# Create a Lambda function that runs the cyhy-kevsync-lambda code on a schedule.
#
# Prerequisites:
# - A cyhy-kevsync Lambda deployment package stored in an S3 bucket (see the
# kevsync_lambda_s3_bucket and kevsync_lambda_s3_key variables)
# - A valid CyHy configuration stored in the Systems Manager (SSM) Parameter
# Store of the Cyber Hygiene account (see the kevsync_lambda_config_ssm_key
# variable)
# Look up the deployment package object in S3. Referencing its version ID in
# the module below means a newly uploaded package shows up as a diff on the
# next apply and the function is redeployed from that exact object version.
#
# NOTE(review): version_id is only meaningful when the bucket has versioning
# enabled; on an unversioned bucket there is nothing to pin to — confirm the
# bucket named by kevsync_lambda_s3_bucket is versioned.
data "aws_s3_object" "kevsync_lambda" {
  provider = aws.provisionaccount

  key    = var.kevsync_lambda_s3_key
  bucket = var.kevsync_lambda_s3_bucket
}
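# Deploy the kevsync Lambda from the existing S3 package and grant it only what
# this configuration shows it needs: VPC networking (attach_network_policy) and
# read access to the single SSM parameter holding the CyHy configuration.
module "kevsync_lambda" {
  providers = {
    aws = aws.provisionaccount
  }

  source  = "terraform-aws-modules/lambda/aws"
  version = "7.9.0"

  # Only the EventBridge rule created below may invoke this function. Keeping
  # source_arn set matters: a permission for the events.amazonaws.com principal
  # with no source ARN is not limited to this rule.
  allowed_triggers = {
    kevsync = {
      principal  = "events.amazonaws.com"
      source_arn = module.kevsync_eventbridge.eventbridge_rule_arns[var.kevsync_lambda_name]
    }
  }

  # Needed for the function to manage the ENIs it uses inside the VPC.
  attach_network_policy = true
  attach_policy_statements = true

  cloudwatch_logs_retention_in_days = var.kevsync_lambda_cloudwatch_logs_retention_in_days

  # This is necessary to avoid the following error:
  # "InvalidParameterValueException: We currently do not support adding policies
  # for $LATEST." For more, see
  # https://github.com/terraform-aws-modules/terraform-aws-lambda/blob/v7.9.0/README.md#faq
  create_current_version_allowed_triggers = false

  # The package is built and uploaded elsewhere; we only point at it.
  create_package = false

  description = var.kevsync_lambda_description

  # merge() gives later arguments precedence, so a CYHY_CONFIG_SSM_PATH entry in
  # kevsync_lambda_env_variables would silently override the value set here.
  environment_variables = merge({ "CYHY_CONFIG_SSM_PATH" = var.kevsync_lambda_config_ssm_key }, var.kevsync_lambda_env_variables)

  function_name = var.kevsync_lambda_name
  handler       = var.kevsync_lambda_handler

  # Least-privilege read of exactly one parameter. The ARN is built as
  # "parameter" + key, so kevsync_lambda_config_ssm_key must begin with "/".
  #
  # NOTE(review): ssm:GetParameter alone is insufficient if the parameter is a
  # SecureString under a customer-managed KMS key (kms:Decrypt on that key is
  # also required) or if the handler reads a path with GetParametersByPath —
  # confirm against the Lambda code and the parameter's encryption settings.
  policy_statements = {
    ssm_read = {
      effect    = "Allow",
      actions   = ["ssm:GetParameter"],
      resources = ["arn:aws:ssm:${var.aws_region}:${local.cyhy_account_id}:parameter${var.kevsync_lambda_config_ssm_key}"]
    },
  }

  runtime = var.kevsync_lambda_runtime

  # Pin to the specific S3 object version looked up above so an upload of a
  # new package is picked up as a change to the function.
  s3_existing_package = {
    bucket     = var.kevsync_lambda_s3_bucket
    key        = var.kevsync_lambda_s3_key
    version_id = data.aws_s3_object.kevsync_lambda.version_id
  }

  tags    = var.tags
  timeout = var.kevsync_lambda_timeout

  # NOTE(review): the function's ENIs reuse the EC2 instance's security group
  # and therefore inherit every rule in it. A dedicated group allowing only the
  # egress KEV sync needs would be tighter — confirm what the shared group
  # permits before relying on it.
  vpc_security_group_ids = [module.ec2.security_group_id]
  vpc_subnet_ids         = module.subnets.private_subnet_ids
}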
# Run the Lambda once when it is created so the KEV data is loaded into the
# database immediately instead of waiting for the first scheduled run.
#
# NOTE(review): apply blocks on this synchronous call for up to the function's
# timeout, and a later package version updates the function without re-running
# this invocation (the schedule covers that) — confirm both are intended.
resource "aws_lambda_invocation" "kevsync" {
  provider = aws.provisionaccount

  input         = "{}"
  function_name = module.kevsync_lambda.lambda_function_name
}
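# Schedule the Lambda function on the account's default event bus.
module "kevsync_eventbridge" {
  providers = {
    aws = aws.provisionaccount
  }

  source  = "terraform-aws-modules/eventbridge/aws"
  version = "3.11.0"

  # We are using the default bus, so no need to create it here.
  create_bus = false

  # No IAM role is needed to target a Lambda: the invoke permission is the
  # resource-based policy the Lambda module attaches via allowed_triggers.
  create_role = false

  # The rule and target are keyed by the function name so the Lambda module's
  # allowed_triggers can look the rule ARN up by that same name. Expression
  # keys are written with parentheses rather than an interpolation-only string.
  #
  # NOTE(review): nothing here prevents overlapping runs if the schedule is
  # shorter than kevsync_lambda_timeout — confirm the two are compatible.
  rules = {
    (var.kevsync_lambda_name) = {
      description         = format("Executes %s Lambda on a schedule", var.kevsync_lambda_name)
      schedule_expression = var.kevsync_lambda_schedule
    }
  }

  tags = var.tags

  targets = {
    (var.kevsync_lambda_name) = [
      {
        arn  = module.kevsync_lambda.lambda_function_arn
        name = var.kevsync_lambda_name
      }
    ]
  }
}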