Loading functions.tf 0 → 100644 +180 −0 Original line number Diff line number Diff line locals { function_name_prefix = local.Name functions = [ "_dns", ] } data "aws_iam_policy_document" "lambda_assume_policy" { statement { effect = "Allow" actions = ["sts:AssumeRole"] principals { type = "Service" identifiers = ["lambda.amazonaws.com"] } } } locals { lambda_assume_policy_doc = data.aws_iam_policy_document.lambda_assume_policy.json } resource "aws_iam_role" "lambda" { name = local.Name assume_role_policy = local.lambda_assume_policy_doc tags = local.common_tags } locals { lambda_role_arn = aws_iam_role.lambda.arn lambda_role_name = aws_iam_role.lambda.name } output "lambda_role_arn" { description = "ARN of the Lambda function IAM role." value = local.lambda_role_arn } output "lambda_role_name" { description = "Name of the Lambda function IAM role." value = local.lambda_role_name } locals { function_role_policies = [ local.publish_policy_arn, #local.log_policy_arn, "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ] } resource "aws_iam_role_policy_attachment" "function" { count = length(local.function_role_policies) role = local.lambda_role_name policy_arn = local.function_role_policies[count.index] } variable "runtime" { default = "python3.8" description = "The Lambda function runtime." type = string } output "runtime" { description = "The Lambda function runtime." value = var.runtime } variable "memory_size" { default = 128 description = "Amount of memory in MB allocated to the function invocation." type = number } output "memory_size" { description = "Amount of memory in MB allocated to the function invocation." value = var.memory_size } variable "timeout" { default = 30 description = "Amouyynt of time in seconds the function has to run." type = number } output "timeout" { description = "Amount of memory in MB allocated to the function invocation." value = var.timeout } resource "aws_lambda_function" "function" { count = length(local.functions) runtime = var.runtime function_name = "${local.function_name_prefix}_${local.functions[count.index]}" role = local.lambda_role_arn source_code_hash = filebase64sha256("payload.zip") s3_bucket = local.payloads_bucket_name s3_key = local.payload_object_name s3_object_version = local.payload_object_version package_type = "Zip" handler = "${local.functions[count.index]}.handler" description = "${local.module} ${local.functions[count.index]} check in ${local.env}." memory_size = var.memory_size tags = local.common_tags timeout = var.timeout environment { variables = { ENV = local.env MODULE = local.module TOPIC_ARN = local.topic_arn VERSION = local.payload_object_version } } # Create the log group with retention before the function is created. # Otherwise it's created without retention and need to be imported. depends_on = [ aws_cloudwatch_log_group.lambda, ] } locals { function_arns = aws_lambda_function.function.*.arn function_names = aws_lambda_function.function.*.id function_versions = aws_lambda_function.function.*.version } output "function_arns" { description = "ARNs of the Lambda functions." value = local.function_arns } output "function_names" { description = "Names of the Lambda functions." value = local.function_names } output "function_versions" { description = "Versions of the Lambda functions." value = local.function_versions } output "function_version_mapping" { description = "Mapping of the function and version." value = zipmap(local.functions, local.function_versions) } resource "aws_lambda_alias" "function" { count = length(local.functions) name = "${local.function_name_prefix}_${local.functions[count.index]}" function_name = local.function_arns[count.index] function_version = local.function_versions[count.index] } locals { function_alias_arns = aws_lambda_alias.function.*.arn function_alias_names = aws_lambda_alias.function.*.name } output "function_alias_arns" { description = "ARNs of the Lambda functions aliases." value = local.function_alias_arns } output "function_alias_names" { description = "Names of the Lambda functions aliases." value = local.function_alias_names } resource "aws_lambda_permission" "cloudwatch" { count = length(local.function_arns) statement_id = "AllowExecutionFromCloudWatch" action = "lambda:InvokeFunction" principal = "events.amazonaws.com" source_arn = local.cloudwatch_rule_arn function_name = local.function_names[count.index] qualifier = local.function_alias_names[count.index] } log-groups.tf 0 → 100644 +59 −0 Original line number Diff line number Diff line resource "aws_cloudwatch_log_group" "lambda" { count = length(local.functions) name = "/aws/lambda/${local.function_name_prefix}_${local.functions[count.index]}" retention_in_days = var.log_retention tags = local.common_tags } locals { log_group_arns = aws_cloudwatch_log_group.lambda.