Merge pull request #1 from SPHTech-Platform/feature/support-for-vpc-subnet-ids

niroz89 · web-flow · commit 67f56ba67bd0 · 2023-04-13T14:43:59.000+08:00
Add support for vpc_subnet_ids and vpc_security_group_ids
diff --git a/LICENSE b/LICENSE
@@ -19,4 +19,4 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
-Footer
+Footer
diff --git a/README.md b/README.md
@@ -8,14 +8,15 @@ Terraform module for creating the lambda and the github actions IAM Role deploye
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_archive"></a> [archive](#requirement\_archive) | ~> 1.3 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.27 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_archive"></a> [archive](#provider\_archive) | 2.3.0 |
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.58.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.62.0 |
 
 ## Modules
 
@@ -42,23 +43,35 @@ Terraform module for creating the lambda and the github actions IAM Role deploye
 |------|-------------|------|---------|:--------:|
 | <a name="input_addition_lambda_policy"></a> [addition\_lambda\_policy](#input\_addition\_lambda\_policy) | List of additional policies for the lambda execution | `list(string)` | `[]` | no |
 | <a name="input_additional_deployer_role"></a> [additional\_deployer\_role](#input\_additional\_deployer\_role) | (Optional) Additional Deployer Policy Role | `list(any)` | `[]` | no |
+| <a name="input_additional_lambda_policy_statements"></a> [additional\_lambda\_policy\_statements](#input\_additional\_lambda\_policy\_statements) | Additional Inline Lambda Policy Statements | `any` | `{}` | no |
 | <a name="input_allowed_triggers"></a> [allowed\_triggers](#input\_allowed\_triggers) | Map of allowed triggers to create Lambda permissions | `map(any)` | `{}` | no |
 | <a name="input_app_metadata"></a> [app\_metadata](#input\_app\_metadata) | Application component prefix, name used to generate resource names | <pre>object({<br>    prefix = string<br>    name   = string<br>    env    = string<br>  })</pre> | n/a | yes |
+| <a name="input_attach_network_policy"></a> [attach\_network\_policy](#input\_attach\_network\_policy) | Flag to attach network policy to use VPC subnet and security group | `bool` | `true` | no |
 | <a name="input_authorization_type"></a> [authorization\_type](#input\_authorization\_type) | The type of authentication that the Lambda Function URL uses. Set to 'AWS\_IAM' to restrict access to authenticated IAM users only. Set to 'NONE' to bypass IAM authentication and create a public endpoint. | `string` | `"AWS_IAM"` | no |
 | <a name="input_cors"></a> [cors](#input\_cors) | CORS settings to be used by the Lambda Function URL | `any` | `{}` | no |
 | <a name="input_create_gha_deployer"></a> [create\_gha\_deployer](#input\_create\_gha\_deployer) | Flag for creating Github Actions Deployer deployer | `bool` | `true` | no |
 | <a name="input_function_description"></a> [function\_description](#input\_function\_description) | Lambda Function Description | `string` | `""` | no |
 | <a name="input_function_index_handler"></a> [function\_index\_handler](#input\_function\_index\_handler) | Lambda Function Index Handler | `string` | `"index.handler"` | no |
-| <a name="input_function_name"></a> [function\_name](#input\_function\_name) | Lambda Function Name | `string` | `""` | no |
+| <a name="input_function_name"></a> [function\_name](#input\_function\_name) | Lambda Function Name | `string` | n/a | yes |
 | <a name="input_function_prefix"></a> [function\_prefix](#input\_function\_prefix) | Prefix for the IAM role for lambda functions | `string` | `""` | no |
 | <a name="input_github_branches"></a> [github\_branches](#input\_github\_branches) | List of github branches allowed for oidc subject claims. | `list(string)` | `[]` | no |
 | <a name="input_github_environments"></a> [github\_environments](#input\_github\_environments) | (Optional) Allow GitHub action to deploy to all (default) or to one of the environments in the list. | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_github_repo"></a> [github\_repo](#input\_github\_repo) | GitHub repository to grant access to assume a role via OIDC. | `string` | n/a | yes |
 | <a name="input_lambda_environment_variables"></a> [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | A map that defines environment variables for the Lambda Function. | `map(string)` | `{}` | no |
 | <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | Lambda Function runtime | `string` | `"nodejs18.x"` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | (Optional) role name of the created role, if not provided the github\_repo will be used to generate. | `string` | `null` | no |
+| <a name="input_vpc_security_group_ids"></a> [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | Listof Security Groups | `list(string)` | n/a | yes |
+| <a name="input_vpc_subnet_ids"></a> [vpc\_subnet\_ids](#input\_vpc\_subnet\_ids) | List of Subnet Ids | `list(string)` | n/a | yes |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_lambda_cloudwatch_log_group_arn"></a> [lambda\_cloudwatch\_log\_group\_arn](#output\_lambda\_cloudwatch\_log\_group\_arn) | Lambda Cloudwatch Log group |
+| <a name="output_lambda_cloudwatch_log_group_name"></a> [lambda\_cloudwatch\_log\_group\_name](#output\_lambda\_cloudwatch\_log\_group\_name) | Lambda Cloudwatch Log group |
+| <a name="output_lambda_function_arn"></a> [lambda\_function\_arn](#output\_lambda\_function\_arn) | Lambda Function ARN |
+| <a name="output_lambda_function_name"></a> [lambda\_function\_name](#output\_lambda\_function\_name) | Lambda Function Name |
+| <a name="output_lambda_role_arn"></a> [lambda\_role\_arn](#output\_lambda\_role\_arn) | ARN of the IAM role created for the Lambda Function |
+| <a name="output_lambda_role_name"></a> [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function |
+| <a name="output_lambda_role_unique_id"></a> [lambda\_role\_unique\_id](#output\_lambda\_role\_unique\_id) | The unique id of the IAM role created for the Lambda Function |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/gha_deployer.tf b/gha_deployer.tf
@@ -28,7 +28,7 @@ module "github_actions_repo" {
   default_conditions          = ["allow_environment", "allow_main"]
   github_environments         = var.github_environments
 
