Structure OpenTofu environments

modules/quantum/build/.gitkeep

@@ -0,0 +1 @@
+

modules/quantum/lambda/handler.py

@@ -0,0 +1,48 @@
+import json
+import os
+
+
+def lambda_handler(event, context):
+    app_name = os.environ.get("APP_NAME", "Quantum")
+    bucket_name = os.environ.get("BUCKET_NAME", "unknown")
+    secret_name = os.environ.get("SECRET_NAME", "unknown")
+
+    records = event.get("Records", [])
+
+    processed = []
+    for record in records:
+        body = record.get("body", "{}")
+
+        try:
+            payload = json.loads(body)
+        except json.JSONDecodeError:
+            payload = {"raw": body}
+
+        processed.append(
+            {
+                "messageId": record.get("messageId"),
+                "payload": payload,
+            }
+        )
+
+    print(
+        json.dumps(
+            {
+                "app": app_name,
+                "bucket": bucket_name,
+                "secret": secret_name,
+                "processedCount": len(processed),
+                "records": processed,
+            }
+        )
+    )
+
+    return {
+        "statusCode": 200,
+        "body": json.dumps(
+            {
+                "message": "Quantum event batch processed",
+                "processedCount": len(processed),
+            }
+        ),
+    }

modules/quantum/main.tf

@@ -0,0 +1,207 @@
+locals {
+  name_prefix = "${var.project_name}-${var.environment}"
+
+  common_tags = {
+    Application = "Quantum"
+    Environment = var.environment
+    ManagedBy   = "OpenTofu"
+    Runtime     = "LocalStack"
+  }
+}
+
+data "archive_file" "quantum_lambda" {
+  type        = "zip"
+  source_file = "${path.module}/lambda/handler.py"
+  output_path = "${path.module}/build/quantum_lambda.zip"
+}
+
+resource "aws_s3_bucket" "quantum_artifacts" {
+  bucket        = "${local.name_prefix}-artifacts"
+  force_destroy = true
+
+  tags = merge(local.common_tags, {
+    Name = "${local.name_prefix}-artifacts"
+  })
+}
+
+resource "aws_s3_bucket_versioning" "quantum_artifacts" {
+  bucket = aws_s3_bucket.quantum_artifacts.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_object" "sample_config" {
+  bucket       = aws_s3_bucket.quantum_artifacts.id
+  key          = "config/quantum-${var.environment}.json"
+  content_type = "application/json"
+
+  content = jsonencode({
+    appName       = "Quantum"
+    environment   = var.environment
+    featureToggle = "simulated-localstack"
+    owner         = "platform-team"
+  })
+
+  tags = local.common_tags
+}
+
+resource "aws_sqs_queue" "quantum_dlq" {
+  name                      = "${local.name_prefix}-events-dlq"
+  message_retention_seconds = 1209600
+
+  tags = merge(local.common_tags, {
+    Name = "${local.name_prefix}-events-dlq"
+  })
+}
+
+resource "aws_sqs_queue" "quantum_events" {
+  name                       = "${local.name_prefix}-events"
+  visibility_timeout_seconds = 45
+  message_retention_seconds  = 345600
+
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.quantum_dlq.arn
+    maxReceiveCount     = 3
+  })
+
+  tags = merge(local.common_tags, {
+    Name = "${local.name_prefix}-events"
+  })
+}
+
+resource "aws_secretsmanager_secret" "quantum_app" {
+  name                    = "${local.name_prefix}/app"
+  recovery_window_in_days = 0
+
+  tags = merge(local.common_tags, {
+    Name = "${local.name_prefix}-app-secret"
+  })
+}
+
+resource "aws_secretsmanager_secret_version" "quantum_app" {
+  secret_id = aws_secretsmanager_secret.quantum_app.id
+
+  secret_string = jsonencode({
+    databaseUrl = "postgres://quantum_user:fake_password@quantum-${var.environment}-db.local:5432/quantum"
+    apiKey      = "qtm_${var.environment}_fake_123456"
+    jwtSecret   = "localstack-only-secret-${var.environment}"
+  })
+}
+
+resource "aws_iam_role" "quantum_lambda" {
+  name = "${local.name_prefix}-lambda-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+
+  tags = local.common_tags
+}
+
+resource "aws_iam_policy" "quantum_lambda" {
+  name        = "${local.name_prefix}-lambda-policy"
+  description = "Simulated permissions for the Quantum Lambda function on LocalStack."
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "sqs:ReceiveMessage",
+          "sqs:DeleteMessage",
+          "sqs:GetQueueAttributes"
+        ]
+        Resource = aws_sqs_queue.quantum_events.arn
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "secretsmanager:GetSecretValue"
+        ]
+        Resource = aws_secretsmanager_secret.quantum_app.arn
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:ListBucket"
+        ]
+        Resource = [
+          aws_s3_bucket.quantum_artifacts.arn,
+          "${aws_s3_bucket.quantum_artifacts.arn}/*"
+        ]
+      }
+    ]
+  })
+
+  tags = local.common_tags
+}
+
+resource "aws_iam_role_policy_attachment" "quantum_lambda" {
+  role       = aws_iam_role.quantum_lambda.name
+  policy_arn = aws_iam_policy.quantum_lambda.arn
+}
+
+resource "aws_cloudwatch_log_group" "quantum_lambda" {
+  name              = "/aws/lambda/${local.name_prefix}-processor"
+  retention_in_days = 14
+
+  tags = local.common_tags
+}
+
+resource "aws_lambda_function" "quantum_processor" {
+  function_name    = "${local.name_prefix}-processor"
+  description      = "Fictional event processor for the Quantum application."
+  role             = aws_iam_role.quantum_lambda.arn
+  runtime          = "python3.11"
+  handler          = "handler.lambda_handler"
+  filename         = data.archive_file.quantum_lambda.output_path
+  source_code_hash = data.archive_file.quantum_lambda.output_base64sha256
+  timeout          = 30
+  memory_size      = 256
+
+  environment {
+    variables = {
+      APP_NAME    = "Quantum"
+      BUCKET_NAME = aws_s3_bucket.quantum_artifacts.bucket
+      SECRET_NAME = aws_secretsmanager_secret.quantum_app.name
+      QUEUE_URL   = aws_sqs_queue.quantum_events.url
+    }
+  }
+
+  depends_on = [
+    aws_cloudwatch_log_group.quantum_lambda,
+    aws_iam_role_policy_attachment.quantum_lambda
+  ]
+
+  tags = local.common_tags
+}
+
+resource "aws_lambda_event_source_mapping" "quantum_events" {
+  event_source_arn = aws_sqs_queue.quantum_events.arn
+  function_name    = aws_lambda_function.quantum_processor.arn
+  batch_size       = 5
+  enabled          = true
+}

