Skip to content

Commit

Permalink
Deploy Lambda with Terraform
Browse files Browse the repository at this point in the history
Includes IAM permissions, X-Ray, function URL and records the environment deployment in GitHub.

For VEGA-1942 #minor
  • Loading branch information
gregtyler committed Oct 9, 2023
1 parent d0a8a6f commit 81a2d17
Show file tree
Hide file tree
Showing 19 changed files with 373 additions and 21 deletions.
22 changes: 11 additions & 11 deletions .github/workflows/env-deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,9 @@ on:
jobs:
terraform_environment_workflow:
runs-on: ubuntu-latest
# environment:
# name: ${{ inputs.workspace_name }} popup environment
# url: ${{ steps.terraform_outputs.outputs.url }}
environment:
name: ${{ inputs.workspace_name }} popup environment
url: ${{ steps.terraform_outputs.outputs.url }}
steps:
- uses: actions/checkout@v4
with:
Expand Down Expand Up @@ -73,11 +73,11 @@ jobs:
terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30
working-directory: ./terraform/environment

# - name: Terraform Outputs
# id: terraform_outputs
# env:
# TF_WORKSPACE: ${{ inputs.workspace_name }}
# TF_VAR_app_version: ${{ inputs.version_tag }}
# run: |
# echo "url=$(terraform output -raw app_fqdn)" >> $GITHUB_OUTPUT
# working-directory: ./terraform/environment
- name: Terraform Outputs
id: terraform_outputs
env:
TF_WORKSPACE: ${{ inputs.workspace_name }}
TF_VAR_app_version: ${{ inputs.version_tag }}
run: |
echo "url=$(terraform output -raw lambda_url)" >> $GITHUB_OUTPUT
working-directory: ./terraform/environment
2 changes: 1 addition & 1 deletion .github/workflows/workflow-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ jobs:

deploy-pr-env:
name: Deploy PR Environment
needs: [build, generate-environment-workspace-name]
needs: [build, generate-tags, generate-environment-workspace-name]
uses: ./.github/workflows/env-deploy.yml
with:
workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
Expand Down
8 changes: 3 additions & 5 deletions lambda/create/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package main

import (
"encoding/json"
"log"
"os"
"time"

Expand Down Expand Up @@ -30,10 +29,9 @@ type Lambda struct {
logger Logger
}

func (l *Lambda) HandleEvent(event events.APIGatewayProxyRequest) (events.APIGatewayProxyResponse, error) {
func (l *Lambda) HandleEvent(event events.LambdaFunctionURLRequest) (events.LambdaFunctionURLResponse, error) {
var data shared.Case
log.Print(event)
response := events.APIGatewayProxyResponse{
response := events.LambdaFunctionURLResponse{
StatusCode: 500,
Body: "{\"code\":\"INTERNAL_SERVER_ERROR\",\"detail\":\"Internal server error\"}",
}
Expand Down Expand Up @@ -94,7 +92,7 @@ func main() {

l := &Lambda{
ddb: dynamodb.New(sess),
tableName: "deeds",
tableName: os.Getenv("DDB_TABLE_NAME_DEEDS"),
logger: logging.New(os.Stdout, "opg-data-lpa-deed"),
}

Expand Down
4 changes: 2 additions & 2 deletions lambda/shared/problem.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ var ProblemInvalidRequest Problem = Problem{
Detail: "Invalid request",
}

func (problem Problem) Respond() (events.APIGatewayProxyResponse, error) {
func (problem Problem) Respond() (events.LambdaFunctionURLResponse, error) {
var errorString = ""
for _, ve := range problem.Errors {
errorString += fmt.Sprintf("%s %s, ", ve.Source, ve.Detail)
Expand All @@ -64,7 +64,7 @@ func (problem Problem) Respond() (events.APIGatewayProxyResponse, error) {
body = []byte("{\"code\":\"INTERNAL_SERVER_ERROR\",\"detail\":\"Internal server error\"}")
}

return events.APIGatewayProxyResponse{
return events.LambdaFunctionURLResponse{
StatusCode: code,
Body: string(body),
}, nil
Expand Down
3 changes: 2 additions & 1 deletion terraform/environment/dynamodb.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@ resource "aws_dynamodb_table" "deeds_table" {
name = "deeds-${local.environment_name}"
billing_mode = "PAY_PER_REQUEST"
deletion_protection_enabled = local.environment.is_production
stream_enabled = false
stream_enabled = true
stream_view_type = "NEW_AND_OLD_IMAGES"
hash_key = "uid"

server_side_encryption {
Expand Down
4 changes: 4 additions & 0 deletions terraform/environment/outputs.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
output "lambda_url" {
description = "Public URL of 'create' Lambda function"
value = module.eu_west_1.lambda_url
}
72 changes: 72 additions & 0 deletions terraform/environment/region/kms.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
resource "aws_kms_key" "cloudwatch" {
description = "CloudWatch ${terraform.workspace} ${data.aws_region.current.name}"
deletion_window_in_days = 10
policy = data.aws_iam_policy_document.cloudwatch_kms.json
enable_key_rotation = true

