BFD-3351: Prepare for EFT Outbound Contingency (#2251)

ops/terraform/services/eft/README.md

@@ -111,7 +111,10 @@ No outputs.
 | [aws_sns_topic_policy.outbound_partner_notifs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_policy.outbound_pending_s3_notifs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.sftp_outbound_transfer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sns_topic_subscription.sftp_outbound_transfer_contingency](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sqs_queue.sftp_outbound_transfer_contingency](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.sftp_outbound_transfer_dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue_policy.sftp_outbound_transfer_sqs_contingency](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_transfer_server.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/transfer_server) | resource |
 | [aws_transfer_ssh_key.eft_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/transfer_ssh_key) | resource |
 | [aws_transfer_user.eft_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/transfer_user) | resource |

ops/terraform/services/eft/contingency.tf

@@ -0,0 +1,37 @@
+# NOTE: These resources are defined to support a contingency that should be
+# activated in the event that AWS Lambda cannot satisfy the EFT Outbound
+# requirements within the allotted 15m timeout.
+resource "aws_sqs_queue" "sftp_outbound_transfer_contingency" {
+  count = length(local.eft_partners_with_outbound_enabled) > 0 ? 1 : 0
+  name  = "${local.outbound_lambda_full_name}-contingency"
+}
+
+resource "aws_sns_topic_subscription" "sftp_outbound_transfer_contingency" {
+  for_each = toset(local.eft_partners_with_outbound_enabled)
+
+  topic_arn = aws_sns_topic.outbound_pending_s3_notifs[each.key].arn
+  protocol  = "sqs"
+  endpoint  = one(aws_sqs_queue.sftp_outbound_transfer_contingency[*].arn)
+}
+
+resource "aws_sqs_queue_policy" "sftp_outbound_transfer_sqs_contingency" {
+  count     = length(local.eft_partners_with_outbound_enabled) > 0 ? 1 : 0
+  queue_url = one(aws_sqs_queue.sftp_outbound_transfer_contingency[*].id)
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Id" : "${local.outbound_lambda_full_name}-contingency",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : "sns.amazonaws.com"
+          },
+          "Action" : "SQS:SendMessage",
+          Resource = [one(aws_sqs_queue.sftp_outbound_transfer_contingency[*].arn)]
+          "Condition" : { "StringLike" : { "aws:SourceArn" : [for partner, data in aws_sns_topic.outbound_pending_s3_notifs : data.arn] } }
+        }
+      ]
+    }
+  )
+}

ops/terraform/services/eft/main.tf

@@ -271,7 +271,7 @@ resource "aws_lambda_function" "sftp_outbound_transfer" {
   image_uri        = local.outbound_lambda_image_uri
   source_code_hash = trimprefix(data.aws_ecr_image.sftp_outbound_transfer.id, "sha256:")
   package_type     = "Image"
-  memory_size      = 512
+  memory_size      = 5120
   timeout          = 900
 
   tags = {