From 2b3a561b308359a52326c156490f7178d8bb9b79 Mon Sep 17 00:00:00 2001
From: edulop
Date: Mon, 12 Apr 2021 16:32:04 -0400
Subject: [PATCH 1/9] [feature]: lambda vpc_config and memory_size
---
 aws-lambda-function/main.tf | 11 +++++++++++
 aws-lambda-function/variables.tf | 16 ++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/aws-lambda-function/main.tf b/aws-lambda-function/main.tf
index d440465e..3e36741f 100644
--- a/aws-lambda-function/main.tf
+++ b/aws-lambda-function/main.tf
@@ -39,6 +39,17 @@ resource aws_lambda_function lambda {
 }
 }
 
+ dynamic vpc_config {
+ for_each = compact([var.vpc_config])
+
+ content {
+ subnet_ids = vpc_config.subnet_ids
+ security_group_ids = vpc_config.security_group_ids
+ }
+ }
+
+ memory_size = var.memory_size
+
 tags = local.tags
 }
 
diff --git a/aws-lambda-function/variables.tf b/aws-lambda-function/variables.tf
index 126bf312..bc4e6cd5 100755
--- a/aws-lambda-function/variables.tf
+++ b/aws-lambda-function/variables.tf
@@ -108,3 +108,19 @@ variable reserved_concurrent_executions {
 description = "Set reserved_concurrent_executions for this function. See [docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html)."
 default = -1 // aws default
 }
+
+variable vpc_config {
+ type = object({
+ subnet_ids = list(string),
+ security_group_ids = list(string)
+ })
+
+ description = "The lambda's vpc configuration"
+ default = null
+}
+
+variable memory_size {
+ type = number
+ description = "Amount of memory to allocate to the lambda"
+ default = 128
+}
From 7768b6cb7447ef9bbb0c769845e62c8508bf8755 Mon Sep 17 00:00:00 2001
From: edulop
Date: Mon, 12 Apr 2021 16:33:18 -0400
Subject: [PATCH 2/9] README
---
 aws-lambda-function/README.md | 79 ++++++++++++++++++++++-------------
 1 file changed, 49 insertions(+), 30 deletions(-)
diff --git a/aws-lambda-function/README.md b/aws-lambda-function/README.md
index 027d9b33..931d4462 100644
--- a/aws-lambda-function/README.md
+++ b/aws-lambda-function/README.md
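Review bot: The description of the new `vpc_config` variable in variables.tf says nothing about what attaching the function to a VPC changes for its network posture — the function's egress is then governed by the listed security groups and the subnets' route tables (a subnet with no NAT route leaves the function without internet access), and the execution role needs permission to manage the network interfaces Lambda creates, which this series only adds later in 6/9, 8/9 and 9/9. A description such as `"VPC configuration for the lambda. When set, egress is governed by security_group_ids and the subnets' routing; the execution role must be allowed to manage ENIs."` would give callers that context. The `memory_size` default of 128 is the AWS default, so for consistency with `reserved_concurrent_executions` just above it, write `default = 128 // aws default`.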
@@ -24,49 +24,68 @@ module lambda { | Name | Version | |------|---------| -| aws | < 3.0.0 | +| [aws](#requirement\_aws) | < 3.0.0 | ## Providers | Name | Version | |------|---------| -| aws | < 3.0.0 | +| [aws](#provider\_aws) | < 3.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_policy.lambda_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.lambda_logging_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| at\_edge | Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables. | `bool` | `false` | no | -| env | Env for tagging and naming. 
See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | -| environment | Map of environment variables. | `map(string)` | `{}` | no | -| filename | n/a | `string` | `null` | no | -| function\_description | Description for lambda function. | `string` | `""` | no | -| function\_name | If not set, function use default naming convention of $project-$env-$service. See local.name in main.tf | `string` | `null` | no | -| handler | Name of the lambda handler. | `string` | n/a | yes | -| kms\_key\_arn | KMS key used to encrypt environment variables. | `string` | `null` | no | -| lambda\_role\_path | The path to the IAM role for lambda. | `string` | `null` | no | -| log\_retention\_in\_days | n/a | `number` | `null` | no | -| owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | -| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | -| publish\_lambda | Whether to publish creation/change as new lambda function version. | `bool` | `false` | no | -| reserved\_concurrent\_executions | Set reserved\_concurrent\_executions for this function. See [docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html). | `number` | `-1` | no | -| runtime | Lambda language runtime. | `string` | n/a | yes | -| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | -| source\_code\_hash | n/a | `string` | `null` | no | -| source\_s3\_bucket | Bucket holding lambda source code. | `string` | `null` | no | -| source\_s3\_key | Key identifying location of code. | `string` | `null` | no | -| timeout | Execution timeout for the lambda. | `number` | `null` | no | +| [at\_edge](#input\_at\_edge) | Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables. 
| `bool` | `false` | no | +| [env](#input\_env) | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | +| [environment](#input\_environment) | Map of environment variables. | `map(string)` | `{}` | no | +| [filename](#input\_filename) | n/a | `string` | `null` | no | +| [function\_description](#input\_function\_description) | Description for lambda function. | `string` | `""` | no | +| [function\_name](#input\_function\_name) | If not set, function use default naming convention of $project-$env-$service. See local.name in main.tf | `string` | `null` | no | +| [handler](#input\_handler) | Name of the lambda handler. | `string` | n/a | yes | +| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key used to encrypt environment variables. | `string` | `null` | no | +| [lambda\_role\_path](#input\_lambda\_role\_path) | The path to the IAM role for lambda. | `string` | `null` | no | +| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | n/a | `number` | `null` | no | +| [memory\_size](#input\_memory\_size) | Amount of memory to allocate to the lambda | `number` | `128` | no | +| [owner](#input\_owner) | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | +| [project](#input\_project) | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | +| [publish\_lambda](#input\_publish\_lambda) | Whether to publish creation/change as new lambda function version. | `bool` | `false` | no | +| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | Set reserved\_concurrent\_executions for this function. See [docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html). | `number` | `-1` | no | +| [runtime](#input\_runtime) | Lambda language runtime. | `string` | n/a | yes | +| [service](#input\_service) | Service for tagging and naming. 
See [doc](../README.md#consistent-tagging) | `string` | n/a | yes | +| [source\_code\_hash](#input\_source\_code\_hash) | n/a | `string` | `null` | no | +| [source\_s3\_bucket](#input\_source\_s3\_bucket) | Bucket holding lambda source code. | `string` | `null` | no | +| [source\_s3\_key](#input\_source\_s3\_key) | Key identifying location of code. | `string` | `null` | no | +| [timeout](#input\_timeout) | Execution timeout for the lambda. | `number` | `null` | no | +| [vpc\_config](#input\_vpc\_config) | The lambda's vpc configuration |
object({
subnet_ids = list(string),
security_group_ids = list(string)
})
| `null` | no | ## Outputs | Name | Description | |------|-------------| -| arn | n/a | -| function\_name | n/a | -| invoke\_arn | n/a | -| log\_group\_name | n/a | -| qualified\_arn | If the lambda function is published, the qualified\_arn points at the latest version number. | -| role\_id | n/a | -| role\_name | n/a | - +| [arn](#output\_arn) | n/a | +| [function\_name](#output\_function\_name) | n/a | +| [invoke\_arn](#output\_invoke\_arn) | n/a | +| [log\_group\_name](#output\_log\_group\_name) | n/a | +| [qualified\_arn](#output\_qualified\_arn) | If the lambda function is published, the qualified\_arn points at the latest version number. | +| [role\_id](#output\_role\_id) | n/a | +| [role\_name](#output\_role\_name) | n/a | From 8e406dd1d9b860f9c94bddeec289408fa7e5c2f4 Mon Sep 17 00:00:00 2001 From: edulop Date: Mon, 12 Apr 2021 16:56:44 -0400 Subject: [PATCH 3/9] fix dynamic condition --- aws-lambda-function/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aws-lambda-function/main.tf b/aws-lambda-function/main.tf index 3e36741f..2979976e 100644 --- a/aws-lambda-function/main.tf +++ b/aws-lambda-function/main.tf @@ -40,11 +40,11 @@ resource aws_lambda_function lambda { } dynamic vpc_config { - for_each = compact([var.vpc_config]) + for_each = var.vpc_config == nil ? [] : [0] content { - subnet_ids = vpc_config.subnet_ids - security_group_ids = vpc_config.security_group_ids + subnet_ids = var.vpc_config.subnet_ids + security_group_ids = var.vpc_config.security_group_ids } } From 97de336a6e7b7086036d8cdb8c6e66004bc34894 Mon Sep 17 00:00:00 2001 From: edulop Date: Mon, 12 Apr 2021 16:57:50 -0400 Subject: [PATCH 4/9] s/nil/null/ --- aws-lambda-function/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-lambda-function/main.tf b/aws-lambda-function/main.tf index 2979976e..2644e754 100644 --- a/aws-lambda-function/main.tf +++ b/aws-lambda-function/main.tf 
@@ -40,7 +40,7 @@ resource aws_lambda_function lambda { } dynamic vpc_config { - for_each = var.vpc_config == nil ? [] : [0] + for_each = var.vpc_config == null ? [] : [0] content { subnet_ids = var.vpc_config.subnet_ids From a9d1334a5046409dbd9d2aeb1191399976a0ad2d Mon Sep 17 00:00:00 2001 From: edulop Date: Mon, 12 Apr 2021 17:02:04 -0400 Subject: [PATCH 5/9] fmt --- aws-lambda-function/main.tf | 24 +++++++-------- aws-lambda-function/outputs.tf | 14 ++++----- aws-lambda-function/variables.tf | 52 ++++++++++++++++---------------- 3 files changed, 45 insertions(+), 45 deletions(-) diff --git a/aws-lambda-function/main.tf b/aws-lambda-function/main.tf index 2644e754..8f58f376 100644 --- a/aws-lambda-function/main.tf +++ b/aws-lambda-function/main.tf @@ -12,7 +12,7 @@ locals { } -resource aws_lambda_function lambda { +resource "aws_lambda_function" "lambda" { s3_bucket = var.source_s3_bucket s3_key = var.source_s3_key @@ -31,7 +31,7 @@ resource aws_lambda_function lambda { reserved_concurrent_executions = var.reserved_concurrent_executions - dynamic environment { + dynamic "environment" { for_each = length(var.environment) > 0 ? [0] : [] content { @@ -39,11 +39,11 @@ resource aws_lambda_function lambda { } } - dynamic vpc_config { + dynamic "vpc_config" { for_each = var.vpc_config == null ? [] : [0] content { - subnet_ids = var.vpc_config.subnet_ids + subnet_ids = var.vpc_config.subnet_ids security_group_ids = var.vpc_config.security_group_ids } } @@ -53,7 +53,7 @@ resource aws_lambda_function lambda { tags = local.tags } -data aws_iam_policy_document lambda_role_policy { +data "aws_iam_policy_document" "lambda_role_policy" { statement { principals { type = "Service" @@ -66,7 +66,7 @@ data aws_iam_policy_document lambda_role_policy { } } -resource aws_iam_role role { +resource "aws_iam_role" "role" { name = local.name path = var.lambda_role_path 
@@ -75,13 +75,13 @@ resource aws_iam_role role { tags = local.tags } -resource aws_cloudwatch_log_group log { +resource "aws_cloudwatch_log_group" "log" { name = "/aws/lambda/${local.name}" retention_in_days = var.log_retention_in_days } -data aws_region current {} -data aws_caller_identity current {} +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} # TODO scope this policy down # @@ -92,7 +92,7 @@ data aws_caller_identity current {} # arn:aws:logs:us-west-2:123456789:log-group:/foo/bar # to match operations on the log group(like creating a new stream.) So instead we construct one # without the colon before the *, so that we can match both log groups and log streams. -data aws_iam_policy_document lambda_logging_policy { +data "aws_iam_policy_document" "lambda_logging_policy" { statement { effect = "Allow" actions = compact([ @@ -109,7 +109,7 @@ data aws_iam_policy_document lambda_logging_policy { } } -resource aws_iam_policy lambda_logging { +resource "aws_iam_policy" "lambda_logging" { name_prefix = "${local.name}-lambda-logging" path = "/" description = "IAM policy for logging from the ${local.name} lambda." @@ -117,7 +117,7 @@ resource aws_iam_policy lambda_logging { policy = data.aws_iam_policy_document.lambda_logging_policy.json } -resource aws_iam_role_policy_attachment lambda_logs { +resource "aws_iam_role_policy_attachment" "lambda_logs" { role = aws_iam_role.role.name policy_arn = aws_iam_policy.lambda_logging.arn } diff --git a/aws-lambda-function/outputs.tf b/aws-lambda-function/outputs.tf index 04750dd5..29e8f017 100755 --- a/aws-lambda-function/outputs.tf +++ b/aws-lambda-function/outputs.tf 
@@ -1,28 +1,28 @@ -output arn { +output "arn" { value = aws_lambda_function.lambda.arn } -output qualified_arn { +output "qualified_arn" { description = "If the lambda function is published, the qualified_arn points at the latest version number." value = aws_lambda_function.lambda.qualified_arn } -output invoke_arn { +output "invoke_arn" { value = aws_lambda_function.lambda.invoke_arn } -output function_name { +output "function_name" { value = aws_lambda_function.lambda.function_name } -output log_group_name { +output "log_group_name" { value = aws_cloudwatch_log_group.log.name } -output role_name { +output "role_name" { value = aws_iam_role.role.name } -output role_id { +output "role_id" { value = aws_iam_role.role.id } diff --git a/aws-lambda-function/variables.tf b/aws-lambda-function/variables.tf index bc4e6cd5..2a270b79 100755 --- a/aws-lambda-function/variables.tf +++ b/aws-lambda-function/variables.tf 
@@ -1,126 +1,126 @@ -variable project { +variable "project" { type = string description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)" } -variable env { +variable "env" { type = string description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)" } -variable service { +variable "service" { type = string description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)" } -variable owner { +variable "owner" { type = string description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)" } -variable source_s3_bucket { +variable "source_s3_bucket" { type = string description = "Bucket holding lambda source code." default = null } -variable source_s3_key { +variable "source_s3_key" { type = string description = "Key identifying location of code." default = null } -variable handler { +variable "handler" { type = string description = "Name of the lambda handler." } -variable runtime { +variable "runtime" { type = string description = "Lambda language runtime." } -variable timeout { +variable "timeout" { type = number description = "Execution timeout for the lambda." default = null } -variable environment { +variable "environment" { type = map(string) description = "Map of environment variables." default = {} } -variable kms_key_arn { +variable "kms_key_arn" { type = string description = "KMS key used to encrypt environment variables." default = null } -variable source_code_hash { +variable "source_code_hash" { type = string default = null } -variable filename { +variable "filename" { type = string default = null } -variable log_retention_in_days { +variable "log_retention_in_days" { type = number default = null } -variable function_name { +variable "function_name" { type = string description = "If not set, function use default naming convention of $project-$env-$service. 
See local.name in main.tf" default = null } -variable function_description { +variable "function_description" { type = string description = "Description for lambda function." default = "" } -variable publish_lambda { +variable "publish_lambda" { type = bool description = "Whether to publish creation/change as new lambda function version." default = false } -variable lambda_role_path { +variable "lambda_role_path" { type = string description = "The path to the IAM role for lambda." default = null } -variable at_edge { +variable "at_edge" { type = bool description = "Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables." default = false } -variable reserved_concurrent_executions { +variable "reserved_concurrent_executions" { type = number description = "Set reserved_concurrent_executions for this function. See [docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html)." default = -1 // aws default } -variable vpc_config { +variable "vpc_config" { type = object({ - subnet_ids = list(string), + subnet_ids = list(string), security_group_ids = list(string) }) description = "The lambda's vpc configuration" - default = null + default = null } -variable memory_size { - type = number +variable "memory_size" { + type = number description = "Amount of memory to allocate to the lambda" - default = 128 + default = 128 } From 3d750808a6e008ec58beddcefdd65d79f886b5c7 Mon Sep 17 00:00:00 2001 From: edulop Date: Mon, 12 Apr 2021 17:08:29 -0400 Subject: [PATCH 6/9] allow network interface creation --- aws-lambda-function/main.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/aws-lambda-function/main.tf b/aws-lambda-function/main.tf index 8f58f376..0e31d9f9 100644 --- a/aws-lambda-function/main.tf +++ b/aws-lambda-function/main.tf 
@@ -121,3 +121,23 @@ resource "aws_iam_role_policy_attachment" "lambda_logs" {
 role = aws_iam_role.role.name
 policy_arn = aws_iam_policy.lambda_logging.arn
 }
+
+// Execution role basic permissions
+data "aws_iam_policy_document" "role" {
+ statement {
+ sid = "ec2"
+ effect = "Allow"
+ actions = [
+ "ec2:CreateNetworkInterface",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+}
+
+resource "aws_iam_role_policy" "role" {
+ role = aws_iam_role.role.name
+ policy = aws_iam_policy_document.role.json
+}
From 51946bb1cddb164a879218620823355135d06e2b Mon Sep 17 00:00:00 2001
From: edulop
Date: Mon, 12 Apr 2021 17:09:47 -0400
Subject: [PATCH 7/9] fix
---
 aws-lambda-function/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-lambda-function/main.tf b/aws-lambda-function/main.tf
index 0e31d9f9..1009e3df 100644
--- a/aws-lambda-function/main.tf
+++ b/aws-lambda-function/main.tf
@@ -139,5 +139,5 @@ data "aws_iam_policy_document" "role" {
 
 resource "aws_iam_role_policy" "role" {
 role = aws_iam_role.role.name
- policy = aws_iam_policy_document.role.json
+ policy = data.aws_iam_policy_document.role.json
 }
From 88f8fcebb10474a2b11b0e2534a86a9081d182db Mon Sep 17 00:00:00 2001
From: edulop
Date: Mon, 12 Apr 2021 17:12:16 -0400
Subject: [PATCH 8/9] moore permis
---
 aws-lambda-function/main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/aws-lambda-function/main.tf b/aws-lambda-function/main.tf
index 1009e3df..fff208b5 100644
--- a/aws-lambda-function/main.tf
+++ b/aws-lambda-function/main.tf
@@ -129,6 +129,7 @@ data "aws_iam_policy_document" "role" {
 effect = "Allow"
 actions = [
 "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
 ]
 
 resources = [
From d19d4880bbe1984291d023025876ce5e9ca75fcf Mon Sep 17 00:00:00 2001
From: edulop
Date: Mon, 12 Apr 2021 17:17:50 -0400
Subject: [PATCH 9/9] moore permis
---
 aws-lambda-function/main.tf | 1 +
 1 file changed, 1 insertion(+)
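Review bot: The inline policy added in 6/9 grants `ec2:CreateNetworkInterface` on `"*"` to every execution role this module creates, whether or not `vpc_config` is set; these ENI permissions are only needed when the function is attached to a VPC, so gate the attachment on the variable with `count = var.vpc_config == null ? 0 : 1` on `aws_iam_role_policy.role` (8/9 and 9/9 grow the same statement with `ec2:DescribeNetworkInterfaces` and `ec2:DeleteNetworkInterface` and inherit the same unconditional grant). The `"*"` resource is presumably needed because Lambda creates the interfaces on the module's behalf; if the provider and IAM allow a condition on the configured subnets, scoping the statement to `var.vpc_config.subnet_ids` would be tighter — worth checking rather than leaving it wildcarded silently. The header comment `// Execution role basic permissions` and `sid = "ec2"` undersell what the statement does; `// ENI permissions Lambda needs only when the function is attached to a VPC (vpc_config set)` would say it. The logging permissions in this file go through a managed `aws_iam_policy` plus `aws_iam_role_policy_attachment`, while this uses an inline `aws_iam_role_policy`; either align the two or note why inline was chosen here.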
diff --git a/aws-lambda-function/main.tf b/aws-lambda-function/main.tf
index fff208b5..740b82b3 100644
--- a/aws-lambda-function/main.tf
+++ b/aws-lambda-function/main.tf
@@ -130,6 +130,7 @@ data "aws_iam_policy_document" "role" {
 actions = [
 "ec2:CreateNetworkInterface",
 "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface",
 ]
 
 resources = [