Update modules and fix bugs

Co-authored-by: Ezequiel Bellver <ebellver@itba.edu.ar>

README.md

@@ -2,11 +2,130 @@
 
 Best Stock Management System application.
 
-## Diagrama de arquitectura
+## Descripción de los módulos
 
-<!-- ![architecture](docs/diagram.png) -->
+### Api gateway
 
-<img src="docs/diagram.png" alt="drawing" width="1000"/>
+Recibe pedidos HTTPS. Pueden ser POST o GET. EN el caso de GET, va directo a la lambda de lectura de la tabla. En el caso de POST, se encola en el SQS para luego ir a la lambda.
+
+### Cloudfront
+
+Realiza cache de la API y del S3.
+
+### Dynamo DB
+
+Guarda los datos de los stocks de los usuarios.
+
+### Lambda
+
+Definimos 2 lambdas.
+Una se encarga de realizar escrituras al DynamoDB y la otra de realizar lecturas.
+
+### S3
+
+Definimos 3 buckets. Uno para logs y dos para front.
+
+### SQS
+
+Se encarga de encolar POSTs recibidos por la API. Luego dispara la lambda correspondiente
+
+### VPC
+
+Este módulo es [externo](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest).
+
+## Descripción y referencia de funciones y meta-argumentos
+
+*Los links solo hacen referencia a la primera aparición en cada archivo.*
+
+### Funciones
+Junto a cada función se especifica para qué se usa.
+
+> **file**: devuelve como string el contenido del archivo `index.html`. Esto es utilizado para luego poder modificarlo (pues actúa como un template ya que tiene la variable `ENDPOINT` parametrizada) y usarlo.
+    > - [organization/datasources.tf](terraform/organization/datasources.tf#L14)
+
+> **flatten**: retorna una lista de una dimensión con los elementos de una lista de listas pues así lo espera el módulo.
+    > - [organization/vpc.tf](terraform/organization/vpc.tf#L78)
+
+> **format**: arma el `path` para un filename dado.
+    > - [modules/s3/main.tf](terraform/modules/s3/main.tf#L39)
+
+> **jsonencode**: arma un string con un objeto JSON.
+    > - [modules/apigw/main.tf](terraform/modules/apigw/main.tf#L89)
+
+> **length**: calcula el largo de `custom_origin_config` para saber si debe hacer un `for_each` sobre sus elementos, es decir, para saber si se lo definieron en el archivo que usa el módulo en cuestión.
+    > - [modules/cloudfront/main.tf](terraform/modules/cloudfront/main.tf#L20)
+
+> **lookup**: obtiene el valor de un mapa para una key.
+    > - [modules/cloudfront/main.tf](terraform/modules/cloudfront/main.tf#L16)
+
+> **replace**: modifica el `path` para hacerlo válido.
+    > - [modules/s3/main.tf](terraform/modules/s3/main.tf#L38)
+    > - [organization/cloudfront.tf](terraform/organization/cloudfront.tf#L13)
+
+> **sha1**: computa el `SHA1` del string de la configuración del apigw para saber si se necesita forzar el redeploy del módulo.
+    > - [modules/apigw/main.tf](terraform/modules/apigw/main.tf#L103)
+
+> **try**: en caso de que no haya objetos, se utiliza un objeto vacío.
+    > - [modules/s3/main.tf](terraform/modules/s3/main.tf#L35)
+    > - [organization/s3.tf](terraform/organization/s3.tf#L10)
+    
+
+### Meta-argumentos
+
+> **count**
+    > - [modules/s3/main.tf](terraform/modules/s3/main.tf#L18)
+
+> **depends_on**
+    > - [modules/apigw/main.tf](terraform/modules/apigw/main.tf#L78)
+    > - [organization/apigw.tf](terraform/organization/apigw.tf#L8)
+    > - [organization/cloudfront.tf](terraform/organization/cloudfront.tf#L3)
+    > - [organization/lambda.tf](terraform/organization/lambda.tf#L9)
+    > - [organization/sqs.tf](terraform/organization/sqs.tf#L8)
+
+> **for_each**
+    > - [modules/cloudfront/main.tf](terraform/modules/cloudfront/main.tf#L12)
+    > - [modules/dynamodb/main.tf](terraform/modules/dynamodb/main.tf#L12)
+    > - [modules/lambda/main.tf](terraform/modules/lambda/main.tf#L15)
+    > - [modules/s3/main.tf](terraform/modules/s3/main.tf#L35)
+    > - [organization/lambda.tf](terraform/organization/lambda.tf#L2)
+    > - [organization/s3.tf](terraform/organization/s3.tf#L2)
+
+> **lifecycle**
+    > - [modules/apigw/main.tf](terraform/modules/apigw/main.tf#L114)
+
+## Diagrama de arquitectura deployada
+
+<img src="docs/architecture.png" alt="architecture" width="800"/>
+
+## Rúbrica
+
+<table>
+    <tr>
+        <th>Alumno</th>
+        <th>Legajo</th>
+        <th>Participación</th>
+    </tr>
+    <tr>
+        <td>Bellver, Ezequiel</td>
+        <td>61268</td>
+        <td>25%</td>
+    </tr>
+    <tr>
+        <td>Burgos, Satiago Eduardo</td>
+        <td>55193</td>
+        <td>25%</td>
+    </tr>
+    <tr>
+        <td>Lo Coco, Santiago</td>
+        <td>61301</td>
+        <td>25%</td>
+    </tr>
+    <tr>
+        <td>Oillataguerre, Amparo</td>
+        <td>58714</td>
+        <td>25%</td>
+    </tr>
+</table>
 