*.arn log_group_names = aws_cloudwatch_log_group.lambda.*.name } output "log_group_arns" { description = "ARNs of the CloudWatch log groups for Lambda function invocations." value = local.log_group_arns } output "log_group_names" { description = "Names of the CloudWatch log groups for Lambda function invocations." value = local.log_group_names } data "aws_iam_policy_document" "log" { statement { effect = "Allow" actions = [ "logs:CreateLogStream", "logs:PutLogEvents", ] resources = [for arn in local.log_group_arns : "${arn}/*"] } } locals { log_policy_doc = data.aws_iam_policy_document.log.json } resource "aws_iam_policy" "log" { name = "${local.module}-${local.env}-log" policy = local.log_policy_doc tags = local.common_tags } locals { log_policy_arn = aws_iam_policy.log.arn log_policy_name = aws_iam_policy.log.name } output "log_policy_arn" { value = local.log_policy_arn description = "CloudWatch log IAM policy ARN." } output "log_policy_name" { value = local.log_policy_name description = "CloudWatch log IAM policy name." } main.tf +65 −1 Original line number Diff line number Diff line Loading @@ -12,8 +12,72 @@ locals { Name = "${local.module}-${local.env}" } output "env" { description = "Environment (prod/dev etc.)." value = local.env } output "module" { description = "The name of the Terraform module, used to tagging resources." value = local.module } variable "region" { default = "us-east-1" description = "AWS region." type = string } output "region" { description = "AWS region." value = var.region } provider "aws" { region = var.region } provider "template" {} resource "aws_resourcegroups_group" "group" { name = local.Name tags = local.common_tags resource_query { query = <<EOF { "ResourceTypeFilters": [ "AWS::AllSupported" ], "TagFilters": [ { "Key": "Module", "Values": ["${local.module}"] }, { "Key": "Environment", "Values": ["${local.env}"] } ] } EOF } } locals { resource_group_arn = aws_resourcegroups_group.group.arn resource_group_name = aws_resourcegroups_group.group.name } output "resource_group_arn" { description = "ARN of the resource group." value = local.resource_group_arn } output "resource_group_name" { description = "Name of the resource group." value = local.resource_group_name } variable "log_retention" { default = 3 description = "Number of days to retain logs." type = number } outputs.tfdeleted 100644 → 0 +0 −14 Original line number Diff line number Diff line output "env" { description = "Environment (prod/dev etc.)." value = local.env } output "module" { description = "The name of the Terraform module, used to tagging resources." value = local.module } output "region" { description = "AWS region." value = var.region } s3.tf 0 → 100644 +53 −0 Original line number Diff line number Diff line resource "aws_s3_bucket" "payloads" { bucket = local.Name tags = local.common_tags acl = "private" versioning { enabled = true } } locals { payloads_bucket_arn = aws_s3_bucket.payloads.arn payloads_bucket_name = aws_s3_bucket.payloads.bucket } output "payloads_bucket_arn" { description = "ARN of the payloads S3 bucket." value = local.payloads_bucket_arn } output "payloads_bucket_name" { description = "Name of the payloads S3 bucket." value = local.payloads_bucket_name } resource "aws_s3_bucket_object" "payload" { bucket = local.payloads_bucket_name key = "${local.env}/payload.zip" source = "payload.zip" etag = filemd5("payload.zip") tags = local.common_tags } locals { payload_object_etag = aws_s3_bucket_object.payload.etag payload_object_name = aws_s3_bucket_object.payload.key payload_object_version = aws_s3_bucket_object.payload.version_id } output "payload_object_etag" { description = "ETag of the payload S3 object." value = local.payload_object_etag } output "payload_object_name" { description = "Name of the payload S3 object." value = local.payload_object_name } output "payload_object_version" { description = "Version of the payload S3 object." value = local.payload_object_version } Loading