modules/quantum/outputs.tf

@@ -0,0 +1,29 @@
+output "quantum_bucket_name" {
+  description = "S3 bucket for the Quantum application."
+  value       = aws_s3_bucket.quantum_artifacts.bucket
+}
+
+output "quantum_queue_url" {
+  description = "Main SQS queue URL."
+  value       = aws_sqs_queue.quantum_events.url
+}
+
+output "quantum_dlq_url" {
+  description = "DLQ URL."
+  value       = aws_sqs_queue.quantum_dlq.url
+}
+
+output "quantum_lambda_name" {
+  description = "Processor Lambda function name."
+  value       = aws_lambda_function.quantum_processor.function_name
+}
+
+output "quantum_log_group_name" {
+  description = "CloudWatch Log Group for the Lambda function."
+  value       = aws_cloudwatch_log_group.quantum_lambda.name
+}
+
+output "quantum_secret_name" {
+  description = "Secrets Manager secret name."
+  value       = aws_secretsmanager_secret.quantum_app.name
+}

modules/quantum/variables.tf

@@ -0,0 +1,10 @@
+variable "project_name" {
+  description = "Short name of the fictional project."
+  type        = string
+  default     = "quantum"
+}
+
+variable "environment" {
+  description = "Fictional application environment."
+  type        = string
+}

modules/quantum/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.6.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.4"
+    }
+  }
+}