Model/deployment/terraform/lambda/bulkUploadFinaliser/main.tf

# Read-only view of the shared stack's state. In this file it is used only for
# the ARN of the finaliser's S3 read policy.
#
# The S3 backend stores non-default workspaces under "env:/<workspace>/<key>",
# so this key presumably selects the shared stack's state for the workspace
# named after var.stage. Confirm against the shared stack's backend config.
#
# NOTE(review): terraform_remote_state needs read access to the whole state
# object, not only to its outputs. Any principal able to plan this stack can
# therefore read everything the shared state holds, so access to the state
# bucket should be granted with that in mind.
data "terraform_remote_state" "shared" {
  backend = "s3"

  config = {
    region = "eu-west-2"
    bucket = "assessment-model-terraform-state"
    key    = "env:/${var.stage}/terraform.tfstate"
  }
}
# Reads the per-stage database credentials secret at plan/apply time. No
# version is pinned, so the provider resolves the current version of the
# secret on each run.
#
# NOTE(review): values read through a data source are persisted in this
# stack's Terraform state, so the state object ends up holding the database
# password in plaintext. Treat the state bucket as a secret store: encryption
# at rest and tightly scoped read access.
data "aws_secretsmanager_secret_version" "db_credentials" {
  secret_id = "${var.stage}/assessment_model/db_credentials"
}
locals {
  # The secret payload is a JSON document; decode it once so individual fields
  # can be referenced by name. Everything derived from this local is secret
  # material and should not be routed into outputs or log-visible arguments.
  db_credentials = jsondecode(
    data.aws_secretsmanager_secret_version.db_credentials.secret_string
  )
}
# SQS-triggered Lambda that finalises a bulk upload.
# local.image_uri and var.stage are not declared in this file; presumably they
# come from sibling .tf files in the same directory.
module "lambda" {
  source = "../../modules/lambda_with_sqs"

  name      = "bulk-upload-finaliser"
  stage     = var.stage
  image_uri = local.image_uri

  # Sizing rationale: the finaliser reads the combiner CSV and performs a
  # single bulk INSERT. The work is IO-light, but a property list can reach
  # ~40,000 rows, so 300s leaves ample headroom under the queue visibility
  # timeout (set inside the module, not visible here).
  #   batch_size = 1          one upload per invocation, so a bad record
  #                           can't redrive its siblings
  #   maximum_concurrency = 2 caps DB write fan-out
  timeout             = 300
  batch_size          = 1
  maximum_concurrency = 2

  # NOTE(review): the database username and password are resolved at
  # plan/apply time and stored as plain Lambda environment variables. Any
  # principal allowed to read the function's configuration can read them, and
  # a rotated secret is not picked up until the next apply. Passing only the
  # secret's identifier and having the handler fetch the value at runtime
  # would avoid both. That needs a handler change and a read grant on the
  # secret for the function role, neither of which is visible in this file.
  environment = merge(
    {
      STAGE             = var.stage
      LOG_LEVEL         = "info"
      POSTGRES_USERNAME = local.db_credentials.db_assessment_model_username
      POSTGRES_PASSWORD = local.db_credentials.db_assessment_model_password
    },
  )
}
# Grants the function role read access to S3 so the handler can fetch the
# combiner output CSV. The policy itself is defined in the shared stack and
# referenced here by ARN through its remote-state outputs.
#
# NOTE(review): the policy's scope cannot be seen from this file. Confirm in
# the shared stack that it is read-only and limited to the bucket/prefix that
# holds the combiner output.
resource "aws_iam_role_policy_attachment" "bulk_upload_finaliser_s3_read" {
  role       = module.lambda.role_name
  policy_arn = data.terraform_remote_state.shared.outputs.bulk_upload_finaliser_s3_read_arn
}