(infra): Deploy the first lambda with OpenTofu

Author: alex9smith

.opentofu-version

@@ -0,0 +1 @@
+1.9.1

README.md

@@ -12,6 +12,28 @@ Each lambda implementation has the same functionality:
 
 ## Requirements
 
-Node >= v 20
-NPM
-ESBuild availble globally
+- Node >= v20
+- NPM
+- ESBuild availble globally
+- OpenTofu (see `.opentofu-version`)
+
+## Deploying
+
+The prototype is deployed with [OpenTofu](https://opentofu.org/).
+Valid AWS credentials must be present in your shell.
+
+First, build the lambda:
+
+```bash
+cd lambda/typescript
+npm run build
+
+```
+
+Then deploy:
+
+```bash
+cd infra
+tofu init
+tofu apply
+```

TODO.md

@@ -9,8 +9,8 @@
 
 ## Infrastucture
 
-- Decide Terraform vs. Cloudformation
-- How to build each lambda?
+- Deploy the other lambdas
+- Refactor queue / logs / lambda into a module?
 
 ## Benchmark
 

infra/.gitignore

@@ -0,0 +1,3 @@
+/.terraform
+production.auto.tfvars
+terraform.tfstate*

infra/.terraform.lock.hcl

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "lambda_benchmark_typescript_logs" {
+  name              = "/aws/lambda/lambda_benchmark_typescript_lambda"
+  retention_in_days = 3
+  tags              = var.default_tags
+}

infra/cloudwatch.tf

@@ -0,0 +1,11 @@
+resource "aws_dynamodb_table" "table" {
+  name         = var.dynamodb_table_name
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "eventId"
+
+  attribute {
+    name = "eventId"
+    type = "S"
+  }
+
+}

infra/dynamodb.tf

@@ -0,0 +1 @@
+owner = ""

infra/example.tfvars

@@ -0,0 +1,100 @@
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "lambda_benchmark_lambda_role" {
+  name               = "lambda_benchmark_lambda_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  tags               = var.default_tags
+}
+
+data "aws_iam_policy_document" "lambda_logging" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["arn:aws:logs:*:*:*"]
+  }
+}
+
+resource "aws_iam_policy" "lambda_benchmark_allow_logging" {
+  name        = "lambda_benchmark_allow_logging"
+  path        = "/"
+  description = "Allow lambdas in the lambda_benchmark app to log to Cloudwatch"
+  policy      = data.aws_iam_policy_document.lambda_logging.json
+  tags        = var.default_tags
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_benchmark_allow_logging" {
+  role       = aws_iam_role.lambda_benchmark_lambda_role.name
+  policy_arn = aws_iam_policy.lambda_benchmark_allow_logging.arn
+}
+
+data "aws_iam_policy_document" "dynamodb_access" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:PutItem",
+    ]
+
+    resources = [aws_dynamodb_table.table.arn]
+  }
+}
+
+
+resource "aws_iam_policy" "lambda_benchmark_dynamodb_table_access" {
+  name        = "lambda_benchmark_dynamodb_table_access"
+  path        = "/"
+  description = "IAM policy to allow lambdas in the lambda_benchmark app to write to DynamoDB"
+  policy      = data.aws_iam_policy_document.dynamodb_access.json
+  tags        = var.default_tags
+}
+
+resource "aws_iam_role_policy_attachment" "dynamodb_table_access" {
+  role       = aws_iam_role.lambda_benchmark_lambda_role.name
+  policy_arn = aws_iam_policy.lambda_benchmark_dynamodb_table_access.arn
+}
+
+data "aws_iam_policy_document" "sqs_access" {
+  statement {
+    sid       = "AllowSQSPermissions"
+    effect    = "Allow"
+    resources = [aws_sqs_queue.typescript_lambda_queue.arn]
+
+    actions = [
+      "sqs:ChangeMessageVisibility",
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:ReceiveMessage",
+    ]
+  }
+
+}
+
+resource "aws_iam_policy" "lambda_benchmark_sqs_access" {
+  name        = "lambda_benchmark_sqs_access"
+  path        = "/"
+  description = "IAM policy to allow lambdas in the lambda_benchmark app to read from SQS"
+  policy      = data.aws_iam_policy_document.sqs_access.json
+  tags        = var.default_tags
+}
+
+resource "aws_iam_role_policy_attachment" "sqs_access" {
+  role       = aws_iam_role.lambda_benchmark_lambda_role.name
+  policy_arn = aws_iam_policy.lambda_benchmark_sqs_access.arn
+}

infra/iam.tf

@@ -0,0 +1,27 @@
+resource "aws_lambda_function" "lambda_benchmark_typescript_lambda" {
+  function_name    = "lambda_benchmark_typescript_lambda"
+  filename         = "../lambda/typescript/dist/index.zip"
+  role             = aws_iam_role.lambda_benchmark_lambda_role.arn
+  handler          = "index.handler"
+  source_code_hash = filebase64sha256("../lambda/typescript/dist/index.zip")
+  runtime          = "nodejs20.x"
+  architectures    = ["arm64"]
+  timeout          = 5
+  tags             = var.default_tags
+
+  environment {
+    variables = {
+      TABLE_NAME = var.dynamodb_table_name,
+    }
+  }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.lambda_benchmark_allow_logging,
+    aws_cloudwatch_log_group.lambda_benchmark_typescript_logs,
+  ]
+}
+
+resource "aws_lambda_event_source_mapping" "lambda_benchmark_typescript_lambda" {
+  event_source_arn = aws_sqs_queue.typescript_lambda_queue.arn
+  function_name    = aws_lambda_function.lambda_benchmark_typescript_lambda.arn
+}