Merge pull request #823 from Hestia-Homes/deploy-fastapi-with-terraform
Deploy FastAPI app with terraform
commit
de61379ba2
13 changed files with 472 additions and 110 deletions
28
.github/workflows/_deploy_lambda.yml
|
|
@ -16,12 +16,14 @@ on:
|
||||||
type: string
|
type: string
|
||||||
|
|
||||||
ecr_repo:
|
ecr_repo:
|
||||||
required: true
|
required: false
|
||||||
type: string
|
type: string
|
||||||
|
default: ''
|
||||||
|
|
||||||
image_digest:
|
image_digest:
|
||||||
required: true
|
required: false
|
||||||
type: string
|
type: string
|
||||||
|
default: ''
|
||||||
|
|
||||||
terraform_apply:
|
terraform_apply:
|
||||||
required: false
|
required: false
|
||||||
|
|
@ -119,11 +121,21 @@ jobs:
|
||||||
TF_VAR_google_solar_api_key: ${{ secrets.TF_VAR_google_solar_api_key }}
|
TF_VAR_google_solar_api_key: ${{ secrets.TF_VAR_google_solar_api_key }}
|
||||||
TF_VAR_ordnance_survey_api_key: ${{ secrets.TF_VAR_ordnance_survey_api_key}}
|
TF_VAR_ordnance_survey_api_key: ${{ secrets.TF_VAR_ordnance_survey_api_key}}
|
||||||
run: |
|
run: |
|
||||||
|
ECR_REPO_URL_VAR=""
|
||||||
|
if [[ -n "${{ inputs.ecr_repo }}" ]]; then
|
||||||
|
ECR_REPO_URL_VAR="-var=ecr_repo_url=${{ steps.repo.outputs.ecr_repo_url }}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
IMAGE_DIGEST_VAR=""
|
||||||
|
if [[ -n "${{ inputs.ecr_repo }}" ]]; then
|
||||||
|
IMAGE_DIGEST_VAR="-var=image_digest=${{ inputs.image_digest }}"
|
||||||
|
fi
|
||||||
|
|
||||||
terraform plan \
|
terraform plan \
|
||||||
-var="stage=${{ inputs.stage }}" \
|
-var="stage=${{ inputs.stage }}" \
|
||||||
-var="lambda_name=${{ inputs.lambda_name }}" \
|
-var="lambda_name=${{ inputs.lambda_name }}" \
|
||||||
-var="ecr_repo_url=${{ steps.repo.outputs.ecr_repo_url }}" \
|
$ECR_REPO_URL_VAR \
|
||||||
-var="image_digest=${{ inputs.image_digest }}" \
|
$IMAGE_DIGEST_VAR \
|
||||||
-out=lambdaplan
|
-out=lambdaplan
|
||||||
|
|
||||||
- name: Terraform Apply
|
- name: Terraform Apply
|
||||||
|
|
@ -145,8 +157,12 @@ jobs:
|
||||||
TF_VAR_google_solar_api_key: ${{ secrets.TF_VAR_google_solar_api_key }}
|
TF_VAR_google_solar_api_key: ${{ secrets.TF_VAR_google_solar_api_key }}
|
||||||
TF_VAR_ordnance_survey_api_key: ${{ secrets.TF_VAR_ordnance_survey_api_key}}
|
TF_VAR_ordnance_survey_api_key: ${{ secrets.TF_VAR_ordnance_survey_api_key}}
|
||||||
run: |
|
run: |
|
||||||
|
EXTRA_VARS=""
|
||||||
|
if [[ -n "${{ inputs.ecr_repo }}" ]]; then
|
||||||
|
EXTRA_VARS="-var=ecr_repo_url=${{ steps.repo.outputs.ecr_repo_url }} -var=image_digest=${{ inputs.image_digest }}"
|
||||||
|
fi
|
||||||
|
|
||||||
terraform destroy -auto-approve \
|
terraform destroy -auto-approve \
|
||||||
-var="stage=${{ inputs.stage }}" \
|
-var="stage=${{ inputs.stage }}" \
|
||||||
-var="lambda_name=${{ inputs.lambda_name }}" \
|
-var="lambda_name=${{ inputs.lambda_name }}" \
|
||||||
-var="ecr_repo_url=${{ steps.repo.outputs.ecr_repo_url }}" \
|
$EXTRA_VARS
|
||||||
-var="image_digest=${{ inputs.image_digest }}"
|
|
||||||
|
|
|
||||||
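Review bot: The `IMAGE_DIGEST_VAR` guard in the plan step tests `inputs.ecr_repo` rather than `inputs.image_digest`, so a caller that passes a repo but no digest produces `-var=image_digest=` with an empty value; change it to `if [[ -n "${{ inputs.image_digest }}" ]]; then`. The destroy step builds a single `EXTRA_VARS` string under the `ecr_repo` test alone, so the two steps now disagree about which input gates the digest; pick one rule and apply it in both. Both inputs are interpolated directly into the `run:` bodies; since they are now optional and default to `''`, mapping them into the step's `env:` and reading `$ECR_REPO` / `$IMAGE_DIGEST` in the script keeps expression text out of the shell and matches how the `TF_VAR_*` secrets are already passed. Whether `steps.repo` still runs and produces `ecr_repo_url` when `ecr_repo` is empty is outside the hunk.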
122
.github/workflows/deploy_terraform.yml
|
|
@ -41,7 +41,7 @@ jobs:
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# 1️⃣ Shared Terraform (infra)
|
# Shared Terraform (infra)
|
||||||
# ============================================================
|
# ============================================================
|
||||||
shared_terraform:
|
shared_terraform:
|
||||||
needs: determine_stage
|
needs: determine_stage
|
||||||
|
|
@ -77,9 +77,74 @@ jobs:
|
||||||
if: env.TERRAFORM_APPLY == 'true'
|
if: env.TERRAFORM_APPLY == 'true'
|
||||||
working-directory: infrastructure/terraform/shared
|
working-directory: infrastructure/terraform/shared
|
||||||
run: terraform apply -auto-approve tfplan
|
run: terraform apply -auto-approve tfplan
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
# Ara Engine image and Push
|
||||||
|
# ============================================================
|
||||||
|
ara_engine_image:
|
||||||
|
needs: [determine_stage, shared_terraform]
|
||||||
|
uses: ./.github/workflows/_build_image.yml
|
||||||
|
with:
|
||||||
|
ecr_repo: engine-${{ needs.determine_stage.outputs.stage }}
|
||||||
|
dockerfile_path: backend/docker/engine.Dockerfile
|
||||||
|
build_context: .
|
||||||
|
secrets:
|
||||||
|
AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
|
||||||
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
||||||
|
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
# Deploy Ara Engine Lambda
|
||||||
|
# ============================================================
|
||||||
|
ara_engine_lambda:
|
||||||
|
needs: [ara_engine_image, determine_stage]
|
||||||
|
uses: ./.github/workflows/_deploy_lambda.yml
|
||||||
|
with:
|
||||||
|
lambda_name: ara_engine
|
||||||
|
lambda_path: infrastructure/terraform/lambda/engine
|
||||||
|
stage: ${{ needs.determine_stage.outputs.stage }}
|
||||||
|
ecr_repo: engine-${{ needs.determine_stage.outputs.stage }}
|
||||||
|
image_digest: ${{ needs.ara_engine_image.outputs.image_digest }}
|
||||||
|
terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
|
||||||
|
secrets:
|
||||||
|
AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
|
||||||
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
||||||
|
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
||||||
|
TF_VAR_db_host: ${{ secrets.DEV_DB_HOST }}
|
||||||
|
TF_VAR_db_name: ${{ secrets.DEV_DB_NAME }}
|
||||||
|
TF_VAR_db_port: ${{ secrets.DEV_DB_PORT }}
|
||||||
|
TF_VAR_api_key: ${{ secrets.DEV_API_KEY }}
|
||||||
|
TF_VAR_secret_key: ${{ secrets.DEV_SECRET_KEY }}
|
||||||
|
TF_VAR_domain_name: ${{ secrets.DEV_DOMAIN_NAME }}
|
||||||
|
TF_VAR_epc_auth_token: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
|
||||||
|
TF_VAR_google_solar_api_key: ${{ secrets.DEV_GOOGLE_SOLAR_API_KEY }}
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
# Deploy FastAPI Lambda
|
||||||
|
# ============================================================
|
||||||
|
fast_api_lambda:
|
||||||
|
needs: [determine_stage]
|
||||||
|
uses: ./.github/workflows/_deploy_lambda.yml
|
||||||
|
with:
|
||||||
|
lambda_name: ara_fast_api
|
||||||
|
lambda_path: infrastructure/terraform/lambda/fast-api
|
||||||
|
stage: ${{ needs.determine_stage.outputs.stage }}
|
||||||
|
terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
|
||||||
|
secrets:
|
||||||
|
AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
|
||||||
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
||||||
|
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
||||||
|
TF_VAR_db_host: ${{ secrets.DEV_DB_HOST }}
|
||||||
|
TF_VAR_db_name: ${{ secrets.DEV_DB_NAME }}
|
||||||
|
TF_VAR_db_port: ${{ secrets.DEV_DB_PORT }}
|
||||||
|
TF_VAR_api_key: ${{ secrets.DEV_API_KEY }}
|
||||||
|
TF_VAR_secret_key: ${{ secrets.DEV_SECRET_KEY }}
|
||||||
|
TF_VAR_domain_name: ${{ secrets.DEV_DOMAIN_NAME }}
|
||||||
|
TF_VAR_epc_auth_token: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
|
||||||
|
TF_VAR_google_solar_api_key: ${{ secrets.DEV_GOOGLE_SOLAR_API_KEY }}
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# 2️⃣ Build Address 2 UPRN image and Push
|
# Build Address 2 UPRN image and Push
|
||||||
# ============================================================
|
# ============================================================
|
||||||
address2uprn_image:
|
address2uprn_image:
|
||||||
needs: [determine_stage, shared_terraform]
|
needs: [determine_stage, shared_terraform]
|
||||||
|
|
@ -103,7 +168,7 @@ jobs:
|
||||||
EPC_AUTH_TOKEN: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
|
EPC_AUTH_TOKEN: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# 3️⃣ Deploy Address 2 UPRN Lambda
|
# Deploy Address 2 UPRN Lambda
|
||||||
# ============================================================
|
# ============================================================
|
||||||
address2uprn_lambda:
|
address2uprn_lambda:
|
||||||
needs: [address2uprn_image, determine_stage]
|
needs: [address2uprn_image, determine_stage]
|
||||||
|
|
@ -122,7 +187,7 @@ jobs:
|
||||||
|
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# 2️⃣ Build Postcode Splitter image and Push
|
# Build Postcode Splitter image and Push
|
||||||
# ============================================================
|
# ============================================================
|
||||||
postcodeSplitter_image:
|
postcodeSplitter_image:
|
||||||
needs: [determine_stage, shared_terraform]
|
needs: [determine_stage, shared_terraform]
|
||||||
|
|
@ -144,7 +209,7 @@ jobs:
|
||||||
DEV_DB_NAME: ${{ secrets.DEV_DB_NAME }}
|
DEV_DB_NAME: ${{ secrets.DEV_DB_NAME }}
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# 3️⃣ Deploy Postcode Splitter Lambda
|
# Deploy Postcode Splitter Lambda
|
||||||
# ============================================================
|
# ============================================================
|
||||||
postcodeSplitter_lambda:
|
postcodeSplitter_lambda:
|
||||||
needs: [postcodeSplitter_image, determine_stage, address2uprn_lambda]
|
needs: [postcodeSplitter_image, determine_stage, address2uprn_lambda]
|
||||||
|
|
@ -242,48 +307,7 @@ jobs:
|
||||||
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# Ara Engine image and Push
|
# Build OrdanceSurvey image and Push
|
||||||
# ============================================================
|
|
||||||
ara_engine_image:
|
|
||||||
needs: [determine_stage, shared_terraform]
|
|
||||||
uses: ./.github/workflows/_build_image.yml
|
|
||||||
with:
|
|
||||||
ecr_repo: engine-${{ needs.determine_stage.outputs.stage }}
|
|
||||||
dockerfile_path: backend/docker/engine.Dockerfile
|
|
||||||
build_context: .
|
|
||||||
secrets:
|
|
||||||
AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
|
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
|
||||||
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
# Deploy Ara Engine Lambda
|
|
||||||
# ============================================================
|
|
||||||
ara_engine_lambda:
|
|
||||||
needs: [ara_engine_image, determine_stage]
|
|
||||||
uses: ./.github/workflows/_deploy_lambda.yml
|
|
||||||
with:
|
|
||||||
lambda_name: ara_engine
|
|
||||||
lambda_path: infrastructure/terraform/lambda/engine
|
|
||||||
stage: ${{ needs.determine_stage.outputs.stage }}
|
|
||||||
ecr_repo: engine-${{ needs.determine_stage.outputs.stage }}
|
|
||||||
image_digest: ${{ needs.ara_engine_image.outputs.image_digest }}
|
|
||||||
terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
|
|
||||||
secrets:
|
|
||||||
AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
|
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
|
||||||
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
|
||||||
TF_VAR_db_host: ${{ secrets.DEV_DB_HOST }}
|
|
||||||
TF_VAR_db_name: ${{ secrets.DEV_DB_NAME }}
|
|
||||||
TF_VAR_db_port: ${{ secrets.DEV_DB_PORT }}
|
|
||||||
TF_VAR_api_key: ${{ secrets.DEV_API_KEY }}
|
|
||||||
TF_VAR_secret_key: ${{ secrets.DEV_SECRET_KEY }}
|
|
||||||
TF_VAR_domain_name: ${{ secrets.DEV_DOMAIN_NAME }}
|
|
||||||
TF_VAR_epc_auth_token: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
|
|
||||||
TF_VAR_google_solar_api_key: ${{ secrets.DEV_GOOGLE_SOLAR_API_KEY }}
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
# 2️⃣ Build OrdanceSurvey image and Push
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
ordnanceSurvey_image:
|
ordnanceSurvey_image:
|
||||||
needs: [determine_stage, shared_terraform]
|
needs: [determine_stage, shared_terraform]
|
||||||
|
|
@ -305,7 +329,7 @@ jobs:
|
||||||
DEV_DB_NAME: ${{ secrets.DEV_DB_NAME }}
|
DEV_DB_NAME: ${{ secrets.DEV_DB_NAME }}
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# 3️⃣ Deploy OrdanceSurvey Lambda
|
# Deploy OrdanceSurvey Lambda
|
||||||
# ============================================================
|
# ============================================================
|
||||||
ordnanceSurvey_lambda:
|
ordnanceSurvey_lambda:
|
||||||
needs: [ordnanceSurvey_image, determine_stage]
|
needs: [ordnanceSurvey_image, determine_stage]
|
||||||
|
|
@ -322,3 +346,5 @@ jobs:
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
||||||
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
|
||||||
TF_VAR_ORDNANCE_SURVEY_API_KEY: ${{ secrets.ORDNANCE_SURVEY_API_KEY }}
|
TF_VAR_ORDNANCE_SURVEY_API_KEY: ${{ secrets.ORDNANCE_SURVEY_API_KEY }}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
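Review bot: The new `fast_api_lambda` job declares `needs: [determine_stage]` only, although the FastAPI Terraform it runs reads `fast_api_s3_read_and_write_arn` from the shared state and queue outputs from the engine and categorisation states, which are produced by other jobs in this workflow (`shared_terraform`, `ara_engine_lambda`) and partly by this same PR. On a fresh stage, or whenever those jobs change an output, the FastAPI plan can run against missing or stale outputs; `needs: [determine_stage, shared_terraform, ara_engine_lambda]` (plus the categorisation lambda job, if this workflow has one) expresses the real ordering. The job passes no `ecr_repo`/`image_digest`, which is correct for a zip-packaged Lambda but worth a one-line comment such as `# zip deployment: no image inputs; _deploy_lambda.yml skips the ECR vars when ecr_repo is empty`.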
@ -0,0 +1,9 @@
|
||||||
|
output "categorisation_queue_url" {
|
||||||
|
value = module.lambda.queu_url
|
||||||
|
description = "URL of the Categorisation SQS queue"
|
||||||
|
}
|
||||||
|
|
||||||
|
output "categorisation_queue_arn" {
|
||||||
|
value = module.lambda.queu_arn
|
||||||
|
description = "ARN of the Categorisation SQS queue"
|
||||||
|
}
|
||||||
9
infrastructure/terraform/lambda/engine/outputs.tf
|
|
@ -0,0 +1,9 @@
|
||||||
|
output "ara_engine_queue_url" {
|
||||||
|
value = module.lambda.queu_url
|
||||||
|
description = "URL of the Engine SQS queue"
|
||||||
|
}
|
||||||
|
|
||||||
|
output "ara_engine_queue_arn" {
|
||||||
|
value = module.lambda.queu_arn
|
||||||
|
description = "ARN of the Engine SQS queue"
|
||||||
|
}
|
||||||
|
|
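Review bot: Both outputs read `module.lambda.queu_url` and `module.lambda.queu_arn`, and the companion outputs file added in the earlier headerless hunk (`categorisation_queue_url` / `categorisation_queue_arn`) uses the same spelling; if the `lambda_with_sqs` module actually exposes `queue_url` / `queue_arn`, every plan fails with an unsupported-attribute error, so confirm the module's output names before merging. If the module really does export `queu_*`, a comment on the first output, `# module output is spelled queu_url upstream`, will stop the next reader from "fixing" it.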
@ -1,3 +1,6 @@
|
||||||
|
############################################
|
||||||
|
# Load Terraform State
|
||||||
|
############################################
|
||||||
data "terraform_remote_state" "shared" {
|
data "terraform_remote_state" "shared" {
|
||||||
backend = "s3"
|
backend = "s3"
|
||||||
config = {
|
config = {
|
||||||
|
|
@ -7,43 +10,144 @@ data "terraform_remote_state" "shared" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "lambda" {
|
data "terraform_remote_state" "engine" {
|
||||||
source = "../../modules/lambda_with_sqs"
|
backend = "s3"
|
||||||
|
config = {
|
||||||
name = REPLACE ME #"address2uprn" for example
|
bucket = "ara-engine-terraform-state",
|
||||||
stage = var.stage
|
key = "env:/${var.stage}/teraform.tfstate"
|
||||||
|
region = "eu-west-2"
|
||||||
image_uri = local.image_uri
|
|
||||||
|
|
||||||
# Optional: Set maximum_concurrency to limit concurrent SQS-triggered invocations (2-1000)
|
|
||||||
maximum_concurrency = var.maximum_concurrency
|
|
||||||
|
|
||||||
batch_size = var.batch_size
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
STAGE = var.stage
|
|
||||||
LOG_LEVEL = "info"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# ======================================================================
|
data "terraform_remote_state" "categorisation" {
|
||||||
# OPTIONAL: Attach S3 IAM policy to Lambda execution role
|
backend = "s3"
|
||||||
# ======================================================================
|
config = {
|
||||||
# Uncomment and configure the resource below to attach S3 permissions
|
bucket = "categorisation-terraform-state",
|
||||||
#
|
key = "env:/${var.stage}/teraform.tfstate"
|
||||||
# Example 1: Attach existing policy from shared state
|
region = "eu-west-2"
|
||||||
# resource "aws_iam_role_policy_attachment" "lambda_s3_policy" {
|
}
|
||||||
# role = module.lambda.role_name
|
}
|
||||||
# policy_arn = data.terraform_remote_state.shared.outputs.YOUR_POLICY_OUTPUT_NAME_arn
|
|
||||||
|
############################################
|
||||||
|
# Load Credentials
|
||||||
|
############################################
|
||||||
|
data "aws_secretsmanager_secret_version" "db_credentials" {
|
||||||
|
secret_id = "${var.stage}/assessment_model/db_credentials"
|
||||||
|
}
|
||||||
|
|
||||||
|
locals {
|
||||||
|
db_credentials = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)
|
||||||
|
}
|
||||||
|
|
||||||
|
# data "aws_ssm_parameter" "certificate_arn" {
|
||||||
|
# name = "/ssl_certificate_arn"
|
||||||
# }
|
# }
|
||||||
#
|
|
||||||
# Example 2: Attach multiple policies
|
# data "aws_route53_zone" "this" {
|
||||||
# resource "aws_iam_role_policy_attachment" "lambda_read_policy" {
|
# name = var.domain_name
|
||||||
# role = module.lambda.role_name
|
|
||||||
# policy_arn = data.terraform_remote_state.shared.outputs.postcode_splitter_s3_read_arn
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# resource "aws_iam_role_policy_attachment" "lambda_write_policy" {
|
|
||||||
# role = module.lambda.role_name
|
|
||||||
# policy_arn = data.terraform_remote_state.shared.outputs.another_policy_arn
|
|
||||||
# }
|
# }
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# Install Python requirements
|
||||||
|
############################################
|
||||||
|
resource "null_resource" "pip_install" {
|
||||||
|
triggers = {
|
||||||
|
requirements_hash = filemd5("${path.root}/../../../../backend/app/requirements/requirements.txt")
|
||||||
|
}
|
||||||
|
|
||||||
|
provisioner "local-exec" {
|
||||||
|
command = <<EOT
|
||||||
|
pip install \
|
||||||
|
-r ${path.root}/../../../../backend/app/requirements/requirements.txt \
|
||||||
|
-t ${path.root}/../../../../backend/app/packages \
|
||||||
|
--platform manylinux2014_x86_64 \
|
||||||
|
--implementation cp \
|
||||||
|
--python-version 3.11 \
|
||||||
|
--only-binary=:all: \
|
||||||
|
EOT
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# FastAPI Lambda + API Gateway
|
||||||
|
############################################
|
||||||
|
module "fastapi" {
|
||||||
|
depends_on = [null_resource.pip_install]
|
||||||
|
source = "../../modules/lambda_with_api_gateway"
|
||||||
|
|
||||||
|
name = "fastapi"
|
||||||
|
stage = var.stage
|
||||||
|
source_dir = "${path.root}/../../../../backend"
|
||||||
|
handler = "app.main.handler"
|
||||||
|
runtime = "python3.11"
|
||||||
|
timeout = 600
|
||||||
|
memory_size = 512
|
||||||
|
|
||||||
|
# domain_name = "api.${var.domain_name}"
|
||||||
|
# certificate_arn = data.aws_ssm_parameter.certificate_arn.value
|
||||||
|
# route53_zone_id = data.aws_route53_zone.this.zone_id
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
ENVIRONMENT = var.stage
|
||||||
|
API_KEY = var.api_key
|
||||||
|
SECRET_KEY = var.secret_key
|
||||||
|
# DOMAIN_NAME = var.domain_name
|
||||||
|
EPC_AUTH_TOKEN = var.epc_auth_token
|
||||||
|
GOOGLE_SOLAR_API_KEY = var.google_solar_api_key
|
||||||
|
|
||||||
|
DB_HOST = var.db_host
|
||||||
|
DB_NAME = var.db_name
|
||||||
|
DB_PORT = var.db_port
|
||||||
|
DB_USERNAME = local.db_credentials.db_assessment_model_username
|
||||||
|
DB_PASSWORD = local.db_credentials.db_assessment_model_password
|
||||||
|
|
||||||
|
PLAN_TRIGGER_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_plan_trigger_bucket_name
|
||||||
|
DATA_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_sap_data_bucket_name
|
||||||
|
SAP_PREDICTIONS_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_sap_predictions_bucket_name
|
||||||
|
CARBON_PREDICTIONS_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_carbon_predictions_bucket_name
|
||||||
|
HEAT_PREDICTIONS_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_heat_predictions_bucket_name
|
||||||
|
HEATING_KWH_PREDICTIONS_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_heating_kwh_predictions_bucket_name
|
||||||
|
HOTWATER_KWH_PREDICTIONS_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_hotwater_kwh_predictions_bucket_name
|
||||||
|
ENERGY_ASSESSMENTS_BUCKET = data.terraform_remote_state.shared.outputs.retrofit_energy_assessments_bucket_name
|
||||||
|
|
||||||
|
ENGINE_SQS_URL = data.terraform_remote_state.engine.ara_engine_queue_url
|
||||||
|
CATEGORISATION_SQS_URL = data.terraform_remote_state.categorisation.categorisation_queue_url
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# IAM policy attachments
|
||||||
|
############################################
|
||||||
|
resource "aws_iam_role_policy_attachment" "fast_api_s3_read" {
|
||||||
|
role = module.fastapi.role_name
|
||||||
|
policy_arn = data.terraform_remote_state.shared.outputs.fast_api_s3_read_arn
|
||||||
|
}
|
||||||
|
|
||||||
|
module "fastapi_sqs_policy" {
|
||||||
|
source = "../../modules/generic_iam_policy"
|
||||||
|
|
||||||
|
policy_name = "fastapi-sqs-send-${var.stage}"
|
||||||
|
policy_description = "Allow FastAPI to send messages to engine & categorisation queues"
|
||||||
|
|
||||||
|
actions = [
|
||||||
|
"sqs:SendMessage"
|
||||||
|
]
|
||||||
|
|
||||||
|
resources = [
|
||||||
|
data.terraform_remote_state.engine.outputs.ara_engine_queue_arn,
|
||||||
|
data.terraform_remote_state.categorisation.outputs.categorisation_queue_arn
|
||||||
|
]
|
||||||
|
|
||||||
|
conditions = null
|
||||||
|
|
||||||
|
tags = {
|
||||||
|
Service = "fastapi"
|
||||||
|
Stage = var.stage
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
resource "aws_iam_role_policy_attachment" "fastapi_sqs_read_and_write" {
|
||||||
|
role = module.fastapi.role_name
|
||||||
|
policy_arn = data.terraform_remote_state.shared.outputs.fast_api_s3_read_and_write_arn
|
||||||
|
}
|
||||||
|
|
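Review bot: `ENGINE_SQS_URL` and `CATEGORISATION_SQS_URL` in the `module "fastapi"` environment read `data.terraform_remote_state.engine.ara_engine_queue_url` and `data.terraform_remote_state.categorisation.categorisation_queue_url` without `.outputs.`, while `resources` in `module "fastapi_sqs_policy"` correctly uses `data.terraform_remote_state.engine.outputs.ara_engine_queue_arn`; the two URL lines need the same `.outputs.` segment or the plan fails. `module "fastapi_sqs_policy"` creates the `sqs:SendMessage` policy but nothing in this hunk attaches it to `module.fastapi.role_name`, and the attachment named `fastapi_sqs_read_and_write` actually attaches `fast_api_s3_read_and_write_arn`, so the function ends up with no send permission and a misleading resource name. Both remote-state blocks use `key = "env:/${var.stage}/teraform.tfstate"`, which looks like a typo for `terraform.tfstate` and would silently read an empty state if the engine and categorisation backends use the conventional key. The decoded `local.db_credentials` and `var.api_key` / `var.secret_key` end up in plaintext in the Lambda environment and in this stack's state file, so access to the state bucket should be treated as equivalent to holding those credentials. The file header for this section is not shown on the page, so the path is inferred from the content.
```hcl
    ENGINE_SQS_URL         = data.terraform_remote_state.engine.outputs.ara_engine_queue_url
    CATEGORISATION_SQS_URL = data.terraform_remote_state.categorisation.outputs.categorisation_queue_url
# … unchanged: rest of module "fastapi", fast_api_s3_read, module "fastapi_sqs_policy" …

resource "aws_iam_role_policy_attachment" "fastapi_sqs_send" {
  role       = module.fastapi.role_name
  policy_arn = module.fastapi_sqs_policy.policy_arn # confirm generic_iam_policy exposes this output
}

resource "aws_iam_role_policy_attachment" "fast_api_s3_read_and_write" {
  role       = module.fastapi.role_name
  policy_arn = data.terraform_remote_state.shared.outputs.fast_api_s3_read_and_write_arn
}
```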
@ -7,7 +7,7 @@ terraform {
|
||||||
}
|
}
|
||||||
|
|
||||||
backend "s3" {
|
backend "s3" {
|
||||||
bucket = REPLACE_ME
|
bucket = "ara-fast-api-terraform-state"
|
||||||
key = "terraform.tfstate"
|
key = "terraform.tfstate"
|
||||||
region = "eu-west-2"
|
region = "eu-west-2"
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
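Review bot: The S3 backend now points at `ara-fast-api-terraform-state` but sets no `encrypt = true` and no state locking, and this stack's state will hold `var.api_key`, `var.secret_key` and the decoded DB credentials in plaintext. Add `encrypt = true` and a lock (`dynamodb_table`, or `use_lockfile = true` on Terraform 1.10+) so concurrent plan/apply runs from the workflow cannot corrupt the state; whether the bucket has default encryption configured is not visible here. The `terraform {` block containing this backend starts outside the hunk, and the file header is not shown on the page.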
@ -4,34 +4,41 @@ variable "lambda_name" {
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "stage" {
|
variable "stage" {
|
||||||
description = "Deployment stage (e.g. dev, prod)"
|
type = string
|
||||||
type = string
|
|
||||||
}
|
|
||||||
variable "ecr_repo_url" {
|
|
||||||
type = string
|
|
||||||
description = "ECR repository URL (no tag, no digest)"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "image_digest" {
|
variable "db_host" {
|
||||||
type = string
|
type = string
|
||||||
description = "Image digest (sha256:...)"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "maximum_concurrency" {
|
variable "db_name" {
|
||||||
type = number
|
type = string
|
||||||
default = null
|
|
||||||
description = "Maximum number of concurrent Lambda invocations from SQS (2-1000). null = no limit."
|
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "batch_size" {
|
variable "db_port" {
|
||||||
type = number
|
type = string
|
||||||
default = 1
|
|
||||||
}
|
}
|
||||||
|
|
||||||
locals {
|
variable "api_key" {
|
||||||
image_uri = "${var.ecr_repo_url}@${var.image_digest}"
|
type = string
|
||||||
|
sensitive = true
|
||||||
}
|
}
|
||||||
|
|
||||||
output "resolved_image_uri" {
|
variable "secret_key" {
|
||||||
value = local.image_uri
|
type = string
|
||||||
|
sensitive = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# variable "domain_name" {
|
||||||
|
# type = string
|
||||||
|
# }
|
||||||
|
|
||||||
|
variable "epc_auth_token" {
|
||||||
|
type = string
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "google_solar_api_key" {
|
||||||
|
type = string
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
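Review bot: The rewrite drops the only `description` in the file (`stage` lost "Deployment stage (e.g. dev, prod)") and none of the new variables (`db_host`, `db_name`, `db_port`, `api_key`, `secret_key`, `epc_auth_token`, `google_solar_api_key`) carries one, so nothing explains what each value is or that the workflow supplies it via `TF_VAR_*`. Restore `description = "Deployment stage (e.g. dev, prod)"` on `stage` and add a one-line description to each new variable, noting for the `sensitive = true` ones that they come from workflow secrets. `db_port` is typed `string` although it is a port number; if that is deliberate because it is passed straight into the `map(string)` environment, a comment saying so avoids a later "fix" to `number`. The file header is not shown on the page.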
24
infrastructure/terraform/modules/lambda_service_zip/main.tf
|
|
@ -0,0 +1,24 @@
|
||||||
|
resource "aws_lambda_function" "this" {
|
||||||
|
function_name = var.name
|
||||||
|
role = var.role_arn
|
||||||
|
package_type = "Zip"
|
||||||
|
filename = var.filename
|
||||||
|
source_code_hash = var.source_code_hash
|
||||||
|
handler = var.handler
|
||||||
|
runtime = var.runtime
|
||||||
|
timeout = var.timeout
|
||||||
|
memory_size = var.memory_size
|
||||||
|
publish = true
|
||||||
|
|
||||||
|
environment {
|
||||||
|
variables = var.environment
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
output "lambda_arn" {
|
||||||
|
value = aws_lambda_function.this.arn
|
||||||
|
}
|
||||||
|
|
||||||
|
output "function_name" {
|
||||||
|
value = aws_lambda_function.this.function_name
|
||||||
|
}
|
||||||
|
|
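Review bot: `aws_lambda_function.this` relies on Lambda creating its CloudWatch log group implicitly, which yields a group with no retention and outside Terraform's control; declaring an `aws_cloudwatch_log_group` for `/aws/lambda/${var.name}` with `retention_in_days` and making the function depend on it keeps invocation logs for a defined window and under review. The `environment` block accepts whatever map the caller supplies (the FastAPI caller puts DB credentials and API keys in it) and there is no `kms_key_arn`, so those values are protected only by the default service key; a comment on the block, `# caller-supplied; may contain secret material`, plus an optional `kms_key_arn` variable would make that explicit. `publish = true` creates a new version on every apply while nothing here references versions or aliases, which is fine but deserves a one-line comment.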
@ -0,0 +1,9 @@
|
||||||
|
variable "name" { type = string }
|
||||||
|
variable "role_arn" { type = string }
|
||||||
|
variable "filename" { type = string }
|
||||||
|
variable "source_code_hash" { type = string }
|
||||||
|
variable "handler" { type = string }
|
||||||
|
variable "runtime" { type = string }
|
||||||
|
variable "timeout" { type = number default = 30 }
|
||||||
|
variable "memory_size" { type = number default = 128 }
|
||||||
|
variable "environment" { type = map(string) default = {} }
|
||||||
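Review bot: `variable "timeout" { type = number default = 30 }`, `variable "memory_size" { type = number default = 128 }` and `variable "environment" { type = map(string) default = {} }` put two arguments in a single-line block, which HCL does not accept (a one-line block body may hold at most one argument), so `terraform validate` should fail on this file. The same pattern appears in the `lambda_with_api_gateway` variables hunk further down (`timeout`, `memory_size`, `environment`, `domain_name`, `certificate_arn`, `route53_zone_id`); both files need multi-line blocks. None of the nine variables has a `description`; since `filename` and `source_code_hash` are expected to be the archive path and its base64 SHA-256 (that is what the caller passes), say so. The file header is not shown on the page.
```hcl
# … unchanged: name, role_arn, filename, source_code_hash, handler, runtime …

variable "timeout" {
  type    = number
  default = 30
}

variable "memory_size" {
  type    = number
  default = 128
}

variable "environment" {
  type    = map(string)
  default = {}
}
```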
103
infrastructure/terraform/modules/lambda_with_api_gateway/main.tf
|
|
@ -0,0 +1,103 @@
|
||||||
|
############################################
|
||||||
|
# IAM role
|
||||||
|
############################################
|
||||||
|
module "role" {
|
||||||
|
source = "../lambda_execution_role"
|
||||||
|
name = "${var.name}-lambda-${var.stage}"
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# Zip the source code
|
||||||
|
############################################
|
||||||
|
data "archive_file" "this" {
|
||||||
|
type = "zip"
|
||||||
|
source_dir = var.source_dir
|
||||||
|
output_path = "${path.module}/lambda_package.zip"
|
||||||
|
excludes = var.zip_excludes
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# Lambda
|
||||||
|
############################################
|
||||||
|
module "lambda" {
|
||||||
|
source = "../lambda_service_zip"
|
||||||
|
|
||||||
|
name = "${var.name}-${var.stage}"
|
||||||
|
role_arn = module.role.role_arn
|
||||||
|
filename = data.archive_file.this.output_path
|
||||||
|
source_code_hash = data.archive_file.this.output_base64sha256
|
||||||
|
handler = var.handler
|
||||||
|
runtime = var.runtime
|
||||||
|
timeout = var.timeout
|
||||||
|
memory_size = var.memory_size
|
||||||
|
environment = var.environment
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# API Gateway
|
||||||
|
############################################
|
||||||
|
resource "aws_apigatewayv2_api" "this" {
|
||||||
|
name = "${var.name}-api-${var.stage}"
|
||||||
|
protocol_type = "HTTP"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_apigatewayv2_stage" "this" {
|
||||||
|
api_id = aws_apigatewayv2_api.this.id
|
||||||
|
name = "$default"
|
||||||
|
auto_deploy = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_apigatewayv2_integration" "this" {
|
||||||
|
api_id = aws_apigatewayv2_api.this.id
|
||||||
|
integration_type = "AWS_PROXY"
|
||||||
|
integration_uri = module.lambda.lambda_arn
|
||||||
|
payload_format_version = "2.0"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_apigatewayv2_route" "catch_all" {
|
||||||
|
api_id = aws_apigatewayv2_api.this.id
|
||||||
|
route_key = "$default"
|
||||||
|
target = "integrations/${aws_apigatewayv2_integration.this.id}"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_lambda_permission" "apigw_invoke" {
|
||||||
|
statement_id = "AllowAPIGatewayInvoke"
|
||||||
|
action = "lambda:InvokeFunction"
|
||||||
|
function_name = module.lambda.lambda_arn
|
||||||
|
principal = "apigateway.amazonaws.com"
|
||||||
|
source_arn = "${aws_apigatewayv2_api.this.execution_arn}/*/*"
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# Custom domain
|
||||||
|
############################################
|
||||||
|
# resource "aws_apigatewayv2_domain_name" "this" {
|
||||||
|
# count = var.domain_name != null ? 1 : 0
|
||||||
|
# domain_name = var.domain_name
|
||||||
|
|
||||||
|
# domain_name_configuration {
|
||||||
|
# certificate_arn = var.certificate_arn
|
||||||
|
# endpoint_type = "REGIONAL"
|
||||||
|
# security_policy = "TLS_1_2"
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
# resource "aws_apigatewayv2_api_mapping" "this" {
|
||||||
|
# count = var.domain_name != null ? 1 : 0
|
||||||
|
# api_id = aws_apigatewayv2_api.this.id
|
||||||
|
# domain_name = aws_apigatewayv2_domain_name.this[0].id
|
||||||
|
# stage = aws_apigatewayv2_stage.this.id
|
||||||
|
# }
|
||||||
|
|
||||||
|
# resource "aws_route53_record" "this" {
|
||||||
|
# count = var.domain_name != null ? 1 : 0
|
||||||
|
# name = aws_apigatewayv2_domain_name.this[0].domain_name
|
||||||
|
# type = "A"
|
||||||
|
# zone_id = var.route53_zone_id
|
||||||
|
|
||||||
|
# alias {
|
||||||
|
# name = aws_apigatewayv2_domain_name.this[0].domain_name_configuration[0].target_domain_name
|
||||||
|
# zone_id = aws_apigatewayv2_domain_name.this[0].domain_name_configuration[0].hosted_zone_id
|
||||||
|
# evaluate_target_health = false
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
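Review bot: `aws_apigatewayv2_route.catch_all` exposes every path and method of the Lambda on a public HTTP API with no `authorization_type` or authorizer, and the `$default` stage has neither `default_route_settings` throttling nor `access_log_settings`, so authentication rests entirely on the FastAPI application (its `API_KEY` environment value suggests app-level checks, but that is not verifiable here) and there is no request log to review after an incident. Add access logging and throttling on the stage, and a comment on the route, `# public route; request authentication is enforced by the application`, if that is the intent. The module's `timeout` default of 600 (and the 600 passed by the FastAPI caller) exceeds the 30-second integration limit of API Gateway HTTP APIs as I understand it, so long requests are cut off by the gateway while the function keeps running; lower it or document why the extra runtime is wanted. `source_arn = "${aws_apigatewayv2_api.this.execution_arn}/*/*"` is correctly scoped to this API.
```hcl
resource "aws_apigatewayv2_stage" "this" {
  api_id      = aws_apigatewayv2_api.this.id
  name        = "$default"
  auto_deploy = true

  default_route_settings {
    throttling_burst_limit = var.throttling_burst_limit # new variables; choose per-stage values
    throttling_rate_limit  = var.throttling_rate_limit
  }

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_access.arn # new log group with retention_in_days
    format = jsonencode({
      requestId = "$context.requestId"
      ip        = "$context.identity.sourceIp"
      routeKey  = "$context.routeKey"
      status    = "$context.status"
    })
  }
}
```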
@ -0,0 +1,11 @@
|
||||||
|
output "role_name" {
|
||||||
|
value = module.role.role_name
|
||||||
|
}
|
||||||
|
|
||||||
|
output "api_endpoint" {
|
||||||
|
value = aws_apigatewayv2_stage.this.invoke_url
|
||||||
|
}
|
||||||
|
|
||||||
|
# output "custom_domain_endpoint" {
|
||||||
|
# value = var.domain_name != null ? "https://${var.domain_name}" : null
|
||||||
|
# }
|
||||||
|
|
@ -0,0 +1,18 @@
|
||||||
|
variable "name" { type = string }
|
||||||
|
variable "stage" { type = string }
|
||||||
|
variable "source_dir" { type = string }
|
||||||
|
variable "handler" { type = string }
|
||||||
|
variable "runtime" { type = string }
|
||||||
|
|
||||||
|
variable "zip_excludes" {
|
||||||
|
type = list(string)
|
||||||
|
default = ["**/__pycache__/**", "**/*.pyc", "**/.pytest_cache/**"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "timeout" { type = number default = 600 }
|
||||||
|
variable "memory_size" { type = number default = 512 }
|
||||||
|
variable "environment" { type = map(string) default = {} }
|
||||||
|
|
||||||
|
variable "domain_name" { type = string default = null }
|
||||||
|
variable "certificate_arn" { type = string default = null }
|
||||||
|
variable "route53_zone_id" { type = string default = null }
|
||||||
|
|
@ -535,3 +535,29 @@ module "ara_fastapi_registry" {
|
||||||
name = "ara-fastapi"
|
name = "ara-fastapi"
|
||||||
stage = var.stage
|
stage = var.stage
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# S3 policy for FastAPI app to read and write from various S3 buckets
|
||||||
|
module "fast_api_s3_read_and_write" {
|
||||||
|
source = "../modules/s3_iam_policy"
|
||||||
|
|
||||||
|
policy_name = "FastAPIReadandWriteS3"
|
||||||
|
policy_description = "Allow FastAPI Lambda to read from and write to various S3 buckets"
|
||||||
|
bucket_arns = [
|
||||||
|
"arn:aws:s3:::${module.s3_presignable_bucket.bucket_name}",
|
||||||
|
"arn:aws:s3:::${module.retrofit_sap_data.bucket_name}",
|
||||||
|
"arn:aws:s3:::${module.retrofit_sap_predictions.bucket_name}",
|
||||||
|
"arn:aws:s3:::${module.retrofit_carbon_predictions.bucket_name}",
|
||||||
|
"arn:aws:s3:::${module.retrofit_heat_predictions.bucket_name}",
|
||||||
|
"arn:aws:s3:::${module.retrofit_heating_kwh_predictions.bucket_name}",
|
||||||
|
"arn:aws:s3:::${module.retrofit_hotwater_kwh_predictions.bucket_name}",
|
||||||
|
"arn:aws:s3:::${module.retrofit_energy_assessments.bucket_name}"
|
||||||
|
]
|
||||||
|
actions = ["s3:GetObject", "s3:ListBucket"]
|
||||||
|
resource_paths = ["/*"]
|
||||||
|
}
|
||||||
|
|
||||||
|
output "fast_api_s3_read_and_write_arn" {
|
||||||
|
value = module.fast_api_s3_read_and_write.policy_arn
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
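Review bot: `module "fast_api_s3_read_and_write"` is named and described as read-and-write ("Allow FastAPI Lambda to read from and write to various S3 buckets") but `actions = ["s3:GetObject", "s3:ListBucket"]` grants read only, so either FastAPI writes will be denied at runtime or the name and description overstate the grant; decide which, and if writes are needed add `"s3:PutObject"` and nothing broader so the policy stays least-privilege, with the description matching the actions. `resource_paths = ["/*"]` across all eight buckets including `s3_presignable_bucket` is wide; a comment naming which buckets the app actually writes to would let a later reviewer tighten it. The file header is not shown on the page, and the enclosing file continues past line 535 on both sides.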