From 34a02e59aec600aa95380e11ba21575dbaaafaed Mon Sep 17 00:00:00 2001
From: Santiago Lo Coco
Date: Fri, 21 Oct 2022 07:29:20 -0300
Subject: [PATCH] Add lambda and vpc modules
Co-authored-by: Ezequiel Bellver
---
 terraform/modules/lambda/main.tf | 25 ++++
 terraform/modules/lambda/outputs.tf | 9 ++
 terraform/modules/lambda/variables.tf | 44 +++++++
 terraform/modules/lambda/versions.tf | 10 ++
 terraform/modules/vpc/main.tf | 175 ++++++++++++++++++++++++++
 5 files changed, 263 insertions(+)
 create mode 100644 terraform/modules/lambda/main.tf
 create mode 100644 terraform/modules/lambda/outputs.tf
 create mode 100644 terraform/modules/lambda/variables.tf
 create mode 100644 terraform/modules/lambda/versions.tf
 create mode 100644 terraform/modules/vpc/main.tf
diff --git a/terraform/modules/lambda/main.tf b/terraform/modules/lambda/main.tf
new file mode 100644
index 0000000..3149514
--- /dev/null
+++ b/terraform/modules/lambda/main.tf
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------------------
+# Amazon Lambda
+# ------------------------------------------------------------------------------
+
+resource "aws_lambda_function" "this" {
+
+ filename = var.lambda_info.filename
+ function_name = var.lambda_info.function_name
+ role = var.iam_role_arn
+ handler = var.lambda_info.handler
+ runtime = var.runtime
+
+ tags = {
+ name = "lambda${var.lambda_info.function_name}"
+ }
+}
+
+resource "aws_lambda_permission" "this" {
+ statement_id = "AllowExecutionFromAPIGateway"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.this.function_name
+ principal = "apigateway.amazonaws.com"
+
+ source_arn = "${var.apigw_execution_arn}/*/${var.lambda_info.method}${var.lambda_info.path}"
+}
diff --git a/terraform/modules/lambda/outputs.tf b/terraform/modules/lambda/outputs.tf
new file mode 100644
index 0000000..bf0d7d3
--- /dev/null
+++ b/terraform/modules/lambda/outputs.tf
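Review bot: `aws_lambda_function.this` sets no `source_code_hash`, so a rebuilt archive at the same `var.lambda_info.filename` produces no plan diff and the deployed code silently stays stale; add `source_code_hash = filebase64sha256(var.lambda_info.filename)` next to `filename`. There is also no `vpc_config` block, although `variables.tf` in this same patch declares `subnet_ids` and `sg_ids`, so the function is not placed in the VPC that `modules/vpc` builds — either wire them in (the execution role then also needs ENI permissions, e.g. the `AWSLambdaVPCAccessExecutionRole` managed policy) or drop the unused inputs. The `aws_lambda_permission` is correctly scoped to one method and path under `var.apigw_execution_arn`; note that `var.lambda_info.path` must start with `/`, otherwise method and path run together in the ARN and the grant never matches. The tag key `name` is lowercase while the rest of the patch uses `Name`, which is the key the AWS console displays.
```hcl
resource "aws_lambda_function" "this" {
  filename         = var.lambda_info.filename
  source_code_hash = filebase64sha256(var.lambda_info.filename)
  # … unchanged: function_name, role, handler, runtime, tags …

  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = var.sg_ids
  }
}
```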
@@ -0,0 +1,9 @@
+output "invoke_arn" {
+ description = "The lambda function's invoke ARN"
+ value = aws_lambda_function.this.invoke_arn
+}
+
+output "function_name" {
+ description = "The lambda function's name"
+ value = aws_lambda_function.this.function_name
+}
\ No newline at end of file
diff --git a/terraform/modules/lambda/variables.tf b/terraform/modules/lambda/variables.tf
new file mode 100644
index 0000000..8fea18b
--- /dev/null
+++ b/terraform/modules/lambda/variables.tf
@@ -0,0 +1,44 @@
+# ------------------------------------------------------------------------
+# Amazon Lambda variables
+# ------------------------------------------------------------------------
+
+variable "account_id" {
+ type = string
+ description = "The current Accound ID"
+}
+
+variable "local_path" {
+ type = string
+ description = "Local path"
+}
+
+variable "lambda_info" {
+ type = map(string)
+ description = "Contains all necesary lambda info"
+}
+
+variable "apigw_execution_arn" {
+ type = string
+ description = "API GW execution ARN"
+}
+
+variable "subnet_ids" {
+ type = list(any)
+ description = "The list of subnets created"
+}
+
+variable "sg_ids" {
+ type = list(any)
+ description = "The list of subnets created"
+}
+
+variable "runtime" {
+ type = string
+ description = "Lambda function runtime language"
+ default = "python3.12"
+}
+
+variable "iam_role_arn" {
+ type = string
+ description = "IAM role arn"
+}
\ No newline at end of file
diff --git a/terraform/modules/lambda/versions.tf b/terraform/modules/lambda/versions.tf
new file mode 100644
index 0000000..eb9ed4c
--- /dev/null
+++ b/terraform/modules/lambda/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0.6"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.10.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf
new file mode 100644
index 0000000..158571a
--- /dev/null
+++ b/terraform/modules/vpc/main.tf
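Review bot: In `variables.tf`, `variable "sg_ids"` carries the description copied from `subnet_ids` ("The list of subnets created"); it should read `description = "The list of security group ids attached to the function"`. `account_id`, `local_path`, `subnet_ids` and `sg_ids` are declared here but nothing in `main.tf` of this patch reads them, so callers must supply values that have no effect — either consume them or remove them. `lambda_info` is typed `map(string)` although `main.tf` depends on the `filename`, `function_name`, `handler`, `method` and `path` keys; `type = object({ filename = string, function_name = string, handler = string, method = string, path = string })` turns a missing key into a plan-time error instead of an apply-time one. The `runtime` default `python3.12` should be checked against the runtimes the target region and the pinned provider (`>= 4.10.0` in `versions.tf`) actually accept, since a rejected default only fails at apply. The descriptions also contain the typos "Accound" and "necesary".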
@@ -0,0 +1,175 @@
+# module "vpc" {
+# source = "terraform-aws-modules/vpc/aws"
+
+# name = "my-vpc"
+# cidr = "10.0.0.0/16"
+
+# azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+# private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+# public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+# enable_nat_gateway = true
+# enable_vpn_gateway = true
+
+# tags = {
+# Terraform = "true"
+# Environment = "dev"
+# }
+# }
+
+locals {
+ name = "ex-${replace(basename(path.cwd), "_", "-")}"
+ region = "eu-west-1"
+
+ tags = {
+ Example = local.name
+ GithubRepo = "terraform-aws-vpc"
+ GithubOrg = "terraform-aws-modules"
+ }
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+
+ name = local.name
+ cidr = "10.0.0.0/16"
+
+ azs = ["${local.region}a", "${local.region}b"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+ public_subnets = ["10.0.3.0/24", "10.0.4.0/24"]
+
+ create_database_subnet_group = false
+
+ manage_default_network_acl = true
+ default_network_acl_tags = { Name = "${local.name}-default" }
+
+ manage_default_route_table = true
+ default_route_table_tags = { Name = "${local.name}-default" }
+
+ manage_default_security_group = true
+ default_security_group_tags = { Name = "${local.name}-default" }
+
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+
+ # enable_vpn_gateway = false
+
+ # enable_dhcp_options = false
+
+ # enable_flow_log = true
+ # create_flow_log_cloudwatch_log_group = true
+ # create_flow_log_cloudwatch_iam_role = true
+ # flow_log_max_aggregation_interval = 60
+
+ tags = local.tags
+}
+
+module "vpc_endpoints" {
+ source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+
+ vpc_id = module.vpc.vpc_id
+ security_group_ids =
[data.aws_security_group.default.id]
+
+ endpoints = {
+ dynamodb = {
+ service = "dynamodb"
+ service_type = "Gateway"
+ route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
+ policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
+ tags = { Name = "dynamodb-vpc-endpoint" }
+ },
+ lambda = {
+ service = "lambda"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ ses = {
+ service = "ses"
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+ tags = { Name = "ses-vpc-endpoint" }
+ },
+ }
+
+ tags = merge(local.tags, {
+ Project = "Secret"
+ Endpoint = "true"
+ })
+}
+
+module "vpc_endpoints_nocreate" {
+ source = "../../modules/vpc-endpoints"
+
+ create = false
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+data "aws_security_group" "default" {
+ name = "default"
+ vpc_id = module.vpc.vpc_id
+}
+
+data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
+ statement {
+ effect = "Deny"
+ actions = ["dynamodb:*"]
+ resources = ["*"]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringNotEquals"
+ variable = "aws:sourceVpce"
+
+ values = [module.vpc.vpc_id]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "generic_endpoint_policy" {
+ statement {
+ effect = "Deny"
+ actions = ["*"]
+ resources = ["*"]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringNotEquals"
+ variable = "aws:SourceVpc"
+
+ values = [module.vpc.vpc_id]
+ }
+ }
+}
+
+resource "aws_security_group" "vpc_tls" {
+ name_prefix = "${local.name}-vpc_tls"
+ description = "Allow TLS inbound traffic"
+ vpc_id = module.vpc.vpc_id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = [module.vpc.vpc_cidr_block]
+ }
+
+ tags = local.tags
+}
\ No newline at end of file
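Review bot: `dynamodb_endpoint_policy` conditions on `aws:sourceVpce` but compares it with `module.vpc.vpc_id`; that key carries a VPC endpoint id (`vpce-…`), not a VPC id, so `StringNotEquals` is always true and the Deny statement blocks every DynamoDB call, including those arriving through the endpoint it is attached to — use `variable = "aws:SourceVpc"` with the VPC id, as `generic_endpoint_policy` already does, or reference the endpoint's own id. The interface endpoints in `module "vpc_endpoints"` are attached to the VPC default security group through `data.aws_security_group.default`, while the purpose-built `aws_security_group.vpc_tls` (443 from the VPC CIDR only) is created but never referenced and `generic_endpoint_policy` is never applied; `security_group_ids = [aws_security_group.vpc_tls.id]` and `policy = data.aws_iam_policy_document.generic_endpoint_policy.json` on the `lambda` endpoint would close both gaps. The `ses` endpoint still carries the placeholder ids `subnet-12345678`/`subnet-87654321`, and `vpc_endpoints_nocreate` sources `../../modules/vpc-endpoints`, which relative to `terraform/modules/vpc` resolves outside `terraform/` — I cannot see such a directory in this patch, so init/apply would presumably fail before any of the above is reached. Those blocks, the `path.cwd`-derived `local.name` and the `GithubRepo`/`GithubOrg` tags appear to be carried over from the upstream module example unchanged and should be adapted or removed. VPC flow logs remain commented out in `module "vpc"`; uncommenting `enable_flow_log`, `create_flow_log_cloudwatch_log_group` and `create_flow_log_cloudwatch_iam_role` gives the VPC a network-level audit trail.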