provider = aws.region
}

resource "aws_kms_alias" "cloudwatch_standard_alias" {
name = "alias/cloudwatch-${var.environment_name}"
target_key_id = aws_kms_key.cloudwatch.key_id

provider = aws.region
}

data "aws_iam_policy_document" "cloudwatch_kms" {
statement {
sid = "Enable Root account permissions on Key"
effect = "Allow"
actions = ["kms:*"]
resources = ["*"]
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
]
}
}
statement {
sid = "Allow Key to be used for Encryption"
effect = "Allow"
resources = ["*"]
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
]
principals {
type = "Service"
identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
}
}
statement {
sid = "Key Administrator"
effect = "Allow"
resources = ["*"]
actions = [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
]

principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/breakglass"]
}
}
}
51 changes: 51 additions & 0 deletions terraform/environment/region/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
locals {
functions = toset([
"create",
# "get",
# "update",
])
}

module "lambda" {
for_each = local.functions
source = "../../modules/lambda"

environment_name = var.environment_name
lambda_name = each.key
ecr_image_uri = "${data.aws_ecr_repository.lambda[each.key].repository_url}:${var.app_version}"
cloudwatch_kms_key_id = aws_kms_key.cloudwatch.arn

environment_variables = {
DDB_TABLE_NAME_DEEDS = var.dynamodb_name
}

providers = {
aws = aws.region
}
}

data "aws_ecr_repository" "lambda" {
for_each = local.functions
name = "lpa-store/lambda/api-${each.key}"
provider = aws.management
}

resource "aws_iam_role_policy" "lambda" {
for_each = local.functions
name = "lambda"
role = module.lambda[each.key].iam_role_id
policy = data.aws_iam_policy_document.lambda_access_ddb.json
provider = aws.region
}

data "aws_iam_policy_document" "lambda_access_ddb" {
statement {
sid = "allowDynamoDB"
effect = "Allow"
resources = [var.dynamodb_arn]
actions = [
"dynamodb:PutItem",
"dynamodb:GetItem",
]
}
}
4 changes: 4 additions & 0 deletions terraform/environment/region/outputs.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
output "lambda_url" {
description = "Public URL of 'create' Lambda function"
value = module.lambda["create"].function_url
}
25 changes: 25 additions & 0 deletions terraform/environment/region/terraform.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
terraform {
required_version = ">= 1.4.0"

required_providers {
aws = {
source = "hashicorp/aws"
configuration_aliases = [
aws.region,
aws.management,
]
}
}
}

data "aws_region" "current" {
provider = aws.region
}

data "aws_caller_identity" "current" {
provider = aws.region
}

data "aws_default_tags" "current" {
provider = aws.region
}
19 changes: 19 additions & 0 deletions terraform/environment/region/variables.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
variable "environment_name" {
description = "The name of the environment the region is deployed to"
type = string
}

variable "app_version" {
description = "Version of application to deploy"
type = string
}

variable "dynamodb_arn" {
description = "ARN of DynamoDB table"
type = string
}

variable "dynamodb_name" {
description = "Name of DynamoDB table"
type = string
}
27 changes: 27 additions & 0 deletions terraform/environment/regions.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
module "eu_west_1" {
source = "./region"

app_version = var.app_version
dynamodb_arn = aws_dynamodb_table.deeds_table.arn
dynamodb_name = aws_dynamodb_table.deeds_table.name
environment_name = local.environment_name

providers = {
aws.region = aws.eu_west_1
aws.management = aws.management_eu_west_1
}
}

module "eu_west_2" {
source = "./region"

app_version = var.app_version
dynamodb_arn = aws_dynamodb_table_replica.deeds_table.arn
dynamodb_name = aws_dynamodb_table.deeds_table.name
environment_name = local.environment_name

providers = {
aws.region = aws.eu_west_2
aws.management = aws.management_eu_west_2
}
}
16 changes: 15 additions & 1 deletion terraform/environment/terraform.tf
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ provider "aws" {
}

provider "aws" {
alias = "management"
alias = "management_eu_west_1"
region = "eu-west-1"

assume_role {
Expand All @@ -72,3 +72,17 @@ provider "aws" {
tags = local.default_tags
}
}

provider "aws" {
alias = "management_eu_west_2"
region = "eu-west-2"

assume_role {
role_arn = "arn:aws:iam::311462405659:role/${var.management_role}"
session_name = "terraform-session"
}

default_tags {
tags = local.default_tags
}
}
6 changes: 6 additions & 0 deletions terraform/environment/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -39,3 +39,9 @@ variable "management_role" {
type = string
default = "lpa-store-ci"
}

variable "app_version" {
description = "Version of application to deploy"
type = string
default = "latest"
}
Loading

0 comments on commit 81a2d17

Please sign in to comment.