NHSDigital · amarauzoma · Mar 16, 2026
diff --git a/infrastructure/instance/endpoints.tf b/infrastructure/instance/endpoints.tf
@@ -12,7 +12,10 @@ module "get_status" {
   prefix                            = local.prefix
   short_prefix                      = local.short_prefix
   function_name                     = "get_status"
-  image_uri                         = module.docker_image.image_uri
+  lambda_source_dir                 = local.lambda_dir
+  shared_source_dir                 = "${local.shared_dir}/src/common"
+  source_hash                       = "${local.lambda_dir_sha}-${local.shared_dir_sha}"
+  artifact_s3_bucket                = aws_s3_bucket.batch_data_source_bucket.bucket
   policy_json                       = data.aws_iam_policy_document.logs_policy_document.json
   error_alarm_notifications_enabled = var.error_alarm_notifications_enabled
   environment                       = var.environment
@@ -65,7 +68,10 @@ module "imms_event_endpoint_lambdas" {
   prefix                            = local.prefix
   short_prefix                      = local.short_prefix
   function_name                     = local.imms_endpoints[count.index]
-  image_uri                         = module.docker_image.image_uri
+  lambda_source_dir                 = local.lambda_dir
+  shared_source_dir                 = "${local.shared_dir}/src/common"
+  source_hash                       = "${local.lambda_dir_sha}-${local.shared_dir_sha}"
+  artifact_s3_bucket                = aws_s3_bucket.batch_data_source_bucket.bucket
   policy_json                       = data.aws_iam_policy_document.imms_policy_document.json
   environment_variables             = local.imms_lambda_env_vars
   vpc_subnet_ids                    = local.private_subnet_ids

diff --git a/infrastructure/instance/lambda.tf b/infrastructure/instance/lambda.tf
@@ -4,83 +4,3 @@ locals {
   lambda_files   = fileset(local.lambda_dir, "**")
   lambda_dir_sha = sha1(join("", [for f in local.lambda_files : filesha1("${local.lambda_dir}/${f}")]))
 }
-
-resource "aws_ecr_repository" "operation_lambda_repository" {
-  image_scanning_configuration {
-    scan_on_push = true
-  }
-  name         = "${local.prefix}-operation-lambda-repo"
-  force_delete = local.is_temp
-}
-
-# Module for building and pushing Docker image to ECR
-module "docker_image" {
-  source  = "terraform-aws-modules/lambda/aws//modules/docker-build"
-  version = "8.7.0"
-
-  create_ecr_repo  = false
-  ecr_repo         = "${local.prefix}-operation-lambda-repo"
-  docker_file_path = "./backend/Dockerfile"
-  ecr_repo_lifecycle_policy = jsonencode({
-    "rules" : [
-      {
-        "rulePriority" : 1,
-        "description" : "Keep only the last 2 images",
-        "selection" : {
-          "tagStatus" : "any",
-          "countType" : "imageCountMoreThan",
-          "countNumber" : 2
-        },
-        "action" : {
-          "type" : "expire"
-        }
-      }
-    ]
-  })
-
-  platform      = "linux/amd64"
-  use_image_tag = false
-  source_path   = abspath("${path.root}/../../lambdas")
-  triggers = {
-    dir_sha        = local.lambda_dir_sha
-    shared_dir_sha = local.shared_dir_sha
-  }
-}
-
-# Define the lambdaECRImageRetreival policy
-resource "aws_ecr_repository_policy" "operation_lambda_ECRImageRetreival_policy" {
-  repository = aws_ecr_repository.operation_lambda_repository.name
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        "Sid" : "LambdaECRImageRetrievalPolicy",
-        "Effect" : "Allow",
-        "Principal" : {
-          "Service" : "lambda.amazonaws.com"
-        },
-        "Action" : [
-          "ecr:BatchGetImage",
-          "ecr:DeleteRepositoryPolicy",
-          "ecr:GetDownloadUrlForLayer",
-          "ecr:GetRepositoryPolicy",
-          "ecr:SetRepositoryPolicy"
-        ],
-        "Condition" : {
-          "StringLike" : {
-            "aws:sourceArn" : [
-              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_get_status",
-              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_not_found",
-              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_search_imms",
-              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_get_imms",
-              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_delete_imms",
-              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_create_imms",
-              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_update_imms"
-            ]
-          }
-        }
-      }
-    ]
-  })
-}
diff --git a/infrastructure/instance/modules/lambda/lambda.tf b/infrastructure/instance/modules/lambda/lambda.tf
@@ -1,17 +1,40 @@
-module "lambda_function_container_image" {
+module "lambda_function_zip" {
   source  = "terraform-aws-modules/lambda/aws"
   version = "8.0.1"
 
