Refactor lambda source code (#7)

* (remove): upload code from s3 function

* (fix): ref to non-declare resource

* (add): new idea to manage terraform

* (update): source code to new algo

* (fix): lambda edge variable overflow

* (update): document

* (update): README.md

* (remove): comment path

* (update): change additional policies to map instead of list deu to un-predicted variable

* (update): s3 version to v1.0.4

* (add): local tag to ssm parameter store

* (add): tracing mode enable

* (add): change log

* (fix): set default tracing mode if received from upstream

* (update): order of variables

* (update): CHANGELOG

* (update): README

* chore: add community friendly templates

* (update): CHANGELOG

* (update): .gitignore

* (update): variable name and README

* (update): variable name and README

* (update): README

* (update): variables naming

* (add): complete example

* (update): repo name

* (update): example for simple usage

* (update): example simple

* (update): example simple

* (update): lambda complete usage

* (update): lambda complete usage

* (update): README and CHANGELOG

* (update): README and CHANGELOG

Co-authored-by: Pongsak Sanguanwong <pongsak.sanguanwong@gmail.com>

Author: xshot9011

.gitignore

@@ -24,6 +24,7 @@ crash.*.log
 # to change depending on the environment.
 #
 *.tfvars
+!terraform.*example*.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

.pre-commit-config.yaml

@@ -11,7 +11,7 @@ repos:
         args:
           - "--args=--only=terraform_deprecated_interpolation"
           - "--args=--only=terraform_deprecated_index"
-          # - "--args=--only=terraform_unused_declarations"
+          - "--args=--only=terraform_unused_declarations"
           - "--args=--only=terraform_comment_syntax"
           - "--args=--only=terraform_documented_outputs"
           - "--args=--only=terraform_documented_variables"

CHANGELOG.md

@@ -0,0 +1,46 @@
+# Change Log
+
+All notable changes to this module will be documented in this file.
+
+## [1.1.0] - 2022-07-22
+
+### Changed
+
+- Remove upload code from s3
+  - S3 source code is used for versioning
+- Change `additional_lambda_role_policy_arn` to map from list
+
+### Added
+
+- Enable Tracing
+
+## [v1.0.2] - 2022-07-01
+
+### Added
+
+- Add default log retention 90 days, KMS encryption support
+
+### Fixed
+
+- Fix kms security issue by @xshot9011 in #9
+
+## [v1.0.1] - 2022-06-08
+
+### Added
+
+- Add resource base policy for lambda
+
+## [v1.0.0] - 2022-05-17
+
+### Added 
+
+- Since Lambdas are uploaded via zip files, we generate a zip file from the path specified.
+- Upload the zip file containing the build artifacts to S3.
+- Allow access to this lambda function from AWS.
+- Allow lambda to generate logs.
+- Construct a role that AWS services can adopt in order to invoke our function.
+- This policy also has the capability to write logs to CloudWatch.
+- Create the secret SSM parameters that can be retrieved and decoded by the lambda function.
+- Create an IAM policy document granting the ability to read and retrieve SSM parameter values.
+- Develop a policy based on the SSM policy paper
+- Custom policies to attach to this role

