lambda support vpc (#20)

* lambda support vpc

* fmt

* add doc

* fix rejects

* fix rejects

* update CI spectral scan action version

---------

Co-authored-by: Gavriel Hagag <[email protected]>

Author: gabbyhagag

.github/workflows/scan.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Install and run Spectral CI
-        uses: spectralops/spectral-github-action@v3
+        uses: spectralops/spectral-github-action@v4
         with:
           spectral-dsn: ${{ env.SPECTRAL_DSN }}
           spectral-args: scan --unpack --ok --engines secrets,iac

CHANGELOG.md

@@ -1,6 +1,11 @@
 # Change Log
 
 All notable changes to this project will be documented in this file.
+
+## [4.2.0] - 2024-12-01
+### Added
+- Added VPC support to Lambda function
+
 ## [4.1.0] - 2024-11-13
 ### Added
 - Support for self hosted github

README.md

@@ -52,6 +52,7 @@ Terraform configuration used to create the required AWS resources for integratin
 | <a name="input_secrets_names"></a> [secrets\_names](#input\_secrets\_names) | Names of secrets to create | `list(string)` | `null` | no |
 | <a name="input_store_secret_in_secrets_manager"></a> [store\_secret\_in\_secrets\_manager](#input\_store\_secret\_in\_secrets\_manager) | Whether to store your secrets in secrets manager, default is false | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A collection of tags grouped by key representing it's target resource. | `map(map(string))` | <pre>{<br>  "api_gateway": {},<br>  "iam": {},<br>  "lambda": {}<br>}</pre> | no |
+| <a name="input_vpc_config"></a> [vpc\_config](#input\_vpc\_config) | Configuration block for VPC settings for the Lambda function, including subnet IDs and security group IDs. | <pre>object({<br>  subnet_ids         = list(string)<br>  security_group_ids = list(string)<br>})</pre> | `null` | no |
 
 ### env_vars
 

examples/vpc-in-lambda.tf

@@ -0,0 +1,15 @@
+module "spectral_lambda_integration" {
+  source = "github.com/SpectralOps/spectral-terraform-lambda-integration"
+
+  integration_type = "gitlab"
+
+  env_vars = {
+    # Required environment variables for GitLab integration
+  }
+  
+  # With VPC configuration
+  vpc_config = {
+    subnet_ids         = ["subnet-12345678", "subnet-87654321"]
+    security_group_ids = ["sg-12345678"]
+  }
+}

modules/lambda/lambda.tf

@@ -1,3 +1,5 @@
+data "aws_partition" "current" {}
+
 locals {
   runtime                     = "nodejs20.x"
   lambda_source_code_zip_path = coalesce(var.lambda_source_code_path, "${path.module}/source_code/${var.integration_type}/${var.lambda_source_code_filename}")
@@ -21,6 +23,18 @@ resource "aws_lambda_function" "spectral_scanner_lambda" {
   environment {
     variables = var.env_vars
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      subnet_ids         = vpc_config.value.subnet_ids
+      security_group_ids = vpc_config.value.security_group_ids
+    }
+  }
+
+  depends_on = [
+    aws_iam_role_policy.lambda_vpc_policy,
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "lambda_log_group" {
@@ -32,4 +46,16 @@ resource "aws_cloudwatch_log_group" "lambda_log_group" {
     var.global_tags,
     lookup(var.tags, "lambda", {}),
   )
+}
+
+data "aws_iam_policy" "lambda_vpc_policy" {
+  count = var.vpc_config != null ? 1 : 0
+  arn   = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
+}
+
+resource "aws_iam_role_policy" "lambda_vpc_policy" {
+  count  = var.vpc_config != null ? 1 : 0
+  name   = "lambda-vpc-policy"
+  role   = var.lambda_role_id
+  policy = data.aws_iam_policy.lambda_vpc_policy[0].policy
 }

modules/lambda/variables.tf

@@ -86,8 +86,22 @@ variable "role_arn" {
   description = "The lambda source code filename"
 }
 
+variable "lambda_role_id" {
+  type        = string
+  description = "The lambda role id"
+}
+
 variable "lambda_handler" {
   type        = string
   description = "The handler of the handler"
   default     = "handler.app"
+}
+
+variable "vpc_config" {
+  type = object({
+    subnet_ids         = list(string)
+    security_group_ids = list(string)
+  })
+  description = "The VPC configuration for the lambda"
+  default     = null
 }

modules/role/outputs.tf

@@ -4,4 +4,8 @@ output "lambda_role_name" {
 
 output "lambda_role_arn" {
   value = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_role_id" {
+  value = aws_iam_role.lambda_execution_role.id
 }

multiple-lambdas-integration.tf

@@ -18,6 +18,8 @@ module "frontend_lambda_function" {
   lambda_source_code_filename = "frontend.zip"
   lambda_source_code_path     = var.frontend_lambda_source_code_path
   role_arn                    = module.lambda_role.lambda_role_arn
+  vpc_config                  = var.vpc_config
+  lambda_role_id              = module.lambda_role.lambda_role_id
 }
 
 module "backend_lambda_function" {
@@ -40,6 +42,8 @@ module "backend_lambda_function" {
   lambda_source_code_filename = "backend.zip"
   lambda_source_code_path     = var.backend_lambda_source_code_path
   role_arn                    = module.lambda_role.lambda_role_arn
+  vpc_config                  = var.vpc_config
+  lambda_role_id              = module.lambda_role.lambda_role_id
 }
 
 data "aws_iam_policy_document" "lambda_invoke_policy_document" {

single-lambda-integration.tf

@@ -16,4 +16,6 @@ module "lambda_function" {
   lambda_source_code_filename = "app.zip"
   lambda_source_code_path     = var.lambda_source_code_path
   role_arn                    = module.lambda_role.lambda_role_arn
+  vpc_config                  = var.vpc_config
+  lambda_role_id              = module.lambda_role.lambda_role_id
 }

variables.tf

@@ -116,4 +116,13 @@ variable "gateway_api_integration_timeout_milliseconds" {
   description = "Timeout for the API Gateway to wait for lambda response"
   type        = number
   default     = 29000
+}
+
+variable "vpc_config" {
+  description = "VPC configuration for the Lambda function"
+  type = object({
+    subnet_ids         = list(string)
+    security_group_ids = list(string)
+  })
+  default = null
 }