(infra): Refactor the Terraform to a module

The module will deploy everything each Lambda needs - queue, log group,
permissions etc. When I deploy more Lambdas I'll just need to call the
module again pointing to the relevant file etc.

Author: alex9smith

TODO.md

@@ -10,7 +10,6 @@
 ## Infrastucture
 
 - Deploy the other lambdas
-- Refactor queue / logs / lambda into a module?
 
 ## Benchmark
 

infra/cloudwatch.tf

@@ -1,27 +1,9 @@
-resource "aws_lambda_function" "lambda_benchmark_typescript_lambda" {
-  function_name    = "lambda_benchmark_typescript_lambda"
-  filename         = "../lambda/typescript/dist/index.zip"
-  role             = aws_iam_role.lambda_benchmark_lambda_role.arn
-  handler          = "index.handler"
-  source_code_hash = filebase64sha256("../lambda/typescript/dist/index.zip")
-  runtime          = "nodejs20.x"
-  architectures    = ["arm64"]
-  timeout          = 5
-  tags             = var.default_tags
+module "typescript_lambda" {
+  source = "./modules/lambda"
 
-  environment {
-    variables = {
-      TABLE_NAME = var.dynamodb_table_name,
-    }
-  }
-
-  depends_on = [
-    aws_iam_role_policy_attachment.lambda_benchmark_allow_logging,
-    aws_cloudwatch_log_group.lambda_benchmark_typescript_logs,
-  ]
-}
-
-resource "aws_lambda_event_source_mapping" "lambda_benchmark_typescript_lambda" {
-  event_source_arn = aws_sqs_queue.typescript_lambda_queue.arn
-  function_name    = aws_lambda_function.lambda_benchmark_typescript_lambda.arn
+  source_file         = "../lambda/typescript/dist/index.zip"
+  language_name       = "typescript"
+  runtime             = "nodejs20.x"
+  handler             = "index.handler"
+  dynamodb_table_name = var.dynamodb_table_name
 }

infra/lambda.tf

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "log_group" {
+  name              = "/aws/lambda/lambda_benchmark_${var.language_name}_lambda"
+  retention_in_days = 3
+  tags              = var.default_tags
+}

infra/modules/lambda/cloudwatch.tf

@@ -11,8 +11,8 @@ data "aws_iam_policy_document" "assume_role" {
   }
 }
 
-resource "aws_iam_role" "lambda_benchmark_lambda_role" {
-  name               = "lambda_benchmark_lambda_role"
+resource "aws_iam_role" "base_lambda_role" {
+  name               = "lambda_benchmark_base_${var.language_name}_role"
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
   tags               = var.default_tags
 }
@@ -31,17 +31,17 @@ data "aws_iam_policy_document" "lambda_logging" {
   }
 }
 
-resource "aws_iam_policy" "lambda_benchmark_allow_logging" {
-  name        = "lambda_benchmark_allow_logging"
+resource "aws_iam_policy" "allow_logging" {
+  name        = "lambda_benchmark_${var.language_name}_allow_logging"
   path        = "/"
-  description = "Allow lambdas in the lambda_benchmark app to log to Cloudwatch"
+  description = "Allow the ${var.language_name} lambda in the lambda_benchmark app to log to Cloudwatch"
   policy      = data.aws_iam_policy_document.lambda_logging.json
   tags        = var.default_tags
 }
 
-resource "aws_iam_role_policy_attachment" "lambda_benchmark_allow_logging" {
-  role       = aws_iam_role.lambda_benchmark_lambda_role.name
-  policy_arn = aws_iam_policy.lambda_benchmark_allow_logging.arn
+resource "aws_iam_role_policy_attachment" "allow_logging" {
+  role       = aws_iam_role.base_lambda_role.name
+  policy_arn = aws_iam_policy.allow_logging.arn
 }
 
 data "aws_iam_policy_document" "dynamodb_access" {
@@ -52,29 +52,29 @@ data "aws_iam_policy_document" "dynamodb_access" {
       "dynamodb:PutItem",
     ]
 
-    resources = [aws_dynamodb_table.table.arn]
+    resources = ["arn:aws:dynamodb:*:*:table/${var.dynamodb_table_name}"]
   }
 }
 
