Skip to content

Commit

Permalink
[TF] Update Lambda versioning/aliases logic, tune Lambdas, and AWS fi…
Browse files Browse the repository at this point in the history
…rehose TF changes (#43)

* update lambda aliases

* tune lambda memory

* remove this broken symbolic link during builds

* reduce warnings and migrate the firehose S3 TF resources
  • Loading branch information
radsec authored Mar 28, 2024
1 parent 5dfb57a commit 3893706
Show file tree
Hide file tree
Showing 5 changed files with 96 additions and 29 deletions.
8 changes: 8 additions & 0 deletions deployments/terraform_modules/santa_api/_providers.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "5.15.0"
}
}
}
1 change: 1 addition & 0 deletions deployments/terraform_modules/santa_api/lambda.tf
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,7 @@ module "postflight_function" {
lambda_source_key = aws_s3_bucket_object.santa_api_source.key
lambda_source_hash = local.lambda_source_hash
endpoint = "postflight"
lambda_memory_size = 512
api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn

env_vars = {
Expand Down
113 changes: 86 additions & 27 deletions deployments/terraform_modules/santa_api/modules/firehose/s3.tf
Original file line number Diff line number Diff line change
Expand Up @@ -12,62 +12,121 @@ resource "aws_s3_bucket" "s3_logging" {
count = local.create_s3_logging_bucket ? 1 : 0

bucket = local.s3_logging_bucket_name
acl = "log-delivery-write"

force_destroy = true

}

resource "aws_s3_bucket_policy" "s3_logging" {
count = local.create_s3_logging_bucket ? 1 : 0

bucket = aws_s3_bucket.s3_logging[0].id
policy = format(
data.aws_iam_policy_document.firehose_bucket_policy_template.json,
local.s3_logging_bucket_name,
local.s3_logging_bucket_name
)
}

force_destroy = true
resource "aws_s3_bucket_versioning" "s3_logging" {
count = local.create_s3_logging_bucket ? 1 : 0

versioning {
enabled = true
bucket = aws_s3_bucket.s3_logging[0].id
versioning_configuration {
status = "Enabled"
}
}

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.s3_logging[0].key_id
}
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_logging" {
count = local.create_s3_logging_bucket ? 1 : 0

bucket = aws_s3_bucket.s3_logging[0].id

rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.s3_logging[0].key_id
}
}
}

resource "aws_s3_bucket_ownership_controls" "s3_logging" {
count = local.create_s3_logging_bucket ? 1 : 0

bucket = aws_s3_bucket.s3_logging[0].id
rule {
object_ownership = "BucketOwnerPreferred"
}
}

resource "aws_s3_bucket_acl" "s3_logging" {
count = local.create_s3_logging_bucket ? 1 : 0

depends_on = [aws_s3_bucket_ownership_controls.s3_logging]

bucket = aws_s3_bucket.s3_logging[0].id
acl = "log-delivery-write"
}

#
# S3 Bucket for firehose
#

resource "aws_s3_bucket" "rudolph_eventsupload_firehose" {
bucket = local.source_bucket_name

force_destroy = true


}

resource "aws_s3_bucket_ownership_controls" "rudolph_eventsupload_firehose" {
bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
rule {
object_ownership = "BucketOwnerPreferred"
}
}

resource "aws_s3_bucket_acl" "rudolph_eventsupload_firehose" {
depends_on = [aws_s3_bucket_ownership_controls.rudolph_eventsupload_firehose]

bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
acl = "private"
}


resource "aws_s3_bucket_policy" "rudolph_eventsupload_firehose" {
bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
policy = format(
data.aws_iam_policy_document.firehose_bucket_policy_template.json,
local.source_bucket_name,
local.source_bucket_name
)
}

force_destroy = true

versioning {
enabled = true
resource "aws_s3_bucket_versioning" "rudolph_eventsupload_firehose" {
bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
versioning_configuration {
status = "Enabled"
}
}

dynamic "logging" {
for_each = var.enable_logging ? [1] : []
content {
target_bucket = local.s3_logging_bucket_name
target_prefix = "${local.source_bucket_name}/"
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "rudolph_eventsupload_firehose" {
bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.rudolph_eventsupload_kms_key.key_id
}
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.rudolph_eventsupload_kms_key.key_id
}
}
}

resource "aws_s3_bucket_logging" "rudolph_eventsupload_firehose" {
count = var.enable_logging ? 1 : 0

bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id

target_bucket = local.s3_logging_bucket_name
target_prefix = "${local.source_bucket_name}/"
}
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ resource "aws_lambda_alias" "api_handler" {
name = var.alias_name
description = "${var.alias_name} alias for ${aws_lambda_function.api_handler.function_name}"
function_name = aws_lambda_function.api_handler.function_name
function_version = aws_lambda_function.api_handler.version
function_version = "$LATEST"
}


Expand Down
1 change: 0 additions & 1 deletion scripts/build.sh
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,6 @@ if [ "$(uname)" == "Darwin" ]; then
else
echo " compiling cli..."
go build -o $CLI_BUILD_DIR/cli $APPS_DIR/cli
ln -sf $CLI_BUILD_DIR/cli $DIR/$CLI_NAME
fi

echo "*** packaging... ***"
Expand Down

0 comments on commit 3893706

Please sign in to comment.