functions.tf 0 → 100644 +180 −0 Original line number Diff line number Diff line locals { function_name_prefix = local.Name functions = [ "_dns", ] } data "aws_iam_policy_document" "lambda_assume_policy" { statement { effect = "Allow" actions = ["sts:AssumeRole"] principals { type = "Service" identifiers = ["lambda.amazonaws.com"] } } } locals { lambda_assume_policy_doc = data.aws_iam_policy_document.lambda_assume_policy.json } resource "aws_iam_role" "lambda" { name = local.Name assume_role_policy = local.lambda_assume_policy_doc tags = local.common_tags } locals { lambda_role_arn = aws_iam_role.lambda.arn lambda_role_name = aws_iam_role.lambda.name } output "lambda_role_arn" { description = "ARN of the Lambda function IAM role." value = local.lambda_role_arn } output "lambda_role_name" { description = "Name of the Lambda function IAM role." value = local.lambda_role_name } locals { function_role_policies = [ local.publish_policy_arn, #local.log_policy_arn, "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ] } resource "aws_iam_role_policy_attachment" "function" { count = length(local.function_role_policies) role = local.lambda_role_name policy_arn = local.function_role_policies[count.index] } variable "runtime" { default = "python3.8" description = "The Lambda function runtime." type = string } output "runtime" { description = "The Lambda function runtime." value = var.runtime } variable "memory_size" { default = 128 description = "Amount of memory in MB allocated to the function invocation." type = number } output "memory_size" { description = "Amount of memory in MB allocated to the function invocation." value = var.memory_size } variable "timeout" { default = 30 description = "Amouyynt of time in seconds the function has to run." type = number } output "timeout" { description = "Amount of memory in MB allocated to the function invocation." value = var.timeout } resource "aws_lambda_function" "function" { count = length(local.functions) runtime = var.runtime function_name = "${local.function_name_prefix}_${local.functions[count.index]}" role = local.lambda_role_arn source_code_hash = filebase64sha256("payload.zip") s3_bucket = local.payloads_bucket_name s3_key = local.payload_object_name s3_object_version = local.payload_object_version package_type = "Zip" handler = "${local.functions[count.index]}.handler" description = "${local.module} ${local.functions[count.index]} check in ${local.env}." memory_size = var.memory_size tags = local.common_tags timeout = var.timeout environment { variables = { ENV = local.env MODULE = local.module TOPIC_ARN = local.topic_arn VERSION = local.payload_object_version } } # Create the log group with retention before the function is created. # Otherwise it's created without retention and need to be imported. depends_on = [ aws_cloudwatch_log_group.lambda, ] } locals { function_arns = aws_lambda_function.function.*.arn function_names = aws_lambda_function.function.*.id function_versions = aws_lambda_function.function.*.version } output "function_arns" { description = "ARNs of the Lambda functions." value = local.function_arns } output "function_names" { description = "Names of the Lambda functions." value = local.function_names } output "function_versions" { description = "Versions of the Lambda functions." value = local.function_versions } output "function_version_mapping" { description = "Mapping of the function and version." value = zipmap(local.functions, local.function_versions) } resource "aws_lambda_alias" "function" { count = length(local.functions) name = "${local.function_name_prefix}_${local.functions[count.index]}" function_name = local.function_arns[count.index] function_version = local.function_versions[count.index] } locals { function_alias_arns = aws_lambda_alias.function.*.arn function_alias_names = aws_lambda_alias.function.*.name } output "function_alias_arns" { description = "ARNs of the Lambda functions aliases." value = local.function_alias_arns } output "function_alias_names" { description = "Names of the Lambda functions aliases." value = local.function_alias_names } resource "aws_lambda_permission" "cloudwatch" { count = length(local.function_arns) statement_id = "AllowExecutionFromCloudWatch" action = "lambda:InvokeFunction" principal = "events.amazonaws.com" source_arn = local.cloudwatch_rule_arn function_name = local.function_names[count.index] qualifier = local.function_alias_names[count.index] }