README.md

@@ -0,0 +1,76 @@
+module "lambda" {
+  source = "../../"
+
+  prefix      = "oozou"
+  environment = "devops"
+  name        = "demo"
+
+  is_edge = false # Defautl is `false`, If you want to publish to the edge don't forget to override aws's provider to virgina
+
+  # If is_edge is `false`, ignore this config
+  is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket
+  bucket_name             = ""   # If `is_create_lambda_bucket` is `false`; specified this, default is `""`
+
+  # Source code
+  source_code_dir           = "./src"
+  file_globs                = ["index.js"]
+  compressed_local_file_dir = "./outputs"
+
+  # Lambda Env
+  runtime = "nodejs12.x"
+  handler = "index.handler"
+
+  # Lambda Specification
+  timeout                        = 3
+  memory_size                    = 128
+  reserved_concurrent_executions = -1
+
+  # Optional to connect Lambda to VPC
+  vpc_config = {
+    security_group_ids      = ["sg-028f637312eea735e"]
+    subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"]
+  }
+  dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # To send failed processing to target, Default is `""`
+
+  # IAM
+  is_create_lambda_role = true # Default is `true`
+  lambda_role_arn       = ""   # If `is_create_lambda_role` is `false`
+  # The policies that you want to attach to IAM Role created by only this module                                                   # If `is_create_lambda_role` is `false`
+  additional_lambda_role_policy_arns = {
+    allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+  }
+
+  # Resource policy
+  lambda_permission_configurations = {
+    lambda_on_my_account = {
+      pricipal   = "apigateway.amazonaws.com"
+      source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/"
+    }
+    lambda_on_my_another_account_wrong = {
+      pricipal       = "apigateway.amazonaws.com"
+      source_arn     = "arn:aws:execute-api:ap-southeast-1:224563527112:q6pwa6wgr6/*/*/"
+      source_account = "557291035112"
+    }
+    lambda_on_my_another_account_correct = {
+      pricipal   = "apigateway.amazonaws.com"
+      source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/"
+    }
+  }
+
+  # Logging
+  is_create_cloudwatch_log_group   = true # Default is `true`
+  cloudwatch_log_retention_in_days = 90   # Default is `90`
+
+  # Env
+  ssm_params = {}
+  plaintext_params = {
+    region         = "ap-southeast-1"
+    cluster_name   = "oozou-dev-test-schedule-cluster"
+    nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup"
+    min            = 1,
+    max            = 1,
+    desired        = 1
+  }
+
+  tags = { "Workspace" = "900-oozou-sandbox-terraform" }
+}

examples/complete/main.tf

@@ -0,0 +1,18 @@
+var http = require('http')
+
+exports.handler = (event, context, callback) => {
+  const options = {
+    hostname: event.Host,
+    port: event.Port
+  }
+
+  const response = {};
+
+  http.get(options, (res) => {
+    response.httpStatus = res.statusCode
+    callback(null, response)
+  }).on('error', (err) => {
+    callback(null, err.message);
+  })
+
+};

examples/complete/outputs.tf

@@ -0,0 +1,45 @@
+module "lambda" {
+  source = "../../"
+
+  prefix      = "oozou"
+  environment = "devops"
+  name        = "demo"
+
+  source_code_dir           = "./src"
+  file_globs                = ["index.js"]
+  compressed_local_file_dir = "./outputs"
+
+  runtime = "nodejs12.x"
+  handler = "index.handler"
+
+  additional_lambda_role_policy_arns = {
+    allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+  }
+  lambda_permission_configurations = {
+    lambda_on_my_account = {
+      pricipal   = "apigateway.amazonaws.com"
+      source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/"
+    }
+    lambda_on_my_another_account_wrong = {
+      pricipal       = "apigateway.amazonaws.com"
+      source_arn     = "arn:aws:execute-api:ap-southeast-1:224563527112:q6pwa6wgr6/*/*/"
+      source_account = "557291035112"
+    }
+    lambda_on_my_another_account_correct = {
+      pricipal   = "apigateway.amazonaws.com"
+      source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/"
+    }
+  }
+
+  ssm_params = {}
+  plaintext_params = {
+    region         = "ap-southeast-1"
+    cluster_name   = "oozou-dev-test-schedule-cluster"
+    nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup"
+    min            = 1,
+    max            = 1,
+    desired        = 1
+  }
+
+  tags = { "Workspace" = "900-oozou-sandbox-terraform" }
+}

examples/complete/src/index.js

@@ -0,0 +1,18 @@
+var http = require('http')
+
+exports.handler = (event, context, callback) => {
+  const options = {
+    hostname: event.Host,
+    port: event.Port
+  }
+
+  const response = {};
+
+  http.get(options, (res) => {
+    response.httpStatus = res.statusCode
+    callback(null, response)
+  }).on('error', (err) => {
+    callback(null, err.message);
+  })
+
+};

examples/complete/variables.tf

@@ -4,10 +4,12 @@
 locals {
   name = format("%s-%s-%s", var.prefix, var.environment, var.name)
 