   create_role                       = false
   lambda_role                       = aws_iam_role.lambda_role.arn
   function_name                     = "${var.short_prefix}_${var.function_name}"
   handler                           = "${var.function_name}_handler.${var.function_name}_handler"
+  runtime                           = "python3.11"
   cloudwatch_logs_retention_in_days = 30
-  create_package                    = false
-  image_uri                         = var.image_uri
-  package_type                      = "Image"
+  package_type                      = "Zip"
   architectures                     = ["x86_64"]
   timeout                           = 6
+  store_on_s3                       = true
+  s3_bucket                         = var.artifact_s3_bucket
+  s3_prefix                         = "lambda-artifacts/${var.short_prefix}_${var.function_name}"
+  build_in_docker                   = true
+  hash_extra                        = var.source_hash
+  trigger_on_package_timestamp      = false
+
+  source_path = [
+    {
+      path = "${var.lambda_source_dir}/src"
+    },
+    {
+      path          = var.shared_source_dir
+      prefix_in_zip = "common"
+    },
+    {
+      path           = var.lambda_source_dir
+      poetry_install = true
+      patterns = [
+        "pyproject.toml",
+        "poetry.lock"
+      ]
+    }
+  ]
 
   vpc_subnet_ids         = var.vpc_subnet_ids
   vpc_security_group_ids = var.vpc_security_group_ids
@@ -21,7 +44,6 @@ module "lambda_function_container_image" {
   memory_size = 1024
 
   environment_variables = var.environment_variables
-  image_config_command  = ["${var.function_name}_handler.${var.function_name}_handler"]
 }
 
 resource "aws_cloudwatch_metric_alarm" "memory_alarm" {
@@ -42,7 +64,7 @@ resource "aws_cloudwatch_log_metric_filter" "max_memory_used_metric" {
   name    = "${var.short_prefix}_${var.function_name} max memory used"
   pattern = "[type=REPORT, ...]"
 
-  log_group_name = module.lambda_function_container_image.lambda_cloudwatch_log_group_name
+  log_group_name = module.lambda_function_zip.lambda_cloudwatch_log_group_name
 
   metric_transformation {
     name      = "max-memory-used"
@@ -56,7 +78,7 @@ resource "aws_cloudwatch_log_metric_filter" "fhir_api_error_logs" {
 
   name           = "${var.short_prefix}_${var.function_name}-ErrorLogsFilter"
   pattern        = "{ $.operation_outcome.status = \"500\" || $.operation_outcome.status = \"403\" }"
-  log_group_name = module.lambda_function_container_image.lambda_cloudwatch_log_group_name
+  log_group_name = module.lambda_function_zip.lambda_cloudwatch_log_group_name
 
   metric_transformation {
     name      = "${var.short_prefix}_${var.function_name}-ApiErrorLogs"

diff --git a/infrastructure/instance/modules/lambda/outputs.tf b/infrastructure/instance/modules/lambda/outputs.tf
@@ -1,9 +1,9 @@
 output "function_name" {
-  value = module.lambda_function_container_image.lambda_function_name
+  value = module.lambda_function_zip.lambda_function_name
 }
 output "lambda_arn" {
-  value = module.lambda_function_container_image.lambda_function_arn
+  value = module.lambda_function_zip.lambda_function_arn
 }
 output "invoke_arn" {
-  value = module.lambda_function_container_image.lambda_function_invoke_arn
+  value = module.lambda_function_zip.lambda_function_invoke_arn
 }
diff --git a/infrastructure/instance/modules/lambda/variables.tf b/infrastructure/instance/modules/lambda/variables.tf
@@ -15,7 +15,19 @@ variable "error_alarm_notifications_enabled" {
   type        = string
 }
 
-variable "image_uri" {
+variable "lambda_source_dir" {
+  type = string
+}
+
+variable "shared_source_dir" {
+  type = string
+}
+
+variable "source_hash" {
+  type = string
+}
+
+variable "artifact_s3_bucket" {
   type = string
 }