MLPAB-1518 - enable lambda insights for image lambda (#810)

* enable lambda insights for image lambda * attach lambda insights policy * detect changes to dockerfiles
ministryofjustice · Nov 2, 2023 · 4298ebf · 4298ebf
1 parent abb6cf7
commit 4298ebf
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 2 deletions.
diff --git a/.github/workflows/detect_changes_to_app_job.yml b/.github/workflows/detect_changes_to_app_job.yml
@@ -23,12 +23,12 @@ jobs:
           echo "Build status of ${{github.event.before}}: $BEFORE_STATUS"
           if [[ "$BEFORE_STATUS" == "success" ]]; then
             echo "Checking against ${{github.event.before}}"
-            (git diff --quiet ${{github.event.before}} ${{github.event.after}} -- cmd internal lang web lambda Dockerfile package.json yarn.lock go.mod && \
+            (git diff --quiet ${{github.event.before}} ${{github.event.after}} -- cmd internal lang web lambda docker/event-received docker/mlpa package.json yarn.lock go.mod && \
             echo "changes=${{ false }}" || \
             echo "changes=${{ true }}") | tee -a "${GITHUB_OUTPUT}"
           else
             echo "Checking against origin/main"
-            (git diff --quiet HEAD origin/main -- cmd internal lang web lambda Dockerfile package.json yarn.lock go.mod && \
+            (git diff --quiet HEAD origin/main -- cmd internal lang web lambda docker/event-received docker/mlpa package.json yarn.lock go.mod && \
             echo "changes=${{ false }}" || \
             echo "changes=${{ true }}") | tee -a "${GITHUB_OUTPUT}"
           fi

diff --git a/docker/event-received/Dockerfile b/docker/event-received/Dockerfile
@@ -12,6 +12,8 @@ RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -tags lambda.norpc -o event-r
 
 FROM public.ecr.aws/lambda/provided:al2 AS dev
 
+WORKDIR /app
+
 COPY --from=build /app/event-received ./event-received
 COPY lang ./lang
 COPY docker/event-received/aws-lambda-rie ./aws-lambda-rie
@@ -20,6 +22,12 @@ ENTRYPOINT ["./event-received"]
 
 FROM public.ecr.aws/lambda/provided:al2 AS production
 
+WORKDIR /app
+
+RUN curl -O https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension.rpm && \
+    rpm -U lambda-insights-extension.rpm && \
+    rm -f lambda-insights-extension.rpm ;
+
 COPY --from=build /app/event-received ./event-received
 COPY lang ./lang
 

diff --git a/terraform/environment/region/modules/event_received/lambda.tf b/terraform/environment/region/modules/event_received/lambda.tf
@@ -56,6 +56,12 @@ resource "aws_iam_role_policy" "event_received" {
   provider = aws.region
 }
 
+resource "aws_iam_role_policy_attachment" "cloudwatch_lambda_insights" {
+  role       = module.event_received.lambda_role.id
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
+  provider   = aws.region
+}
+
 data "aws_kms_alias" "dynamodb_encryption_key" {
   name     = "alias/${data.aws_default_tags.current.tags.application}_dynamodb_encryption"
   provider = aws.region

diff --git a/terraform/environment/region/modules/uploads_s3_bucket/lambda.tf b/terraform/environment/region/modules/uploads_s3_bucket/lambda.tf
@@ -116,3 +116,9 @@ data "aws_iam_policy_document" "scheduler_invoke_lambda" {
   }
   provider = aws.region
 }
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_lambda_insights" {
+  role       = module.s3_create_batch_replication_jobs.lambda_role.id
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
+  provider   = aws.region
+}