log-groups.tf 0 → 100644 +59 −0 Original line number Diff line number Diff line resource "aws_cloudwatch_log_group" "lambda" { count = length(local.functions) name = "/aws/lambda/${local.function_name_prefix}_${local.functions[count.index]}" retention_in_days = var.log_retention tags = local.common_tags } locals { log_group_arns = aws_cloudwatch_log_group.lambda.*.arn log_group_names = aws_cloudwatch_log_group.lambda.*.name } output "log_group_arns" { description = "ARNs of the CloudWatch log groups for Lambda function invocations." value = local.log_group_arns } output "log_group_names" { description = "Names of the CloudWatch log groups for Lambda function invocations." value = local.log_group_names } data "aws_iam_policy_document" "log" { statement { effect = "Allow" actions = [ "logs:CreateLogStream", "logs:PutLogEvents", ] resources = [for arn in local.log_group_arns : "${arn}/*"] } } locals { log_policy_doc = data.aws_iam_policy_document.log.json } resource "aws_iam_policy" "log" { name = "${local.module}-${local.env}-log" policy = local.log_policy_doc tags = local.common_tags } locals { log_policy_arn = aws_iam_policy.log.arn log_policy_name = aws_iam_policy.log.name } output "log_policy_arn" { value = local.log_policy_arn description = "CloudWatch log IAM policy ARN." } output "log_policy_name" { value = local.log_policy_name description = "CloudWatch log IAM policy name." }
main.tf +65 −1 Original line number Diff line number Diff line Loading @@ -12,8 +12,72 @@ locals { Name = "${local.module}-${local.env}" } output "env" { description = "Environment (prod/dev etc.)." value = local.env } output "module" { description = "The name of the Terraform module, used to tagging resources." value = local.module } variable "region" { default = "us-east-1" description = "AWS region." type = string } output "region" { description = "AWS region." value = var.region } provider "aws" { region = var.region } provider "template" {} resource "aws_resourcegroups_group" "group" { name = local.Name tags = local.common_tags resource_query { query = <<EOF { "ResourceTypeFilters": [ "AWS::AllSupported" ], "TagFilters": [ { "Key": "Module", "Values": ["${local.module}"] }, { "Key": "Environment", "Values": ["${local.env}"] } ] } EOF } } locals { resource_group_arn = aws_resourcegroups_group.group.arn resource_group_name = aws_resourcegroups_group.group.name } output "resource_group_arn" { description = "ARN of the resource group." value = local.resource_group_arn } output "resource_group_name" { description = "Name of the resource group." value = local.resource_group_name } variable "log_retention" { default = 3 description = "Number of days to retain logs." type = number }
outputs.tfdeleted 100644 → 0 +0 −14 Original line number Diff line number Diff line output "env" { description = "Environment (prod/dev etc.)." value = local.env } output "module" { description = "The name of the Terraform module, used to tagging resources." value = local.module } output "region" { description = "AWS region." value = var.region }
s3.tf 0 → 100644 +53 −0 Original line number Diff line number Diff line resource "aws_s3_bucket" "payloads" { bucket = local.Name tags = local.common_tags acl = "private" versioning { enabled = true } } locals { payloads_bucket_arn = aws_s3_bucket.payloads.arn payloads_bucket_name = aws_s3_bucket.payloads.bucket } output "payloads_bucket_arn" { description = "ARN of the payloads S3 bucket." value = local.payloads_bucket_arn } output "payloads_bucket_name" { description = "Name of the payloads S3 bucket." value = local.payloads_bucket_name } resource "aws_s3_bucket_object" "payload" { bucket = local.payloads_bucket_name key = "${local.env}/payload.zip" source = "payload.zip" etag = filemd5("payload.zip") tags = local.common_tags } locals { payload_object_etag = aws_s3_bucket_object.payload.etag payload_object_name = aws_s3_bucket_object.payload.key payload_object_version = aws_s3_bucket_object.payload.version_id } output "payload_object_etag" { description = "ETag of the payload S3 object." value = local.payload_object_etag } output "payload_object_name" { description = "Name of the payload S3 object." value = local.payload_object_name } output "payload_object_version" { description = "Version of the payload S3 object." value = local.payload_object_version }