fixes for lambda errors

bcgov · Apr 23, 2024 · 5ce2a96 · 5ce2a96
1 parent 754ed62
commit 5ce2a96
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 3 deletions.
diff --git a/lambda/cache-invalidator/nodejs/app.js b/lambda/cache-invalidator/nodejs/app.js
@@ -15,7 +15,7 @@ const distributionIds = distributionIdsString.split(',');
  * @returns {Object} object - API Gateway Lambda Proxy Output Format
  * 
  */
-exports.lambdaHandler = async (event, context) => {
+export const lambdaHandler = async (event, context) => {
     const cloudfront = new AWS.CloudFront();
     const invalidationPaths = ['/*']; // Paths to invalidate, right now assume it's the root for all services
     const results = [];

diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -18,6 +18,7 @@ data "aws_iam_policy" "lambdaSecrets" {
   name = "SecretsManagerReadWrite"
 }
 
+
 resource "aws_iam_role" "lambda_iam_role" {
   name = "wfone-public-mobile-lambda-role-${var.target_env}"
   assume_role_policy = jsonencode({
@@ -63,11 +64,44 @@ resource "aws_iam_policy" "lambdaSQS" {
 EOF
 }
 
+resource "aws_iam_policy" "cloudfrontInvalidate" {
+  name        = "wfone-cloudfront-invalidate-${var.target_env}"
+  path        = "/"
+  policy = <<EOF
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "VisualEditor0",
+			"Effect": "Allow",
+			"Action": [
+				"cloudfront:GetDistribution",
+				"cloudfront:UpdateCachePolicy",
+				"cloudfront:ListInvalidations",
+				"cloudfront:ListDistributions",
+				"cloudfront:GetInvalidation",
+				"cloudfront:ListCachePolicies",
+				"cloudfront:UpdateDistribution",
+				"cloudfront:GetCachePolicy",
+				"cloudfront:CreateInvalidation"
+			],
+			"Resource": "*"
+		}
+	]
+}
+EOF
+}
+
 resource "aws_iam_role_policy_attachment" "lambdaAttach" {
   role       = aws_iam_role.lambda_iam_role.name
   policy_arn = data.aws_iam_policy.lambdaExecute.arn
 }
 
+resource "aws_iam_role_policy_attachment" "cloudfrontAttach" {
+  role       = aws_iam_role.lambda_iam_role.name
+  policy_arn = aws_iam_policy.cloudfrontInvalidate.arn
+}
+
 resource "aws_iam_role_policy_attachment" "sqsAttach" {
   role       = aws_iam_role.lambda_iam_role.name
   policy_arn = aws_iam_policy.lambdaSQS.arn

diff --git a/terraform/lambda.tf b/terraform/lambda.tf
@@ -136,14 +136,14 @@ resource "aws_lambda_function" "wfnews-cache-invalidator" {
   s3_key =  "wfnews-cache-invalidator.zip"
   source_code_hash = data.aws_s3_object.wfnews_cache_invalidator_hash.body
   role          = aws_iam_role.lambda_iam_role.arn
-  handler       = "app.lambda_handler"
+  handler       = "app.lambdaHandler"
   runtime       = "nodejs18.x"
   timeout = 180
   environment {
     variables = {
       S3_BUCKET   = aws_s3_bucket.wfnews-monitor-queue-bucket.id
       SECRET_NAME = var.SECRET_NAME
-      DISTRIBUTION_IDS = "${aws_cloudfront_distribution.wfnews_openmaps_cache[0].id},${aws_cloudfront_distribution.wfnews_services6_cache[0].id}"
+      MAPS_CLOUDFRONT_DISTRIBUTION_IDS = "${aws_cloudfront_distribution.wfnews_openmaps_cache[0].id},${aws_cloudfront_distribution.wfnews_services6_cache[0].id}"
     }
   }
   vpc_config {