From 18c2ec08b965b10fce089d8d3a83505f9a4476a5 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Thu, 9 Jun 2022 17:19:35 +0700 Subject: [PATCH 01/35] (remove): upload code from s3 function --- main.tf | 40 +++++++++++++++++----------------------- variables.tf | 10 +++++----- 2 files changed, 22 insertions(+), 28 deletions(-) diff --git a/main.tf b/main.tf index 3516f04..350bc06 100644 --- a/main.tf +++ b/main.tf @@ -4,10 +4,11 @@ locals { name = format("%s-%s-%s", var.prefix, var.environment, var.name) - lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn - bucket_name = var.is_upload_form_s3 ? var.bucket_name : var.is_create_lambda_bucket ? element(module.s3[*].bucket_name, 0) : var.bucket_name - object_key = var.is_upload_form_s3 ? data.aws_s3_object.this[0].key : aws_s3_object.this[0].id - object_version_id = var.is_upload_form_s3 ? data.aws_s3_object.this[0].version_id : aws_s3_object.this[0].version_id + lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn + + bucket_name = var.is_create_lambda_bucket ? element(module.s3[*].bucket_name, 0) : var.bucket_name + object_key = var.is_edge ? aws_s3_object.this[0].id : data.archive_file.this[0].key + object_version_id = var.is_edge ? aws_s3_object.this[0].version_id : data.archive_file.this[0].version_id tags = merge( { 
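Review bot: The new `object_key` and `object_version_id` index `aws_s3_object.this[0]` whenever `var.is_edge` is true, but the `aws_s3_object.this` hunk later in this patch sets `count = var.is_create_lambda_bucket && var.is_edge ? 1 : 0`, so the edge deployment with a caller-supplied bucket (`is_edge = true`, `is_create_lambda_bucket = false`) leaves that list empty, the index fails, and nothing uploads the zip to the supplied bucket. The object is needed in every edge deployment and should target whichever bucket `local.bucket_name` resolved to: `count = var.is_edge ? 1 : 0` and `bucket = local.bucket_name` on `aws_s3_object.this`. The same count condition is carried forward unchanged in patch 04's `aws_s3_object` hunk and patch 05's `locals` hunk. The `locals` block continues outside this hunk.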
@@ -21,11 +22,10 @@ locals { locals { raise_is_lambda_role_arn_empty = var.is_create_lambda_role == false && var.lambda_role_arn == "" ? file("Variable `lambda_role_arn` is required when `is_create_lambda_role` is false") : "pass" - raise_bucket_name_empty = var.is_upload_form_s3 && length(var.bucket_name) == 0 ? file("Variable `bucket_name` is required when `is_upload_form_s3` is true") : "pass" - raise_file_name_empty = var.is_upload_form_s3 && length(var.file_name) == 0 ? file("Variable `file_name` is required when `is_upload_form_s3` is true") : "pass" + raise_bucket_name_empty = var.is_create_lambda_bucket == false && length(var.bucket_name) == 0 ? file("Variable `bucket_name` is required when `is_create_lambda_bucket` is false") : "pass" - raise_compressed_local_file_dir_empty = var.is_upload_form_s3 == false && length(var.compressed_local_file_dir) == 0 ? file("Variable `compressed_local_file_dir` is required when `is_upload_form_s3` is false") : "pass" - raise_file_globs_empty = var.is_upload_form_s3 == false && length(var.file_globs) == 0 ? file("Variable `file_globs` is required when `is_upload_form_s3` is false") : "pass" + raise_compressed_local_file_dir_empty = length(var.compressed_local_file_dir) == 0 ? file("Variable `compressed_local_file_dir` is required") : "pass" + raise_file_globs_empty = length(var.file_globs) == 0 ? file("Variable `file_globs` is required") : "pass" } /* -------------------------------------------------------------------------- */ @@ -33,8 +33,6 @@ locals { /* -------------------------------------------------------------------------- */ /* -------------------------------- ZIP File -------------------------------- */ data "archive_file" "zip_file" { - count = var.is_upload_form_s3 == false ? 1 : 0 - type = "zip" output_path = format("%s/%s.zip", var.compressed_local_file_dir, local.name) 
@@ -64,7 +62,7 @@ data "archive_file" "zip_file" { } module "s3" { - count = var.is_create_lambda_bucket && var.is_upload_form_s3 == false ? 1 : 0 + count = var.is_create_lambda_bucket && var.is_edge ? 1 : 0 source = "git@github.com:oozou/terraform-aws-s3.git?ref=v1.0.2" @@ -80,20 +78,13 @@ module "s3" { tags = var.tags } -data "aws_s3_object" "this" { - count = var.is_upload_form_s3 ? 1 : 0 - - bucket = local.bucket_name - key = var.file_name -} - resource "aws_s3_object" "this" { - count = var.is_upload_form_s3 == false ? 1 : 0 + count = var.is_create_lambda_bucket && var.is_edge ? 1 : 0 - bucket = var.is_create_lambda_bucket ? element(module.s3[*].bucket_name, 0) : var.bucket_name + bucket = element(module.s3[*].bucket_name, 0) key = format("%s.zip", local.name) - source = data.archive_file.zip_file[0].output_path - etag = data.archive_file.zip_file[0].output_md5 + source = data.archive_file.zip_file.output_path + etag = data.archive_file.zip_file.output_md5 tags = merge(local.tags, { "Name" = format("%s.zip", local.name) }) } @@ -261,11 +252,14 @@ resource "aws_lambda_function" "this" { function_name = format("%s-function", local.name) description = format("Lambda function: %s", local.name) - # Read the file from s3 + # Read source code from s3 s3_bucket = local.bucket_name s3_key = local.object_key s3_object_version = local.object_version_id + # Read source code from local + source_code_hash = filebase64sha256(data.archive_file.zip_file.output_path) + # Specification timeout = var.timeout memory_size = var.memory_size diff --git a/variables.tf b/variables.tf index 6867dc7..fedae09 100644 --- a/variables.tf +++ b/variables.tf 
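Review bot: The added `source_code_hash = filebase64sha256(data.archive_file.zip_file.output_path)` hashes the zip through a plan-time file function instead of through the data source, and `output_path` is a configured value, so on a fresh checkout the function can be evaluated before `archive_file` has written the file and fail with a missing-file error (a known ordering issue with `file*` functions on generated paths). The data source exposes the same digest as an attribute, which carries the dependency correctly: `source_code_hash = data.archive_file.zip_file.output_base64sha256`. The `aws_lambda_function` resource starts and ends outside this hunk.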
@@ -100,11 +100,11 @@ variable "additional_lambda_role_policy_arns" { /* -------------------------------------------------------------------------- */ /* S3 Lambda Source Code */ /* -------------------------------------------------------------------------- */ -variable "is_upload_form_s3" { - description = "Whether to upload the source code from s3 or not" - type = bool - default = true -} +# variable "is_upload_form_s3" { +# description = "Whether to upload the source code from s3 or not" +# type = bool +# default = true +# } variable "file_name" { description = "The compressed file name used to upload to lambda use when is_upload_form_s3 is true" From 5668f78a77fdd7d853c3f9a74602fd77c481a9b8 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Thu, 9 Jun 2022 17:23:29 +0700 Subject: [PATCH 02/35] (fix): ref to non-declare resource --- main.tf | 12 ++++++------ variables.tf | 12 ------------ 2 files changed, 6 insertions(+), 18 deletions(-) diff --git a/main.tf b/main.tf index 350bc06..297b228 100644 --- a/main.tf +++ b/main.tf @@ -7,8 +7,8 @@ locals { lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn bucket_name = var.is_create_lambda_bucket ? element(module.s3[*].bucket_name, 0) : var.bucket_name - object_key = var.is_edge ? aws_s3_object.this[0].id : data.archive_file.this[0].key - object_version_id = var.is_edge ? aws_s3_object.this[0].version_id : data.archive_file.this[0].version_id + object_key = var.is_edge ? aws_s3_object.this[0].id : null + object_version_id = var.is_edge ? aws_s3_object.this[0].version_id : null tags = merge( { @@ -32,7 +32,7 @@ locals { /* S3 */ /* -------------------------------------------------------------------------- */ /* -------------------------------- ZIP File -------------------------------- */ -data "archive_file" "zip_file" { +data "archive_file" "this" { type = "zip" output_path = format("%s/%s.zip", var.compressed_local_file_dir, local.name) 
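Review bot: With `var.is_edge = false` the rewritten `object_key` and `object_version_id` become null, but `bucket_name` on the context line above still evaluates `element(module.s3[*].bucket_name, 0)` for `is_create_lambda_bucket = true`, and `module.s3` (count gated on `var.is_edge` in patch 01) is then empty, so `element` fails at plan; for `false` the function is handed `s3_bucket = var.bucket_name` with a null key and, as far as the visible hunks show, no `filename`. Gate the bucket the same way so the non-edge path is self-consistent: `bucket_name = var.is_edge ? (var.is_create_lambda_bucket ? element(module.s3[*].bucket_name, 0) : var.bucket_name) : null`. The `locals` block continues outside this hunk.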
@@ -83,8 +83,8 @@ resource "aws_s3_object" "this" {
 bucket = element(module.s3[*].bucket_name, 0)
 key = format("%s.zip", local.name)
- source = data.archive_file.zip_file.output_path
- etag = data.archive_file.zip_file.output_md5
+ source = data.archive_file.this.output_path
+ etag = data.archive_file.this.output_md5
 tags = merge(local.tags, { "Name" = format("%s.zip", local.name) })
 }
@@ -258,7 +258,7 @@ resource "aws_lambda_function" "this" {
 s3_object_version = local.object_version_id
 # Read source code from local
- source_code_hash = filebase64sha256(data.archive_file.zip_file.output_path)
+ source_code_hash = filebase64sha256(data.archive_file.this.output_path)
 # Specification
 timeout = var.timeout
diff --git a/variables.tf b/variables.tf
index fedae09..9c3f2da 100644
--- a/variables.tf
+++ b/variables.tf
@@ -100,18 +100,6 @@ variable "additional_lambda_role_policy_arns" {
 /* -------------------------------------------------------------------------- */
 /* S3 Lambda Source Code */
 /* -------------------------------------------------------------------------- */
-# variable "is_upload_form_s3" {
-# description = "Whether to upload the source code from s3 or not"
-# type = bool
-# default = true
-# }
-
-variable "file_name" {
- description = "The compressed file name used to upload to lambda use when is_upload_form_s3 is true"
- type = string
- default = ""
-}
-
 variable "is_create_lambda_bucket" {
 description = "Whether to create lambda bucket or not"
 type = bool
From 662ad354692a31d93e13e73cf7bec192b0fd8963 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Thu, 9 Jun 2022 17:47:41 +0700
Subject: [PATCH 03/35] (add): new idea to manage terraform
---
 main.tf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 297b228..eeed31e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,12 @@ +# +# if lambd_edge: +# if is_create_lambda_bucket: +# _must_specific the bucket_name +# else: +# _auto_create s3 bucket to keep versioning +# else: +# # ignore is_create_lambda_bucket just upload from local + /* -------------------------------------------------------------------------- */ /* Generic */ /* -------------------------------------------------------------------------- */ @@ -6,7 +15,7 @@ locals { lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn - bucket_name = var.is_create_lambda_bucket ? element(module.s3[*].bucket_name, 0) : var.bucket_name + bucket_name = var.is_create_lambda_bucket ? try(module.s3[0].bucket_name, "") : var.bucket_name object_key = var.is_edge ? aws_s3_object.this[0].id : null object_version_id = var.is_edge ? aws_s3_object.this[0].version_id : null From fd408e69f2b0be17423e039d66c361c20bbf5f84 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Thu, 9 Jun 2022 18:24:24 +0700 Subject: [PATCH 04/35] (update): source code to new algo --- main.tf | 24 +++++++++++++----------- variables.tf | 1 - 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/main.tf b/main.tf index eeed31e..5d3a5f9 100644 --- a/main.tf +++ b/main.tf @@ -1,9 +1,10 @@ # # if lambd_edge: # if is_create_lambda_bucket: -# _must_specific the bucket_name -# else: # _auto_create s3 bucket to keep versioning +# else: +# create the bucket name +# read bucket_name # else: # # ignore is_create_lambda_bucket just upload from local @@ -15,7 +16,7 @@ locals { lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn - bucket_name = var.is_create_lambda_bucket ? try(module.s3[0].bucket_name, "") : var.bucket_name + bucket_name = var.is_edge ? var.is_create_lambda_bucket ? module.s3[0].bucket_name : var.bucket_name : null object_key = var.is_edge ? aws_s3_object.this[0].id : null object_version_id = var.is_edge ? aws_s3_object.this[0].version_id : null 
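Review bot: `try(module.s3[0].bucket_name, "")` turns the unsupported combination `is_create_lambda_bucket = true` with `is_edge = false` (where `module.s3` has count 0) from a plan-time error into an empty `bucket_name`, so the misconfiguration is swallowed here and only surfaces later as a provider complaint about `s3_bucket`. State the condition instead of catching it: `bucket_name = var.is_edge && var.is_create_lambda_bucket ? module.s3[0].bucket_name : var.bucket_name`. The design note added in the first hunk also reads `lambd_edge` and `_must_specific`; `lambda_edge` and `must specify` are meant. The `locals` block continues outside this hunk.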
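Review bot: The rewritten `bucket_name` nests one conditional inside another without parentheses, `var.is_edge ? var.is_create_lambda_bucket ? module.s3[0].bucket_name : var.bucket_name : null`, which a reader has to parse by precedence; write it as `var.is_edge ? (var.is_create_lambda_bucket ? module.s3[0].bucket_name : var.bucket_name) : null`. The design comment updated in the first hunk now says "create the bucket name / read bucket_name" for the `else` branch, which no longer describes this code; it should say the caller supplies `bucket_name`. The `locals` block continues outside this hunk.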
@@ -31,16 +32,14 @@ locals { locals { raise_is_lambda_role_arn_empty = var.is_create_lambda_role == false && var.lambda_role_arn == "" ? file("Variable `lambda_role_arn` is required when `is_create_lambda_role` is false") : "pass" - raise_bucket_name_empty = var.is_create_lambda_bucket == false && length(var.bucket_name) == 0 ? file("Variable `bucket_name` is required when `is_create_lambda_bucket` is false") : "pass" - - raise_compressed_local_file_dir_empty = length(var.compressed_local_file_dir) == 0 ? file("Variable `compressed_local_file_dir` is required") : "pass" - raise_file_globs_empty = length(var.file_globs) == 0 ? file("Variable `file_globs` is required") : "pass" + raise_bucket_name_empty = var.is_edge && var.is_create_lambda_bucket == false && length(var.bucket_name) == 0 ? file("Variable `bucket_name` is required when `is_create_lambda_bucket` is false") : "pass" + raise_local_file_dir_empty = length(var.compressed_local_file_dir) == 0 ? file("Variable `compressed_local_file_dir` is required") : "pass" + raise_file_globs_empty = length(var.file_globs) == 0 ? file("Variable `file_globs` is required") : "pass" } /* -------------------------------------------------------------------------- */ -/* S3 */ +/* Zip File */ /* -------------------------------------------------------------------------- */ -/* -------------------------------- ZIP File -------------------------------- */ data "archive_file" "this" { type = "zip" output_path = format("%s/%s.zip", var.compressed_local_file_dir, local.name) @@ -70,8 +69,11 @@ data "archive_file" "this" { } } +/* -------------------------------------------------------------------------- */ +/* S3 */ +/* -------------------------------------------------------------------------- */ module "s3" { - count = var.is_create_lambda_bucket && var.is_edge ? 1 : 0 + count = var.is_edge && var.is_create_lambda_bucket ? 1 : 0 source = "git@github.com:oozou/terraform-aws-s3.git?ref=v1.0.2" 
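Review bot: The rewritten `raise_bucket_name_empty` now also requires `var.is_edge`, but its message still says only "required when `is_create_lambda_bucket` is false", so a user who hits it is not told that the check is specific to edge deployments; use `file("Variable `bucket_name` is required when `is_edge` is true and `is_create_lambda_bucket` is false")`. All three `raise_*` locals still signal the problem by calling `file()` with the message as a path, so the text is buried inside an unrelated "no file exists" error; the single-variable checks (`compressed_local_file_dir`, `file_globs`) fit a `validation` block on the variable, and the cross-variable one fits a resource `precondition` if the module's required Terraform version allows it. The `data "archive_file" "this"` block continues outside this hunk.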
@@ -88,7 +90,7 @@ module "s3" {
 }
 resource "aws_s3_object" "this" {
- count = var.is_create_lambda_bucket && var.is_edge ? 1 : 0
+ count = var.is_edge && var.is_create_lambda_bucket ? 1 : 0
 bucket = element(module.s3[*].bucket_name, 0)
 key = format("%s.zip", local.name)
diff --git a/variables.tf b/variables.tf
index 9c3f2da..cc1aa87 100644
--- a/variables.tf
+++ b/variables.tf
@@ -170,7 +170,6 @@ variable "runtime" {
 variable "handler" {
 description = "Function entrypoint in your code."
 type = string
- default = "index.handler"
 }
 /* -------------------------------------------------------------------------- */
From 60757af0c4602bc4104bf2fe7c70d6aa532c72b7 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Thu, 9 Jun 2022 19:49:33 +0700
Subject: [PATCH 05/35] (fix): lambda edge variable overflow
---
 main.tf | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/main.tf b/main.tf
index 5d3a5f9..5e7e714 100644
--- a/main.tf
+++ b/main.tf
@@ -16,6 +16,7 @@ locals {
 lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn
+ file_name = var.is_edge ? null : data.archive_file.this.output_path
 bucket_name = var.is_edge ? var.is_create_lambda_bucket ? module.s3[0].bucket_name : var.bucket_name : null
 object_key = var.is_edge ? aws_s3_object.this[0].id : null
 object_version_id = var.is_edge ? aws_s3_object.this[0].version_id : null
@@ -269,6 +270,7 @@ resource "aws_lambda_function" "this" {
 s3_object_version = local.object_version_id
 # Read source code from local
+ filename = local.file_name
 source_code_hash = filebase64sha256(data.archive_file.this.output_path)
 # Specification
@@ -296,12 +298,6 @@ resource "aws_lambda_function" "this" {
 role = local.lambda_role_arn
- lifecycle {
- ignore_changes = [
- last_modified,
- ]
- }
-
 tags = merge(local.tags, { "Name" = format("%s-function", local.name) })
 }
From 250195a9211ef076b082c934fde7381673c35628 Mon Sep 17 00:00:00 2001
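Review bot: Dropping `default = "index.handler"` makes `handler` a required input, so every existing caller that relied on the default breaks on the next upgrade, and neither the subject "(update): source code to new algo" nor the diff says this is intended. If the goal is to stop baking a Node.js-specific entrypoint into the module, say so in the commit message and treat it as a breaking change (major version bump and changelog entry); otherwise keep the default. The description could also show the expected form, e.g. `description = "Function entrypoint in your code, e.g. index.handler (Node.js) or main.lambda_handler (Python)."`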
From: sedthawut tipkanpirome Date: Fri, 10 Jun 2022 00:11:52 +0700 Subject: [PATCH 06/35] (update): document --- README.md | 116 ++++++++++++------------------------------------------ 1 file changed, 26 insertions(+), 90 deletions(-) diff --git a/README.md b/README.md index 5476570..98d9fd6 100644 --- a/README.md +++ b/README.md 
@@ -2,101 +2,35 @@ ## Usage -### Source code form bucket - ```terraform -module "lambda_from_bucket" { - source = "" +module "lambda" { + # source = "git@github.com:oozou/terraform-aws-lambda.git?ref=refactor/lambda-source-code" + source = "../terraform-aws-lambda-edge" prefix = "oozou" - environment = "test" - name = "bakara" - - is_edge = false # Defautl is `fault`, If you want to publish to the edge don't forget to override aws's provider to virgina - - # Source code configuration. If is_upload_form_s3 is `true` - is_upload_form_s3 = true # Default is `true` - bucket_name = "oozou-test-loal-lambda-bucket-557291035693-48fexi" - file_name = "oozou-test-loal.zip" - - # Lambda Env - runtime = "nodejs12.x" - handler = "index.handler" # Default `"index.handler"` - - # Lambda Specification - timeout = 3 # Default is `3` seconds - memory_size = 128 # Default is `128` MB, the more mem size increase, the performance is better - reserved_concurrent_executions = -1 - ## Optional to connect Lambda to VPC - vpc_config = { - security_group_ids = ["sg-028f637312eea735e"] - subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"] - } - dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # To send failed processing to target, Default is `""` - - # IAM - is_create_lambda_role = true # Default is `true` - lambda_role_arn = "" # If `is_create_lambda_role` is `false` - additional_lambda_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", ] # The policies that you want to attach to IAM Role created by only this module - - # Resource policy - lambda_permission_configuration = { - lambda_on_my_account = { - pricipal = "apigateway.amazonaws.com" - source_arn = "arn:aws:execute-api:ap-southeast-1:557291035693:lk36vflbha/*/*/" - } - lambda_on_my_another_account_wrong = { - pricipal = "apigateway.amazonaws.com" - source_arn = "arn:aws:execute-api:ap-southeast-1:562563527952:q6pwa6wgr6/*/*/" - 
source_account = "557291035693" # Optional just to restrict the permission - } - lambda_on_my_another_account_correct = { - pricipal = "apigateway.amazonaws.com" - source_arn = "arn:aws:execute-api:ap-southeast-1:557291035693:wpj4t3scmb/*/*/" - } - } - - # Logging - is_create_cloudwatch_log_group = true # Default is `true` - retention_in_days = 30 # Default is `30` - - # Secret for lambda function - ssm_params = {} + environment = "dev" + name = "demo" - tags = { "Workspace" = "xxx-yyy-zzz" } -} - -``` + is_edge = true # Defautl is `fault`, If you want to publish to the edge don't forget to override aws's provider to virgina -### Source code from local + # If is_edge is `false`, ignore this config + is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket + bucket_name = "" # If `is_create_lambda_bucket` is `false`; specified this, default is `""` -```terraform -module "lambda_from_local" { - source = "" - - prefix = "oozou" - environment = "test" - name = "local" - - is_edge = false # Defautl is `fault`, If you want to publish to the edge don't forget to override aws's provider to virgina - - # Source code configuration. 
If is_upload_form_s3 is `false` - is_upload_form_s3 = false # Default is `true` + # Source code source_code_dir = "./src" - file_globs = ["index.js"] + file_globs = ["main.py"] compressed_local_file_dir = "./outputs" - is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket - bucket_name = "" # If `is_create_lambda_bucket` is `false`; specified this, default is `""` # Lambda Env - runtime = "nodejs12.x" - handler = "index.handler" # Default `"index.handler"` + runtime = "python3.9" + handler = "main.lambda_handler" # Lambda Specification timeout = 3 # Default is `3` seconds memory_size = 128 # Default is `128` MB, the more mem size increase, the performance is better reserved_concurrent_executions = -1 - ## Optional to connect Lambda to VPC + # Optional to connect Lambda to VPC vpc_config = { security_group_ids = ["sg-028f637312eea735e"] subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"] @@ -129,13 +63,18 @@ module "lambda_from_local" { is_create_cloudwatch_log_group = true # Default is `true` retention_in_days = 30 # Default is `30` - # Secret for lambda function - ssm_params = { - "DATABASE_PASSWORD" = "abdhegcg2365daA" - "DATABASE_HOST" = "www.google.com" + # Env + ssm_params = {} + plaintext_params = { + region = "ap-southeast-1" + cluster_name = "oozou-dev-test-schedule-cluster" + nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup" + min = 1, + max = 1, + desired = 1 } - tags = { "Workspace" = "pc" } + tags = var.generics_info["custom_tags"] } ``` 
@@ -175,13 +114,12 @@ module "lambda_from_local" { | [aws_lambda_permission.allow_serivce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | | [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | | [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [archive_file.zip_file](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | +| [archive_file.this](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | | [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.lambda_access_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_object) | data source | ## Inputs 
@@ -194,13 +132,11 @@ module "lambda_from_local" { | [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | `string` | `null` | no | | [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | | [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | -| [file\_name](#input\_file\_name) | The compressed file name used to upload to lambda use when is\_upload\_form\_s3 is true | `string` | `""` | no | -| [handler](#input\_handler) | Function entrypoint in your code. | `string` | `"index.handler"` | no | +| [handler](#input\_handler) | Function entrypoint in your code. | `string` | n/a | yes | | [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | | [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | | [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | | [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | -| [is\_upload\_form\_s3](#input\_is\_upload\_form\_s3) | Whether to upload the source code from s3 or not | `bool` | `true` | no | | [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | | [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | | [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | From f77485ebb4777bd949a6a9b5c57fdafd05f38551 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 10 Jun 2022 00:16:34 +0700 Subject: [PATCH 07/35] (update): README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 98d9fd6..2a891ee 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,7 @@ ```terraform module "lambda" { - # source = "git@github.com:oozou/terraform-aws-lambda.git?ref=refactor/lambda-source-code" - source = "../terraform-aws-lambda-edge" + source = "git@github.com:oozou/terraform-aws-lambda.git?ref=v1.0.2" prefix = "oozou" environment = "dev" From c9a7d861a48838069303c38142df07752313a1b8 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 10 Jun 2022 00:20:14 +0700 Subject: [PATCH 08/35] (remove): comment path --- main.tf | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/main.tf b/main.tf index 5e7e714..d8157f5 100644 --- a/main.tf +++ b/main.tf @@ -1,13 +1,3 @@ -# -# if lambd_edge: -# if is_create_lambda_bucket: -# _auto_create s3 bucket to keep versioning -# else: -# create the bucket name -# read bucket_name -# else: -# # ignore is_create_lambda_bucket just upload from local - /* -------------------------------------------------------------------------- */ /* Generic */ /* -------------------------------------------------------------------------- */ From a73dbcd1231c328e39b23a7ab5e7465e15769f1c Mon Sep 17 00:00:00 2001 
From: sedthawut tipkanpirome Date: Fri, 10 Jun 2022 16:06:13 +0700 Subject: [PATCH 09/35] (update): change additional policies to map instead of list deu to un-predicted variable --- README.md | 63 +++++++++++++++++++++++++++------------------------- main.tf | 2 +- variables.tf | 8 +++---- 3 files changed, 38 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index 2a891ee..b811ec7 100644 --- a/README.md +++ b/README.md @@ -38,8 +38,11 @@ module "lambda" { # IAM is_create_lambda_role = true # Default is `true` - lambda_role_arn = "" # If `is_create_lambda_role` is `false` - additional_lambda_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", ] # The policies that you want to attach to IAM Role created by only this module + lambda_role_arn = "" + # The policies that you want to attach to IAM Role created by only this module # If `is_create_lambda_role` is `false` + additional_lambda_role_policy_arn = { + allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" + } # Resource policy lambda_permission_configuration = { 
@@ -122,34 +125,34 @@ module "lambda" { ## Inputs -| Name | Description | Type | Default | Required | -|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|:--------:| -| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | List of policies ARNs to attach to the lambda | `list(string)` | `[]` | no | -| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | -| [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | -| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | -| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. 
| `string` | `null` | no | -| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | -| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | -| [handler](#input\_handler) | Function entrypoint in your code. | `string` | n/a | yes | -| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | -| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | -| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | -| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | -| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | -| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | -| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | -| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | -| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | -| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | -| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | -| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no | -| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | -| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | -| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | -| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | -| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | -| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no | +| Name | Description | Type | Default | Required | +|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|:--------:| +| [additional\_lambda\_role\_policy\_arn](#input\_additional\_lambda\_role\_policy\_arn) | Map of policies ARNs to attach to the lambda | `map(string)` | `{}` | no | +| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | +| [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | +| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | +| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. 
| `string` | `null` | no | +| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | +| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | +| [handler](#input\_handler) | Function entrypoint in your code. | `string` | n/a | yes | +| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | +| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | +| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | +| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | +| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | +| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | +| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | +| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | +| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | +| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | +| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | +| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no | +| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | +| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | +| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | +| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | +| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no |
 ## Outputs
diff --git a/main.tf b/main.tf
index d8157f5..ea51b64 100644
--- a/main.tf
+++ b/main.tf
@@ -192,7 +192,7 @@ resource "aws_iam_role_policy" "logs_role_policy" {
 }
 resource "aws_iam_role_policy_attachment" "this" {
- for_each = var.is_create_lambda_role ? toset(var.additional_lambda_role_policy_arns) : toset([])
+ for_each = var.is_create_lambda_role ? var.additional_lambda_role_policy_arn : {}
 role = aws_iam_role.this[0].name
 policy_arn = each.value
diff --git a/variables.tf b/variables.tf
index cc1aa87..4904584 100644
--- a/variables.tf
+++ b/variables.tf
@@ -91,10 +91,10 @@ variable "lambda_role_arn" {
 default = ""
 }
-variable "additional_lambda_role_policy_arns" {
- description = "List of policies ARNs to attach to the lambda"
- type = list(string)
- default = []
+variable "additional_lambda_role_policy_arn" {
+ description = "Map of policies ARNs to attach to the lambda"
+ type = map(string)
+ default = {}
 }
 /* -------------------------------------------------------------------------- */
From 42bb07d014c60f485db4ddbeec7d1beab7853114 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Wed, 15 Jun 2022 18:38:38 +0700
Subject: [PATCH 10/35] (update): s3 version to v1.0.4
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index ea51b64..9a227ba 100644
--- a/main.tf
+++ b/main.tf
@@ -66,7 +66,7 @@ data "archive_file" "this" {
 module "s3" {
 count = var.is_edge && var.is_create_lambda_bucket ? 1 : 0
- source = "git@github.com:oozou/terraform-aws-s3.git?ref=v1.0.2"
+ source = "git@github.com:oozou/terraform-aws-s3.git?ref=v1.0.4"
 prefix = var.prefix
 environment = var.environment
From 2febdb7cc3a46eaaf53da1d616fc523a80d7ada0 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Mon, 20 Jun 2022 13:58:15 +0700
Subject: [PATCH 11/35] (add): local tag to ssm parameter store
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 9a227ba..4b9a2ce 100644
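Review bot: The new `map(string)` input `additional_lambda_role_policy_arn` is attached verbatim as `policy_arn` in `aws_iam_role_policy_attachment.this`, but neither the main.tf hunk nor the variables.tf hunk validates the values, so a typo or a non-ARN string only surfaces as an apply-time IAM error after the role has already been created. A `validation` block on the variable would catch it at plan time, e.g. `condition = alltrue([for v in values(var.additional_lambda_role_policy_arn) : can(regex("^arn:aws[a-z-]*:iam::", v))])` with a matching `error_message`. The rename from the plural `additional_lambda_role_policy_arns` to the singular `additional_lambda_role_policy_arn`, together with the list-to-map type change, is a breaking interface change for existing callers, and a plural name would read better for a map holding several ARNs. The `aws_iam_role_policy_attachment` resource continues outside its hunk.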
--- a/main.tf
+++ b/main.tf
@@ -212,7 +212,7 @@ resource "aws_ssm_parameter" "params" {
 type = "SecureString"
 tier = length(each.value) > 4096 ? "Advanced" : "Standard"
- tags = var.tags
+ tags = local.tags
 }
 data "aws_iam_policy_document" "secret_access_policy_doc" {
From 4f2677a4ce6629b6690e99f8de7ff1edf1732e43 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Thu, 23 Jun 2022 15:06:24 +0700
Subject: [PATCH 12/35] (add): tracing mode enable
---
 main.tf | 19 +++++++++++++------
 variables.tf | 10 ++++++++++
 2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/main.tf b/main.tf
index 4b9a2ce..108c9be 100644
--- a/main.tf
+++ b/main.tf
@@ -268,6 +268,13 @@ resource "aws_lambda_function" "this" {
 memory_size = var.memory_size
 reserved_concurrent_executions = var.reserved_concurrent_executions
+ # Code Env
+ publish = true # Force public new version
+ runtime = var.runtime
+ handler = var.handler
+
+ role = local.lambda_role_arn
+
 vpc_config {
 security_group_ids = var.vpc_config.security_group_ids
 subnet_ids = var.vpc_config.subnet_ids_to_associate
@@ -281,12 +288,12 @@ resource "aws_lambda_function" "this" {
 }
 }
- # Code Env
- publish = true # Force public new version
- runtime = var.runtime
- handler = var.handler
-
- role = local.lambda_role_arn
+ dynamic "tracing_config" {
+ for_each = var.tracing_mode == null ? [] : [true]
+ content {
+ mode = var.tracing_mode
+ }
+ }
 tags = merge(local.tags, { "Name" = format("%s-function", local.name) })
 }
diff --git a/variables.tf b/variables.tf
index 4904584..53f133e 100644
--- a/variables.tf
+++ b/variables.tf
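Review bot: The new `dynamic "tracing_config"` block turns on X-Ray tracing when `var.tracing_mode` is `Active`, but nothing in this patch grants the execution role the `xray:PutTraceSegments` and `xray:PutTelemetryRecords` permissions that Active tracing needs, so traces may silently not be recorded unless the caller supplies a role that already has them (the rest of the module-created role's policy is not visible from here). Attaching the managed policy `arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess` to the module-created role when tracing is Active, or at least documenting the requirement in the `tracing_mode` description, would close that gap. The moved comment `# Force public new version` also misstates what `publish = true` does; `# Publish a new function version on every change` would be accurate. The `aws_lambda_function.this` resource starts before both hunks.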
@@ -162,6 +162,16 @@ variable "dead_letter_target_arn" {
 default = null
 }
+variable "tracing_mode" {
+ description = "Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active."
+ type = string
+ default = null
+ validation {
+ condition = contains(["PassThrough", "Active"], var.tracing_mode)
+ error_message = "Valid values for account_mode are PassThrough and Active."
+ }
+}
+
 variable "runtime" {
 description = "The runtime of the lambda function"
 type = string
From 286fa8cdf960f679702c54f50afef49ffa3f60b8 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Thu, 23 Jun 2022 18:04:17 +0700
Subject: [PATCH 13/35] (add): change log
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..3e104d0
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,6 @@
+# CHANGE
+
+- Remove upload code from s3
+ - S3 source code is used for versioning
+- Change `additional_lambda_role_policy_arn` to map from list
+- Enable Tracing
From 7ddd43afcc8a69724a5e16677067ce2bf62dbe57 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Fri, 1 Jul 2022 09:49:45 +0700
Subject: [PATCH 14/35] (fix): set default tracing mode if received from upstream
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 53f133e..b843bd9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -165,7 +165,7 @@ variable "dead_letter_target_arn" {
 variable "tracing_mode" {
 description = "Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active."
 type = string
- default = null
+ default = "PassThrough"
 validation {
 condition = contains(["PassThrough", "Active"], var.tracing_mode)
 error_message = "Valid values for account_mode are PassThrough and Active."
From e8131abf2fc97caece7aa75ca307f96cc74c08f2 Mon Sep 17 00:00:00 2001
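Review bot: The `error_message` in the new `tracing_mode` validation names the wrong input: it says `account_mode` while the variable is `tracing_mode`, so it should read `error_message = "Valid values for tracing_mode are PassThrough and Active."` (the same text is carried unchanged through the later `(fix): set default tracing mode` hunk). The `condition` also does not accept `null`, so the original `default = null` appears to fail its own validation, which is presumably what the later hunk's switch to `default = "PassThrough"` works around; that in turn leaves the `var.tracing_mode == null ? [] : [true]` branch of the `dynamic "tracing_config"` block in main.tf unreachable for the default case. If opting out of the block is still intended, `condition = var.tracing_mode == null || contains(["PassThrough", "Active"], var.tracing_mode)` keeps both paths usable. The `variable "tracing_mode"` block lies fully inside the first hunk.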
From: sedthawut tipkanpirome
Date: Wed, 13 Jul 2022 15:06:26 +0700
Subject: [PATCH 15/35] (update): order of variables
---
 variables.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/variables.tf b/variables.tf
index fce12d4..4ee4907 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,8 +1,8 @@
 /* -------------------------------------------------------------------------- */
 /* Generic */
 /* -------------------------------------------------------------------------- */
-variable "name" {
- description = "Name of the ECS cluster to create"
+variable "prefix" {
+ description = "The prefix name of customer to be displayed in AWS console and resource"
 type = string
 }
@@ -11,8 +11,8 @@ variable "environment" {
 type = string
 }
-variable "prefix" {
- description = "The prefix name of customer to be displayed in AWS console and resource"
+variable "name" {
+ description = "Name of the ECS cluster to create"
 type = string
 }
From 059a212d47e8a150a1f5c7ae5c6b2a4e2b94a1e9 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Wed, 20 Jul 2022 11:12:45 +0700
Subject: [PATCH 16/35] (update): CHANGELOG
---
 CHANGELOG.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3e104d0..abb10f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,8 @@
-# CHANGE
+# Change Log
+
+All notable changes to this module will be documented in this file.
+
+## [1.0.3] - 2022-07-20
 - Remove upload code from s3
 - S3 source code is used for versioning
From 9efd4c6e432cf3bf1ca5315a77ef285757314408 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Thu, 21 Jul 2022 13:13:12 +0700
Subject: [PATCH 17/35] (update): README
---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index b811ec7..2aba558 100644
--- a/README.md
+++ b/README.md
@@ -100,7 +100,7 @@ module "lambda" {
 | Name | Source | Version |
 |--------------------------------------------|-------------------------------------------|---------|
-| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.2 |
+| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.4 |
 ## Resources
@@ -129,6 +129,8 @@ module "lambda" { |-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|:--------:| | [additional\_lambda\_role\_policy\_arn](#input\_additional\_lambda\_role\_policy\_arn) | Map of policies ARNs to attach to the lambda | `map(string)` | `{}` | no | | [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | +| [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN for the KMS encryption key. 
| `string` | `null` | no | +| [cloudwatch\_log\_retention\_in\_days](#input\_cloudwatch\_log\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `90` | no | | [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | | [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | | [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | `string` | `null` | no | @@ -146,12 +148,12 @@ module "lambda" { | [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | | [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | | [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | -| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no | | [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | | [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | | [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | | [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | | [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | +| [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `"PassThrough"` | no | | [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no | ## Outputs From d1b02430aba1a963771a340b2710d08c0b641793 Mon Sep 17 00:00:00 2001 From: Pongsak Sanguanwong Date: Fri, 22 Jul 2022 10:14:27 +0700 Subject: [PATCH 18/35] chore: add community friendly templates --- .github/ISSUE_TEMPLATE/bug_report.md | 37 ++++ .github/ISSUE_TEMPLATE/feature_request.md | 20 +++ .github/PULL_REQUEST_TEMPLATE.md | 24 +++ CONTRIBUTING.md | 88 ++++++++++ LICENSE | 201 ++++++++++++++++++++++ SECURITY.md | 23 +++ 6 files changed, 393 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..d00a412 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,37 @@ +--- +name: Bug report +about: Create a report to help us improve +title: 'Fix' +labels: '' +assignees: '' + +--- + +**What happened?** +A clear and concise description of what the bug is. + +**Provider Version** +v1.2.3 + +**Module Version** +v1.2.3 + + +**What Terraform runner are you seeing the problem on?** +- Terraform Cloud / MacOS / Linux / Windows + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Desktop (please complete the following information):** + - OS: [e.g. iOS] + - Browser [e.g. chrome, safari] + - Version [e.g. 22] + +**Relevant log output:** +``` +echo $SOMETHING +``` + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..13cb98a --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: 'feat: ' +labels: 'enhancement' +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. \ No newline at end of file diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..c3cfd1a --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,24 @@ +# Submit a pull request :rocket: + +Thank you for help us contribute! Please give us more information about this PR. + +--- +## What :kissing: +### Adds +- Resource xxxx + +### Fixes +- Resouces yyyyyy + +### Changes +- Changes var `terraform_depecated` to `terraform_new` + + +## Why :pleading_face: +- Add resource xxx to make the terraform more +- Fix bug on resource yyyyy +- Change depecated var + + +## Other Info +- Please see about the version of terraform x.x.x for depecated var diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..8ff3f8a --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,88 @@ +# Contributing + +When contributing to this repository, please first discuss the change you wish to make via the issue, +We prepare the PR template to make it standards. + +Please note we have a code of conduct, please follow it in all your interactions with the project. + +## Pull Request Process + +1. Ensure you have test your contributions on your locals, and remove any .terraform before put it back. (.gitignore will do that.) +2. Please don't forget to generate the terraform docs and update the usage. +3. Run the pre-commit hook to lint and validate the terraform. +4. Help us to update the other docs like Changelog.md + +## Code of Conduct + +### Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation. 
+ +### Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or +advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +### Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. + +### Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. 
+ +### Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at [devops@oozou.com]. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +### Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..29834ef --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship.
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License.
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of
the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty.
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2022-2022 OOZOU
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..4c045ab
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | ------------------ |
+| 1.0.x | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+The Oozou terraform module take all security vulnerabilities seriously. Thank you for help us improving
+our project. We are welcome your contribute on the Security PR.
+
+For the PR, Our team will review and left the comment if we have any conceren and let's we fixed that first before we reviewing and merge it. :smile:
+
+
+Your can also report the vulnerabilities by emailing to Oozou DevOps team at:
+```
+devops@oozou.com
+```
+
+We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.
\ No newline at end of file
From fd11beb38b9c9b2dbf71a28d03b40efb4be8165e Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Fri, 22 Jul 2022 13:35:04 +0700
Subject: [PATCH 19/35] (update): CHANGELOG
---
 CHANGELOG.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index abb10f8..15bd76e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,9 +2,14 @@ All notable changes to this module will be documented in this file.
-## [1.0.3] - 2022-07-20
+## [1.0.3] - 2022-07-22
+
+### Changed
 - Remove upload code from s3
 - S3 source code is used for versioning
 - Change `additional_lambda_role_policy_arn` to map from list
+
+### Added
+
 - Enable Tracing
From 921a7ef1c236066a9dd973b85e4f3d60edb385d3 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Fri, 22 Jul 2022 14:04:06 +0700
Subject: [PATCH 20/35] (update): .gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 50955f8..1d20e8f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,7 @@ crash.*.log
 # to change depending on the environment.
 #
 *.tfvars
+!terraform.*example*.tfvars
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
From 44cb932543fd4306fe55e4b955c9d0ee1aa87d33 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Fri, 22 Jul 2022 14:18:56 +0700
Subject: [PATCH 21/35] (update): variable name and README
---
 README.md | 62 ++++++++++++++++++++++++++--------------------------
 variables.tf | 2 +-
 2 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index 2aba558..012f641 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ module "lambda" {
 is_create_lambda_role = true # Default is `true`
 lambda_role_arn = ""
 # The policies that you want to attach to IAM Role created by only this module
 # If `is_create_lambda_role` is `false`
- additional_lambda_role_policy_arn = {
+ additional_lambda_role_policy_arns = {
 allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
 }
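Review bot: The negation `!terraform.*example*.tfvars` re-admits any tfvars file whose name contains `example` anywhere after the `terraform.` prefix, not just one sample file, so a real-values file named along the lines of `terraform.prod-example.tfvars` (constructed name) would slip past the `*.tfvars` ignore that exists to keep credentials and account-specific values out of the repository. If the intent is a single checked-in sample, the exact name `!terraform.example.tfvars` keeps that safety net intact. A comment above the line stating why the exception exists, e.g. `# Allow the checked-in sample values file only; real .tfvars stay ignored`, would make the intent clear to the next maintainer.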
@@ -125,36 +125,36 @@ module "lambda" { ## Inputs -| Name | Description | Type | Default | Required | -|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|:--------:| -| [additional\_lambda\_role\_policy\_arn](#input\_additional\_lambda\_role\_policy\_arn) | Map of policies ARNs to attach to the lambda | `map(string)` | `{}` | no | -| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | -| [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN for the KMS encryption key. 
| `string` | `null` | no | -| [cloudwatch\_log\_retention\_in\_days](#input\_cloudwatch\_log\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `90` | no | -| [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | -| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | -| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | `string` | `null` | no | -| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | -| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | -| [handler](#input\_handler) | Function entrypoint in your code. | `string` | n/a | yes | -| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | -| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | -| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | -| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | -| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | -| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | -| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | -| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | -| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | -| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | -| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | -| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | -| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | -| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | -| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | -| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | -| [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `"PassThrough"` | no | -| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no | +| Name | Description | Type | Default | Required | +|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|:--------:| +| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | Map of policies ARNs to attach to the lambda | `map(string)` | `{}` | no | +| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | +| [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN for the KMS encryption key. 
| `string` | `null` | no | +| [cloudwatch\_log\_retention\_in\_days](#input\_cloudwatch\_log\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `90` | no | +| [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | +| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | +| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | `string` | `null` | no | +| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | +| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | +| [handler](#input\_handler) | Function entrypoint in your code. | `string` | n/a | yes | +| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | +| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | +| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | +| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | +| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | +| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | +| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | +| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | +| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | +| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | +| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | +| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | +| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | +| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | +| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | +| [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `"PassThrough"` | no | +| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no | ## Outputs diff --git a/variables.tf b/variables.tf index 4ee4907..dedb007 100644 --- a/variables.tf +++ b/variables.tf @@ -91,7 +91,7 @@ variable "lambda_role_arn" { default = "" } -variable "additional_lambda_role_policy_arn" { +variable "additional_lambda_role_policy_arns" { description = "Map of policies ARNs to attach to the lambda" type = map(string) default = {} From 5c81f771da1901a4a03c100a1ebc1ec02e372ee1 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 14:39:55 +0700 Subject: [PATCH 22/35] (update): variable name and README --- README.md | 132 +++++++++++++++++++++++++-------------------------- variables.tf | 2 +- 2 files changed, 67 insertions(+), 67 deletions(-) diff --git a/README.md b/README.md index 012f641..ed920eb 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ module "lambda" { } # Resource policy - lambda_permission_configuration = { + lambda_permission_configurations = { lambda_on_my_account = { pricipal = "apigateway.amazonaws.com" source_arn = "arn:aws:execute-api:ap-southeast-1:557291035693:lk36vflbha/*/*/" 
@@ -83,85 +83,85 @@ module "lambda" { ## Requirements -| Name | Version | -|---------------------------------------------------------------------------|----------| +| Name | Version | +|------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [archive](#requirement\_archive) | 2.2.0 | -| [aws](#requirement\_aws) | >= 4.00 | +| [archive](#requirement\_archive) | 2.2.0 | +| [aws](#requirement\_aws) | >= 4.00 | ## Providers -| Name | Version | -|---------------------------------------------------------------|---------| -| [archive](#provider\_archive) | 2.2.0 | -| [aws](#provider\_aws) | 4.13.0 | +| Name | Version | +|------|---------| +| [archive](#provider\_archive) | 2.2.0 | +| [aws](#provider\_aws) | 4.23.0 | ## Modules -| Name | Source | Version | -|--------------------------------------------|-------------------------------------------|---------| -| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.4 | +| Name | Source | Version | +|------|--------|---------| +| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.4 | ## Resources -| Name | Type | -|----------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.logs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| 
[aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | -| [aws_lambda_permission.allow_serivce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | -| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | -| [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [archive_file.this](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | -| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_access_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | 
resource | +| [aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.logs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.allow_serivce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [archive_file.this](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | +| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_access_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|:--------:| -| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | Map of policies ARNs to attach to the lambda | `map(string)` | `{}` | no | -| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | -| [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN for the KMS encryption key. 
| `string` | `null` | no | -| [cloudwatch\_log\_retention\_in\_days](#input\_cloudwatch\_log\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `90` | no | -| [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | -| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | -| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | `string` | `null` | no | -| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | -| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | -| [handler](#input\_handler) | Function entrypoint in your code. | `string` | n/a | yes | -| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | -| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | -| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | -| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | -| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | -| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | -| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | -| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | -| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | -| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | -| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | -| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | -| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | -| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | -| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | -| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | -| [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `"PassThrough"` | no | -| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | Map of policies ARNs to attach to the lambda | `map(string)` | `{}` | no | +| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | +| [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN for the KMS encryption key. | `string` | `null` | no | +| [cloudwatch\_log\_retention\_in\_days](#input\_cloudwatch\_log\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `90` | no | +| [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | +| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | +| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | `string` | `null` | no | +| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | +| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | +| [handler](#input\_handler) | Function entrypoint in your code. 
| `string` | n/a | yes | +| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | +| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | +| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | +| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | +| [lambda\_permission\_configurations](#input\_lambda\_permission\_configurations) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | +| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | +| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | +| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | +| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | +| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | +| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | +| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | +| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | +| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | +| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | +| [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `"PassThrough"` | no | +| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no | ## Outputs -| Name | Description | -|------------------------------------------------------------------------------------------------|--------------------------------------------------------------| -| [arn](#output\_arn) | Amazon Resource Name (ARN) identifying your Lambda Function. | -| [execution\_role\_arn](#output\_execution\_role\_arn) | Role arn of lambda | -| [function\_arn](#output\_function\_arn) | function arn | -| [function\_name](#output\_function\_name) | Name of AWS Lambda function | +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | Amazon Resource Name (ARN) identifying your Lambda Function. | +| [execution\_role\_arn](#output\_execution\_role\_arn) | Role arn of lambda | +| [function\_arn](#output\_function\_arn) | function arn | +| [function\_name](#output\_function\_name) | Name of AWS Lambda function | diff --git a/variables.tf b/variables.tf index dedb007..b2101b8 100644 --- a/variables.tf +++ b/variables.tf @@ -66,7 +66,7 @@ variable "config_file_name" { /* -------------------------------------------------------------------------- */ /* Resource Based Policy */ /* -------------------------------------------------------------------------- */ -variable "lambda_permission_configuration" { +variable "lambda_permission_configurations" { description = < Date: Fri, 22 Jul 2022 14:40:15 +0700 Subject: [PATCH 23/35] (update): README --- README.md | 130 +++++++++++++++++++++++++++--------------------------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/README.md b/README.md index ed920eb..5664f66 100644 --- a/README.md +++ b/README.md 
@@ -83,85 +83,85 @@ module "lambda" { ## Requirements -| Name | Version | -|------|---------| +| Name | Version | +|---------------------------------------------------------------------------|----------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [archive](#requirement\_archive) | 2.2.0 | -| [aws](#requirement\_aws) | >= 4.00 | +| [archive](#requirement\_archive) | 2.2.0 | +| [aws](#requirement\_aws) | >= 4.00 | ## Providers -| Name | Version | -|------|---------| -| [archive](#provider\_archive) | 2.2.0 | -| [aws](#provider\_aws) | 4.23.0 | +| Name | Version | +|---------------------------------------------------------------|---------| +| [archive](#provider\_archive) | 2.2.0 | +| [aws](#provider\_aws) | 4.23.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.4 | +| Name | Source | Version | +|--------------------------------------------|-------------------------------------------|---------| +| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.4 | ## Resources -| Name | Type | -|------|------| -| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.logs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| 
[aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | -| [aws_lambda_permission.allow_serivce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | -| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | -| [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [archive_file.this](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | -| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_access_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| Name | Type | +|----------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| 
[aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.logs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.allow_serivce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [archive_file.this](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | +| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_access_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | Map of policies ARNs to attach to the lambda | `map(string)` | `{}` | no | -| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | -| [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN for the KMS encryption key. | `string` | `null` | no | -| [cloudwatch\_log\_retention\_in\_days](#input\_cloudwatch\_log\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `90` | no | -| [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | -| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | -| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | `string` | `null` | no | -| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | -| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | -| [handler](#input\_handler) | Function entrypoint in your code. 
| `string` | n/a | yes | -| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | -| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | -| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | -| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | -| [lambda\_permission\_configurations](#input\_lambda\_permission\_configurations) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | -| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | -| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | -| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | -| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | -| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | -| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | -| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | -| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | -| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | -| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | -| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | -| [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `"PassThrough"` | no | -| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no | +| Name | Description | Type | Default | Required | +|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|:--------:| +| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | Map of policies ARNs to attach to the lambda | `map(string)` | `{}` | no | +| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | +| [cloudwatch\_log\_kms\_key\_id](#input\_cloudwatch\_log\_kms\_key\_id) | The ARN for the KMS encryption key. 
| `string` | `null` | no | +| [cloudwatch\_log\_retention\_in\_days](#input\_cloudwatch\_log\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `90` | no | +| [compressed\_local\_file\_dir](#input\_compressed\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | `""` | no | +| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | +| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | `string` | `null` | no | +| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | +| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | `[]` | no | +| [handler](#input\_handler) | Function entrypoint in your code. | `string` | n/a | yes | +| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | +| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | +| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | +| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | +| [lambda\_permission\_configurations](#input\_lambda\_permission\_configurations) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | +| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | +| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | +| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | +| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | +| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | +| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no | +| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | +| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | `""` | no | +| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | +| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no | +| [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `"PassThrough"` | no | +| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no | ## Outputs -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | Amazon Resource Name (ARN) identifying your Lambda Function. | -| [execution\_role\_arn](#output\_execution\_role\_arn) | Role arn of lambda | -| [function\_arn](#output\_function\_arn) | function arn | -| [function\_name](#output\_function\_name) | Name of AWS Lambda function | +| Name | Description | +|------------------------------------------------------------------------------------------------|--------------------------------------------------------------| +| [arn](#output\_arn) | Amazon Resource Name (ARN) identifying your Lambda Function. | +| [execution\_role\_arn](#output\_execution\_role\_arn) | Role arn of lambda | +| [function\_arn](#output\_function\_arn) | function arn | +| [function\_name](#output\_function\_name) | Name of AWS Lambda function | From 8ed0d4391dfc25f8b73dc2dc0e912470fa518852 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 14:48:20 +0700 Subject: [PATCH 24/35] (update): variables naming --- README.md | 4 ++-- main.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 5664f66..9b818cd 100644 --- a/README.md +++ b/README.md @@ -62,8 +62,8 @@ module "lambda" { } # Logging - is_create_cloudwatch_log_group = true # Default is `true` - retention_in_days = 30 # Default is `30` + is_create_cloudwatch_log_group = true # Default is `true` + cloudwatch_log_retention_in_days = 30 # Default is `90` # Env ssm_params = {} diff --git a/main.tf b/main.tf index e6af8fe..40f4626 100644 --- a/main.tf +++ b/main.tf 
@@ -95,7 +95,7 @@ resource "aws_s3_object" "this" {
 /* Resource Based Policy */
 /* -------------------------------------------------------------------------- */
 resource "aws_lambda_permission" "allow_serivce" {
- for_each = var.lambda_permission_configuration
+ for_each = var.lambda_permission_configurations
 statement_id = format("AllowExecutionFrom-%s", each.key)
 action = "lambda:InvokeFunction"
@@ -192,7 +192,7 @@ resource "aws_iam_role_policy" "logs_role_policy" {
 }
 resource "aws_iam_role_policy_attachment" "this" {
- for_each = var.is_create_lambda_role ? var.additional_lambda_role_policy_arn : {}
+ for_each = var.is_create_lambda_role ? var.additional_lambda_role_policy_arns : {}
 role = aws_iam_role.this[0].name
 policy_arn = each.value
From dd15b751c0e72062d8af0ea1ec4cb51eafe3264a Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 14:56:09 +0700 Subject: [PATCH 25/35] (add): complete example --- examples/completes/main.tf | 39 +++++++ examples/completes/outputs.tf | 0 examples/completes/provider.tf | 3 + examples/completes/src/index.js | 18 +++ examples/completes/terraform.example.tfvars | 51 +++++++++ examples/completes/variables.tf | 121 ++++++++++++++++++++ 6 files changed, 232 insertions(+) create mode 100644 examples/completes/main.tf create mode 100644 examples/completes/outputs.tf create mode 100644 examples/completes/provider.tf create mode 100644 examples/completes/src/index.js create mode 100644 examples/completes/terraform.example.tfvars create mode 100644 examples/completes/variables.tf
diff --git a/examples/completes/main.tf b/examples/completes/main.tf
new file mode 100644
index 0000000..961e0b6
--- /dev/null
+++ b/examples/completes/main.tf
@@ -0,0 +1,39 @@
+module "lambda" {
+ source = "../../"
+
+ prefix = var.generic_info.prefix
+ environment = var.generic_info.environment
+ name = var.generic_info.name
+
+ is_edge = var.is_edge
+
+ is_create_lambda_bucket = var.is_create_lambda_bucket
+ bucket_name = ""
+
+ source_code_dir = "./src"
+ file_globs = ["main.py"]
+ compressed_local_file_dir = "./outputs"
+
+ runtime = "nodejs12.x"
+ handler = "index.handler"
+
+ timeout = var.timeout
+ memory_size = var.memory_size
+ reserved_concurrent_executions = -1
+ vpc_config = var.vpc_config
+ dead_letter_target_arn = var.dead_letter_target_arn
+
+ is_create_lambda_role = var.is_create_lambda_role
+ lambda_role_arn = ""
+ additional_lambda_role_policy_arns = var.additional_lambda_role_policy_arns
+
+ lambda_permission_configurations = var.lambda_permission_configurations
+
+ is_create_cloudwatch_log_group = var.is_create_cloudwatch_log_group
+ cloudwatch_log_retention_in_days = var.cloudwatch_log_retention_in_days
+
+ ssm_params = var.ssm_params
+ plaintext_params = var.plaintext_params
+
+ tags = var.generic_info.custom_tags
+}
diff --git a/examples/completes/outputs.tf b/examples/completes/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/examples/completes/provider.tf b/examples/completes/provider.tf
new file mode 100644
index 0000000..15e750f
--- /dev/null
+++ b/examples/completes/provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+ region = var.generic_info.region
+}
diff --git a/examples/completes/src/index.js b/examples/completes/src/index.js
new file mode 100644
index 0000000..afe164e
--- /dev/null
+++ b/examples/completes/src/index.js
@@ -0,0 +1,18 @@
+var http = require('http')
+
+exports.handler = (event, context, callback) => {
+ const options = {
+ hostname: event.Host,
+ port: event.Port
+ }
+
+ const response = {};
+
+ http.get(options, (res) => {
+ response.httpStatus = res.statusCode
+ callback(null, response)
+ }).on('error', (err) => {
+ callback(null, err.message);
+ })
+
+};
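Review bot: `file_globs = ["main.py"]` does not match the example's own source tree: the only file added under `./src` in this patch is `index.js`, and `runtime`/`handler` are set to `nodejs12.x`/`index.handler`, so the archive the module builds from these globs would not contain the handler at all; it should read `file_globs = ["index.js"]`. Separately, Node.js 12 reached upstream end-of-life in April 2022, so pinning `nodejs12.x` in a reference example steers users onto a runtime that no longer receives security fixes; a supported runtime such as `nodejs16.x` would be the better default. The same runtime pin is repeated in examples/simple/main.tf (PATCH 27) and examples/complete/main.tf (PATCH 30).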
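Review bot: `hostname: event.Host` and `port: event.Port` take the outbound request's destination straight from the invocation payload with no validation, so once this function is exposed through API Gateway, as the resource policy in examples/completes/terraform.example.tfvars does, it behaves as a relay that connects to whatever host the caller names, including private addresses inside the VPC the example attaches it to. For a reference example that readers will copy, this should at least be stated on the `options` object, e.g. `// Example only: Host/Port come from the caller unvalidated — restrict them to an allow-list before reusing this pattern.` The error branch also reports failure as success (`callback(null, err.message)`), which hides connection errors from the invoker and from the function's error metrics; `callback(err)` is the conventional form. The identical file is added again as examples/simple/src/index.js in PATCH 27.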
diff --git a/examples/completes/terraform.example.tfvars b/examples/completes/terraform.example.tfvars
new file mode 100644
index 0000000..fc9bf57
--- /dev/null
+++ b/examples/completes/terraform.example.tfvars
@@ -0,0 +1,51 @@
+/* -------------------------------------------------------------------------- */
+/* Generics */
+/* -------------------------------------------------------------------------- */
+generic_info = {
+ region = "ap-southeast-1",
+ prefix = "oozou",
+ environment = "devops",
+ name = "demo",
+ custom_tags = {
+ "Workspace" = "900-oozou-sandbox-terraform"
+ }
+}
+
+/* -------------------------------------------------------------------------- */
+/* Lambda */
+/* -------------------------------------------------------------------------- */
+# vpc_config = {
+# security_group_ids = ["sg-028f637312eea735e"]
+# subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"]
+# }
+
+# dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo"
+
+additional_lambda_role_policy_arns = {
+ allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+}
+
+lambda_permission_configurations = {
+ lambda_on_my_account = {
+ pricipal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/"
+ }
+ lambda_on_my_another_account_wrong = {
+ pricipal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:ap-southeast-1:224563527112:q6pwa6wgr6/*/*/"
+ source_account = "557291035112"
+ }
+ lambda_on_my_another_account_correct = {
+ pricipal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/"
+ }
+}
+
+plaintext_params = {
+ region = "ap-southeast-1"
+ cluster_name = "oozou-dev-test-schedule-cluster"
+ nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup"
+ min = 1,
+ max = 1,
+ desired = 1
+}
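Review bot: Every `lambda_permission_configurations` entry uses the key `pricipal`, while the module's documented key for this input is `principal` (see the README input table earlier in this series); if the module reads `each.value.principal` every entry here fails at plan time, and if it uses a lookup with a default the permission is created without the intended principal, so the key should be corrected to `principal`. The file also embeds what look like real identifiers from the author's environment — AWS account IDs, API Gateway IDs, a security-group ID and subnet IDs — and a public example should use obviously fake placeholders (for instance the documentation account `123456789012`) so nothing about internal infrastructure is published and nobody pastes them into a live resource policy. Both points recur in examples/simple/main.tf (PATCH 27) and examples/complete/main.tf (PATCH 30).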
diff --git a/examples/completes/variables.tf b/examples/completes/variables.tf new file mode 100644 index 0000000..ba7c480 --- /dev/null +++ b/examples/completes/variables.tf 
@@ -0,0 +1,121 @@ +/* -------------------------------------------------------------------------- */ +/* Generics */ +/* -------------------------------------------------------------------------- */ +variable "generic_info" { + description = "Generic infomation" + type = object({ + region = string + prefix = string + environment = string + name = string + custom_tags = map(any) + }) +} + +/* -------------------------------------------------------------------------- */ +/* Lambda */ +/* -------------------------------------------------------------------------- */ +variable "is_edge" { + description = "Whether lambda is lambda@Edge or not" + type = bool + default = false +} + +variable "is_create_lambda_bucket" { + description = "Whether to create lambda bucket or not" + type = bool + default = true +} + +variable "timeout" { + description = "(Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3." + type = number + default = 3 +} + +variable "memory_size" { + description = "(Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128." + type = number + default = 128 +} + +variable "vpc_config" { + description = < Date: Fri, 22 Jul 2022 14:57:09 +0700 Subject: [PATCH 26/35] (update): repo name --- examples/{completes => complete}/main.tf | 0 examples/{completes => complete}/outputs.tf | 0 examples/{completes => complete}/provider.tf | 0 examples/{completes => complete}/src/index.js | 0 examples/{completes => complete}/terraform.example.tfvars | 0 examples/{completes => complete}/variables.tf | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename examples/{completes => complete}/main.tf (100%) rename examples/{completes => complete}/outputs.tf (100%) rename examples/{completes => complete}/provider.tf (100%) rename examples/{completes => complete}/src/index.js (100%) rename examples/{completes => complete}/terraform.example.tfvars (100%) rename examples/{completes => complete}/variables.tf (100%) 
diff --git a/examples/completes/main.tf b/examples/complete/main.tf similarity index 100% rename from examples/completes/main.tf rename to examples/complete/main.tf diff --git a/examples/completes/outputs.tf b/examples/complete/outputs.tf similarity index 100% rename from examples/completes/outputs.tf rename to examples/complete/outputs.tf diff --git a/examples/completes/provider.tf b/examples/complete/provider.tf similarity index 100% rename from examples/completes/provider.tf rename to examples/complete/provider.tf diff --git a/examples/completes/src/index.js b/examples/complete/src/index.js similarity index 100% rename from examples/completes/src/index.js rename to examples/complete/src/index.js diff --git a/examples/completes/terraform.example.tfvars b/examples/complete/terraform.example.tfvars similarity index 100% rename from examples/completes/terraform.example.tfvars rename to examples/complete/terraform.example.tfvars diff --git a/examples/completes/variables.tf b/examples/complete/variables.tf similarity index 100% rename from examples/completes/variables.tf rename to examples/complete/variables.tf From d91ec545de3f75b754933f7c2a29fae00aa867e0 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 15:37:20 +0700 Subject: [PATCH 27/35] (update): example for simple usage --- examples/simple/main.tf | 44 ++++++++++++++++++++++++ examples/simple/provider.tf | 3 ++ examples/simple/src/index.js | 18 ++++++++++ examples/simple/terraform.example.tfvars | 1 + examples/simple/variables.tf | 1 + 5 files changed, 67 insertions(+) create mode 100644 examples/simple/main.tf create mode 100644 examples/simple/provider.tf create mode 100644 examples/simple/src/index.js create mode 100644 examples/simple/terraform.example.tfvars create mode 100644 examples/simple/variables.tf diff --git a/examples/simple/main.tf b/examples/simple/main.tf new file mode 100644 index 0000000..34f0ab9 --- /dev/null +++ b/examples/simple/main.tf 
@@ -0,0 +1,44 @@
+module "lambda" {
+ source = "../../"
+
+ prefix = "oozou"
+ environment = "devops"
+ name = "demo"
+
+ source_code_dir = "./src"
+ file_globs = ["index.js"]
+ compressed_local_file_dir = "./outputs"
+
+ runtime = "nodejs12.x"
+ handler = "index.handler"
+
+ additional_lambda_role_policy_arns = {
+ allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+ }
+ lambda_permission_configurations = {
+ lambda_on_my_account = {
+ pricipal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/"
+ }
+ lambda_on_my_another_account_wrong = {
+ pricipal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:ap-southeast-1:224563527112:q6pwa6wgr6/*/*/"
+ source_account = "557291035112"
+ }
+ lambda_on_my_another_account_correct = {
+ pricipal = "apigateway.amazonaws.com"
+ source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/"
+ }
+ }
+ ssm_params = {}
+ plaintext_params = {
+ region = "ap-southeast-1"
+ cluster_name = "oozou-dev-test-schedule-cluster"
+ nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup"
+ min = 1,
+ max = 1,
+ desired = 1
+ }
+
+ tags = { "Workspace" = "900-oozou-sandbox-terraform" }
+}
diff --git a/examples/simple/provider.tf b/examples/simple/provider.tf
new file mode 100644
index 0000000..15e750f
--- /dev/null
+++ b/examples/simple/provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+ region = var.generic_info.region
+}
diff --git a/examples/simple/src/index.js b/examples/simple/src/index.js
new file mode 100644
index 0000000..afe164e
--- /dev/null
+++ b/examples/simple/src/index.js
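Review bot: `additional_lambda_role_policy_arns` attaches the AWS-managed `AmazonS3ReadOnlyAccess` policy, which grants read on every bucket and object in the account, while the example handler added in this patch only performs an HTTP GET and never touches S3; a "simple" example sets the pattern readers copy, so it should either omit the extra policy or attach a scoped inline statement and say why it is there, e.g. `# Example of attaching an extra policy; scope it to the buckets the function actually reads`. The same broad policy is used in examples/completes/terraform.example.tfvars (PATCH 25) and examples/complete/main.tf (PATCH 30). Also, provider.tf in this patch references `var.generic_info.region`, but the example declares no variables (its variables.tf is a single blank line), so `terraform validate` would fail on an undeclared variable.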
@@ -0,0 +1,18 @@
+var http = require('http')
+
+exports.handler = (event, context, callback) => {
+ const options = {
+ hostname: event.Host,
+ port: event.Port
+ }
+
+ const response = {};
+
+ http.get(options, (res) => {
+ response.httpStatus = res.statusCode
+ callback(null, response)
+ }).on('error', (err) => {
+ callback(null, err.message);
+ })
+
+};
diff --git a/examples/simple/terraform.example.tfvars b/examples/simple/terraform.example.tfvars
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/examples/simple/terraform.example.tfvars
@@ -0,0 +1 @@
+
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/examples/simple/variables.tf
@@ -0,0 +1 @@
+
From df5fe9198e551a70fcdeba634403ecb31078cfb8 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 15:39:48 +0700 Subject: [PATCH 28/35] (update): example simple --- examples/simple/outputs.tf | 0 examples/simple/provider.tf | 3 --- examples/simple/terraform.example.tfvars | 1 - examples/simple/variables.tf | 1 - 4 files changed, 5 deletions(-) create mode 100644 examples/simple/outputs.tf delete mode 100644 examples/simple/provider.tf delete mode 100644 examples/simple/terraform.example.tfvars
diff --git a/examples/simple/outputs.tf b/examples/simple/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/examples/simple/provider.tf b/examples/simple/provider.tf
deleted file mode 100644
index 15e750f..0000000
--- a/examples/simple/provider.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-provider "aws" {
- region = var.generic_info.region
-}
diff --git a/examples/simple/terraform.example.tfvars b/examples/simple/terraform.example.tfvars
deleted file mode 100644
index 8b13789..0000000
--- a/examples/simple/terraform.example.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
index 8b13789..e69de29 100644
--- a/examples/simple/variables.tf
+++ b/examples/simple/variables.tf @@ -1 +0,0 @@ - From 84cd63810e387d7636046dcb7dc71abe14cb57e6 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 15:41:54 +0700 Subject: [PATCH 29/35] (update): example simple --- examples/simple/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 34f0ab9..98305aa 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -30,6 +30,7 @@ module "lambda" { source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/" } } + ssm_params = {} plaintext_params = { region = "ap-southeast-1" From 1d44e7b3c24a4994a328fd3cab285843eb4a9fd2 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 15:58:06 +0700 Subject: [PATCH 30/35] (update): lambda complete usage --- examples/complete/main.tf | 77 +++++++++---- examples/complete/outputs.tf | 1 + examples/complete/provider.tf | 3 - examples/complete/terraform.example.tfvars | 51 --------- examples/complete/variables.tf | 120 --------------------- 5 files changed, 58 insertions(+), 194 deletions(-) delete mode 100644 examples/complete/provider.tf delete mode 100644 examples/complete/terraform.example.tfvars diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 961e0b6..bae4975 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -1,39 +1,76 @@ module "lambda" { source = "../../" - prefix = var.generic_info.prefix - environment = var.generic_info.environment - name = var.generic_info.name + prefix = "oozou" + environment = "devops" + name = "demo" - is_edge = var.is_edge + is_edge = false # Defautl is `false`, If you want to publish to the edge don't forget to override aws's provider to virgina - is_create_lambda_bucket = var.is_create_lambda_bucket - bucket_name = "" + # If is_edge is `false`, ignore this config + is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket + bucket_name = "" # If `is_create_lambda_bucket` is `false`; specified this, default is `""` + # Source code source_code_dir = "./src" - file_globs = ["main.py"] + file_globs = ["index.js"] compressed_local_file_dir = "./outputs" + # Lambda Env runtime = "nodejs12.x" handler = "index.handler" - timeout = var.timeout - memory_size = var.memory_size + # Lambda Specification + timeout = 3 + memory_size = 128 reserved_concurrent_executions = -1 - vpc_config = var.vpc_config - dead_letter_target_arn = var.dead_letter_target_arn - is_create_lambda_role = var.is_create_lambda_role - lambda_role_arn = "" - additional_lambda_role_policy_arns = var.additional_lambda_role_policy_arns + # Optional to connect Lambda to VPC + vpc_config = { + security_group_ids = ["sg-028f637312eea735e"] + subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"] + } + dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # To send failed processing to target, Default is `""` - lambda_permission_configurations = var.lambda_permission_configurations + # IAM + is_create_lambda_role = true # Default is `true` + lambda_role_arn = "" # If `is_create_lambda_role` is `false` + # The policies that you want to attach to IAM Role created by only this module # If `is_create_lambda_role` is `false` + additional_lambda_role_policy_arns = { + 
allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" + } - is_create_cloudwatch_log_group = var.is_create_cloudwatch_log_group - cloudwatch_log_retention_in_days = var.cloudwatch_log_retention_in_days + # Resource policy + lambda_permission_configurations = { + lambda_on_my_account = { + pricipal = "apigateway.amazonaws.com" + source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/" + } + lambda_on_my_another_account_wrong = { + pricipal = "apigateway.amazonaws.com" + source_arn = "arn:aws:execute-api:ap-southeast-1:224563527112:q6pwa6wgr6/*/*/" + source_account = "557291035112" + } + lambda_on_my_another_account_correct = { + pricipal = "apigateway.amazonaws.com" + source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/" + } + } - ssm_params = var.ssm_params - plaintext_params = var.plaintext_params + # Logging + is_create_cloudwatch_log_group = true # Default is `true` + cloudwatch_log_retention_in_days = 90 # Default is `90` - tags = var.generic_info.custom_tags + # Env + ssm_params = {} + plaintext_params = { + region = "ap-southeast-1" + cluster_name = "oozou-dev-test-schedule-cluster" + nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup" + min = 1, + max = 1, + desired = 1 + } + + tags = { "Workspace" = "900-oozou-sandbox-terraform" } } diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index e69de29..8b13789 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -0,0 +1 @@ + diff --git a/examples/complete/provider.tf b/examples/complete/provider.tf deleted file mode 100644 index 15e750f..0000000 --- a/examples/complete/provider.tf +++ /dev/null @@ -1,3 +0,0 @@ -provider "aws" { - region = var.generic_info.region -} diff --git a/examples/complete/terraform.example.tfvars b/examples/complete/terraform.example.tfvars deleted file mode 100644 index fc9bf57..0000000 --- a/examples/complete/terraform.example.tfvars +++ /dev/null 
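Review bot: The comment `# If is_edge is \`false\`, ignore this config` above `is_create_lambda_bucket = true` contradicts the value under it: the example sets `is_edge = false` and then creates a bucket anyway, so a reader cannot tell which of the two is intended; either set `is_create_lambda_bucket = false` to match the comment, or drop the comment and keep the one-bucket-per-function warning. The trailing comment on `dead_letter_target_arn` says the default is `""`, while the module's input table earlier in this series documents the default as `null`; the comment should say `null` so users do not pass an empty string expecting "unset". The `vpc_config` security-group and subnet IDs and the SNS ARN with an account ID are live-looking identifiers that belong in placeholders, as already noted for the tfvars in PATCH 25.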
@@ -1,51 +0,0 @@ -/* -------------------------------------------------------------------------- */ -/* Generics */ -/* -------------------------------------------------------------------------- */ -generic_info = { - region = "ap-southeast-1", - prefix = "oozou", - environment = "devops", - name = "demo", - custom_tags = { - "Workspace" = "900-oozou-sandbox-terraform" - } -} - -/* -------------------------------------------------------------------------- */ -/* Lambda */ -/* -------------------------------------------------------------------------- */ -# vpc_config = { -# security_group_ids = ["sg-028f637312eea735e"] -# subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"] -# } - -# dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" - -additional_lambda_role_policy_arns = { - allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" -} - -lambda_permission_configurations = { - lambda_on_my_account = { - pricipal = "apigateway.amazonaws.com" - source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/" - } - lambda_on_my_another_account_wrong = { - pricipal = "apigateway.amazonaws.com" - source_arn = "arn:aws:execute-api:ap-southeast-1:224563527112:q6pwa6wgr6/*/*/" - source_account = "557291035112" - } - lambda_on_my_another_account_correct = { - pricipal = "apigateway.amazonaws.com" - source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/" - } -} - -plaintext_params = { - region = "ap-southeast-1" - cluster_name = "oozou-dev-test-schedule-cluster" - nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup" - min = 1, - max = 1, - desired = 1 -} diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index ba7c480..8b13789 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
@@ -1,121 +1 @@ -/* -------------------------------------------------------------------------- */ -/* Generics */ -/* -------------------------------------------------------------------------- */ -variable "generic_info" { - description = "Generic infomation" - type = object({ - region = string - prefix = string - environment = string - name = string - custom_tags = map(any) - }) -} -/* -------------------------------------------------------------------------- */ -/* Lambda */ -/* -------------------------------------------------------------------------- */ -variable "is_edge" { - description = "Whether lambda is lambda@Edge or not" - type = bool - default = false -} - -variable "is_create_lambda_bucket" { - description = "Whether to create lambda bucket or not" - type = bool - default = true -} - -variable "timeout" { - description = "(Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3." - type = number - default = 3 -} - -variable "memory_size" { - description = "(Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128." - type = number - default = 128 -} - -variable "vpc_config" { - description = < Date: Fri, 22 Jul 2022 15:58:40 +0700 Subject: [PATCH 31/35] (update): lambda complete usage --- README.md | 6 +++--- examples/complete/outputs.tf | 1 - examples/complete/variables.tf | 1 - 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9b818cd..875ae9b 100644 --- a/README.md +++ b/README.md 
@@ -37,9 +37,9 @@ module "lambda" { dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # To send failed processing to target, Default is `""` # IAM - is_create_lambda_role = true # Default is `true` - lambda_role_arn = "" - # The policies that you want to attach to IAM Role created by only this module # If `is_create_lambda_role` is `false` + is_create_lambda_role = true # Default is `true` + lambda_role_arn = "" # If `is_create_lambda_role` is `false` + # The policies that you want to attach to IAM Role created by only this module additional_lambda_role_policy_arns = { allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" } diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 8b13789..e69de29 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -1 +0,0 @@ - diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 8b13789..e69de29 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -1 +0,0 @@ - From 2e258ef30719f7f56b7bd3e67ba166e3e7968127 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 16:15:24 +0700 Subject: [PATCH 32/35] (update): README and CHANGELOG --- CHANGELOG.md | 34 +++++++++++++++++++++++++++++++++- README.md | 2 +- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 15bd76e..9f23da6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ All notable changes to this module will be documented in this file. -## [1.0.3] - 2022-07-22 +## [1.1.0] - 2022-07-22 ### Changed 
@@ -13,3 +13,35 @@ All notable changes to this module will be documented in this file. ### Added - Enable Tracing + +## [v1.0.2] - 2022-07-01 + +### Added + +- Add default log retention 90 days, KMS encryption support + +### Fixed + +- Fix kms security issue by @xshot9011 in #9 + +## [v1.0.1] - 2022-06-08 + +### Added + +- Add resource base policy for lambda + +## [v1.0.0] - 2022-05-17 + +### Added + +- Since Lambdas are uploaded via zip files, we generate a zip file from the path specified. +- Upload the zip file containing the build artifacts to S3. +- Allow access to this lambda function from AWS. +- Allow lambda to generate logs. +- Construct a role that AWS services can adopt in order to invoke our function. +- This policy also has the capability to write logs to CloudWatch. +- Create the secret SSM parameters that can be retrieved and decoded by the lambda function. +- Create an IAM policy document granting the ability to read and retrieve SSM parameter values. +- Develop a policy based on the SSM policy paper +- Custom policies to attach to this role + diff --git a/README.md b/README.md index 875ae9b..743da50 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ```terraform module "lambda" { - source = "git@github.com:oozou/terraform-aws-lambda.git?ref=v1.0.2" + source = "git@github.com:oozou/terraform-aws-lambda.git?ref=v1.1.0" prefix = "oozou" environment = "dev" From 2bce9225f9033282b338ed7b0bf0aebde0e758a6 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 16:15:33 +0700 Subject: [PATCH 33/35] (update): README and CHANGELOG --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f23da6..1c49cd8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -44,4 +44,3 @@ All notable changes to this module will be documented in this file. - Create an IAM policy document granting the ability to read and retrieve SSM parameter values. - Develop a policy based on the SSM policy paper - Custom policies to attach to this role - From e376ef4bdd276211b08bdcdd218166c7ac119e19 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Fri, 22 Jul 2022 16:56:57 +0700 Subject: [PATCH 34/35] (update): exmaple format and versioning format --- examples/complete/main.tf | 8 ++++---- examples/complete/terraform.example.tfvars | 6 ++++++ examples/complete/variables.tf | 23 ++++++++++++++++++++++ examples/complete/version.tf | 10 ++++++++++ examples/simple/main.tf | 8 ++++---- examples/simple/terraform.example.tfvars | 6 ++++++ examples/simple/variables.tf | 23 ++++++++++++++++++++++ examples/simple/version.tf | 10 ++++++++++ versions.tf | 2 +- 9 files changed, 87 insertions(+), 9 deletions(-) create mode 100644 examples/complete/terraform.example.tfvars create mode 100644 examples/complete/version.tf create mode 100644 examples/simple/terraform.example.tfvars create mode 100644 examples/simple/version.tf diff --git a/examples/complete/main.tf b/examples/complete/main.tf index bae4975..fad5e14 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -1,9 +1,9 @@ module "lambda" { source = "../../" - prefix = "oozou" - environment = "devops" - name = "demo" + prefix = var.prefix + environment = var.environment + name = var.name is_edge = false # Defautl is `false`, If you want to publish to the edge don't forget to override aws's provider to virgina @@ -72,5 +72,5 @@ module "lambda" { desired = 1 } - tags = { "Workspace" = "900-oozou-sandbox-terraform" } + tags = var.custom_tags } diff --git a/examples/complete/terraform.example.tfvars b/examples/complete/terraform.example.tfvars new file mode 100644 index 0000000..d47f9fc --- /dev/null +++ b/examples/complete/terraform.example.tfvars 
@@ -0,0 +1,6 @@ +prefix = "example" +environment = "devops" +name = "cms" +custom_tags = { + "Remark" = "terraform-aws-lambda-example" +} diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index e69de29..648758a 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -0,0 +1,23 @@ +/* -------------------------------------------------------------------------- */ +/* Generics */ +/* -------------------------------------------------------------------------- */ +variable "prefix" { + description = "The prefix name of customer to be displayed in AWS console and resource" + type = string +} + +variable "environment" { + description = "Environment Variable used as a prefix" + type = string +} + +variable "name" { + description = "Name of the ECS cluster and s3 also redis to create" + type = string +} + +variable "custom_tags" { + description = "Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys" + type = map(any) + default = {} +} diff --git a/examples/complete/version.tf b/examples/complete/version.tf new file mode 100644 index 0000000..97f0cf5 --- /dev/null +++ b/examples/complete/version.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0.0" + } + } +} diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 98305aa..998974d 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -1,9 +1,9 @@ module "lambda" { source = "../../" - prefix = "oozou" - environment = "devops" - name = "demo" + prefix = var.prefix + environment = var.environment + name = var.name source_code_dir = "./src" file_globs = ["index.js"] @@ -41,5 +41,5 @@ module "lambda" { desired = 1 } - tags = { "Workspace" = "900-oozou-sandbox-terraform" } + tags = var.custom_tags } 
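Review bot: The `name` variable added in examples/complete/variables.tf is documented as `Name of the ECS cluster and s3 also redis to create`, which reads as copied from another module; in this example the value only feeds the lambda module's `name` input (`name = var.name` in examples/complete/main.tf), so the description is misleading. Suggest `description = "Name of the lambda function example to create"`. The identical text is repeated in examples/simple/variables.tf in the following hunks, and the README tables added in PATCH 35/35 reproduce these descriptions verbatim, so both variables files should be corrected before the READMEs are regenerated.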
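Review bot: `version = ">= 4.0.0"` in the new examples/complete/version.tf leaves the AWS provider unbounded above, and the diffstat shows no `.terraform.lock.hcl` added for the examples, so `terraform init` will resolve whatever major version is newest at that moment. For a root module such as an example a pessimistic constraint, `version = "~> 4.0"`, prevents silently picking up a future major release with breaking changes, while the library module's own versions.tf can stay at `>= 4.0.0` for its consumers. The same constraint is repeated in examples/simple/version.tf on the next line.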
diff --git a/examples/simple/terraform.example.tfvars b/examples/simple/terraform.example.tfvars
new file mode 100644
index 0000000..d47f9fc
--- /dev/null
+++ b/examples/simple/terraform.example.tfvars
@@ -0,0 +1,6 @@
+prefix = "example"
+environment = "devops"
+name = "cms"
+custom_tags = {
+ "Remark" = "terraform-aws-lambda-example"
+}
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
index e69de29..648758a 100644
--- a/examples/simple/variables.tf
+++ b/examples/simple/variables.tf
@@ -0,0 +1,23 @@
+/* -------------------------------------------------------------------------- */
+/* Generics */
+/* -------------------------------------------------------------------------- */
+variable "prefix" {
+ description = "The prefix name of customer to be displayed in AWS console and resource"
+ type = string
+}
+
+variable "environment" {
+ description = "Environment Variable used as a prefix"
+ type = string
+}
+
+variable "name" {
+ description = "Name of the ECS cluster and s3 also redis to create"
+ type = string
+}
+
+variable "custom_tags" {
+ description = "Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys"
+ type = map(any)
+ default = {}
+}
diff --git a/examples/simple/version.tf b/examples/simple/version.tf
new file mode 100644
index 0000000..97f0cf5
--- /dev/null
+++ b/examples/simple/version.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0.0"
+ }
+ }
+}
diff --git a/versions.tf b/versions.tf
index 76bfc1d..19a5e29 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.00"
+ version = ">= 4.0.0"
 }
 archive = {
 source = "hashicorp/archive"
From ae614b79bf2d5bb456a584bd58523d033078e9c8 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Fri, 22 Jul 2022 17:00:21 +0700
Subject: [PATCH 35/35] (update): README.md for example
---
 examples/complete/README.md | 35 +++++++++++++++++++++++++++++++++++
 examples/simple/README.md | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 examples/complete/README.md
 create mode 100644 examples/simple/README.md
diff --git a/examples/complete/README.md b/examples/complete/README.md
new file mode 100644
index 0000000..324d415
--- /dev/null
+++ b/examples/complete/README.md
@@ -0,0 +1,35 @@
+
+## Requirements
+
+| Name | Version |
+|---------------------------------------------------------------------------|----------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [aws](#requirement\_aws) | >= 4.0.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|--------------------------------------------------------|--------|---------|
+| [lambda](#module\_lambda) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|-----------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|------------|---------|:--------:|
+| [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no |
+| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes |
+| [name](#input\_name) | Name of the ECS cluster and s3 also redis to create | `string` | n/a | yes |
+| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
diff --git a/examples/simple/README.md b/examples/simple/README.md
new file mode 100644
index 0000000..324d415
--- /dev/null
+++ b/examples/simple/README.md
@@ -0,0 +1,35 @@
+
+## Requirements
+
+| Name | Version |
+|---------------------------------------------------------------------------|----------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [aws](#requirement\_aws) | >= 4.0.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|--------------------------------------------------------|--------|---------|
+| [lambda](#module\_lambda) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|-----------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|------------|---------|:--------:|
+| [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no |
+| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes |
+| [name](#input\_name) | Name of the ECS cluster and s3 also redis to create | `string` | n/a | yes |
+| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+