 
-resource "aws_iam_policy" "lambda_benchmark_dynamodb_table_access" {
-  name        = "lambda_benchmark_dynamodb_table_access"
+resource "aws_iam_policy" "dynamodb_access" {
+  name        = "lambda_benchmark_${var.language_name}_dynamodb_access"
   path        = "/"
-  description = "IAM policy to allow lambdas in the lambda_benchmark app to write to DynamoDB"
+  description = "IAM policy to allow the ${var.language_name} lambda in the lambda_benchmark app to write to DynamoDB"
   policy      = data.aws_iam_policy_document.dynamodb_access.json
   tags        = var.default_tags
 }
 
-resource "aws_iam_role_policy_attachment" "dynamodb_table_access" {
-  role       = aws_iam_role.lambda_benchmark_lambda_role.name
-  policy_arn = aws_iam_policy.lambda_benchmark_dynamodb_table_access.arn
+resource "aws_iam_role_policy_attachment" "dynamodb_access" {
+  role       = aws_iam_role.base_lambda_role.name
+  policy_arn = aws_iam_policy.dynamodb_access.arn
 }
 
 data "aws_iam_policy_document" "sqs_access" {
   statement {
     sid       = "AllowSQSPermissions"
     effect    = "Allow"
-    resources = [aws_sqs_queue.typescript_lambda_queue.arn]
+    resources = [aws_sqs_queue.queue.arn]
 
     actions = [
       "sqs:ChangeMessageVisibility",
@@ -86,15 +86,15 @@ data "aws_iam_policy_document" "sqs_access" {
 
 }
 
-resource "aws_iam_policy" "lambda_benchmark_sqs_access" {
-  name        = "lambda_benchmark_sqs_access"
+resource "aws_iam_policy" "sqs_access" {
+  name        = "lambda_benchmark_${var.language_name}_sqs_access"
   path        = "/"
-  description = "IAM policy to allow lambdas in the lambda_benchmark app to read from SQS"
+  description = "IAM policy to allow the ${var.language_name} lambda in the lambda_benchmark app to read from SQS"
   policy      = data.aws_iam_policy_document.sqs_access.json
   tags        = var.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "sqs_access" {
-  role       = aws_iam_role.lambda_benchmark_lambda_role.name
-  policy_arn = aws_iam_policy.lambda_benchmark_sqs_access.arn
+  role       = aws_iam_role.base_lambda_role.name
+  policy_arn = aws_iam_policy.sqs_access.arn
 }

infra/iam.tf renamed to infra/modules/lambda/iam.tf

@@ -0,0 +1,27 @@
+resource "aws_lambda_function" "lambda" {
+  function_name    = "lambda_benchmark_${var.language_name}_lambda"
+  filename         = var.source_file
+  role             = aws_iam_role.base_lambda_role.arn
+  handler          = var.handler
+  source_code_hash = filebase64sha256(var.source_file)
+  runtime          = var.runtime
+  architectures    = ["arm64"]
+  timeout          = 5
+  tags             = var.default_tags
+
+  environment {
+    variables = {
+      TABLE_NAME = var.dynamodb_table_name,
+    }
+  }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.allow_logging,
+    aws_cloudwatch_log_group.log_group,
+  ]
+}
+
+resource "aws_lambda_event_source_mapping" "mapping" {
+  event_source_arn = aws_sqs_queue.queue.arn
+  function_name    = aws_lambda_function.lambda.arn
+}

infra/modules/lambda/lambda.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "opentofu/aws"
+      version = "5.69.0"
+    }
+  }
+}

infra/modules/lambda/main.tf

@@ -0,0 +1,4 @@
+resource "aws_sqs_queue" "queue" {
+  name_prefix = "benchmark_lambda_${var.language_name}_queue"
+  tags        = var.default_tags
+}

infra/modules/lambda/outputs.tf

@@ -0,0 +1,28 @@
+variable "language_name" {
+  type = string
+}
+
+variable "source_file" {
+  type = string
+}
+
+variable "handler" {
+  type = string
+}
+
+variable "runtime" {
+  type = string
+}
+
+variable "dynamodb_table_name" {
+  type = string
+}
+
+variable "default_tags" {
+  description = "Tags to apply to AWS resources"
+  default = {
+    Environment = "Dev"
+    Application = "Lambda benchmark prototype"
+  }
+}
+