 ## Autores
 - Bellver, Ezequiel (61268)

terraform/modules/apigw/main.tf

@@ -3,9 +3,8 @@
 # ---------------------------------------------------------------------------
 
 resource "aws_api_gateway_rest_api" "this" {
-  name        = var.name
-  description = var.description
-  tags        = var.tags
+  name = var.name
+  tags = var.tags
 }
 
 resource "aws_api_gateway_resource" "this" {
@@ -17,7 +16,7 @@ resource "aws_api_gateway_resource" "this" {
 resource "aws_api_gateway_method" "stock_get" {
   rest_api_id   = aws_api_gateway_rest_api.this.id
   resource_id   = aws_api_gateway_resource.this.id
-  http_method   = "GET"
+  http_method   = var.lambda[0].http_method
   authorization = "NONE"
 }
 
@@ -41,7 +40,7 @@ resource "aws_api_gateway_integration" "stock_get" {
   http_method             = aws_api_gateway_method.stock_get.http_method
   integration_http_method = "POST"
   type                    = "AWS_PROXY"
-  uri                     = var.lambda[1].lambda_function_arn
+  uri                     = var.lambda[0].lambda_function_arn
 }
 
 resource "aws_api_gateway_integration" "this" {
@@ -80,10 +79,10 @@ EOF
 }
 
 resource "aws_api_gateway_integration" "options" {
-  rest_api_id             = aws_api_gateway_rest_api.this.id
-  resource_id             = aws_api_gateway_resource.this.id
-  http_method             = aws_api_gateway_method.options.http_method
-  type                    = "MOCK"
+  rest_api_id = aws_api_gateway_rest_api.this.id
+  resource_id = aws_api_gateway_resource.this.id
+  http_method = aws_api_gateway_method.options.http_method
+  type        = "MOCK"
 
   request_parameters = {}
   request_templates = {
@@ -225,7 +224,7 @@ resource "aws_api_gateway_integration_response" "options200" {
 resource "aws_lambda_permission" "this" {
   statement_id  = "AllowExecutionFromAPIGateway"
   action        = "lambda:InvokeFunction"
-  function_name = var.lambda[1].lambda_function_name
+  function_name = var.lambda[0].lambda_function_name
   principal     = "apigateway.amazonaws.com"
-  source_arn    = "${var.lambda[1].lambda_source_arn}:${aws_api_gateway_rest_api.this.id}/*/${aws_api_gateway_method.stock_get.http_method}${aws_api_gateway_resource.this.path}"
+  source_arn    = "${var.lambda[0].lambda_source_arn}:${aws_api_gateway_rest_api.this.id}/*/${aws_api_gateway_method.stock_get.http_method}${aws_api_gateway_resource.this.path}"
 }

terraform/modules/apigw/variables.tf

@@ -8,12 +8,6 @@ variable "name" {
   default     = ""
 }
 
-variable "description" {
-  description = "The description of the API."
-  type        = string
-  default     = null
-}
-
 variable "tags" {
   description = "A mapping of tags to assign to API gateway resources."
   type        = map(string)
@@ -21,13 +15,16 @@ variable "tags" {
 }
 
