policy attachments
+############################################
+resource "aws_iam_role_policy_attachment" "fastapi_s3_read" {
+  role       = module.fastapi.role_name
+  policy_arn = data.terraform_remote_state.shared.outputs.fastapi_s3_read_arn
+}
+
+resource "aws_iam_role_policy_attachment" "fastapi_sqs_send" {
+  role       = module.fastapi.role_name
+  policy_arn = data.terraform_remote_state.shared.outputs.fastapi_sqs_send_arn
+}
--- a/infrastructure/terraform/lambda/fast-api/provider.tf
+++ b/infrastructure/terraform/lambda/fast-api/provider.tf
@ -7,7 +7,7 @@ terraform {
  }

  backend "s3" {
-    bucket = REPLACE_ME
+    bucket = "ara-fast-api-terraform-state"
    key    = "terraform.tfstate"
    region = "eu-west-2"
  }
--- a/infrastructure/terraform/lambda/fast-api/variables.tf
+++ b/infrastructure/terraform/lambda/fast-api/variables.tf
@ -4,34 +4,41 @@ variable "lambda_name" {
 }

 variable "stage" {
-  description = "Deployment stage (e.g. dev, prod)"
-  type        = string
-}
-variable "ecr_repo_url" {
-  type        = string
-  description = "ECR repository URL (no tag, no digest)"
+  type = string
 }

-variable "image_digest" {
-  type        = string
-  description = "Image digest (sha256:...)"
+variable "db_host" {
+  type = string
 }

-variable "maximum_concurrency" {
-  type        = number
-  default     = null
-  description = "Maximum number of concurrent Lambda invocations from SQS (2-1000). null = no limit."
+variable "db_name" {
+  type = string
 }

-variable "batch_size" {
-  type    = number
-  default = 1
+variable "db_port" {
+  type = string
 }

-locals {
-  image_uri = "${var.ecr_repo_url}@${var.image_digest}"
+variable "api_key" {
+  type      = string
+  sensitive = true
 }

-output "resolved_image_uri" {
-  value = local.image_uri
+variable "secret_key" {
+  type      = string
+  sensitive = true
 }
+
+variable "domain_name" {
+  type = string
+}
+
+variable "epc_auth_token" {
+  type      = string
+  sensitive = true
+}
+
+variable "google_solar_api_key" {
+  type      = string
+  sensitive = true
+}