-  conditions = (var.github_branches != []) ? [
+  conditions = (length(var.github_branches) > 0) ? [
     {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
diff --git a/main.tf b/main.tf
@@ -11,20 +11,26 @@ module "lambda" {
   source  = "terraform-aws-modules/lambda/aws"
   version = "~> 4.10.1"
 
-  function_name              = var.function_name
-  description                = var.function_description
-  role_name                  = "${var.function_name}-role"
-  handler                    = var.function_index_handler
-  runtime                    = var.lambda_runtime
-  create_package             = false
-  environment_variables      = var.lambda_environment_variables
-  allowed_triggers           = var.allowed_triggers
-  create_lambda_function_url = true
-  authorization_type         = var.authorization_type
-  cors                       = var.cors
-  attach_policy_jsons        = true
-  ignore_source_code_hash    = true
+  function_name                           = var.function_name
+  description                             = var.function_description
+  role_name                               = "${var.function_name}-role"
+  handler                                 = var.function_index_handler
+  runtime                                 = var.lambda_runtime
+  create_package                          = false
+  environment_variables                   = var.lambda_environment_variables
+  allowed_triggers                        = var.allowed_triggers
+  create_lambda_function_url              = true
+  create_current_version_allowed_triggers = false
+  authorization_type                      = var.authorization_type
+  cors                                    = var.cors
+  attach_policy_jsons                     = true
+  ignore_source_code_hash                 = true
   # dummy package, package is delegated to CI pipeline
   local_existing_package = data.archive_file.dummy.output_path
   policy_jsons           = var.addition_lambda_policy
+  policy_statements      = var.additional_lambda_policy_statements
+
+  vpc_subnet_ids         = var.vpc_subnet_ids
+  vpc_security_group_ids = var.vpc_security_group_ids
+  attach_network_policy  = var.attach_network_policy
 }
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,36 @@
+output "lambda_function_arn" {
+  description = "Lambda Function ARN"
+  value       = module.lambda.lambda_function_arn
+}
+
+output "lambda_function_name" {
+  description = "Lambda Function Name"
+  value       = module.lambda.lambda_function_name
+}
+
+# Cloudwatch Log Group
+output "lambda_cloudwatch_log_group_arn" {
+  description = "Lambda Cloudwatch Log group"
+  value       = module.lambda.lambda_cloudwatch_log_group_arn
+}
+
+output "lambda_cloudwatch_log_group_name" {
+  description = "Lambda Cloudwatch Log group"
+  value       = module.lambda.lambda_cloudwatch_log_group_name
+}
+
+# IAM Role
+output "lambda_role_arn" {
+  description = "ARN of the IAM role created for the Lambda Function"
+  value       = module.lambda.lambda_role_arn
+}
+
+output "lambda_role_name" {
+  description = "The name of the IAM role created for the Lambda Function"
+  value       = module.lambda.lambda_role_name
+}
+
+output "lambda_role_unique_id" {
+  description = "The unique id of the IAM role created for the Lambda Function"
+  value       = module.lambda.lambda_role_unique_id
+}
diff --git a/variables.tf b/variables.tf
@@ -15,7 +15,6 @@ variable "app_metadata" {
 variable "function_name" {
   description = "Lambda Function Name"
   type        = string
-  default     = ""
 }
 
 variable "function_description" {
@@ -104,3 +103,25 @@ variable "addition_lambda_policy" {
   type        = list(string)
   default     = []
 }
+
+variable "additional_lambda_policy_statements" {
+  description = "Additional Inline Lambda Policy Statements"
+  type        = any
+  default     = {}
+}
+
+variable "vpc_subnet_ids" {
+  description = "List of Subnet Ids"
+  type        = list(string)
+}
+
+variable "vpc_security_group_ids" {
+  description = "Listof Security Groups"
+  type        = list(string)
+}
+
+variable "attach_network_policy" {
+  description = "Flag to attach network policy to use VPC subnet and security group"
+  type        = bool
+  default     = true
+}
diff --git a/versions.tf b/versions.tf
@@ -7,5 +7,6 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.27"
     }
+    archive = "~> 1.3"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ module "github_actions_repo" {`
`28`	`28`	`default_conditions = ["allow_environment", "allow_main"]`
`29`	`29`	`github_environments = var.github_environments`
`30`	`30`
`31`		`- conditions = (var.github_branches != []) ? [`
	`31`	`+ conditions = (length(var.github_branches) > 0) ? [`
`32`	`32`	`{`
`33`	`33`	`test = "StringLike"`
`34`	`34`	`variable = "token.actions.githubusercontent.com:sub"`
Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,6 @@ terraform {`
`7`	`7`	`source = "hashicorp/aws"`
`8`	`8`	`version = ">= 4.27"`
`9`	`9`	`}`
	`10`	`+ archive = "~> 1.3"`
`10`	`11`	`}`
`11`	`12`	`}`