 variable "sqs_arn" {
-  type = string
+  description = "ARN of the SQS."
+  type        = string
 }
 
 variable "role_arn" {
-  type = string
+  description = "ARN of the IAM role (credentials)."
+  type        = string
 }
 
 variable "lambda" {
-  type = list(any)
+  description = "List of lambdas the API will execute."
+  type        = list(any)
 }

terraform/modules/dynamodb/main.tf

@@ -17,6 +17,7 @@ resource "aws_dynamodb_table" "this" {
     }
   }
 
-  hash_key = var.hash_key
-  tags     = var.tags
+  hash_key  = var.hash_key
+  range_key = var.range_key
+  tags      = var.tags
 }

terraform/modules/s3/main.tf

@@ -14,15 +14,41 @@ resource "aws_s3_bucket_policy" "this" {
   policy = data.aws_iam_policy_document.this.json
 }
 
+resource "aws_s3_bucket_logging" "this" {
+  count = var.type == 2 ? 1 : 0
+  bucket = trimsuffix(var.bucket_name, "-logs")
+
+  target_bucket = aws_s3_bucket.this.id
+  target_prefix = "log/"
+}
+
 resource "aws_s3_bucket_website_configuration" "this" {
+  count = var.type == 1 ? 1 : 0
   bucket = aws_s3_bucket.this.id
 
-  index_document {
-    suffix = "index.html"
+  dynamic "index_document" {
+    for_each = try([var.website["index_document"]], [])
+
+    content {
+      suffix = index_document.value
+    }
   }
 
-  error_document {
-    key = "error.html"
+  dynamic "error_document" {
+    for_each = try([var.website["error_document"]], [])
+
+    content {
+      key = error_document.value
+    }
+  }
+
+  dynamic "redirect_all_requests_to" {
+    for_each = try([var.website["redirect_all_requests_to"]], [])
+
+    content {
+      host_name = redirect_all_requests_to.value.host_name
+      protocol  = try(redirect_all_requests_to.value.protocol, null)
+    }
   }
 }
 

terraform/modules/s3/outputs.tf

@@ -14,5 +14,5 @@ output "arn" {
 
 output "website_endpoint" {
   description = "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string."
-  value       = aws_s3_bucket_website_configuration.this.website_endpoint
+  value       = var.type == 1 ? aws_s3_bucket_website_configuration.this[0].website_endpoint :  ""
 }

terraform/modules/s3/variables.tf

@@ -13,14 +13,26 @@ variable "objects" {
   default     = {}
 }
 
+variable "website" {
+  type        = map(any)
+  description = ""
+  default     = {}
+}
+
 variable "block_public_access" {
   type        = bool
   default     = true
-  description = "Determines the S3 account-level Public Access Block configuration. For more information about these settings, see the AWS S3 documentation: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html"
+  description = "Determines the S3 account-level Public Access Block configuration."
 }
 
 variable "bucket_acl" {
   type        = string
   default     = "private"
-  description = "The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private. For more information about these settings, see the AWS S3 documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl"
+  description = "The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private."
+}
+
+variable "type" {
+  type        = number
+  default     = 1
+  description = "Determines the type of the bucket. 1 for static website. 2 for logs."
 }

terraform/modules/sqs/main.tf

@@ -24,7 +24,7 @@ resource "aws_lambda_permission" "allows_sqs_to_trigger_lambda" {
 
 resource "aws_lambda_event_source_mapping" "event_source_mapping" {
   batch_size       = 1
-  event_source_arn =  aws_sqs_queue.this.arn
+  event_source_arn = aws_sqs_queue.this.arn
   enabled          = true
-  function_name    =  var.lambda_name
-}
+  function_name    = var.lambda_name
+}

terraform/organization/apigw.tf

@@ -9,25 +9,21 @@ module "apigw" {
     module.lambda, module.sqs
   ]
 
