From 66cb9d47a30c257aada1d4ed539122f54f1ecd52 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Mon, 23 May 2022 12:54:02 +0700 Subject: [PATCH 1/9] (add): resource based polciy call by service and account ? --- main.tf | 64 ++++++++++++++++++++++++++++++++++++++++++++++++---- variables.tf | 33 +++++++++++++++++++++++++++ 2 files changed, 93 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 3f84240..44d847a 100644 --- a/main.tf +++ b/main.tf @@ -4,7 +4,8 @@ locals { name = format("%s-%s-%s", var.prefix, var.environment, var.name) - lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn + service_resource_based_policy_count = var.resource_type_to_allow_invoke == "service" ? 1 : 0 + lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn tags = merge( { @@ -59,7 +60,7 @@ module "s3" { prefix = var.prefix environment = var.environment - bucket_name = format("%s-lambda-bucket", var.name) + bucket_name = var.is_edge ? format("%s-lambda-edge-bucket", var.name) : format("%s-lambda-bucket", var.name) force_s3_destroy = true 
@@ -78,6 +79,59 @@ resource "aws_s3_object" "this" { tags = merge(local.tags, { "Name" = format("%s.zip", local.name) }) } +/* -------------------------------------------------------------------------- */ +/* Resource Based Policy */ +/* -------------------------------------------------------------------------- */ +# data "aws_iam_policy_document" "service_caller" { +# count = local.service_resource_based_policy_count + +# statement { +# sid = "AllowInvokeLambdaFunctionFromService" + +# actions = [ +# "lambda:InvokeFunction" +# ] + +# resources = [aws_lambda_function.this.arn] + +# principals { +# type = "AWS" +# identifiers = ["*"] +# } + +# condition { +# test = "StringEquals" +# variable = "kms:ViaService" +# values = var.service_info.aws_service_names +# } + +# condition { +# test = "StringEquals" +# variable = "kms:CallerAccount" +# values = var.service_info.aws_service_principals +# } +# } +# } + + +# data "aws_iam_policy_document" "lambda_policy" { +# source_policy_documents = local.service_resource_based_policy_count == 1 ? [ +# xxxxxxx, data.aws_iam_policy_document.service_caller[0].json] : [ +# xxxxxxx, data.aws_iam_policy_document.account_caller[0].json +# ] +# # override_policy_documents = var.additional_policies +# } + +resource "aws_lambda_permission" "allow_serivce" { + count = local.service_resource_based_policy_count + + statement_id = "AllowExecutionFromService" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.this.function_name + principal = var.service_info.aws_service_principal + source_arn = var.service_info.aws_service_arn +} + /* -------------------------------------------------------------------------- */ /* IAM Role */ /* -------------------------------------------------------------------------- */ 
@@ -93,9 +147,11 @@ data "aws_iam_policy_document" "assume_role_policy_doc" { principals { type = "Service" - identifiers = [ + identifiers = var.is_edge ? [ "edgelambda.amazonaws.com", "lambda.amazonaws.com", + ] : [ + "lambda.amazonaws.com", ] } } @@ -127,7 +183,7 @@ resource "aws_iam_role" "this" { resource "aws_iam_role_policy" "logs_role_policy" { count = var.is_create_lambda_role ? 1 : 0 - name = format("%s-lambda-at-edge-log-access-policy", local.name) + name = var.is_edge ? format("%s-lambda-at-edge-log-access-policy", local.name) : format("%s-lambda-log-access-policy", local.name) role = aws_iam_role.this[0].id policy = data.aws_iam_policy_document.lambda_logs_policy_doc[0].json } diff --git a/variables.tf b/variables.tf index 780811a..886f856 100644 --- a/variables.tf +++ b/variables.tf 
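Review bot: The new `identifiers = var.is_edge ? [...] : ["lambda.amazonaws.com"]` branch in assume_role_policy_doc drops `edgelambda.amazonaws.com` from the trust policy whenever `is_edge` is false, and the variable this patch adds in variables.tf defaults to `false`, so existing consumers that deploy Lambda@Edge with this module lose the replication trust on their next apply unless they add `is_edge = true`. Tightening the default is the right least-privilege direction, but it is a breaking change and deserves a README/CHANGELOG line with that one-line migration. The same default also renames `logs_role_policy` in the `@@ -127,7 +183,7 @@` hunk below; I believe `name` forces replacement on `aws_iam_role_policy`, so non-edge deployments would see the logging policy destroyed and recreated, presumably with a brief gap in log permissions, which is worth stating in the commit message as well.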
@@ -66,6 +66,33 @@ variable "config_file_name" { type = string default = "config.json" } +/* -------------------------------------------------------------------------- */ +/* Resource Based Policy */ +/* -------------------------------------------------------------------------- */ +variable "resource_type_to_allow_invoke" { + description = "Resource to allow to invoke this lambda function" + type = string + validation { + condition = contains(["service", "account"], var.resource_type_to_allow_invoke) + error_message = "Valid values for `resource_type_to_allow_invoke` are `service` and `account`." + } +} + +variable "service_info" { + description = <> The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. + aws_service_arn >> When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. + EOF + type = object({ + aws_service_arn = string + aws_service_principal = string + }) + default = { + aws_service_arn = "" + aws_service_principal = "" + } +} + /* -------------------------------------------------------------------------- */ /* IAM */ /* -------------------------------------------------------------------------- */ @@ -104,6 +131,12 @@ variable "bucket_name" { /* -------------------------------------------------------------------------- */ /* Lambda Function */ /* -------------------------------------------------------------------------- */ +variable "is_edge" { + description = "Whether lambda is lambda@Edge or not" + type = bool + default = false +} + variable "runtime" { description = "The runtime of the lambda function" type = string From ac83ec50a044e74002181ddae21683513c17a52e Mon Sep 17 00:00:00 2001 
From: sedthawut tipkanpirome Date: Mon, 23 May 2022 15:02:34 +0700 Subject: [PATCH 2/9] (add): resource permission restrict to service or account --- README.md | 33 ++++++++++++++++++++++------ main.tf | 61 +++++++++++----------------------------------------- variables.tf | 23 +++----------------- 3 files changed, 41 insertions(+), 76 deletions(-) diff --git a/README.md b/README.md index 4b9a6cb..511664a 100644 --- a/README.md +++ b/README.md @@ -4,11 +4,13 @@ ```terraform module "lambda" { - source = "../" + source = "" - prefix = "sbth" - environment = "dev" - name = "sigv4-request-to-s3" + prefix = "oozou" + environment = "test" + name = "jukkee" + + is_edge = false # Default is `false` # File to read from source_code_dir = "./src" @@ -18,8 +20,8 @@ module "lambda" { local_file_dir = "./outputs" # S3 to upload source code to - is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket - bucket_name = "arn:aws:s3:::nanan" # If `is_create_lambda_bucket` is `false`; specified this, default is `""` + is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket + bucket_name = "" # If `is_create_lambda_bucket` is `false`; specified this, default is `""` # Lambda Config runtime = "nodejs12.x" 
@@ -30,6 +32,23 @@ module "lambda" { lambda_role_arn = "" # If `is_create_lambda_role` is `false` additional_lambda_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"] # The policies that you want to attach to IAM Role created by only this module + # Resource policy + lambda_permission_configuration = { + lambda_on_my_account = { + pricipal = "apigateway.amazonaws.com" + source_arn = "arn:aws:execute-api:ap-southeast-1:557291035693:lk36vflbha/*/*/" + } + lambda_on_my_another_account_wrong = { + pricipal = "apigateway.amazonaws.com" + source_arn = "arn:aws:execute-api:ap-southeast-1:562563527952:q6pwa6wgr6/*/*/" + source_account = "557291035693" # Optional just to restrict the permission + } + lambda_on_my_another_account_correct = { + pricipal = "apigateway.amazonaws.com" + source_arn = "arn:aws:execute-api:ap-southeast-1:562563527952:q6pwa6wgr6/*/*/" + } + } + # Logging is_create_cloudwatch_log_group = true # Default is `true` retention_in_days = 30 # Default is `30` @@ -40,7 +59,7 @@ module "lambda" { "DATABASE_HOST" = "www.google.com" } - tags = { "Workspace" = "pc" } + tags = { "Workspace" = "xxx-yyy-zzz" } } ``` diff --git a/main.tf b/main.tf index 44d847a..87e810f 100644 --- a/main.tf +++ b/main.tf @@ -4,8 +4,7 @@ locals { name = format("%s-%s-%s", var.prefix, var.environment, var.name) - service_resource_based_policy_count = var.resource_type_to_allow_invoke == "service" ? 1 : 0 - lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn + lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn tags = merge( { 
@@ -82,54 +81,18 @@ resource "aws_s3_object" "this" { /* -------------------------------------------------------------------------- */ /* Resource Based Policy */ /* -------------------------------------------------------------------------- */ -# data "aws_iam_policy_document" "service_caller" { -# count = local.service_resource_based_policy_count - -# statement { -# sid = "AllowInvokeLambdaFunctionFromService" - -# actions = [ -# "lambda:InvokeFunction" -# ] - -# resources = [aws_lambda_function.this.arn] - -# principals { -# type = "AWS" -# identifiers = ["*"] -# } - -# condition { -# test = "StringEquals" -# variable = "kms:ViaService" -# values = var.service_info.aws_service_names -# } - -# condition { -# test = "StringEquals" -# variable = "kms:CallerAccount" -# values = var.service_info.aws_service_principals -# } -# } -# } - - -# data "aws_iam_policy_document" "lambda_policy" { -# source_policy_documents = local.service_resource_based_policy_count == 1 ? [ -# xxxxxxx, data.aws_iam_policy_document.service_caller[0].json] : [ -# xxxxxxx, data.aws_iam_policy_document.account_caller[0].json -# ] -# # override_policy_documents = var.additional_policies -# } - resource "aws_lambda_permission" "allow_serivce" { - count = local.service_resource_based_policy_count - - statement_id = "AllowExecutionFromService" - action = "lambda:InvokeFunction" - function_name = aws_lambda_function.this.function_name - principal = var.service_info.aws_service_principal - source_arn = var.service_info.aws_service_arn + for_each = var.lambda_permission_configuration + + statement_id = format("AllowExecutionFrom-%s", each.key) + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.this.function_name + principal = lookup(each.value, "pricipal", null) + source_arn = lookup(each.value, "source_arn", null) + source_account = lookup(each.value, "source_account", null) + # principal_org_id = lookup(each.value, "principal_org_id", "") + # Terraform aws says not support by doc 
support + # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission#principal_org_id } /* -------------------------------------------------------------------------- */ diff --git a/variables.tf b/variables.tf index 886f856..c3363d9 100644 --- a/variables.tf +++ b/variables.tf @@ -69,28 +69,11 @@ variable "config_file_name" { /* -------------------------------------------------------------------------- */ /* Resource Based Policy */ /* -------------------------------------------------------------------------- */ -variable "resource_type_to_allow_invoke" { - description = "Resource to allow to invoke this lambda function" - type = string - validation { - condition = contains(["service", "account"], var.resource_type_to_allow_invoke) - error_message = "Valid values for `resource_type_to_allow_invoke` are `service` and `account`." - } -} - -variable "service_info" { +variable "lambda_permission_configuration" { description = <> The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. - aws_service_arn >> When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. EOF - type = object({ - aws_service_arn = string - aws_service_principal = string - }) - default = { - aws_service_arn = "" - aws_service_principal = "" - } + type = any + default = {} } /* -------------------------------------------------------------------------- */ From 05e903293b0f31825a53991b30fbf1675fbea457 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Mon, 23 May 2022 15:09:56 +0700 Subject: [PATCH 3/9] (update): variable description, terraform usage doc --- README.md | 108 ++++++++++++++++++++++++++------------------------- variables.tf | 27 +++---------- 2 files changed, 61 insertions(+), 74 deletions(-) diff --git a/README.md b/README.md index 511664a..723a48a 100644 
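Review bot: `principal = lookup(each.value, "pricipal", null)` reads a misspelled key, so a caller who writes the attribute by its AWS name (`principal`) gets a null principal and an apply-time provider error instead of the permission they asked for; the README example in this patch carries the same typo, which is the only reason it works. Read it as `principal = each.value.principal` (the attribute is required on aws_lambda_permission, so a missing-attribute error at plan time is the clearer failure) and rename the key in the README entries. Separately, `source_arn` and `source_account` are both optional here; for a service principal such as `apigateway.amazonaws.com` or `s3.amazonaws.com`, omitting both grants that service permission to invoke the function on behalf of any AWS account (the confused-deputy setup), so the module should require at least one of them for service principals, which a `validation` block on `lambda_permission_configuration` in variables.tf can enforce. Also, `statement_id = format("AllowExecutionFrom-%s", each.key)` must match `[a-zA-Z0-9-_]+`, so a map key containing a dot or space fails at apply; a check on the key would surface that earlier.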
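Review bot: `type = any` with `default = {}` on `lambda_permission_configuration` means nothing checks the shape of each entry, and in particular nothing stops a service-principal entry from omitting both `source_arn` and `source_account`, which is the setting that lets any account's resource of that service invoke the function; a `validation` block closes that gap without a type change (the README pins Terraform >= 1.0.0, so `optional()` object attributes are not available). The check below exempts 12-digit account principals, for which `source_arn` does not apply, and reads the entry key by the AWS attribute name `principal`, so it must agree with whichever key main.tf looks up. The `error_message` is kept as a full sentence, which I believe older 1.x releases still require.
```hcl
variable "lambda_permission_configuration" {
  # … unchanged: description …
  type    = any
  default = {}

  validation {
    condition = alltrue([
      for name, cfg in var.lambda_permission_configuration :
      can(regex("^[0-9]{12}$", lookup(cfg, "principal", ""))) || can(cfg.source_arn) || can(cfg.source_account)
    ])
    error_message = "Each lambda_permission_configuration entry with a service principal must set source_arn or source_account; otherwise any resource of that service in any AWS account could invoke the function."
  }
}
```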
--- a/README.md +++ b/README.md 
@@ -67,72 +67,76 @@ module "lambda" { ## Requirements -| Name | Version | -|---------------------------------------------------------------------------|----------| +| Name | Version | +|------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [archive](#requirement\_archive) | 2.2.0 | -| [aws](#requirement\_aws) | >= 4.00 | +| [archive](#requirement\_archive) | 2.2.0 | +| [aws](#requirement\_aws) | >= 4.00 | ## Providers -| Name | Version | -|---------------------------------------------------------------|---------| -| [archive](#provider\_archive) | 2.2.0 | -| [aws](#provider\_aws) | 4.13.0 | +| Name | Version | +|------|---------| +| [archive](#provider\_archive) | 2.2.0 | +| [aws](#provider\_aws) | 4.13.0 | ## Modules -| Name | Source | Version | -|--------------------------------------------|-------------------------------------------|---------| -| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.2 | +| Name | Source | Version | +|------|--------|---------| +| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.2 | ## Resources -| Name | Type | -|----------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.logs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| 
[aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | -| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | -| [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [archive_file.zip_file](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | -| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.logs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| 
[aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.allow_serivce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [archive_file.zip_file](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | +| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs -| Name | Description | Type | Default | Required | 
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------------------|:--------:| -| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | List of policies ARNs to attach to the lambda | `list(string)` | `[]` | no | -| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | -| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | -| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | -| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | n/a | yes | -| [handler](#input\_handler) | Function entrypoint in your code. 
| `string` | `"index.handler"` | no | -| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | -| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | -| [local\_file\_dir](#input\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | n/a | yes | -| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | -| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.

So instead of using env vars like:
`const someEnvValue = process.env.SOME_ENV`

you would have lookups from a config file:
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
Compared to var.ssm\_params, you should use this variable when you have non-secret things that you want very quick access
to during the execution of your lambda function. | `map(string)` | `{}` | no | -| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | -| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no | -| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | -| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | n/a | yes | -| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.

So instead of using env vars like:
`const someEnvValue = process.env.SOME_ENV`

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })`

These params should have names that are unique within an AWS account, so it is a good idea to use a common
prefix in front of the param names, such as:
params = {
COMMON_PREFIX_REGION = "eu-west-1"
COMMON_PREFIX_NAME = "Joeseph Schreibvogel"
}
Compared to var.plaintext\_params, you should use this variable when you have secret data that you don't want written in plaintext in a file
in your lambda .zip file. These params will need to be fetched via a Promise at runtime, so there may be small performance delays. | `map(string)` | `{}` | no | -| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | List of policies ARNs to attach to the lambda | `list(string)` | `[]` | no | +| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | +| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | +| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | +| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | n/a | yes | +| [handler](#input\_handler) | Function entrypoint in your code. 
| `string` | `"index.handler"` | no | +| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | +| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | +| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | +| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | +| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | +| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | +| [local\_file\_dir](#input\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | n/a | yes | +| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | +| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | +| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | +| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no | +| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | +| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | n/a | yes | +| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | ## Outputs -| Name | Description | -|---------------------------------------------------------------------------------------------------|--------------------------------------------------------------| -| [arn](#output\_arn) | Amazon Resource Name (ARN) identifying your Lambda Function. | -| [execution\_role\_arn](#output\_execution\_role\_arn) | n/a | -| [execution\_role\_name](#output\_execution\_role\_name) | n/a | -| [function\_arn](#output\_function\_arn) | n/a | -| [function\_name](#output\_function\_name) | Name of AWS Lambda function | +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | Amazon Resource Name (ARN) identifying your Lambda Function. | +| [execution\_role\_arn](#output\_execution\_role\_arn) | Role arn of lambda | +| [function\_arn](#output\_function\_arn) | function arn | +| [function\_name](#output\_function\_name) | Name of AWS Lambda function | diff --git a/variables.tf b/variables.tf index c3363d9..6c8449c 100644 --- a/variables.tf +++ b/variables.tf @@ -44,18 +44,12 @@ variable "file_globs" { variable "plaintext_params" { description = < Date: Mon, 23 May 2022 15:11:18 +0700 Subject: [PATCH 4/9] (update): table space --- README.md | 112 +++++++++++++++++++++++++++--------------------------- 1 file changed, 56 insertions(+), 56 deletions(-) diff --git a/README.md b/README.md index 723a48a..76f651b 100644 --- a/README.md +++ b/README.md 
@@ -67,76 +67,76 @@ module "lambda" { ## Requirements -| Name | Version | -|------|---------| +| Name | Version | +|---------------------------------------------------------------------------|----------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [archive](#requirement\_archive) | 2.2.0 | -| [aws](#requirement\_aws) | >= 4.00 | +| [archive](#requirement\_archive) | 2.2.0 | +| [aws](#requirement\_aws) | >= 4.00 | ## Providers -| Name | Version | -|------|---------| -| [archive](#provider\_archive) | 2.2.0 | -| [aws](#provider\_aws) | 4.13.0 | +| Name | Version | +|---------------------------------------------------------------|---------| +| [archive](#provider\_archive) | 2.2.0 | +| [aws](#provider\_aws) | 4.13.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.2 | +| Name | Source | Version | +|--------------------------------------------|-------------------------------------------|---------| +| [s3](#module\_s3) | git@github.com:oozou/terraform-aws-s3.git | v1.0.2 | ## Resources -| Name | Type | -|------|------| -| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.logs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| 
[aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | -| [aws_lambda_permission.allow_serivce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | -| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | -| [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [archive_file.zip_file](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | -| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| Name | Type | +|----------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| 
[aws_iam_role_policy.logs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.allow_serivce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [archive_file.zip_file](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | +| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | List of policies ARNs to attach to the lambda | `list(string)` | `[]` | no | -| [bucket\_name](#input\_bucket\_name) | Name of the 
bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | -| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | -| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | -| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | n/a | yes | -| [handler](#input\_handler) | Function entrypoint in your code. | `string` | `"index.handler"` | no | -| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | -| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | -| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | -| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | -| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | -| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | -| [local\_file\_dir](#input\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | n/a | yes | -| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | -| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | -| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | -| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no | -| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | -| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | n/a | yes | -| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | -| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | +| Name | Description | Type | Default | Required | +|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------------------|:--------:| +| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | List of policies ARNs to attach to the lambda | `list(string)` | `[]` | no | +| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | +| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | +| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | +| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | n/a | yes | +| [handler](#input\_handler) | Function entrypoint in your code. 
| `string` | `"index.handler"` | no | +| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | +| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | +| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | +| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | +| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | +| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | +| [local\_file\_dir](#input\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | n/a | yes | +| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | +| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | +| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | +| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no | +| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | +| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | n/a | yes | +| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | ## Outputs -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | Amazon Resource Name (ARN) identifying your Lambda Function. | -| [execution\_role\_arn](#output\_execution\_role\_arn) | Role arn of lambda | -| [function\_arn](#output\_function\_arn) | function arn | -| [function\_name](#output\_function\_name) | Name of AWS Lambda function | +| Name | Description | +|------------------------------------------------------------------------------------------------|--------------------------------------------------------------| +| [arn](#output\_arn) | Amazon Resource Name (ARN) identifying your Lambda Function. | +| [execution\_role\_arn](#output\_execution\_role\_arn) | Role arn of lambda | +| [function\_arn](#output\_function\_arn) | function arn | +| [function\_name](#output\_function\_name) | Name of AWS Lambda function | From 912976225615ab26a42a0e0e543ee6b54acf8eb5 Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Tue, 24 May 2022 11:54:41 +0700 Subject: [PATCH 5/9] (update): cloudwatch log group naming --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 87e810f..2a66886 100644 --- a/main.tf +++ b/main.tf @@ -240,8 +240,8 @@ resource "aws_lambda_function" "this" { resource "aws_cloudwatch_log_group" "this" { count = var.is_create_cloudwatch_log_group ? 1 : 0 - name = format("%s-lambda-log-group", local.name) + name = format("/aws/lambda/%s-function", local.name) retention_in_days = var.retention_in_days - tags = merge(local.tags, { "Name" = format("%s-lambda-log-group", local.name) }) + tags = merge(local.tags, { "Name" = format("/aws/lambda/%s-function", local.name) }) } 
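Review bot: The new group name `/aws/lambda/%s-function` only does its job if it exactly equals `/aws/lambda/<function_name>` of `aws_lambda_function.this`, which this hunk does not show; if the function name is formatted differently, Lambda silently creates its own log group and the `retention_in_days` set here never applies. Since the same format string is repeated in `name` and in the `Name` tag, consider deriving both from one shared local that the function resource also uses for `function_name`, e.g. `name = format("/aws/lambda/%s", local.function_name)` where `local.function_name` is a new local to add. Note also that when `is_edge = true` the replicated function writes to regional groups named `/aws/lambda/<region>.<function_name>` in the regions where it runs, so this single group will not cover them. The `aws_cloudwatch_log_group` block lies fully within the hunk.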
From 69d64b7f3172a738a9b297e0eb2c3708dbc6bdac Mon Sep 17 00:00:00 2001 From: sedthawut tipkanpirome Date: Tue, 24 May 2022 16:49:35 +0700 Subject: [PATCH 6/9] (add): lambda config to vpc, mem, timeout, failed processing target --- README.md | 25 ++++++++++++++++++------- main.tf | 52 +++++++++++++++++++++++++++++++++++++++++++++++++--- variables.tf | 42 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 109 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 76f651b..37c45b3 100644 --- a/README.md +++ b/README.md @@ -4,13 +4,13 @@ ```terraform module "lambda" { - source = "" + source = "../" prefix = "oozou" environment = "test" - name = "jukkee" + name = "resource" - is_edge = false # Default is `false` + is_edge = false # Defautl is `fault`, If you want to publish to the edge don't forget to override aws's provider to virgina # File to read from source_code_dir = "./src" 
@@ -23,14 +23,25 @@ module "lambda" { is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket bucket_name = "" # If `is_create_lambda_bucket` is `false`; specified this, default is `""` - # Lambda Config + # Lambda Env runtime = "nodejs12.x" handler = "index.handler" # Default `"index.handler"` + # Lambda Specification + timeout = 3 # Default is `3` seconds + memory_size = 128 # Default is `128` MB, the more mem size increase, the performance is better + reserved_concurrent_executions = -1 + ## Optional to connect Lambda to VPC + vpc_config = { + security_group_ids = ["sg-028f637312eea735e"] + subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"] + } + dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # To send failed processing to target + # IAM - is_create_lambda_role = true # Default is `true` - lambda_role_arn = "" # If `is_create_lambda_role` is `false` - additional_lambda_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"] # The policies that you want to attach to IAM Role created by only this module + is_create_lambda_role = true # Default is `true` + lambda_role_arn = "" # If `is_create_lambda_role` is `false` + additional_lambda_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", ] # The policies that you want to attach to IAM Role created by only this module # Resource policy lambda_permission_configuration = { diff --git a/main.tf b/main.tf index 2a66886..4cda388 100644 --- a/main.tf +++ b/main.tf 
@@ -134,6 +134,33 @@ data "aws_iam_policy_document" "lambda_logs_policy_doc" { } } +data "aws_iam_policy_document" "lambda_access_vpc" { + count = var.is_create_lambda_role ? 1 : 0 + + # Allow to connect to VPC + statement { + effect = "Allow" + actions = [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ] + resources = ["*"] + } +} + +data "aws_iam_policy_document" "lambda_policy" { + count = var.is_create_lambda_role ? 1 : 0 + + source_policy_documents = [ + data.aws_iam_policy_document.lambda_logs_policy_doc[0].json, + data.aws_iam_policy_document.lambda_access_vpc[0].json + ] +} + resource "aws_iam_role" "this" { count = var.is_create_lambda_role ? 1 : 0 @@ -148,7 +175,7 @@ resource "aws_iam_role_policy" "logs_role_policy" { name = var.is_edge ? format("%s-lambda-at-edge-log-access-policy", local.name) : format("%s-lambda-log-access-policy", local.name) role = aws_iam_role.this[0].id - policy = data.aws_iam_policy_document.lambda_logs_policy_doc[0].json + policy = data.aws_iam_policy_document.lambda_policy[0].json } resource "aws_iam_role_policy_attachment" "this" { 
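Review bot: `lambda_access_vpc` grants `ec2:CreateNetworkInterface`/`ec2:DeleteNetworkInterface` and the describe actions on `resources = ["*"]` to every role the module creates, even when the function is not placed in a VPC; Lambda only needs these when `vpc_config` carries subnets. Gate the document on VPC usage, e.g. `count = var.is_create_lambda_role && length(var.vpc_config.subnet_ids_to_associate) > 0 ? 1 : 0`, and in `lambda_policy` replace the hard `[0]` index with a splat so an absent document does not break the reference: `source_policy_documents = concat([data.aws_iam_policy_document.lambda_logs_policy_doc[0].json], data.aws_iam_policy_document.lambda_access_vpc[*].json)`. The default of `var.vpc_config` is not visible here (the variables.tf hunk below is truncated), so the exact emptiness test may need adjusting. In the second hunk `logs_role_policy` now carries the merged policy while its resource name and the `-log-access-policy` naming still describe logs only; a rename or a comment such as `# Combined execution-role policy: CloudWatch Logs + VPC ENI access` would keep readers from assuming it is logs-only.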
@@ -220,10 +247,29 @@ resource "aws_lambda_function" "this" { s3_object_version = aws_s3_object.this.version_id source_code_hash = filebase64sha256(data.archive_file.zip_file.output_path) - publish = true + # Specification + timeout = var.timeout + memory_size = var.memory_size + reserved_concurrent_executions = var.reserved_concurrent_executions + + vpc_config { + security_group_ids = var.vpc_config.security_group_ids + subnet_ids = var.vpc_config.subnet_ids_to_associate + } + + dynamic "dead_letter_config" { + for_each = var.dead_letter_target_arn == null ? [] : [true] + content { + target_arn = var.dead_letter_target_arn + } + } + + # Code Env + publish = true # Force public new version runtime = var.runtime handler = var.handler - role = local.lambda_role_arn + + role = local.lambda_role_arn lifecycle { ignore_changes = [ diff --git a/variables.tf b/variables.tf index 6c8449c..d7de2d1 100644 --- a/variables.tf +++ b/variables.tf @@ -117,6 +117,48 @@ variable "is_edge" { default = false } +variable "timeout" { + description = "(Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3." + type = number + default = 3 +} + +variable "memory_size" { + description = "(Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128." + type = number + default = 128 +} + +variable "reserved_concurrent_executions" { + description = "(Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency" + type = number + default = -1 +} + +variable "vpc_config" { + description = < Date: Tue, 24 May 2022 16:50:05 +0700 Subject: [PATCH 7/9] (update): README.md --- README.md | 53 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 30 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 37c45b3..3053b87 100644 
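Review bot: `dead_letter_config` is wired up but no permission for the target is added to the module-created role; Lambda checks at create/update time that the execution role can `sqs:SendMessage` or `sns:Publish` on the DLQ ARN, so setting `dead_letter_target_arn` with `is_create_lambda_role = true` will fail unless the caller supplies that permission through `additional_lambda_role_policy_arns`. A conditional policy document next to `lambda_access_vpc`, merged into `lambda_policy.source_policy_documents` via `data.aws_iam_policy_document.lambda_dlq[*].json`, closes the gap; a sketch follows. The new `vpc_config` block is unconditional, which works only if both lists in `var.vpc_config` default to empty (the provider treats empty lists as "no VPC"), but that default is cut off in the variables.tf hunk below, so please confirm. The comment `# Force public new version` presumably means `# Force publishing a new version`, and the `aws_lambda_function.this` block starts and ends outside this hunk.
```hcl
# Allow Lambda to deliver failed asynchronous invocations to the configured DLQ/topic.
data "aws_iam_policy_document" "lambda_dlq" {
  count = var.is_create_lambda_role && var.dead_letter_target_arn != null ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["sns:Publish", "sqs:SendMessage"]
    resources = [var.dead_letter_target_arn]
  }
}
# … unchanged: lambda_policy merges this document alongside logs and VPC access …
```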
--- a/README.md +++ b/README.md 
@@ -113,34 +113,41 @@ module "lambda" { | [aws_ssm_parameter.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [archive_file.zip_file](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | | [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_access_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.lambda_logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.secret_access_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------------------|:--------:| -| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | List of 
policies ARNs to attach to the lambda | `list(string)` | `[]` | no | -| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | -| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | -| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | -| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | n/a | yes | -| [handler](#input\_handler) | Function entrypoint in your code. | `string` | `"index.handler"` | no | -| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | -| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | -| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | -| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | -| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | -| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | -| [local\_file\_dir](#input\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | n/a | yes | -| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | -| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no | -| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes | -| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no | -| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes | -| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | n/a | yes | -| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no | -| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no | +| Name | Description | Type | Default | Required | +|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|:--------:| +| [additional\_lambda\_role\_policy\_arns](#input\_additional\_lambda\_role\_policy\_arns) | List of policies ARNs to attach to the lambda | `list(string)` | `[]` | no | +| [bucket\_name](#input\_bucket\_name) | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no | +| [config\_file\_name](#input\_config\_file\_name) | The name of the file var.plaintext\_params will be written to as json | `string` | `"config.json"` | no | +| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. 
| `string` | `null` | no | +| [environment](#input\_environment) | Environment Variable used as a prefix | `string` | n/a | yes | +| [file\_globs](#input\_file\_globs) | list of files or globs that you want included from the source\_code\_dir | `list(string)` | n/a | yes | +| [handler](#input\_handler) | Function entrypoint in your code. | `string` | `"index.handler"` | no | +| [is\_create\_cloudwatch\_log\_group](#input\_is\_create\_cloudwatch\_log\_group) | Whether to create cloudwatch log group or not | `bool` | `true` | no | +| [is\_create\_lambda\_bucket](#input\_is\_create\_lambda\_bucket) | Whether to create lambda bucket or not | `bool` | `false` | no | +| [is\_create\_lambda\_role](#input\_is\_create\_lambda\_role) | Whether to create lamda role or not | `bool` | `true` | no | +| [is\_edge](#input\_is\_edge) | Whether lambda is lambda@Edge or not | `bool` | `false` | no | +| [lambda\_permission\_configuration](#input\_lambda\_permission\_configuration) | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
source\_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from
source\_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. | `any` | `{}` | no | +| [lambda\_role\_arn](#input\_lambda\_role\_arn) | The arn of role that already created by something to asso with lambda | `string` | `""` | no | +| [local\_file\_dir](#input\_local\_file\_dir) | A path to the directory to store plan time generated local files | `string` | n/a | yes | +| [memory\_size](#input\_memory\_size) | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | `number` | `128` | no | +| [name](#input\_name) | Name of the ECS cluster to create | `string` | n/a | yes | +| [plaintext\_params](#input\_plaintext\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file.
! PLAINTEXT
const config = JSON.parse(readFileSync('./config.json'))
const someConfigValue = config.SomeKey
| `map(string)` | `{}` | no |
+| [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes |
+| [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | `number` | `-1` | no |
+| [retention\_in\_days](#input\_retention\_in\_days) | Retention day for cloudwatch log group | `number` | `30` | no |
+| [runtime](#input\_runtime) | The runtime of the lambda function | `string` | n/a | yes |
+| [source\_code\_dir](#input\_source\_code\_dir) | An absolute path to the directory containing the code to upload to lambda | `string` | n/a | yes |
+| [ssm\_params](#input\_ssm\_params) | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params.
! SECRET

you would have lookups in SSM, like:
`const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true })` | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}` | no |
+| [timeout](#input\_timeout) | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no |
+| [vpc\_config](#input\_vpc\_config) | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC.
When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings.

security\_group\_ids - (Required) List of security group IDs associated with the Lambda function.
subnet\_ids\_to\_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({
security_group_ids = list(string)
subnet_ids_to_associate = list(string)
})
|
{
"security_group_ids": [],
"subnet_ids_to_associate": []
}
| no |
## Outputs
From d04428b380d5bdf8cc5272503c20958b5ab4cd50 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Tue, 24 May 2022 17:15:48 +0700
Subject: [PATCH 8/9] (update): README.md
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 3053b87..72d8d1b 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ module "lambda" {
 environment = "test"
 name = "resource"
- is_edge = false # Defautl is `fault`, If you want to publish to the edge don't forget to override aws's provider to virgina
+ is_edge = false # Default is "false." If you want to publish to the edge, don't forget to change AWS's provider to Virginia.
 # File to read from
 source_code_dir = "./src"
@@ -29,14 +29,14 @@ module "lambda" {
 # Lambda Specification
 timeout = 3 # Default is `3` seconds
- memory_size = 128 # Default is `128` MB, the more mem size increase, the performance is better
+ memory_size = 128 # Default is `128` MB. as memory size increases, performance improves.
 reserved_concurrent_executions = -1
 ## Optional to connect Lambda to VPC
 vpc_config = {
 security_group_ids = ["sg-028f637312eea735e"]
 subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"]
 }
- dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # To send failed processing to target
+ dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # Default is `null`; to send failed processing to target
 # IAM
 is_create_lambda_role = true # Default is `true`
From 1191430d41a66b84b939169858fbd79a7c1df096 Mon Sep 17 00:00:00 2001
From: sedthawut tipkanpirome
Date: Wed, 25 May 2022 15:58:08 +0700
Subject: [PATCH 9/9] (fix): comment in org_id
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 4cda388..763509a 100644
--- a/main.tf
+++ b/main.tf
@@ -90,9 +90,9 @@ resource "aws_lambda_permission" "allow_serivce" {
 principal = lookup(each.value, "pricipal", null)
 source_arn = lookup(each.value, "source_arn", null)
 source_account = lookup(each.value, "source_account", null)
- # principal_org_id = lookup(each.value, "principal_org_id", "")
- # Terraform aws says not support by doc support
+ # TODO Terraform aws says not support but doc support
+ # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission#principal_org_id
+ # principal_org_id = lookup(each.value, "principal_org_id", "")
}
/* -------------------------------------------------------------------------- */
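Review bot: The lookup key on the first context line of this hunk is misspelled, `principal = lookup(each.value, "pricipal", null)`, so the `principal` key that the README documents for `lambda_permission_configuration` is never read and every permission is built with `principal = null`, which the provider should reject because the argument is required; the line should read `principal = lookup(each.value, "principal", null)`, and the commit that touches the neighbouring comment lines does not fix it. The same block leaves `source_arn` and `source_account` both optional with no guard, so a caller who passes a service principal such as `s3.amazonaws.com` and omits both grants any resource of that service in any AWS account the right to invoke this function (the confused-deputy case the README hints at in "Without this, any resource from"); a `validation` block on the variable, or at least a comment above these lines such as `# A service principal with neither source_arn nor source_account is invokable from every AWS account — always scope it`, would make that explicit. The `for_each` and the opening of `resource "aws_lambda_permission" "allow_serivce"` are outside the hunk, and renaming the resource to fix the `serivce` typo would need a `moved` block or state move, so that is a separate change.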