From f7df746be4bf1e2f5f4759ac9d708583ab7eba98 Mon Sep 17 00:00:00 2001 From: Eric Yablonowitz Date: Wed, 5 Feb 2020 21:06:21 -0500 Subject: [PATCH 01/37] tf12 fixes --- lambda_function/bucket_trigger.tf | 6 ++-- lambda_function/chicken-egg.tf | 2 +- lambda_function/event_source_mapping.tf | 10 +++--- lambda_function/iam.tf | 6 ++-- lambda_function/lambda_function.tf | 30 +++++++++--------- lambda_function/outputs.tf | 4 +-- lambda_function/permission.tf | 14 ++++----- lambda_function/schedule_trigger.tf | 16 +++++----- lambda_function/sns_topic_subscription.tf | 12 +++---- lambda_function/variables.tf | 38 +++++++++++------------ 10 files changed, 69 insertions(+), 69 deletions(-) diff --git a/lambda_function/bucket_trigger.tf b/lambda_function/bucket_trigger.tf index dbbcd79..5450f92 100644 --- a/lambda_function/bucket_trigger.tf +++ b/lambda_function/bucket_trigger.tf @@ -1,9 +1,9 @@ resource "aws_s3_bucket_notification" "bucket_notification" { - count = "${var.bucket_trigger["enabled"] ? 1 : 0}" - bucket = "${var.bucket_trigger["bucket"]}" + count = var.bucket_trigger["enabled"] ? 1 : 0 + bucket = var.bucket_trigger["bucket"] lambda_function { - lambda_function_arn = "${aws_lambda_function.lambda.arn}" + lambda_function_arn = aws_lambda_function.lambda.arn events = ["s3:ObjectCreated:*"] } } diff --git a/lambda_function/chicken-egg.tf b/lambda_function/chicken-egg.tf index 2d69e61..38db325 100644 --- a/lambda_function/chicken-egg.tf +++ b/lambda_function/chicken-egg.tf @@ -1,5 +1,5 @@ data "archive_file" "lambda_placeholder" { - count = "${var.create_empty_function ? 1 : 0}" + count = var.create_empty_function ? 1 : 0 type = "zip" output_path = "${path.module}/placeholder.zip" diff --git a/lambda_function/event_source_mapping.tf b/lambda_function/event_source_mapping.tf index 8184ad1..774f03f 100644 --- a/lambda_function/event_source_mapping.tf +++ b/lambda_function/event_source_mapping.tf 
@@ -1,8 +1,8 @@ # Process events from SQS queue, DynamoDB, Kinesis resource "aws_lambda_event_source_mapping" "lambda" { - count = "${length(var.source_mappings)}" - batch_size = "${lookup(var.source_mappings[count.index], "batch_size")}" - event_source_arn = "${lookup(var.source_mappings[count.index], "event_source_arn")}" - enabled = "${lookup(var.source_mappings[count.index], "enabled")}" - function_name = "${aws_lambda_function.lambda.arn}" + count = length(var.source_mappings) + batch_size = lookup(var.source_mappings[count.index], "batch_size") + event_source_arn = lookup(var.source_mappings[count.index], "event_source_arn") + enabled = lookup(var.source_mappings[count.index], "enabled") + function_name = aws_lambda_function.lambda.arn } diff --git a/lambda_function/iam.tf b/lambda_function/iam.tf index 4d41db5..0e6cd9a 100644 --- a/lambda_function/iam.tf +++ b/lambda_function/iam.tf @@ -33,9 +33,9 @@ EOF } resource "aws_iam_role_policy" "lambda_policy" { - count = "${length(var.policies) == 0 ? 0 : 1}" + count = length(var.policies) == 0 ? 0 : 1 name = "${var.function_name}-lambda-policy" - role = "${aws_iam_role.lambda.id}" + role = aws_iam_role.lambda.id policy = < Date: Wed, 5 Feb 2020 21:39:26 -0500 Subject: [PATCH 02/37] add codebuild --- lambda_function/ci.tf | 100 +++++++++++++++++++++++++++++++++++ lambda_function/variables.tf | 8 +++ 2 files changed, 108 insertions(+) create mode 100644 lambda_function/ci.tf diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf new file mode 100644 index 0000000..02979ca --- /dev/null +++ b/lambda_function/ci.tf 
@@ -0,0 +1,100 @@ +data "aws_ssm_parameter" "github_token" { + name = var.github_token_ssm_param +} + +resource "aws_codebuild_source_credential" "github_token" { + auth_type = "PERSONAL_ACCESS_TOKEN" + server_type = "GITHUB" + token = data.aws_ssm_parameter.github_token.value +} + +resource "aws_iam_role" "codebuild" { + name = "codebuild_${var.function_name}" + + assume_role_policy = < Date: Mon, 17 Feb 2020 09:56:05 -0500 Subject: [PATCH 03/37] init support lambda layers --- lambda_function/lambda_function.tf | 1 + lambda_function/outputs.tf | 2 +- lambda_function/variables.tf | 5 + lambda_layer/.gitignore | 1 + lambda_layer/chicken-egg.tf | 18 ++++ lambda_layer/ci.tf | 100 ++++++++++++++++++ lambda_layer/lambda_layer.tf | 11 ++ lambda_layer/outputs.tf | 3 + .../placeholders/java8/placeholder.txt | 1 + lambda_layer/placeholders/nodejs6.10/index.js | 7 ++ lambda_layer/placeholders/nodejs8.10/index.js | 7 ++ lambda_layer/placeholders/python2.7/index.py | 9 ++ lambda_layer/placeholders/python3.6/index.py | 9 ++ lambda_layer/placeholders/python3.7/index.py | 9 ++ lambda_layer/variables.tf | 37 +++++++ 15 files changed, 219 insertions(+), 1 deletion(-) create mode 100644 lambda_layer/.gitignore create mode 100644 lambda_layer/chicken-egg.tf create mode 100644 lambda_layer/ci.tf create mode 100644 lambda_layer/lambda_layer.tf create mode 100644 lambda_layer/outputs.tf create mode 100644 lambda_layer/placeholders/java8/placeholder.txt create mode 100644 lambda_layer/placeholders/nodejs6.10/index.js create mode 100644 lambda_layer/placeholders/nodejs8.10/index.js create mode 100644 lambda_layer/placeholders/python2.7/index.py create mode 100644 lambda_layer/placeholders/python3.6/index.py create mode 100644 lambda_layer/placeholders/python3.7/index.py create mode 100644 lambda_layer/variables.tf diff --git a/lambda_function/lambda_function.tf b/lambda_function/lambda_function.tf index 4e0bce0..c7007c4 100644 --- a/lambda_function/lambda_function.tf 
+++ b/lambda_function/lambda_function.tf @@ -9,6 +9,7 @@ resource "aws_lambda_function" "lambda" { memory_size = var.memory_size reserved_concurrent_executions = var.reserved_concurrent_executions publish = var.publish + layers = var.layers vpc_config { subnet_ids = var.vpc_config["subnet_ids"] diff --git a/lambda_function/outputs.tf b/lambda_function/outputs.tf index 658712b..191345a 100644 --- a/lambda_function/outputs.tf +++ b/lambda_function/outputs.tf @@ -1,3 +1,3 @@ -output "lambda_arn" { +output "arn" { value = aws_lambda_function.lambda.arn } \ No newline at end of file diff --git a/lambda_function/variables.tf b/lambda_function/variables.tf index e99f6e2..ab6539c 100644 --- a/lambda_function/variables.tf +++ b/lambda_function/variables.tf @@ -110,4 +110,9 @@ variable "github_token_ssm_param" { variable "github_url" { type = string +} + +variable "layers" { + type = list(string) + default = [] } \ No newline at end of file diff --git a/lambda_layer/.gitignore b/lambda_layer/.gitignore new file mode 100644 index 0000000..d217e18 --- /dev/null +++ b/lambda_layer/.gitignore @@ -0,0 +1 @@ +placeholder.zip \ No newline at end of file diff --git a/lambda_layer/chicken-egg.tf b/lambda_layer/chicken-egg.tf new file mode 100644 index 0000000..77ec276 --- /dev/null +++ b/lambda_layer/chicken-egg.tf @@ -0,0 +1,18 @@ +data "archive_file" "lambda_placeholder" { + count = var.create_empty_layer ? 1 : 0 + type = "zip" + output_path = "${path.module}/placeholder.zip" + + source_dir = "${path.module}/placeholders/${var.runtime}" +} + +locals { + source = { + "python2.7" = "${path.module}/placeholders/python2.7" + "python3.7" = "${path.module}/placeholders/python3.7/" + "python3.6" = "${path.module}/placeholders/python3.6/" + "nodejs6.10" = "${path.module}/placeholders/nodejs6.10/" + "nodejs8.10" = "${path.module}/placeholders/nodejs8.10/" + java8 = "${path.module}/placeholders/java8" + } +} 
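Review bot: `layers = var.layers` on the added line accepts any layer version ARN, including layers published by other accounts, and nothing in the hunk or in the new `layers` variable says what that means for trust: a layer's contents are unpacked into this function's execution environment, so they run with the function's role and see its environment variables. A comment above the argument would make the boundary explicit for module users: `# Layer contents run inside this function with its IAM role and env vars — only reference layer ARNs you control or have reviewed`. Layer version ARNs already include the version number, so pinning is implied by the ARN itself and the comment can say so. The `aws_lambda_function` block starts and ends outside the hunk.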
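Review bot: `local.source` is declared but never referenced in the new file, while `source_dir` interpolates the unvalidated string `var.runtime` directly into a filesystem path; a runtime with no placeholder directory fails only at `archive_file` time with a path error, and a value containing `..` would point the archive at a directory outside the module. Using the map as the allow-list gives a clear plan-time error for unknown runtimes and keeps the path inside the module: `source_dir = local.source[var.runtime]`. The map also lists `nodejs6.10` and `nodejs8.10`, which Lambda had deprecated by early 2020, so those entries are likely dead and may no longer be creatable.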
diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf new file mode 100644 index 0000000..7e14fdd --- /dev/null +++ b/lambda_layer/ci.tf @@ -0,0 +1,100 @@ +data "aws_ssm_parameter" "github_token" { + name = var.github_token_ssm_param +} + +resource "aws_codebuild_source_credential" "github_token" { + auth_type = "PERSONAL_ACCESS_TOKEN" + server_type = "GITHUB" + token = data.aws_ssm_parameter.github_token.value +} + +resource "aws_iam_role" "codebuild" { + name = "codebuild_${var.layer_name}" + + assume_role_policy = < { + const response = { + statusCode: 200, + body: JSON.stringify('Hello from Lambda!'), + }; + callback(null, response); +}; diff --git a/lambda_layer/placeholders/nodejs8.10/index.js b/lambda_layer/placeholders/nodejs8.10/index.js new file mode 100644 index 0000000..2af5e7d --- /dev/null +++ b/lambda_layer/placeholders/nodejs8.10/index.js @@ -0,0 +1,7 @@ +exports.handler = async (event) => { + const response = { + statusCode: 200, + body: JSON.stringify('Hello from Lambda!'), + }; + return response; +}; diff --git a/lambda_layer/placeholders/python2.7/index.py b/lambda_layer/placeholders/python2.7/index.py new file mode 100644 index 0000000..98b644f --- /dev/null +++ b/lambda_layer/placeholders/python2.7/index.py @@ -0,0 +1,9 @@ +import json + + +def lambda_handler(event, context): + print(json.dumps(event)) + return { + 'statusCode': 200, + 'body': event + } diff --git a/lambda_layer/placeholders/python3.6/index.py b/lambda_layer/placeholders/python3.6/index.py new file mode 100644 index 0000000..98b644f --- /dev/null +++ b/lambda_layer/placeholders/python3.6/index.py @@ -0,0 +1,9 @@ +import json + + +def lambda_handler(event, context): + print(json.dumps(event)) + return { + 'statusCode': 200, + 'body': event + } diff --git a/lambda_layer/placeholders/python3.7/index.py b/lambda_layer/placeholders/python3.7/index.py new file mode 100644 index 0000000..98b644f --- /dev/null +++ b/lambda_layer/placeholders/python3.7/index.py 
@@ -0,0 +1,9 @@ +import json + + +def lambda_handler(event, context): + print(json.dumps(event)) + return { + 'statusCode': 200, + 'body': event + } diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf new file mode 100644 index 0000000..21b918d --- /dev/null +++ b/lambda_layer/variables.tf @@ -0,0 +1,37 @@ +variable "aws_region" { + default = "us-east-1" + description = "The region of AWS" +} + +variable "layer_name" { + type = string +} + +variable "description" { + type = string +} + +variable "runtime" { + type = string +} + +variable "filename" { + type = string + default = "" +} + +variable "create_empty_layer" { + default = true +} + +variable "reserved_concurrent_executions" { + default = "-1" +} + +variable "github_token_ssm_param" { + type = string +} + +variable "github_url" { + type = string +} \ No newline at end of file From 39159eac8c35677e41d7da050e371b2de4b266da Mon Sep 17 00:00:00 2001 From: Eric Yablonowitz Date: Wed, 19 Feb 2020 06:50:14 -0500 Subject: [PATCH 04/37] readme updates and ci conditionals --- README.md | 60 ++++++++++++++++++++++++++++-------- lambda_function/ci.tf | 22 ++++++++++--- lambda_function/variables.tf | 4 ++- lambda_layer/ci.tf | 22 ++++++++++--- lambda_layer/lambda_layer.tf | 3 +- 5 files changed, 86 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 69a5a01..3f60277 100644 --- a/README.md +++ b/README.md 
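Review bot: `reserved_concurrent_executions` is declared in the new variables file, but `aws_lambda_layer_version` has no such argument and nothing in the layer module's visible files reads it, so it appears copied from the function module and should be dropped rather than silently accepted. `github_token_ssm_param` and `github_url` have no defaults, which makes a GitHub token and a CodeBuild project mandatory for every layer even when no CI is wanted; `default = ""` on both (the function module's convention) would let callers opt out. `aws_region` also appears unused by anything in the hunks shown — confirm against a provider block before removing it.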
@@ -1,17 +1,35 @@ # terraform-aws-lambda -terraform module for provisioning a lambda function +This repo contains Terraform modules to manage Lamdbas: -For most scenarios I would reccomend using the "create_empty_function" argument, rather than using terraform to deploy the function code. Once all infrastructure, functions, and permisisons have been provisioned using terraform, you should use your CI/CD tooling to deploy the function code, typically with and **aws lambda update** command. +| Directory | Module Description | +| ------------------ | -------------------------------------------------- | +| lambda_function/ | Lambda Function and IAM, Trigger, and CI resources | +| lambda_layer/ | Lambda Layer and CI resources | +These modules are primarily designed to deploy Lambda functions and layers with _placeholder_ code and then use an +external CI/CD process to manage the function and layer code independently of Terraform. -# Arguments -Many of the module arguments map directly to the aws_lambda_function resource arguments: +You can optionally provide a GitHub repo containing your function or layer code and the modules will create a simple +CodeBuild job to deploy it. + +## Arguments + +### Common + +| argument | Description | Default | +| ------------------------- | --------------------------------------------------------------------------| ------------ | +| github_url | GitHub URL of function or layer code. Enables CodeBuild. Assumes buildspec.yml at root of repo. Requires github_token_ssm_param | "" | +| github_token_ssm_param | SSM Parameter containing GitHub token with permission to create webhook | "" | + +### lambda_function +Many of the module arguments map directly to the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource arguments: * function_name * filename * description * runtime * handler * timeout +* layers * memory_size * environment_variables * tags 
@@ -19,17 +37,30 @@ Many of the module arguments map directly to the aws_lambda_function resource ar * reserved_concurrent_executions * publish -Additional arguments are: -* **create_empty_function** - (Required) (bool) - Create an empty lambda function without the actual code if set to true -* **policies** - (Required) (list) - The module automatically creates a base IAM role for each lambda, This is a list of statement policies to add to that role. The contents are converted to json using the jsonencode() function. -* **permissions** - (Optional) (list) - A list of external resources which can invoke the lambda function such as s3 bucket / sns topic. Properties are: - * statement_id - * action - * principal - * source_arn +Additional arguments: + +| argument | Description | Default | +| ------------------------- | --------------------------------------------------------------------------| ------------ | +| create_empty_function | Create an empty lambda function without the actual code if set to true | True | +| policies | List of statement policies to add to module-manageg Lambda IAM role role. | [] | +| permissions | list of external resources which can invoke the lambda function | {} | + +### lambda_layer +Many of the module arguments map directly to the [aws_lambda_layer_version](https://www.terraform.io/docs/providers/aws/r/lambda_layer_version.html) resource arguments: +* layer_name +* filename +* description +* runtime + + +Additional arguments: +| argument | Description | Default | +| ------------------------- | --------------------------------------------------------------------------| ------------ | +| create_empty_layer | Create an empty lambda layer without the actual code if set to true | True | -# Event trigger arguments + +# Function Event trigger arguments ## SNS topic trigger * **sns_topic_subscription** (Optional) (map) - The SNS topic ARN which trigger the lambda function` 
@@ -66,3 +97,6 @@ Ensure you add the following permissions to the lambda role * event_source_arn (string) - arn of the event source * batch_size (int) - The largest number of records that Lambda will retrieve from your event source at the time of invocation + + +[]: https://www.terraform.io/docs/providers/aws/r/lambda_function.html \ No newline at end of file diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 02979ca..4b42eb4 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -1,14 +1,20 @@ data "aws_ssm_parameter" "github_token" { + count = var.github_token_ssm_param == "" ? 0 : 1 + name = var.github_token_ssm_param } resource "aws_codebuild_source_credential" "github_token" { + count = var.github_token_ssm_param == "" ? 0 : 1 + auth_type = "PERSONAL_ACCESS_TOKEN" server_type = "GITHUB" - token = data.aws_ssm_parameter.github_token.value + token = data.aws_ssm_parameter.github_token[0].value } resource "aws_iam_role" "codebuild" { + count = var.github_url == "" ? 0 : 1 + name = "codebuild_${var.function_name}" assume_role_policy = < Date: Wed, 19 Feb 2020 11:44:02 -0500 Subject: [PATCH 05/37] python/provided placeholders --- lambda_layer/placeholders/provided/bin/placeholder.sh | 1 + lambda_layer/placeholders/python3.8/index.py | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 lambda_layer/placeholders/provided/bin/placeholder.sh create mode 100644 lambda_layer/placeholders/python3.8/index.py diff --git a/lambda_layer/placeholders/provided/bin/placeholder.sh b/lambda_layer/placeholders/provided/bin/placeholder.sh new file mode 100644 index 0000000..fdffa2a --- /dev/null +++ b/lambda_layer/placeholders/provided/bin/placeholder.sh @@ -0,0 +1 @@ +# placeholder diff --git a/lambda_layer/placeholders/python3.8/index.py b/lambda_layer/placeholders/python3.8/index.py new file mode 100644 index 0000000..98b644f --- /dev/null +++ b/lambda_layer/placeholders/python3.8/index.py 
@@ -0,0 +1,9 @@ +import json + + +def lambda_handler(event, context): + print(json.dumps(event)) + return { + 'statusCode': 200, + 'body': event + } From 4e508569d372a0491f197ed14b6a0622f038de22 Mon Sep 17 00:00:00 2001 From: TJ Leonard Date: Wed, 19 Feb 2020 12:14:26 -0500 Subject: [PATCH 06/37] variable for codebuild image --- lambda_layer/ci.tf | 2 +- lambda_layer/variables.tf | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 5b87177..2edbe4c 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -76,7 +76,7 @@ resource "aws_codebuild_project" "lambda" { environment { compute_type = "BUILD_GENERAL1_SMALL" - image = "aws/codebuild/standard:1.0" + image = var.codebuild_image type = "LINUX_CONTAINER" image_pull_credentials_type = "CODEBUILD" } diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index 21b918d..2a4b6cd 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf @@ -34,4 +34,9 @@ variable "github_token_ssm_param" { variable "github_url" { type = string -} \ No newline at end of file +} + +variable "codebuild_image" { + type = string + default = "aws/codebuild/standard:1.0" +} From 443ac681914897c67237b3dcee46335aea7b9f8e Mon Sep 17 00:00:00 2001 From: TJ Leonard Date: Wed, 19 Feb 2020 12:31:18 -0500 Subject: [PATCH 07/37] add priv mode --- lambda_layer/ci.tf | 1 + lambda_layer/variables.tf | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 2edbe4c..19a789d 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -79,6 +79,7 @@ resource "aws_codebuild_project" "lambda" { image = var.codebuild_image type = "LINUX_CONTAINER" image_pull_credentials_type = "CODEBUILD" + privileged_mode = var.privileged_mode } source { diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index 2a4b6cd..ad6e29f 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf 
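Review bot: With `image` now caller-supplied, `image_pull_credentials_type = "CODEBUILD"` on the line below only covers CodeBuild-curated and public images; a private ECR image needs `SERVICE_ROLE` together with ECR pull permissions on the build role, so the constraint should be documented on `codebuild_image` or the credentials type derived from the image. The default `aws/codebuild/standard:1.0` is a mutable tag, so builds are not reproducible over time; that is acceptable for an AWS-curated image but worth stating in the variable's description. The `environment` block is complete within the hunk.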
@@ -40,3 +40,8 @@ variable "codebuild_image" { type = string default = "aws/codebuild/standard:1.0" } + +variable "privileged_mode" { + type = string + default = false +} From 8a1d1ae162f98cc7d11ccd9ab26e0571dada8074 Mon Sep 17 00:00:00 2001 From: TJ Leonard Date: Wed, 19 Feb 2020 13:59:25 -0500 Subject: [PATCH 08/37] adjust token --- lambda_layer/ci.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 19a789d..3d2951f 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -9,7 +9,7 @@ resource "aws_codebuild_source_credential" "github_token" { auth_type = "PERSONAL_ACCESS_TOKEN" server_type = "GITHUB" - token = data.aws_ssm_parameter.github_token[0].value + token = data.aws_ssm_parameter.github_token.value } resource "aws_iam_role" "codebuild" { @@ -89,7 +89,7 @@ resource "aws_codebuild_project" "lambda" { auth { type = "OAUTH" - resource = aws_codebuild_source_credential.github_token[0].arn + resource = aws_codebuild_source_credential.github_token.arn } } } From 28b2b41ee55dd59bf04ede8cdb4e58ba9035feb2 Mon Sep 17 00:00:00 2001 From: TJ Leonard Date: Wed, 19 Feb 2020 14:05:30 -0500 Subject: [PATCH 09/37] adjust token --- lambda_layer/ci.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 3d2951f..19a789d 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -9,7 +9,7 @@ resource "aws_codebuild_source_credential" "github_token" { auth_type = "PERSONAL_ACCESS_TOKEN" server_type = "GITHUB" - token = data.aws_ssm_parameter.github_token.value + token = data.aws_ssm_parameter.github_token[0].value } resource "aws_iam_role" "codebuild" { @@ -89,7 +89,7 @@ resource "aws_codebuild_project" "lambda" { auth { type = "OAUTH" - resource = aws_codebuild_source_credential.github_token.arn + resource = aws_codebuild_source_credential.github_token[0].arn } } } From 940de771d8ba37f9d58e892a0049b215f0d219c7 Mon Sep 17 00:00:00 2001 
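Review bot: `type = string` with `default = false` on the new `privileged_mode` variable mismatches the provider argument, which is a bool; declare it `type = bool` so a caller passing `"yes"` is rejected at plan time rather than by the provider. The flag also needs a description, because it runs the build container in Docker privileged mode (full access to the host Docker daemon), and since the project is triggered by a GitHub webhook per the README, any commit the webhook admits then executes under that privilege with the build role's credentials — the webhook filter is not in the visible hunks, so confirm it restricts branches before enabling this. Suggested: `description = "Run the CodeBuild container in Docker privileged mode (only needed to build images); grants the build full host Docker access"`.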
From: TJ Leonard Date: Wed, 19 Feb 2020 14:09:06 -0500 Subject: [PATCH 10/37] adjust token --- lambda_layer/ci.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 19a789d..bd4abea 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -89,7 +89,7 @@ resource "aws_codebuild_project" "lambda" { auth { type = "OAUTH" - resource = aws_codebuild_source_credential.github_token[0].arn + resource = aws_codebuild_source_credential.github_token[0].token } } } From a9c1174573167ed64cb616021ce7e3d567fc2c2a Mon Sep 17 00:00:00 2001 From: TJ Leonard Date: Wed, 19 Feb 2020 14:31:41 -0500 Subject: [PATCH 11/37] fmt --- lambda_layer/ci.tf | 2 +- lambda_layer/lambda_layer.tf | 8 ++++---- lambda_layer/variables.tf | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index bd4abea..19a789d 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -89,7 +89,7 @@ resource "aws_codebuild_project" "lambda" { auth { type = "OAUTH" - resource = aws_codebuild_source_credential.github_token[0].token + resource = aws_codebuild_source_credential.github_token[0].arn } } } diff --git a/lambda_layer/lambda_layer.tf b/lambda_layer/lambda_layer.tf index 2608ccd..9b07795 100644 --- a/lambda_layer/lambda_layer.tf +++ b/lambda_layer/lambda_layer.tf @@ -1,8 +1,8 @@ resource "aws_lambda_layer_version" "layer" { - layer_name = var.layer_name - description = var.description - filename = var.create_empty_layer ? "${path.module}/placeholder.zip" : var.filename - compatible_runtimes = [var.runtime] + layer_name = var.layer_name + description = var.description + filename = var.create_empty_layer ? "${path.module}/placeholder.zip" : var.filename + compatible_runtimes = [var.runtime] lifecycle { ignore_changes = [ diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index ad6e29f..d05b48b 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf 
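Review bot: `resource = aws_codebuild_source_credential.github_token[0].token` passes the raw personal access token into the project's `source.auth.resource` field, which expects the credential ARN; besides being the wrong value, it copies the secret into the CodeBuild project definition, readable by anyone with `codebuild:BatchGetProjects`, and into state a second time. Keep `resource = aws_codebuild_source_credential.github_token[0].arn` as the previous commit had it. The enclosing `source` and `aws_codebuild_project` blocks continue outside the hunk.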
@@ -37,11 +37,11 @@ variable "github_url" { } variable "codebuild_image" { - type = string + type = string default = "aws/codebuild/standard:1.0" } variable "privileged_mode" { - type = string + type = string default = false } From e6973854f4a6dd64229193f43af49b51200aaef2 Mon Sep 17 00:00:00 2001 From: TJ Leonard Date: Wed, 19 Feb 2020 15:34:46 -0500 Subject: [PATCH 12/37] update readme; move cb creds to variable --- README.md | 3 +++ lambda_function/ci.tf | 16 +--------------- lambda_function/variables.tf | 4 ++++ lambda_layer/ci.tf | 16 +--------------- lambda_layer/variables.tf | 4 ++++ 5 files changed, 13 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 3f60277..fd7bf25 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ CodeBuild job to deploy it. | ------------------------- | --------------------------------------------------------------------------| ------------ | | github_url | GitHub URL of function or layer code. Enables CodeBuild. Assumes buildspec.yml at root of repo. Requires github_token_ssm_param | "" | | github_token_ssm_param | SSM Parameter containing GitHub token with permission to create webhook | "" | +| codebuild_credential_arn | AWS Codebuild source credential for accessing github | "" | ### lambda_function Many of the module arguments map directly to the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource arguments: 
@@ -58,6 +59,8 @@ Additional arguments: | argument | Description | Default | | ------------------------- | --------------------------------------------------------------------------| ------------ | | create_empty_layer | Create an empty lambda layer without the actual code if set to true | True | +| codebuild_image | Specify Codebuild's [image](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html) | "aws/codebuild/standard:1.0" | +| privileged_mode | Run the docker container with [privilege](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) | False | # Function Event trigger arguments diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 4b42eb4..b950bf5 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -1,17 +1,3 @@ -data "aws_ssm_parameter" "github_token" { - count = var.github_token_ssm_param == "" ? 0 : 1 - - name = var.github_token_ssm_param -} - -resource "aws_codebuild_source_credential" "github_token" { - count = var.github_token_ssm_param == "" ? 0 : 1 - - auth_type = "PERSONAL_ACCESS_TOKEN" - server_type = "GITHUB" - token = data.aws_ssm_parameter.github_token[0].value -} - resource "aws_iam_role" "codebuild" { count = var.github_url == "" ? 0 : 1 @@ -88,7 +74,7 @@ resource "aws_codebuild_project" "lambda" { auth { type = "OAUTH" - resource = aws_codebuild_source_credential.github_token[0].arn + resource = var.codebuild_credential_arn } } } diff --git a/lambda_function/variables.tf b/lambda_function/variables.tf index b5b84bf..10b13ac 100644 --- a/lambda_function/variables.tf +++ b/lambda_function/variables.tf @@ -117,4 +117,8 @@ variable "github_url" { variable "layers" { type = list(string) default = [] +} + +variable "codebuild_credential_arn" { + type = string } \ No newline at end of file diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 19a789d..14ca611 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf 
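Review bot: Removing `aws_codebuild_source_credential.github_token` from the module means the next `terraform apply` on an existing deployment destroys the GitHub credential, and since AWS allows a single GitHub credential per account (as the README added later in this series also notes) that breaks every other CodeBuild project using it, not only this module's. Callers need to `terraform state rm` the credential (and the SSM data source) before upgrading, or import it into wherever it is now managed; that migration step belongs in the README or the commit message. The upside, worth stating, is that the PAT no longer passes through this module's state at all.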
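Review bot: `codebuild_credential_arn` is declared without a default, so it becomes a required input even when `github_url` is empty and no CodeBuild project is created, while the README row added in this same commit lists its default as `""`. Add `default = ""` so the variable matches the documentation and CI stays optional.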
@@ -1,17 +1,3 @@ -data "aws_ssm_parameter" "github_token" { - count = var.github_token_ssm_param == "" ? 0 : 1 - - name = var.github_token_ssm_param -} - -resource "aws_codebuild_source_credential" "github_token" { - count = var.github_token_ssm_param == "" ? 0 : 1 - - auth_type = "PERSONAL_ACCESS_TOKEN" - server_type = "GITHUB" - token = data.aws_ssm_parameter.github_token[0].value -} - resource "aws_iam_role" "codebuild" { count = var.github_url == "" ? 0 : 1 @@ -89,7 +75,7 @@ resource "aws_codebuild_project" "lambda" { auth { type = "OAUTH" - resource = aws_codebuild_source_credential.github_token[0].arn + resource = var.codebuild_credential_arn } } } diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index d05b48b..073feeb 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf @@ -45,3 +45,7 @@ variable "privileged_mode" { type = string default = false } + +variable "codebuild_credential_arn" { + type = string +} From 6524218b9d4d5fdbee94708f8d21c667a1d0d074 Mon Sep 17 00:00:00 2001 From: Eric Yablonowitz Date: Thu, 20 Feb 2020 06:14:07 -0500 Subject: [PATCH 13/37] construct codebuild credential arn and add iam role output and clarify readme --- README.md | 19 +++++++++++++++++-- lambda_function/ci.tf | 5 ++++- lambda_function/outputs.tf | 4 ++++ lambda_function/variables.tf | 8 ++------ lambda_layer/ci.tf | 5 ++++- lambda_layer/variables.tf | 7 ++----- 6 files changed, 33 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index fd7bf25..be44d05 100644 --- a/README.md +++ b/README.md 
@@ -19,7 +19,6 @@ CodeBuild job to deploy it. | argument | Description | Default | | ------------------------- | --------------------------------------------------------------------------| ------------ | | github_url | GitHub URL of function or layer code. Enables CodeBuild. Assumes buildspec.yml at root of repo. Requires github_token_ssm_param | "" | -| github_token_ssm_param | SSM Parameter containing GitHub token with permission to create webhook | "" | | codebuild_credential_arn | AWS Codebuild source credential for accessing github | "" | ### lambda_function @@ -44,7 +43,7 @@ Additional arguments: | ------------------------- | --------------------------------------------------------------------------| ------------ | | create_empty_function | Create an empty lambda function without the actual code if set to true | True | | policies | List of statement policies to add to module-manageg Lambda IAM role role. | [] | -| permissions | list of external resources which can invoke the lambda function | {} | +| permissions | map of external resources which can invoke the lambda function | { enabled = false } | ### lambda_layer Many of the module arguments map directly to the [aws_lambda_layer_version](https://www.terraform.io/docs/providers/aws/r/lambda_layer_version.html) resource arguments: 
@@ -62,6 +61,22 @@ Additional arguments: | codebuild_image | Specify Codebuild's [image](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html) | "aws/codebuild/standard:1.0" | | privileged_mode | Run the docker container with [privilege](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) | False | +# CodeBuild + +This module will optionally create a CodeBuild job and trigger webhook to deploy your Lambda function or layer from a +GitHub repository. + +To enable creation of a CodeBuild job you must: + * Supply the github_url module argument + * Import a GitHub credential using [awscli](https://docs.aws.amazon.com/cli/latest/reference/codebuild/import-source-credentials.html) + or [Terraform](https://www.terraform.io/docs/providers/aws/r/codebuild_source_credential.html). + This credential must have admin access to your repository to create the webhook. + +--- + > **_NOTE:_** At the time of this writing, [each AWS account is limited to one GitHub CodeBuild credential](https://forums.aws.amazon.com/thread.jspa?threadID=308688&tstart=0). + > + > The module will try to construct the ARN of the CodeBuild credential as arn:aws:codebuild:::token/github. You can optionally override this using the module's codebuild_credential_arn argument. +--- # Function Event trigger arguments diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index b950bf5..f41a098 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -1,3 +1,6 @@ +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} + resource "aws_iam_role" "codebuild" { count = var.github_url == "" ? 0 : 1 @@ -74,7 +77,7 @@ resource "aws_codebuild_project" "lambda" { auth { type = "OAUTH" - resource = var.codebuild_credential_arn + resource = var.codebuild_credential_arn == "" ? "arn:aws:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:token/github" : var.codebuild_credential_arn } } } 
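Review bot: The fallback ARN hardcodes the `aws` partition, so in GovCloud or China regions it is wrong even though region and account are resolved dynamically; add `data "aws_partition" "current" {}` and build it as `"arn:${data.aws_partition.current.partition}:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:token/github"`. The fallback also silently assumes a credential named `token/github` exists, so a missing credential surfaces only when CodeBuild tries to clone; the README note in this commit should say that. The same line exists in lambda_layer/ci.tf and needs the same change.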
diff --git a/lambda_function/outputs.tf b/lambda_function/outputs.tf index 191345a..1004074 100644 --- a/lambda_function/outputs.tf +++ b/lambda_function/outputs.tf @@ -1,3 +1,7 @@ output "arn" { value = aws_lambda_function.lambda.arn +} + +output "role" { + value = aws_iam_role.lambda } \ No newline at end of file diff --git a/lambda_function/variables.tf b/lambda_function/variables.tf index 10b13ac..c3d7c65 100644 --- a/lambda_function/variables.tf +++ b/lambda_function/variables.tf @@ -104,11 +104,6 @@ variable "reserved_concurrent_executions" { default = "-1" } -variable "github_token_ssm_param" { - type = string - default = "" -} - variable "github_url" { type = string default = "" @@ -120,5 +115,6 @@ variable "layers" { } variable "codebuild_credential_arn" { - type = string + type = string + default = "" } \ No newline at end of file diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 14ca611..4993ce0 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -1,3 +1,6 @@ +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} + resource "aws_iam_role" "codebuild" { count = var.github_url == "" ? 0 : 1 @@ -75,7 +78,7 @@ resource "aws_codebuild_project" "lambda" { auth { type = "OAUTH" - resource = var.codebuild_credential_arn + resource = var.codebuild_credential_arn == "" ? "arn:aws:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:token/github" : var.codebuild_credential_arn } } } diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index 073feeb..7000ef6 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf @@ -28,10 +28,6 @@ variable "reserved_concurrent_executions" { default = "-1" } -variable "github_token_ssm_param" { - type = string -} - variable "github_url" { type = string } @@ -47,5 +43,6 @@ variable "privileged_mode" { } variable "codebuild_credential_arn" { - type = string + type = string + default = "" } 
From 95d03e95dc405ec19b591a1793c861e3ae14721c Mon Sep 17 00:00:00 2001 From: TJ Leonard Date: Fri, 21 Feb 2020 10:11:16 -0500 Subject: [PATCH 14/37] add build_timeout. default 60 min (codebuilds default) --- README.md | 1 + lambda_function/ci.tf | 2 +- lambda_function/variables.tf | 11 ++++++++--- lambda_layer/ci.tf | 2 +- lambda_layer/variables.tf | 5 +++++ 5 files changed, 16 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index be44d05..6e242d6 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ CodeBuild job to deploy it. | ------------------------- | --------------------------------------------------------------------------| ------------ | | github_url | GitHub URL of function or layer code. Enables CodeBuild. Assumes buildspec.yml at root of repo. Requires github_token_ssm_param | "" | | codebuild_credential_arn | AWS Codebuild source credential for accessing github | "" | +| build_timeout | Codebuild Timeout in minutes. | "60" | ### lambda_function Many of the module arguments map directly to the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource arguments: diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index f41a098..3c08f95 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -56,7 +56,7 @@ resource "aws_codebuild_project" "lambda" { count = var.github_url == "" ? 0 : 1 name = var.function_name - build_timeout = "5" + build_timeout = var.build_timeout service_role = aws_iam_role.codebuild[0].arn artifacts { diff --git a/lambda_function/variables.tf b/lambda_function/variables.tf index c3d7c65..be0c064 100644 --- a/lambda_function/variables.tf +++ b/lambda_function/variables.tf 
@@ -105,16 +105,21 @@ variable "reserved_concurrent_executions" { } variable "github_url" { - type = string + type = string default = "" } variable "layers" { - type = list(string) + type = list(string) default = [] } variable "codebuild_credential_arn" { type = string default = "" -} \ No newline at end of file +} + +variable "build_timeout" { + type = string + default = "60" +} diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 4993ce0..8781d2c 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -56,7 +56,7 @@ resource "aws_codebuild_project" "lambda" { count = var.github_url == "" ? 0 : 1 name = var.layer_name - build_timeout = "5" + build_timeout = var.build_timeout service_role = aws_iam_role.codebuild[0].arn artifacts { diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index 7000ef6..6a28f5c 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf @@ -46,3 +46,8 @@ variable "codebuild_credential_arn" { type = string default = "" } + +variable "build_timeout" { + type = string + default = "60" +} From afb464a87baad79c0d0cc687a0c123db2753dcba Mon Sep 17 00:00:00 2001 From: Eric Yablonowitz Date: Tue, 14 Apr 2020 12:13:22 -0400 Subject: [PATCH 15/37] add bucket trigger filters --- README.md | 4 +++- examples/lambda-s3-bucket-event-trigger/main.tf | 2 ++ lambda_function/bucket_trigger.tf | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6e242d6..2f7eb7f 100644 --- a/README.md +++ b/README.md 
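Review bot: `variable "build_timeout"` is declared `type = string` with `default = "60"`, although `aws_codebuild_project.build_timeout` is a number of minutes with a documented minimum of 5, so a value such as `"sixty"` or `"0"` is only rejected at apply time. Declare it `type = number` with `default = 60`, and if the Terraform version in use supports `validation` blocks add `condition = var.build_timeout >= 5`. The `variable "build_timeout"` block added to lambda_layer/variables.tf in this same patch has the identical issue. The README hunk of this patch also still shows the github_url row saying "Requires github_token_ssm_param", a variable the previous patch on this page removed; worth correcting in the same table edit.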
@@ -99,9 +99,11 @@ In addition to the trigger, make sure you * Add sufficient permissions to the lambda role to interact with s3 (E.g s3:GetObject) * Add the source resource has permissions to invoke the lambda (see **permissions** argument) -* **bucket_trigger** - (Optional) (map) - Configures the lambda function to trigger on s3 bucket ObjectCreated events. Has two properties: +* **bucket_trigger** - (Optional) (map) - Configures the lambda function to trigger on s3 bucket ObjectCreated events: * enabled (bool) - true | false * bucket (string) - The bucket name only (Not the full bucket arn!) + * filter_prefix (string) - Only trigger for objects with this prefix (must be null if no filter) + * filter_suffix (string) - Only trigger for objects with this suffix (must be null if no filter) ## SQS trigger diff --git a/examples/lambda-s3-bucket-event-trigger/main.tf b/examples/lambda-s3-bucket-event-trigger/main.tf index 94e8d5c..996c472 100644 --- a/examples/lambda-s3-bucket-event-trigger/main.tf +++ b/examples/lambda-s3-bucket-event-trigger/main.tf @@ -37,6 +37,8 @@ module "lambda_s3_trigger" { bucket_trigger = { enabled = true bucket = "${aws_s3_bucket.example.bucket}" + filter_prefix = "images/" + filter_suffix = null } permissions = { diff --git a/lambda_function/bucket_trigger.tf b/lambda_function/bucket_trigger.tf index 5450f92..88de19c 100644 --- a/lambda_function/bucket_trigger.tf +++ b/lambda_function/bucket_trigger.tf @@ -5,5 +5,7 @@ resource "aws_s3_bucket_notification" "bucket_notification" { lambda_function { lambda_function_arn = aws_lambda_function.lambda.arn events = ["s3:ObjectCreated:*"] + filter_prefix = var.bucket_trigger["filter_prefix"] + filter_suffix = var.bucket_trigger["filter_suffix"] } } From fd74537c145bdad3a3a4ac256ee753d5f8cad61e Mon Sep 17 00:00:00 2001 
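Review bot: `var.bucket_trigger["filter_prefix"]` and `var.bucket_trigger["filter_suffix"]` are direct index lookups, so every existing caller whose `bucket_trigger` map only carries `enabled` and `bucket` now fails with an invalid-index error instead of getting an unfiltered notification. Use `lookup(var.bucket_trigger, "filter_prefix", null)` and `lookup(var.bucket_trigger, "filter_suffix", null)` so the keys stay optional and a missing key leaves the filter unset. That also removes the need for callers to pass an explicit empty value, which the README lines in this patch currently require of them. The `aws_s3_bucket_notification` resource starts outside the hunk.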
From: eyablonowitz Date: Thu, 16 Apr 2020 09:09:16 -0400 Subject: [PATCH 16/37] Update main.tf --- examples/lambda-s3-bucket-event-trigger/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/lambda-s3-bucket-event-trigger/main.tf b/examples/lambda-s3-bucket-event-trigger/main.tf index 996c472..a2945c4 100644 --- a/examples/lambda-s3-bucket-event-trigger/main.tf +++ b/examples/lambda-s3-bucket-event-trigger/main.tf @@ -38,7 +38,7 @@ module "lambda_s3_trigger" { enabled = true bucket = "${aws_s3_bucket.example.bucket}" filter_prefix = "images/" - filter_suffix = null + filter_suffix = "" } permissions = { From 4ec3ccdd876595df1e9922583088178a76f0c5e3 Mon Sep 17 00:00:00 2001 From: eyablonowitz Date: Thu, 16 Apr 2020 09:10:25 -0400 Subject: [PATCH 17/37] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2f7eb7f..9cb76a6 100644 --- a/README.md +++ b/README.md @@ -102,8 +102,8 @@ In addition to the trigger, make sure you * **bucket_trigger** - (Optional) (map) - Configures the lambda function to trigger on s3 bucket ObjectCreated events: * enabled (bool) - true | false * bucket (string) - The bucket name only (Not the full bucket arn!) - * filter_prefix (string) - Only trigger for objects with this prefix (must be null if no filter) - * filter_suffix (string) - Only trigger for objects with this suffix (must be null if no filter) + * filter_prefix (string) - Only trigger for objects with this prefix (must be "" if no filter) + * filter_suffix (string) - Only trigger for objects with this suffix (must be "" if no filter) ## SQS trigger @@ -120,4 +120,4 @@ Ensure you add the following permissions to the lambda role -[]: https://www.terraform.io/docs/providers/aws/r/lambda_function.html \ No newline at end of file +[]: https://www.terraform.io/docs/providers/aws/r/lambda_function.html From ea8298c0e663da7d0ad85a8db6368b51b5513984 Mon Sep 17 00:00:00 2001 
From: David Berkowicz Date: Mon, 27 Apr 2020 14:58:38 -0400 Subject: [PATCH 18/37] Added new output - function_name --- lambda_function/outputs.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lambda_function/outputs.tf b/lambda_function/outputs.tf index 1004074..eeb6686 100644 --- a/lambda_function/outputs.tf +++ b/lambda_function/outputs.tf @@ -4,4 +4,8 @@ output "arn" { output "role" { value = aws_iam_role.lambda -} \ No newline at end of file +} + +output "function_name" { + value = aws_lambda_function.function_name +} From 37d34c143e92e00f9ffa82a2d4a28501679c9279 Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Mon, 27 Apr 2020 16:10:57 -0400 Subject: [PATCH 19/37] Fixed missing property --- lambda_function/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambda_function/outputs.tf b/lambda_function/outputs.tf index eeb6686..7672793 100644 --- a/lambda_function/outputs.tf +++ b/lambda_function/outputs.tf @@ -7,5 +7,5 @@ output "role" { } output "function_name" { - value = aws_lambda_function.function_name + value = aws_lambda_function.lambda.function_name } From 024935ea6cfcf6a5ebbcfaa817980b077fe9ed1b Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Tue, 12 May 2020 11:37:52 -0400 Subject: [PATCH 20/37] Parameterized lambda branch for CI purposes --- lambda_function/ci.tf | 2 +- lambda_function/variables.tf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 3c08f95..6f6c0a4 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -95,7 +95,7 @@ resource "aws_codebuild_webhook" "lambda" { filter { type = "HEAD_REF" - pattern = "master" + pattern = var.git_branch } } } diff --git a/lambda_function/variables.tf b/lambda_function/variables.tf index be0c064..11202af 100644 --- a/lambda_function/variables.tf +++ b/lambda_function/variables.tf 
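Review bot: The `HEAD_REF` filter `pattern = var.git_branch` is interpreted by CodeBuild as a regular expression, so the default `master` also matches refs such as `refs/heads/master-hotfix` or `refs/heads/feature/master`, and a push to any of them starts a build that updates the function code. Anchor the ref, `pattern = "^refs/heads/${var.git_branch}$"`, and document on the variable that regex metacharacters in a branch name must be escaped. The `aws_codebuild_webhook` resource and its `filter_group` start outside the hunk, so whether an `EVENT` filter limits this to pushes is not visible here. The same change to lambda_layer/ci.tf in the following patch ("Added git_branch parameter to layers with master default") needs the same anchoring.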
@@ -123,3 +123,8 @@ variable "build_timeout" { type = string default = "60" } + +variable "git_branch" { + type = string + default = "master" +} \ No newline at end of file From dc6b75d05946a0af5ab19c55b4c2330e7b627ff6 Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Tue, 12 May 2020 12:52:24 -0400 Subject: [PATCH 21/37] Added git_branch parameter to layers with master default --- lambda_layer/ci.tf | 2 +- lambda_layer/variables.tf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index 8781d2c..facc269 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -96,7 +96,7 @@ resource "aws_codebuild_webhook" "lambda" { filter { type = "HEAD_REF" - pattern = "master" + pattern = var.git_branch } } } diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index 6a28f5c..4d89c2d 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf @@ -51,3 +51,8 @@ variable "build_timeout" { type = string default = "60" } + +variable "git_branch" { + type = string + default = "master" +} \ No newline at end of file From 62335f3ba68c823f784e95bbfe446a297bd8dd1a Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Tue, 12 May 2020 12:58:05 -0400 Subject: [PATCH 22/37] Added description to README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9cb76a6..ecc17d5 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,8 @@ This repo contains Terraform modules to manage Lamdbas: | lambda_layer/ | Lambda Layer and CI resources | These modules are primarily designed to deploy Lambda functions and layers with _placeholder_ code and then use an -external CI/CD process to manage the function and layer code independently of Terraform. +external CI/CD process to manage the function and layer code independently of Terraform. It is also possible to point +the CI/CD process to a specific feature branch using the git_branch variable. By default, this value is set to *master*. You can optionally provide a GitHub repo containing your function or layer code and the modules will create a simple CodeBuild job to deploy it. @@ -25,6 +26,7 @@ CodeBuild job to deploy it. ### lambda_function Many of the module arguments map directly to the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource arguments: * function_name +* git_branch * filename * description * runtime From aad2506f2324aa8aaf0e949c2721afbaa2ddab39 Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Tue, 2 Jun 2020 16:17:48 -0400 Subject: [PATCH 23/37] Added lambda:ListVersionByFunction to codebuild policy --- lambda_function/ci.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 6f6c0a4..1608e1b 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -45,7 +45,10 @@ resource "aws_iam_role_policy" "codebuild" { { "Effect": "Allow", "Resource": "${aws_lambda_function.lambda.arn}", - "Action": "lambda:UpdateFunctionCode" + "Action": [ + "lambda:UpdateFunctionCode", + "lambda:ListVersionsByFunction" + ] } ] } From dd4e36fa912680a26abc918f49d216cb91143bc4 Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Tue, 2 Jun 2020 21:54:26 -0400 Subject: [PATCH 24/37] Added lambda:UpdateAlias to perms --- lambda_function/ci.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 1608e1b..8f55927 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -47,7 +47,8 @@ resource "aws_iam_role_policy" "codebuild" { "Resource": "${aws_lambda_function.lambda.arn}", "Action": [ "lambda:UpdateFunctionCode", - "lambda:ListVersionsByFunction" + "lambda:ListVersionsByFunction", + "lambda:UpdateAlias" ] } ] From 21343218c60c3b60d53a316a262ca7ddce25505f Mon Sep 17 00:00:00 2001 From: "yzhang@patientping.com" Date: Thu, 3 Dec 2020 17:56:05 -0500 Subject: [PATCH 25/37] upgrade default codebuild to 4.0 --- lambda_layer/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index 4d89c2d..0a49647 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf @@ -34,7 +34,7 @@ variable "github_url" { variable "codebuild_image" { type = string - default = "aws/codebuild/standard:1.0" + default = "aws/codebuild/standard:4.0" } variable "privileged_mode" { From dc3e2a197c73f687bb2ebee32d59ea6d1b90fbdf Mon Sep 17 00:00:00 2001 From: yzhangatpatientping <57906514+yzhangatpatientping@users.noreply.github.com> Date: Fri, 4 Dec 2020 14:03:52 -0500 Subject: [PATCH 26/37] upgrade default codebuild to 4.0 (#11) --- lambda_layer/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index 4d89c2d..0a49647 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf @@ -34,7 +34,7 @@ variable "github_url" { variable "codebuild_image" { type = string - default = "aws/codebuild/standard:1.0" + default = "aws/codebuild/standard:4.0" } variable "privileged_mode" { From 8616dab324b90073d9ea290c5b7f0a75562b8e14 Mon Sep 17 00:00:00 2001 From: "yzhang@patientping.com" Date: Mon, 7 Dec 2020 14:59:42 -0500 Subject: [PATCH 27/37] upgrade codebuilder version --- lambda_function/ci.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 8f55927..3592f7d 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -69,7 +69,7 @@ resource "aws_codebuild_project" "lambda" { environment { compute_type = "BUILD_GENERAL1_SMALL" - image = "aws/codebuild/standard:1.0" + image = "aws/codebuild/standard:4.0" type = "LINUX_CONTAINER" image_pull_credentials_type = "CODEBUILD" } From 70c69f8edd1fc048e4fce21b677448861633f31e Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Thu, 10 Dec 2020 15:08:05 -0500 Subject: [PATCH 28/37] Added output invoke_arn to lambda function --- lambda_function/outputs.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lambda_function/outputs.tf b/lambda_function/outputs.tf index 7672793..7688603 100644 --- a/lambda_function/outputs.tf +++ b/lambda_function/outputs.tf @@ -9,3 +9,7 @@ output "role" { output "function_name" { value = aws_lambda_function.lambda.function_name } + +output "invoke_arn" { + value = aws_lambda_function.lambda.invoke_arn +} From c6f73ac8731b2aaf700a9c7b81c2f36a8be93af8 Mon Sep 17 00:00:00 2001 From: eyablonowitz Date: Fri, 11 Dec 2020 11:20:42 -0500 Subject: [PATCH 29/37] add codebuild role outputs (#14) --- lambda_function/outputs.tf | 4 ++++ lambda_layer/outputs.tf | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/lambda_function/outputs.tf b/lambda_function/outputs.tf index 7688603..39f8653 100644 --- a/lambda_function/outputs.tf +++ b/lambda_function/outputs.tf @@ -13,3 +13,7 @@ output "function_name" { output "invoke_arn" { value = aws_lambda_function.lambda.invoke_arn } + +output "codebuild_role" { + value = aws_iam_role.codebuild +} diff --git a/lambda_layer/outputs.tf b/lambda_layer/outputs.tf index edd9d35..3ffc660 100644 --- a/lambda_layer/outputs.tf +++ b/lambda_layer/outputs.tf @@ -1,3 +1,7 @@ output "arn" { value = aws_lambda_layer_version.layer.arn -} \ No newline at end of file +} + +output "codebuild_role" { + value = aws_iam_role.codebuild +} 
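Review bot: `output "codebuild_role" { value = aws_iam_role.codebuild }` in lambda_function/outputs.tf refers to a counted resource (the `aws_iam_role.codebuild[0].arn` index in lambda_function/ci.tf elsewhere on this page shows that), so the output is a zero- or one-element list rather than a role, and any consumer reading `.arn` or `.name` from it breaks. The next patch on this page ("Fix code build output") corrects the lambda_layer copy with `value = var.github_url != "" ? aws_iam_role.codebuild[0] : null` but leaves this one untouched; apply the same expression here so both modules expose the same shape.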
From 834478e39a6365171ddb348a0e1d38bf96293dcf Mon Sep 17 00:00:00 2001 From: yzhangatpatientping Date: Tue, 15 Dec 2020 17:10:24 -0500 Subject: [PATCH 30/37] Fix code build output (#15) make the code build output conditional --- lambda_layer/outputs.tf | 2 +- lambda_layer/variables.tf | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lambda_layer/outputs.tf b/lambda_layer/outputs.tf index 3ffc660..3b216c1 100644 --- a/lambda_layer/outputs.tf +++ b/lambda_layer/outputs.tf @@ -3,5 +3,5 @@ output "arn" { } output "codebuild_role" { - value = aws_iam_role.codebuild + value = var.github_url != "" ? aws_iam_role.codebuild[0] : null } diff --git a/lambda_layer/variables.tf b/lambda_layer/variables.tf index 0a49647..8dd13c3 100644 --- a/lambda_layer/variables.tf +++ b/lambda_layer/variables.tf @@ -29,7 +29,8 @@ variable "reserved_concurrent_executions" { } variable "github_url" { - type = string + type = string + default = "" } variable "codebuild_image" { @@ -53,6 +54,6 @@ variable "build_timeout" { } variable "git_branch" { - type = string + type = string default = "master" } \ No newline at end of file From 817f87885f4cebbd46daccb176783db9a64047b4 Mon Sep 17 00:00:00 2001 From: bugs404 Date: Wed, 7 Apr 2021 12:36:21 -0400 Subject: [PATCH 31/37] DF-2391 - Allow codebuild job to invoke lambda in some environments (#16) DF-2391 - Add an optional variable that defaults to false and if true gives the codebuild job for the lambda function the ability to invoke the lambda function (for integration testing purposes) - propagate the switch as an env variable available to the codebuild job so it can decide to run an integration test or not - Update readme to document new functionality and environment variable that exposes said functionality --- README.md | 14 +++++++++ lambda_function/ci.tf | 60 ++++++++++++++++++++---------------- lambda_function/variables.tf | 5 +++ 3 files changed, 52 insertions(+), 27 deletions(-) 
diff --git a/README.md b/README.md index ecc17d5..bb731eb 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ Additional arguments: | create_empty_layer | Create an empty lambda layer without the actual code if set to true | True | | codebuild_image | Specify Codebuild's [image](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html) | "aws/codebuild/standard:1.0" | | privileged_mode | Run the docker container with [privilege](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) | False | +| codebuild_can_run_integration_test | Specifies whether or not codebuild job can invoke lambda function and is passed through to the job as an env variable (run_integration_test) | False # CodeBuild @@ -123,3 +124,16 @@ Ensure you add the following permissions to the lambda role []: https://www.terraform.io/docs/providers/aws/r/lambda_function.html + +## Codebuild and Integration Testing + +If invoking this module within an environment where Integration testing makes sense as part of CI, by setting the "codebuild_can_run_integration_test" argument to true + * The codebuild job that accompanies lambda ci is now able to invoke the lambda function + * The codebuild job will know if it's appropriate to perform integration testing in the environment it's running in according to env variable "run_integration_test" + +For an example implementation of a lambda-codebuild job setup to conditionally run integration tests see this buildspec.yml excerpt: + + if [ "$run_integration_test" = true ]; then + aws lambda wait function-updated --function-name $lambda_name; + aws lambda invoke --function-name $lambda_name --payload file://tests/testEvent.json response.json | jq -e 'has("FunctionError")|not'; + fi \ No newline at end of file diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 3592f7d..9a90143 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf 
@@ -24,36 +24,38 @@ EOF resource "aws_iam_role_policy" "codebuild" { count = var.github_url == "" ? 0 : 1 - role = aws_iam_role.codebuild[0].name + policy = data.aws_iam_policy_document.policy.json +} - policy = < Date: Tue, 3 Aug 2021 17:11:29 -0400 Subject: [PATCH 32/37] Read SSM /service/shared/ --- lambda_layer/ci.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lambda_layer/ci.tf b/lambda_layer/ci.tf index facc269..bdf1f43 100644 --- a/lambda_layer/ci.tf +++ b/lambda_layer/ci.tf @@ -46,6 +46,15 @@ resource "aws_iam_role_policy" "codebuild" { "Effect": "Allow", "Resource": "${aws_lambda_layer_version.layer.layer_arn}", "Action": "lambda:PublishLayerVersion" + }, + { + "Effect": "Allow", + "Action": [ + "ssm:GetParameter*" + ], + "Resource": [ + "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/service/shared/*" + ] } ] } From ba81c92fb337bec245832878ba9eb2faaaa283a1 Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Tue, 22 Mar 2022 12:49:00 -0400 Subject: [PATCH 33/37] Added python3.8 to lambda runtime --- lambda_function/placeholders/python3.8/index.py | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 lambda_function/placeholders/python3.8/index.py diff --git a/lambda_function/placeholders/python3.8/index.py b/lambda_function/placeholders/python3.8/index.py new file mode 100644 index 0000000..98b644f --- /dev/null +++ b/lambda_function/placeholders/python3.8/index.py @@ -0,0 +1,9 @@ +import json + + +def lambda_handler(event, context): + print(json.dumps(event)) + return { + 'statusCode': 200, + 'body': event + } From 30740ead3db500746bb80466d464392daaee39b6 Mon Sep 17 00:00:00 2001 From: vineelapentyala92 Date: Wed, 29 Jun 2022 14:04:13 -0400 Subject: [PATCH 34/37] DF-3284 (#19) * DF-3284 Add trigger input parameter viable --- lambda_function/schedule_trigger.tf | 1 + lambda_function/variables.tf | 6 ++++++ 2 files changed, 7 insertions(+) 
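Review bot: The new statement grants `ssm:GetParameter*` on `parameter/service/shared/*`, which gives every layer's build role read access to the entire shared namespace, and the wildcard action also covers `ssm:GetParameterHistory` beyond the read calls a build needs. Prefer listing `"ssm:GetParameter"`, `"ssm:GetParameters"` and `"ssm:GetParametersByPath"` explicitly, and make the path a module variable (e.g. `ssm_parameter_paths`, defaulting to the current `/service/shared/*`) so a layer can be scoped to its own prefix. If any of those parameters are SecureString under a customer-managed KMS key, the role will also need `kms:Decrypt` on that key, which this statement does not provide. The policy heredoc and the `aws_iam_role_policy` resource start outside the hunk.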
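Review bot: The placeholder returns the raw `event` dict as `'body'`, but an API Gateway proxy integration requires `body` to be a string, so invoking the placeholder through the `invoke_arn` this module exports produces a malformed-response 502 rather than a 200; `'body': json.dumps(event)` satisfies both direct and proxy callers. It also writes the full event to CloudWatch with `print(json.dumps(event))` and echoes it back to the caller, which for HTTP events includes request headers and any authorization values, so logging only a summary such as `list(event.keys())` is the safer default for a function that stays live until the real code is deployed. The python3.9 placeholder added in the last patch on this page is the same blob (`98b644f`) and has the same issues.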
diff --git a/lambda_function/schedule_trigger.tf b/lambda_function/schedule_trigger.tf index aff8123..b693e87 100644 --- a/lambda_function/schedule_trigger.tf +++ b/lambda_function/schedule_trigger.tf @@ -12,6 +12,7 @@ resource "aws_cloudwatch_event_target" "lambda" { rule = aws_cloudwatch_event_rule.lambda[count.index].name target_id = "${var.function_name}-target" arn = aws_lambda_function.lambda.arn + input = var.trigger_input_parameters_json } resource "aws_lambda_permission" "lambda_cloudwatch" { diff --git a/lambda_function/variables.tf b/lambda_function/variables.tf index 6654daa..efcffaf 100644 --- a/lambda_function/variables.tf +++ b/lambda_function/variables.tf @@ -59,6 +59,12 @@ variable "trigger_schedule" { } } +variable "trigger_input_parameters_json" { + default = < Date: Wed, 5 Oct 2022 19:45:54 -0400 Subject: [PATCH 35/37] [DF-3553] adding ephemeral_storage (#20) --- lambda_function/lambda_function.tf | 3 +++ lambda_function/variables.tf | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/lambda_function/lambda_function.tf b/lambda_function/lambda_function.tf index c7007c4..3331c9e 100644 --- a/lambda_function/lambda_function.tf +++ b/lambda_function/lambda_function.tf @@ -11,6 +11,9 @@ resource "aws_lambda_function" "lambda" { publish = var.publish layers = var.layers + ephemeral_storage { + size = var.ephemeral_storage + } vpc_config { subnet_ids = var.vpc_config["subnet_ids"] security_group_ids = var.vpc_config["security_group_ids"] diff --git a/lambda_function/variables.tf b/lambda_function/variables.tf index efcffaf..42222bb 100644 --- a/lambda_function/variables.tf +++ b/lambda_function/variables.tf @@ -138,4 +138,9 @@ variable "build_timeout" { variable "git_branch" { type = string default = "master" -} \ No newline at end of file +} + +variable "ephemeral_storage" { + type = number + default = 512 +} From 640c21f5af24623b8d57086301e4feda140c443d Mon Sep 17 00:00:00 2001 
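Review bot: `input = var.trigger_input_parameters_json` hands the variable straight to `aws_cloudwatch_event_target`, where EventBridge requires valid JSON; the variable's default is declared in the variables.tf hunk of this patch but its heredoc body is not legible on this page, so an empty or non-JSON default cannot be ruled out. Guard the attribute with `input = var.trigger_input_parameters_json == "" ? null : var.trigger_input_parameters_json`, and add a `validation` block on the variable with `condition = var.trigger_input_parameters_json == "" || can(jsondecode(var.trigger_input_parameters_json))` so a bad payload fails at plan time instead of at apply. The `aws_cloudwatch_event_target` resource starts outside the hunk.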
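Review bot: `variable "ephemeral_storage"` accepts any number, while Lambda only allows `/tmp` sizes from 512 to 10240 MB, so an out-of-range value fails at apply with a provider error instead of at plan; add `validation { condition = var.ephemeral_storage >= 512 && var.ephemeral_storage <= 10240; error_message = "ephemeral_storage must be between 512 and 10240 MB." }` and a `description` stating the unit is MB. The `ephemeral_storage` block used in lambda_function.tf is a relatively recent provider feature; if the module's `required_providers` (not visible on this page) does not pin a version that has it, older provider versions will reject the block.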
From: bugs404 Date: Wed, 4 Jan 2023 09:08:06 -0500 Subject: [PATCH 36/37] DF-3875 - Allow for multiple ci build in same account to publish same lambda but with state to allow for existance of multiple instances of same lambda in account (#21) --- lambda_function/ci.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 9a90143..c2a37a1 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -78,6 +78,10 @@ resource "aws_codebuild_project" "lambda" { name = "run_integration_test" value = var.codebuild_can_run_integration_test } + environment_variable { + name = "lambda_function_name" + value = var.function_name + } } source { From ac88b75b0b68135c71bc41c1c5b7f91e5495de94 Mon Sep 17 00:00:00 2001 From: David Berkowicz Date: Wed, 25 Jan 2023 12:36:38 -0500 Subject: [PATCH 37/37] Added python3.9 --- lambda_function/placeholders/python3.9/index.py | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 lambda_function/placeholders/python3.9/index.py diff --git a/lambda_function/placeholders/python3.9/index.py b/lambda_function/placeholders/python3.9/index.py new file mode 100644 index 0000000..98b644f --- /dev/null +++ b/lambda_function/placeholders/python3.9/index.py @@ -0,0 +1,9 @@ +import json + + +def lambda_handler(event, context): + print(json.dumps(event)) + return { + 'statusCode': 200, + 'body': event + }
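Review bot: The new `lambda_function_name` environment variable is the value a build should use to address the function, but the buildspec excerpt added to the README earlier on this page (patch "DF-2391") still runs `aws lambda invoke --function-name $lambda_name`, so the documented example and the exported variable disagree. Update the README excerpt to `$lambda_function_name`, or document where `$lambda_name` is expected to come from. The enclosing `environment` block and the `aws_codebuild_project` resource start outside the hunk.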