Merge pull request #27 from byu-oit/add-vpc-input

Add vpc input
byu-oit · Mar 16, 2021 · 70692dd · 70692dd
2 parents 0fbb3cc + 1c07a53
commit 70692dd
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ You can provide a postman collection and environment to be tested in one of two
 1. Provided in your github repo
     ```hcl
     module "postman_test_lambda" {
-      source = "github.com/byu-oit/terraform-aws-postman-test-lambda?ref=v2.4.0"
+      source = "github.com/byu-oit/terraform-aws-postman-test-lambda?ref=v2.5.0"
         app_name                      = "simple-example"
         postman_collection_file       = "terraform-aws-postman-test-lambda-example.postman_collection.json"
         postman_environment_file      = "terraform-aws-postman-test-lambda-env.postman_environment.json"
@@ -89,6 +89,8 @@ module "lambda_api" {
 | tags                          | map(string) | A map of AWS Tags to attach to each resource created                                                                                                 | {}      |
 | timeout                       | number      | The max number of seconds the lambda will run for without stopping.                                                | 30      |
 | memory_size                   | number      | The size of the memory of the lambda                                                                               | 128     |
+| vpc_id                        | string      | The id of the VPC the lambda will be behind if VPC configuration is desired. (must be provided with lambda_vpc_subnet_ids)          | null      |
+| vpc_subnet_ids         | list(string) | A list of subnet ids the lambda will be put in if VPC configuration is desired. (must be provided with vpc_id) | [] |
 
 ## Outputs
 | Name            | Type                                                                                              | Description                                                               |
@@ -97,6 +99,7 @@ module "lambda_api" {
 | lambda_iam_role | [object](https://www.terraform.io/docs/providers/aws/r/iam_role.html#attributes-reference)        | Created IAM role for the `lambda_function`                                |
 | postman_files_bucket | [object](https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#attributes-reference)  | Created S3 Bucket where local postman files are uploaded                  |
 | cloudwatch_log_group | [object](https://www.terraform.io/docs/providers/aws/r/cloudwatch_log_group.html#attributes-reference)  | Created CloudWatch Log Group for the postman lambda logs       |
+| lambda_security_group | [object](https://www.terraform.io/docs/providers/aws/r/security_group.html#attributes-reference) | Created security group for the lambda's VPC configuration. |
 
 ## Contributing
 To contribute to this terraform module make a feature branch and create a Pull Request to the `master` branch.

diff --git a/main.tf b/main.tf
@@ -17,6 +17,7 @@ locals {
     POSTMAN_API_KEY          = var.postman_api_key
   }
   lambda_function_name = "${var.app_name}-postman-tests"
+  using_vpc_config     = length(var.vpc_subnet_ids) > 0
 }
 
 # -----------------------------------------------------------------------------
@@ -175,6 +176,11 @@ resource "aws_lambda_function" "test_lambda" {
   depends_on = [
     aws_cloudwatch_log_group.lambda_logs,
   ]
+
+  vpc_config {
+    subnet_ids         = var.vpc_subnet_ids
+    security_group_ids = local.using_vpc_config ? [aws_security_group.lambda_vpc_sg[0].id] : []
+  }
 }
 
 resource "aws_iam_role" "test_lambda" {
@@ -226,6 +232,47 @@ resource "aws_iam_role_policy" "test_lambda" {
 EOF
 }
 
+# Role that allows lambda to create vpc config
+resource "aws_iam_role_policy" "lambda_vpc_policy" {
+  count = local.using_vpc_config ? 1 : 0
+
+  name = "${var.app_name}-postman-tests-vpc-policy"
+  role = aws_iam_role.test_lambda.name
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DeleteNetworkInterface"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+  EOF
+}
+
+# A bare minimum security group for doing vpc config.
+resource "aws_security_group" "lambda_vpc_sg" {
+  count = local.using_vpc_config ? 1 : 0
+
+  name        = "${var.app_name}-postman-tests"
+  description = "Bare minimum security group for lambda."
+  vpc_id      = var.vpc_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
 resource "aws_cloudwatch_log_group" "lambda_logs" {
   name              = "/aws/lambda/${local.lambda_function_name}"
   retention_in_days = var.log_retention_in_days

diff --git a/outputs.tf b/outputs.tf
@@ -13,3 +13,7 @@ output "postman_files_bucket" {
 output "cloudwatch_log_group" {
   value = aws_cloudwatch_log_group.lambda_logs
 }
+
+output "lambda_security_group" {
+  value = local.using_vpc_config ? aws_security_group.lambda_vpc_sg[0] : null
+}
diff --git a/variables.tf b/variables.tf
@@ -67,3 +67,15 @@ variable "timeout" {
   description = "the amount of time the lambda is allowed to run for"
   default     = 30
 }
+
+variable "vpc_subnet_ids" {
+  type        = list(string)
+  description = "Subnet ids that the lambda should be in."
+  default     = []
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "ID for the lambda's VPC"
+  default     = null
+}