From 1ea0a94d4ed9b4eedff3be09037bab095421f198 Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Fri, 27 Mar 2026 16:30:28 +0000 Subject: [PATCH 1/6] chore: make bucket naming generic --- .github/workflows/build.yml | 2 +- .github/workflows/build_get.yml | 2 +- .github/workflows/infra.yml | 2 +- .github/workflows/infra_releases.yml | 4 ++-- infra/modules/aws/_shared/lambda/data.tf | 8 ++++---- infra/modules/aws/_shared/lambda/main.tf | 4 ++-- infra/modules/aws/_shared/lambda/variables.tf | 6 +++--- infra/modules/aws/api/main.tf | 2 +- infra/modules/aws/api/variables.tf | 6 +++--- infra/modules/aws/code_bucket/main.tf | 12 ++++++------ infra/modules/aws/code_bucket/outputs.tf | 2 +- infra/modules/aws/code_bucket/variables.tf | 4 ++-- infra/modules/aws/lambda_worker/main.tf | 2 +- infra/modules/aws/lambda_worker/variables.tf | 6 +++--- infra/root.hcl | 4 ++-- 15 files changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b6f0d023..3bedf897 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,7 @@ jobs: steps: - uses: actions/checkout@v6 - - name: Get lambda code bucket + - name: Get build artifact bucket id: deploy_bucket uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 with: diff --git a/.github/workflows/build_get.yml b/.github/workflows/build_get.yml index ddcca5d2..25bd0017 100644 --- a/.github/workflows/build_get.yml +++ b/.github/workflows/build_get.yml @@ -13,7 +13,7 @@ on: default: "" outputs: code_bucket: - description: "Bucket containing lambda zips" + description: "Bucket containing build artifacts" value: ${{ jobs.bucket.outputs.code_bucket_name }} lambda_version: description: "Valid lambda version" diff --git a/.github/workflows/infra.yml b/.github/workflows/infra.yml index 543015c2..88fad163 100644 --- a/.github/workflows/infra.yml +++ b/.github/workflows/infra.yml 
@@ -10,7 +10,7 @@ on: required: true type: string code_bucket: - description: "Bucket containing lambda zips" + description: "Bucket containing build artifacts" required: true type: string lambda_matrix: diff --git a/.github/workflows/infra_releases.yml b/.github/workflows/infra_releases.yml index 7bd7af27..36d53ccb 100644 --- a/.github/workflows/infra_releases.yml +++ b/.github/workflows/infra_releases.yml @@ -11,7 +11,7 @@ on: type: string outputs: code_bucket: - description: "Bucket containing lambda zips" + description: "Bucket containing build artifacts" value: ${{ jobs.bucket.outputs.bucket_name }} concurrency: # only run one instance of workflow at any one time @@ -35,7 +35,7 @@ jobs: with: ref: ${{ inputs.infra_version }} - - name: Deploy lambda code bucket + - name: Deploy build artifact bucket id: deploy_bucket uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 with: diff --git a/infra/modules/aws/_shared/lambda/data.tf b/infra/modules/aws/_shared/lambda/data.tf index 96cf5af9..1ef311cd 100644 --- a/infra/modules/aws/_shared/lambda/data.tf +++ b/infra/modules/aws/_shared/lambda/data.tf @@ -1,5 +1,5 @@ -data "aws_s3_bucket" "lambda_code" { - bucket = var.lambda_bucket +data "aws_s3_bucket" "code_bucket" { + bucket = var.code_bucket } data "archive_file" "bootstrap_lambda" { @@ -55,7 +55,7 @@ data "aws_iam_policy_document" "codedeploy_lambda" { effect = "Allow" actions = ["s3:GetObject", "s3:GetObjectVersion"] resources = [ - "arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}/*" + "arn:aws:s3:::${data.aws_s3_bucket.code_bucket.bucket}/*" ] } @@ -64,7 +64,7 @@ data "aws_iam_policy_document" "codedeploy_lambda" { sid = "ListArtifactPrefix" effect = "Allow" actions = ["s3:ListBucket", "s3:GetBucketLocation"] - resources = ["arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}"] + resources = ["arn:aws:s3:::${data.aws_s3_bucket.code_bucket.bucket}"] } statement { 
diff --git a/infra/modules/aws/_shared/lambda/main.tf b/infra/modules/aws/_shared/lambda/main.tf index 131b9689..52dd0421 100644 --- a/infra/modules/aws/_shared/lambda/main.tf +++ b/infra/modules/aws/_shared/lambda/main.tf @@ -21,7 +21,7 @@ resource "aws_iam_role_policy_attachment" "additional_iam_attachments" { } resource "aws_s3_object" "bootstrap_lambda_zip" { - bucket = data.aws_s3_bucket.lambda_code.bucket + bucket = data.aws_s3_bucket.code_bucket.bucket key = local.lambda_bootstrap_zip_key source = data.archive_file.bootstrap_lambda.output_path @@ -38,7 +38,7 @@ resource "aws_lambda_function" "lambda" { reserved_concurrent_executions = local.pc_reserved_count - s3_bucket = data.aws_s3_bucket.lambda_code.bucket + s3_bucket = data.aws_s3_bucket.code_bucket.bucket s3_key = aws_s3_object.bootstrap_lambda_zip.key # publish ONE immutable version so we can create an alias diff --git a/infra/modules/aws/_shared/lambda/variables.tf b/infra/modules/aws/_shared/lambda/variables.tf index 96a2aec1..83ed6ddf 100644 --- a/infra/modules/aws/_shared/lambda/variables.tf +++ b/infra/modules/aws/_shared/lambda/variables.tf @@ -9,9 +9,9 @@ variable "environment" { description = "Environment reference used in naming resources i.e. 'dev'" } -variable "lambda_bucket" { +variable "code_bucket" { type = string - description = "Lambda bucket where the code zip(s) are uploaded to" + description = "Bucket where deployable code artifacts are uploaded" } ### end of static vars set in root.hcl ### @@ -220,4 +220,4 @@ variable "provisioned_config" { ) error_message = "When sqs_scale is set, both scale_in_cooldown_seconds and scale_out_cooldown_seconds must be specified and each must be at least 60 seconds." } -} \ No newline at end of file +} diff --git a/infra/modules/aws/api/main.tf b/infra/modules/aws/api/main.tf index 1991bae5..aa8a5b46 100644 --- a/infra/modules/aws/api/main.tf +++ b/infra/modules/aws/api/main.tf 
@@ -3,7 +3,7 @@ module "lambda_api" { project_name = var.project_name environment = var.environment - lambda_bucket = var.lambda_bucket + code_bucket = var.code_bucket lambda_name = local.lambda_name diff --git a/infra/modules/aws/api/variables.tf b/infra/modules/aws/api/variables.tf index 17d00294..c34d4f98 100644 --- a/infra/modules/aws/api/variables.tf +++ b/infra/modules/aws/api/variables.tf @@ -9,9 +9,9 @@ variable "environment" { description = "Environment reference used in naming resources i.e. 'dev'" } -variable "lambda_bucket" { +variable "code_bucket" { type = string - description = "Lambda bucket where the code zip(s) are uploaded to" + description = "Bucket where deployable code artifacts are uploaded" } ### end of static vars set in root.hcl ### @@ -57,4 +57,4 @@ variable "api_5xx_alarm_evaluation_periods" { variable "api_5xx_alarm_datapoints_to_alarm" { type = number description = "The number of evaluated periods that must be breaching to trigger ALARM" -} \ No newline at end of file +} diff --git a/infra/modules/aws/code_bucket/main.tf b/infra/modules/aws/code_bucket/main.tf index f7b85f7d..ad16b9b8 100644 --- a/infra/modules/aws/code_bucket/main.tf +++ b/infra/modules/aws/code_bucket/main.tf @@ -1,11 +1,11 @@ -resource "aws_s3_bucket" "lambda" { - bucket = var.lambda_bucket +resource "aws_s3_bucket" "code" { + bucket = var.code_bucket force_destroy = true } -resource "aws_s3_bucket_ownership_controls" "lambda" { - depends_on = [aws_s3_bucket.lambda] - bucket = aws_s3_bucket.lambda.id +resource "aws_s3_bucket_ownership_controls" "code" { + depends_on = [aws_s3_bucket.code] + bucket = aws_s3_bucket.code.id rule { object_ownership = "BucketOwnerEnforced" } @@ -14,7 +14,7 @@ resource "aws_s3_bucket_ownership_controls" "lambda" { resource "aws_s3_bucket_lifecycle_configuration" "delete_old_files" { count = var.s3_expiration_days > 0 ? 1 : 0 - bucket = aws_s3_bucket.lambda.id + bucket = aws_s3_bucket.code.id rule { id = "delete-expired-objects" 
diff --git a/infra/modules/aws/code_bucket/outputs.tf b/infra/modules/aws/code_bucket/outputs.tf index 326a8856..65816d7e 100644 --- a/infra/modules/aws/code_bucket/outputs.tf +++ b/infra/modules/aws/code_bucket/outputs.tf @@ -1,3 +1,3 @@ output "bucket" { - value = aws_s3_bucket.lambda.bucket + value = aws_s3_bucket.code.bucket } diff --git a/infra/modules/aws/code_bucket/variables.tf b/infra/modules/aws/code_bucket/variables.tf index ff218ad3..474e02cf 100644 --- a/infra/modules/aws/code_bucket/variables.tf +++ b/infra/modules/aws/code_bucket/variables.tf @@ -1,6 +1,6 @@ ### start of static vars set in root.hcl ### -variable "lambda_bucket" { - description = "S3 bucket to host lambda code files" +variable "code_bucket" { + description = "S3 bucket to host build artifacts" type = string } ### end of static vars set in root.hcl ### diff --git a/infra/modules/aws/lambda_worker/main.tf b/infra/modules/aws/lambda_worker/main.tf index d2ba4951..8c125011 100644 --- a/infra/modules/aws/lambda_worker/main.tf +++ b/infra/modules/aws/lambda_worker/main.tf @@ -3,7 +3,7 @@ module "lambda_worker" { project_name = var.project_name environment = var.environment - lambda_bucket = var.lambda_bucket + code_bucket = var.code_bucket lambda_name = local.lambda_name diff --git a/infra/modules/aws/lambda_worker/variables.tf b/infra/modules/aws/lambda_worker/variables.tf index 49b84495..ba569385 100644 --- a/infra/modules/aws/lambda_worker/variables.tf +++ b/infra/modules/aws/lambda_worker/variables.tf @@ -9,9 +9,9 @@ variable "environment" { description = "Environment reference used in naming resources i.e. 'dev'" } -variable "lambda_bucket" { +variable "code_bucket" { type = string - description = "Lambda bucket where the code zip(s) are uploaded to" + description = "Bucket where deployable code artifacts are uploaded" } ### end of static vars set in root.hcl ### 
@@ -63,4 +63,4 @@ variable "sqs_dlq_alarm_evaluation_periods" { variable "sqs_dlq_alarm_datapoints_to_alarm" { type = number description = "The number of evaluated periods that must be breaching to trigger ALARM" -} \ No newline at end of file +} diff --git a/infra/root.hcl b/infra/root.hcl index bb4ccc34..8024f520 100644 --- a/infra/root.hcl +++ b/infra/root.hcl @@ -26,7 +26,7 @@ locals { # separate s3 version bucket when dev, otherwise ci s3_bucket_base = local.environment == "dev" ? "${local.base_reference}-${local.environment}" : "${local.base_reference}-ci" - lambda_bucket = "${local.s3_bucket_base}-lambda" + code_bucket = "${local.s3_bucket_base}-artifacts" } terraform { @@ -97,6 +97,6 @@ inputs = merge( deploy_role_arn = local.deploy_role_arn state_bucket = local.state_bucket state_lock_table = local.state_lock_table - lambda_bucket = local.lambda_bucket + code_bucket = local.code_bucket } ) From 1c177c436bf4b3dbf44cb54880ff6841c6df405b Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Mon, 30 Mar 2026 13:04:19 +0100 Subject: [PATCH 2/6] chore: fmt --- infra/modules/aws/api/main.tf | 6 +++--- infra/modules/aws/lambda_worker/main.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/infra/modules/aws/api/main.tf b/infra/modules/aws/api/main.tf index aa8a5b46..d8c3e001 100644 --- a/infra/modules/aws/api/main.tf +++ b/infra/modules/aws/api/main.tf @@ -1,9 +1,9 @@ module "lambda_api" { source = "../_shared/lambda" - project_name = var.project_name - environment = var.environment - code_bucket = var.code_bucket + project_name = var.project_name + environment = var.environment + code_bucket = var.code_bucket lambda_name = local.lambda_name diff --git a/infra/modules/aws/lambda_worker/main.tf b/infra/modules/aws/lambda_worker/main.tf index 8c125011..ce453360 100644 --- a/infra/modules/aws/lambda_worker/main.tf +++ b/infra/modules/aws/lambda_worker/main.tf 
@@ -1,9 +1,9 @@ module "lambda_worker" { source = "../_shared/lambda" - project_name = var.project_name - environment = var.environment - code_bucket = var.code_bucket + project_name = var.project_name + environment = var.environment + code_bucket = var.code_bucket lambda_name = local.lambda_name From c62ae8d9cf88ec720782cf86b43d8bd0080027e3 Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Mon, 30 Mar 2026 14:44:37 +0100 Subject: [PATCH 3/6] fix: artifacts -> code for char limit on s3 --- infra/root.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/root.hcl b/infra/root.hcl index 8024f520..99f15a28 100644 --- a/infra/root.hcl +++ b/infra/root.hcl @@ -26,7 +26,7 @@ locals { # separate s3 version bucket when dev, otherwise ci s3_bucket_base = local.environment == "dev" ? "${local.base_reference}-${local.environment}" : "${local.base_reference}-ci" - code_bucket = "${local.s3_bucket_base}-artifacts" + code_bucket = "${local.s3_bucket_base}-code" } terraform { From fc9610a9415eaa6cfec3d262d425ef00651b3413 Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Mon, 30 Mar 2026 14:49:05 +0100 Subject: [PATCH 4/6] fix: add dep for frontend in ci deploy --- .github/workflows/deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 6b56e5f2..92024397 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -139,6 +139,7 @@ jobs: frontend: runs-on: ubuntu-latest + needs: lambdas if: ${{ inputs.frontend_version != '' }} steps: - uses: actions/checkout@v6 From d36f8d98327fd6267bb2f71ab47ffa0f2d721c62 Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Mon, 30 Mar 2026 14:59:36 +0100 Subject: [PATCH 5/6] fix: infra init deploy deps --- .github/workflows/deploy.yml | 1 - .github/workflows/infra.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 92024397..6b56e5f2 100644 
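Review bot: The `-code` suffix in the `code_bucket` local keeps the generated name under the 63-character S3 bucket-name limit only for the present `base_reference`; the limit itself is not enforced anywhere in the diff, so a longer project or environment name would fail again at apply time with the same error this commit works around. A `validation` block on `variable "code_bucket"` in `infra/modules/aws/code_bucket/variables.tf`, with `condition = length(var.code_bucket) <= 63` and a message naming the limit, would report it at plan time instead. The `locals` block continues outside the hunk.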
--- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -139,7 +139,6 @@ jobs: frontend: runs-on: ubuntu-latest - needs: lambdas if: ${{ inputs.frontend_version != '' }} steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/infra.yml b/.github/workflows/infra.yml index 88fad163..1fa46b09 100644 --- a/.github/workflows/infra.yml +++ b/.github/workflows/infra.yml @@ -45,7 +45,7 @@ jobs: tg_directory: infra/live/${{ inputs.environment }}/aws/oidc frontend: - needs: oidc + needs: lambdas runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 From 48c1ed8ba6f9df2efbba84e9a82f3167dcccbdbf Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Mon, 30 Mar 2026 16:43:46 +0100 Subject: [PATCH 6/6] fix: pass in api_invoke_url var --- .github/workflows/destroy.yml | 4 +++- .github/workflows/infra.yml | 17 +++++++++++++++++ infra/modules/aws/frontend/data.tf | 8 -------- infra/modules/aws/frontend/locals.tf | 2 +- infra/modules/aws/frontend/variables.tf | 5 +++++ 5 files changed, 26 insertions(+), 10 deletions(-) diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 8979cfc5..3defe623 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -60,13 +60,15 @@ jobs: tg_action: destroy frontend: - needs: setup + needs: lambdas runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - name: Destroy frontend infra uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 + env: + TF_VAR_api_invoke_url: "https://placeholder.execute-api.us-east-1.amazonaws.com" with: aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/frontend diff --git a/.github/workflows/infra.yml b/.github/workflows/infra.yml index 1fa46b09..f47c3a6c 100644 --- a/.github/workflows/infra.yml +++ b/.github/workflows/infra.yml 
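Review bot: The hard-coded `TF_VAR_api_invoke_url` placeholder on the frontend destroy step carries no comment saying why it exists, so a reader will reasonably wonder whether the destroy applies a bogus origin or whether the value must be replaced with a real lookup. A comment above the `env:` key such as `# api_invoke_url is a required module variable; any https:// value satisfies it on destroy and is never applied` would settle that. Moving the job from `needs: setup` to `needs: lambdas` presumably orders it after the API teardown; with the `terraform_remote_state` lookup removed in the same commit the frontend no longer reads API state, so whether that ordering is still required is worth confirming against the `lambdas` job, which is outside the hunk.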
@@ -52,8 +52,25 @@ jobs: with: ref: ${{ inputs.infra_version }} + - name: Get api infra + uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 + id: get-api + with: + aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} + tg_directory: infra/live/${{ inputs.environment }}/aws/api + tg_action: init + + - name: Get api invoke url + id: get_api_vars + env: + TG_OUTPUTS: ${{ steps.get-api.outputs.tg_outputs }} + run: | + echo "invoke_url=$(echo $TG_OUTPUTS | jq -r '.invoke_url.value')" >> $GITHUB_OUTPUT + - name: Deploy frontend infra uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 + env: + TF_VAR_api_invoke_url: ${{ steps.get_api_vars.outputs.invoke_url }} with: aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/frontend diff --git a/infra/modules/aws/frontend/data.tf b/infra/modules/aws/frontend/data.tf index 0f749c00..048b10c0 100644 --- a/infra/modules/aws/frontend/data.tf +++ b/infra/modules/aws/frontend/data.tf @@ -51,11 +51,3 @@ data "aws_cloudfront_cache_policy" "caching_disabled" { data "aws_caller_identity" "current" {} -data "terraform_remote_state" "api" { - backend = "s3" - config = { - bucket = var.state_bucket - key = "${var.environment}/aws/api/terraform.tfstate" - region = var.aws_region - } -} diff --git a/infra/modules/aws/frontend/locals.tf b/infra/modules/aws/frontend/locals.tf index fb6e6a47..c4960c68 100644 --- a/infra/modules/aws/frontend/locals.tf +++ b/infra/modules/aws/frontend/locals.tf @@ -1,7 +1,7 @@ locals { name = "${var.environment}-${var.project_name}" bucket_name = "${data.aws_caller_identity.current.account_id}-${local.name}" - api_domain = replace(data.terraform_remote_state.api.outputs.invoke_url, "https://", "") + api_domain = replace(var.api_invoke_url, "https://", "") s3_origin_id = "s3" api_origin_id = "api" diff --git a/infra/modules/aws/frontend/variables.tf b/infra/modules/aws/frontend/variables.tf index 3a332ba2..05814992 100644 
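Review bot: In the `Get api invoke url` step a missing or null `invoke_url` output does not fail the job: `jq -r` prints the literal `null`, the exit status of the `$(...)` substitution is masked by `echo`, and the value is passed unchecked to the frontend deploy as `TF_VAR_api_invoke_url`, from which `locals.tf` derives `api_domain`. `$TG_OUTPUTS` and `$GITHUB_OUTPUT` are also unquoted, so the JSON is subject to word splitting and glob expansion before `jq` sees it. Splitting the assignment from the write and using `jq -e` makes the step fail closed: `invoke_url="$(jq -er '.invoke_url.value' <<<"$TG_OUTPUTS")"` followed by `echo "invoke_url=${invoke_url}" >> "$GITHUB_OUTPUT"`. The step ids `get-api` and `get_api_vars` also mix kebab and snake case, while the existing `deploy_bucket` id in the sibling workflows uses snake case. The `frontend` job starts outside the hunk.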
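Review bot: `api_domain` is derived with `replace(var.api_invoke_url, "https://", "")`, which removes every occurrence of the substring rather than a leading scheme; `trimprefix` states the intent precisely: `api_domain = trimprefix(var.api_invoke_url, "https://")`. Either form leaves any trailing slash or stage path in the domain, so if the API's invoke URL can carry one it needs stripping here as well; that cannot be judged from the hunk. The `locals` block continues outside the hunk.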
--- a/infra/modules/aws/frontend/variables.tf
+++ b/infra/modules/aws/frontend/variables.tf
@@ -23,3 +23,8 @@ variable "deploy_role_arn" {
 description = "ARN of the OIDC deploy role to grant frontend bucket access"
 }
 ### end of static vars set in root.hcl ###
+
+variable "api_invoke_url" {
+ type = string
+ description = "Invoke URL of the API Gateway HTTP API"
+}
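Review bot: `variable "api_invoke_url"` accepts any string, yet `locals.tf` strips `https://` from it and uses the remainder as `api_domain`, so a value such as the literal `null` (what the workflow's `jq -r` emits when the output is absent) or an `http://` URL is silently accepted and applied as a wrong API origin. A `validation` block rejecting anything that is not an `https://` URL with a host turns that into a plan-time error with a readable message; the placeholder used by `destroy.yml` still passes it. The rewritten variable follows.

```hcl
variable "api_invoke_url" {
  # … unchanged: type and description …

  validation {
    condition     = can(regex("^https://[^/]+", var.api_invoke_url))
    error_message = "api_invoke_url must be an https:// URL with a host; the frontend strips the scheme to derive its API origin domain."
  }
}
```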