diff --git a/README.md b/README.md index 1bc1055..4bc9e8d 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,8 @@ module "rdscheck-check" { lambda_rate = "rate(30 minutes)" release_version = "v0.0.1" command = "check" + subnet_ids = ["subnet-12345,subnet-6789"] + security_group_ids = ["sg-1234,sg-5678"] lambda_env_vars { variables = { S3_BUCKET = "s3-bucket-with-yaml-file" diff --git a/terraform/terraform.tf b/terraform/terraform.tf index cb7a1d9..d57a448 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf @@ -37,7 +37,8 @@ data "archive_file" "lambda_code" { depends_on = ["null_resource.get_release"] } -resource "aws_lambda_function" "rdscheck_lambda" { +resource "aws_lambda_function" "rdscheck_lambda_copy" { + count = "${var.command != "check" ? 1 : 0}" filename = "${data.archive_file.lambda_code.output_path}" function_name = "${var.command}-rdscheck" role = "${aws_iam_role.rdscheck_iam_role.arn}" @@ -49,6 +50,23 @@ resource "aws_lambda_function" "rdscheck_lambda" { environment = ["${slice(list(var.lambda_env_vars), 0, length(var.lambda_env_vars) == 0 ? 0 : 1)}"] } +resource "aws_lambda_function" "rdscheck_lambda_check" { + count = "${var.command != "copy" ? 1 : 0}" + filename = "${data.archive_file.lambda_code.output_path}" + function_name = "${var.command}-rdscheck" + role = "${aws_iam_role.rdscheck_iam_role.arn}" + handler = "main" + source_code_hash = "${data.archive_file.lambda_code.output_base64sha256}" + runtime = "go1.x" + memory_size = 128 + timeout = 120 + environment = ["${slice(list(var.lambda_env_vars), 0, length(var.lambda_env_vars) == 0 ? 0 : 1)}"] + vpc_config { + subnet_ids = ["${var.subnet_ids}"] + security_group_ids = ["${var.security_group_ids}"] + } +} + data "aws_iam_policy" "AWSLambdaVPCAccessExecutionRole" { count = "${var.command != "copy" ? 1 : 0}" arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" @@ -93,15 +111,32 @@ resource "aws_cloudwatch_event_rule" "rdscheck_rule" { is_enabled = true } -resource "aws_cloudwatch_event_target" "rdscheck_target" { - rule = "${aws_cloudwatch_event_rule.rdscheck_rule.name}" - arn = "${aws_lambda_function.rdscheck_lambda.arn}" +resource "aws_cloudwatch_event_target" "rdscheck_target_check" { + count = "${var.command != "copy" ? 1 : 0}" + rule = "${aws_cloudwatch_event_rule.rdscheck_rule.name}" + arn = "${aws_lambda_function.rdscheck_lambda_check.arn}" } -resource "aws_lambda_permission" "allow_cloudwatch_to_call_rdscheck" { +resource "aws_cloudwatch_event_target" "rdscheck_target_copy" { + count = "${var.command != "check" ? 1 : 0}" + rule = "${aws_cloudwatch_event_rule.rdscheck_rule.name}" + arn = "${aws_lambda_function.rdscheck_lambda_copy.arn}" +} + +resource "aws_lambda_permission" "allow_cloudwatch_to_call_rdscheck_check" { + count = "${var.command != "copy" ? 1 : 0}" + statement_id = "AllowExecutionFromCloudWatch" + action = "lambda:InvokeFunction" + function_name = "${aws_lambda_function.rdscheck_lambda_check.function_name}" + principal = "events.amazonaws.com" + source_arn = "${aws_cloudwatch_event_rule.rdscheck_rule.arn}" +} + +resource "aws_lambda_permission" "allow_cloudwatch_to_call_rdscheck_copy" { + count = "${var.command != "check" ? 1 : 0}" statement_id = "AllowExecutionFromCloudWatch" action = "lambda:InvokeFunction" - function_name = "${aws_lambda_function.rdscheck_lambda.function_name}" + function_name = "${aws_lambda_function.rdscheck_lambda_copy.function_name}" principal = "events.amazonaws.com" source_arn = "${aws_cloudwatch_event_rule.rdscheck_rule.arn}" } @@ -118,3 +153,13 @@ variable "lambda_env_vars" { type = "map" default = {} } + +variable "security_group_ids" { + type = "list" + default = [] +} + +variable "subnet_ids" { + type = "list" + default = [] +}