-  lambda_role_arn   = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn
-  bucket_name       = var.is_upload_form_s3 ? var.bucket_name : var.is_create_lambda_bucket ? element(module.s3[*].bucket_name, 0) : var.bucket_name
-  object_key        = var.is_upload_form_s3 ? data.aws_s3_object.this[0].key : aws_s3_object.this[0].id
-  object_version_id = var.is_upload_form_s3 ? data.aws_s3_object.this[0].version_id : aws_s3_object.this[0].version_id
+  lambda_role_arn = var.is_create_lambda_role ? aws_iam_role.this[0].arn : var.lambda_role_arn
+
+  file_name         = var.is_edge ? null : data.archive_file.this.output_path
+  bucket_name       = var.is_edge ? var.is_create_lambda_bucket ? module.s3[0].bucket_name : var.bucket_name : null
+  object_key        = var.is_edge ? aws_s3_object.this[0].id : null
+  object_version_id = var.is_edge ? aws_s3_object.this[0].version_id : null
 
   tags = merge(
     {
@@ -21,20 +23,15 @@ locals {
 locals {
   raise_is_lambda_role_arn_empty = var.is_create_lambda_role == false && var.lambda_role_arn == "" ? file("Variable `lambda_role_arn` is required when `is_create_lambda_role` is false") : "pass"
 
-  raise_bucket_name_empty = var.is_upload_form_s3 && length(var.bucket_name) == 0 ? file("Variable `bucket_name` is required when `is_upload_form_s3` is true") : "pass"
-  raise_file_name_empty   = var.is_upload_form_s3 && length(var.file_name) == 0 ? file("Variable `file_name` is required when `is_upload_form_s3` is true") : "pass"
-
-  raise_compressed_local_file_dir_empty = var.is_upload_form_s3 == false && length(var.compressed_local_file_dir) == 0 ? file("Variable `compressed_local_file_dir` is required when `is_upload_form_s3` is false") : "pass"
-  raise_file_globs_empty                = var.is_upload_form_s3 == false && length(var.file_globs) == 0 ? file("Variable `file_globs` is required when `is_upload_form_s3` is false") : "pass"
+  raise_bucket_name_empty    = var.is_edge && var.is_create_lambda_bucket == false && length(var.bucket_name) == 0 ? file("Variable `bucket_name` is required when `is_create_lambda_bucket` is false") : "pass"
+  raise_local_file_dir_empty = length(var.compressed_local_file_dir) == 0 ? file("Variable `compressed_local_file_dir` is required") : "pass"
+  raise_file_globs_empty     = length(var.file_globs) == 0 ? file("Variable `file_globs` is required") : "pass"
 }
 
 /* -------------------------------------------------------------------------- */
-/*                                     S3                                     */
+/*                                  Zip File                                  */
 /* -------------------------------------------------------------------------- */
-/* -------------------------------- ZIP File -------------------------------- */
-data "archive_file" "zip_file" {
-  count = var.is_upload_form_s3 == false ? 1 : 0
-
+data "archive_file" "this" {
   type        = "zip"
   output_path = format("%s/%s.zip", var.compressed_local_file_dir, local.name)
 
@@ -63,10 +60,13 @@ data "archive_file" "zip_file" {
   }
 }
 
+/* -------------------------------------------------------------------------- */
+/*                                     S3                                     */
+/* -------------------------------------------------------------------------- */
 module "s3" {
-  count = var.is_create_lambda_bucket && var.is_upload_form_s3 == false ? 1 : 0
+  count = var.is_edge && var.is_create_lambda_bucket ? 1 : 0
 