-  name                 = "AWSAPIGateway-g3"
-  description          = "..."
+  name        = "AWSAPIGateway-g3"
+
   lambda = [
     {
-      lambda_function_arn  = module.lambda["lambdaSQS"].lambda_function_arn
-      lambda_function_name = module.lambda["lambdaSQS"].lambda_function_name
-      lambda_source_arn    = "arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
-    },
-    {
+      http_method          = "GET"
       lambda_function_arn  = module.lambda["lambdaDB"].lambda_function_arn
       lambda_function_name = module.lambda["lambdaDB"].lambda_function_name
       lambda_source_arn    = "arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
     }
   ]
-  
-  role_arn             = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole"
-  sqs_arn                = "arn:aws:apigateway:${data.aws_region.current.name}:sqs:path/AWS-SQS-g3"
+
+  role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole"
+  sqs_arn  = "arn:aws:apigateway:${data.aws_region.current.name}:sqs:path/AWS-SQS-g3"
 
   tags = {
-    name = "Api Gateway"
+    name = "api-gateway-g3"
   }
 }

terraform/organization/html/index.html

@@ -245,15 +245,6 @@
         color: #D2E2FF;
     }
 
-    /* .style {
-        max-width: 400px;
-        margin: 50px auto;
-        background: #fff;
-        border-radius: 2px;
-        padding: 20px;
-        font-family: Georgia, "Times New Roman", Times, serif;
-    } */
-
     .style {
         background: #2471FF;
         border: none;

terraform/organization/locals.tf

@@ -4,9 +4,16 @@ locals {
 
   s3 = {
     website = {
+      type = 1
       bucket_name = local.bucket_name
+      bucket_acl = "public-read"
       path        = "../resources"
 
+      website = {
+        index_document = "index.html"
+        error_document = "error.html"
+      }
+
       objects = {
         error = {
           filename     = "html/error.html"
@@ -24,11 +31,22 @@ locals {
     }
 
     www-website = {
+      type = 1
+      website = {
+        redirect_all_requests_to = {
+          host_name = "${local.bucket_name}.s3-website-${data.aws_region.current.name}.amazonaws.com"
+          protocol = "http"
+        }
+      }
+
       bucket_name = "www.${local.bucket_name}"
+      bucket_acl = "public-read"
     }
 
     logs = {
+      type = 2
       bucket_name = "${local.bucket_name}-logs"
+      bucket_acl = "log-delivery-write"
     }
   }
 

terraform/organization/s3.tf

@@ -7,8 +7,10 @@ module "s3" {
   }
 
   bucket_name   = each.value.bucket_name
+  type          = each.value.type
+  website       = try(each.value.website, {})
   objects       = try(each.value.objects, {})
-  bucket_acl    = "public-read"
+  bucket_acl    = each.value.bucket_acl
 }
 
 resource "aws_s3_object" "this" {

terraform/organization/vpc.tf

@@ -75,21 +75,15 @@ module "vpc_endpoints" {
     dynamodb = {
       service         = "dynamodb"
       service_type    = "Gateway"
-      route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
+      route_table_ids = flatten([module.vpc.private_route_table_ids])
       policy          = data.aws_iam_policy_document.this.json
       tags            = { Name = "dynamodb-vpc-endpoint" }
       security_group_ids = [aws_security_group.dynamodb_sg.id]
-    },
-    lambda = {
-      service             = "lambda"
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-    },
+    }
   }
 
   tags = {
     Name = "vpc-g3-bsmsapp"
-    Project  = "Secret"
     Endpoint = "true"
   }
 }
@@ -126,46 +120,6 @@ resource "aws_security_group" "dynamodb_sg" {
   }
 }
 
-data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
-  statement {
-    effect    = "Deny"
-    actions   = ["dynamodb:*"]
-    resources = ["*"]
-
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-
-    condition {
-      test     = "StringNotEquals"
-      variable = "aws:sourceVpce"
-
-      values = [module.vpc.vpc_id]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "generic_endpoint_policy" {
-  statement {
-    effect    = "Deny"
-    actions   = ["*"]
-    resources = ["*"]
-
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-
-    condition {
-      test     = "StringNotEquals"
-      variable = "aws:SourceVpc"
-
-      values = [module.vpc.vpc_id]
-    }
-  }
-}
-
 resource "aws_security_group" "vpc_tls" {
   name_prefix = "vpc-g3-bsmsapp-vpc_tls"
   description = "Allow TLS inbound traffic"
@@ -183,7 +137,3 @@ resource "aws_security_group" "vpc_tls" {
     Name = "vpc-g3-bsmsapp"
   }
 }
-
-# output "aws_security_group_dynamodb" {
-#   value       = aws_security_group.dynamodb_sg.id
-# }