terraform-aws-braintrust-data-plane/modules/services/lambda-migrate-database.tf at e5b7664eed7ea1b9298f228090d273e315df7bfe · braintrustdata/terraform-aws-braintrust-data-plane · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
locals {
  migrate_database_base_function_name = "MigrateDatabaseFunction"
  migrate_database_function_name      = "${var.deployment_name}-${local.migrate_database_base_function_name}"
  migrate_database_original_handler   = "lambda_function.lambda_handler"
}

resource "aws_lambda_function" "migrate_database" {
  function_name = local.migrate_database_function_name
  s3_bucket     = local.lambda_s3_bucket
  s3_key        = local.lambda_versions[local.migrate_database_base_function_name]
  role          = aws_iam_role.default_role.arn
  handler       = local.observability_enabled ? local.python_datadog_handler : local.migrate_database_original_handler
  runtime       = "python3.13"
  memory_size   = 1024
  timeout       = 900
  publish       = true
  kms_key_arn   = var.kms_key_arn

  layers = concat(
    local.observability_enabled ? [local.datadog_node_layer_arn, local.datadog_extension_arm_layer_arn] : [],
    [data.aws_lambda_layer_version.aws_params_secrets_x86_64.arn],
    [aws_lambda_layer_version.secrets_wrapper.arn],
  )

  logging_config {
    log_format = local.observability_enabled ? "JSON" : "Text"
    log_group  = "/braintrust/${var.deployment_name}/${local.migrate_database_function_name}"
  }
  environment {
    variables = merge({
      BRAINTRUST_RUN_DRAFT_MIGRATIONS = var.run_draft_migrations
      INSERT_LOGS2                    = "true"
      PG_HOST                         = var.postgres_host
      PG_PORT                         = var.postgres_port
      DATABASE_SECRETS_ARN            = var.postgres_database_secret_arn
      AWS_LAMBDA_EXEC_WRAPPER         = "/opt/bin/aws-sm-wrapper.sh"
      },
      var.extra_env_vars.MigrateDatabaseFunction,
      local.observability_enabled ? merge(local.datadog_env_vars, {
        DD_SERVICE        = local.migrate_database_base_function_name
        DD_LAMBDA_HANDLER = local.migrate_database_original_handler
      }) : {}
    )
  }

  vpc_config {
    subnet_ids         = var.service_subnet_ids
    security_group_ids = [var.api_security_group_id]
  }

  tags = local.common_tags
}

# This is mainly for convenience to be able to manually invoke the latest
resource "aws_lambda_alias" "migrate_database_live" {
  name             = "live"
  function_name    = aws_lambda_function.migrate_database.function_name
  function_version = aws_lambda_function.migrate_database.version
}

# Invoke the database migration lambda function every time the version changes
resource "aws_lambda_invocation" "invoke_database_migration" {
  function_name = aws_lambda_function.migrate_database.function_name
  input         = jsonencode({})
  triggers = {
    function_version = aws_lambda_function.migrate_database.version
  }
}