-  source = "git@github.com:oozou/terraform-aws-s3.git?ref=v1.0.2"
+  source = "git@github.com:oozou/terraform-aws-s3.git?ref=v1.0.4"
 
   prefix      = var.prefix
   environment = var.environment
@@ -80,20 +80,13 @@ module "s3" {
   tags = var.tags
 }
 
-data "aws_s3_object" "this" {
-  count = var.is_upload_form_s3 ? 1 : 0
-
-  bucket = local.bucket_name
-  key    = var.file_name
-}
-
 resource "aws_s3_object" "this" {
-  count = var.is_upload_form_s3 == false ? 1 : 0
+  count = var.is_edge && var.is_create_lambda_bucket ? 1 : 0
 
-  bucket = var.is_create_lambda_bucket ? element(module.s3[*].bucket_name, 0) : var.bucket_name
+  bucket = element(module.s3[*].bucket_name, 0)
   key    = format("%s.zip", local.name)
-  source = data.archive_file.zip_file[0].output_path
-  etag   = data.archive_file.zip_file[0].output_md5
+  source = data.archive_file.this.output_path
+  etag   = data.archive_file.this.output_md5
 
   tags = merge(local.tags, { "Name" = format("%s.zip", local.name) })
 }
@@ -102,7 +95,7 @@ resource "aws_s3_object" "this" {
 /*                            Resource Based Policy                           */
 /* -------------------------------------------------------------------------- */
 resource "aws_lambda_permission" "allow_serivce" {
-  for_each = var.lambda_permission_configuration
+  for_each = var.lambda_permission_configurations
 
   statement_id   = format("AllowExecutionFrom-%s", each.key)
   action         = "lambda:InvokeFunction"
@@ -199,7 +192,7 @@ resource "aws_iam_role_policy" "logs_role_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "this" {
-  for_each = var.is_create_lambda_role ? toset(var.additional_lambda_role_policy_arns) : toset([])
+  for_each = var.is_create_lambda_role ? var.additional_lambda_role_policy_arns : {}
 
   role       = aws_iam_role.this[0].name
   policy_arn = each.value
@@ -219,7 +212,7 @@ resource "aws_ssm_parameter" "params" {
   type = "SecureString"
   tier = length(each.value) > 4096 ? "Advanced" : "Standard"
 
-  tags = var.tags
+  tags = local.tags
 }
 
 data "aws_iam_policy_document" "secret_access_policy_doc" {
@@ -261,16 +254,27 @@ resource "aws_lambda_function" "this" {
   function_name = format("%s-function", local.name)
   description   = format("Lambda function: %s", local.name)
 
-  # Read the file from s3
+  # Read source code from s3
   s3_bucket         = local.bucket_name
   s3_key            = local.object_key
   s3_object_version = local.object_version_id
 
+  # Read source code from local
+  filename         = local.file_name
+  source_code_hash = filebase64sha256(data.archive_file.this.output_path)
+
   # Specification
   timeout                        = var.timeout
   memory_size                    = var.memory_size
   reserved_concurrent_executions = var.reserved_concurrent_executions
 
+  # Code Env
+  publish = true # Force public new version
+  runtime = var.runtime
+  handler = var.handler
+
+  role = local.lambda_role_arn
+
   vpc_config {
     security_group_ids = var.vpc_config.security_group_ids
     subnet_ids         = var.vpc_config.subnet_ids_to_associate
@@ -284,17 +288,11 @@ resource "aws_lambda_function" "this" {
     }
   }
 
-  # Code Env
-  publish = true # Force public new version
-  runtime = var.runtime
-  handler = var.handler
-
-  role = local.lambda_role_arn
-
-  lifecycle {
-    ignore_changes = [
-      last_modified,
-    ]
+  dynamic "tracing_config" {
+    for_each = var.tracing_mode == null ? [] : [true]
+    content {
+      mode = var.tracing_mode
+    }
   }
 
   tags = merge(local.tags, { "Name" = format("%s-function", local.name) })