From 3893706e40e6690a92f4dd77ba102ebf98b0e051 Mon Sep 17 00:00:00 2001 From: Ryan Diers <39590744+radsec@users.noreply.github.com> Date: Thu, 28 Mar 2024 13:57:04 -0700 Subject: [PATCH] [TF] Update Lambda versioning/aliases logic, tune Lambdas, and AWS firehose TF changes (#43) * update lambda aliases * tune lambda memory * remove this broken symbolic link during builds * reduce warnings and migrate the firehose S3 TF resources --- .../terraform_modules/santa_api/_providers.tf | 8 ++ .../terraform_modules/santa_api/lambda.tf | 1 + .../santa_api/modules/firehose/s3.tf | 113 +++++++++++++----- .../modules/lambda/api-handler/lambda.tf | 2 +- scripts/build.sh | 1 - 5 files changed, 96 insertions(+), 29 deletions(-) create mode 100644 deployments/terraform_modules/santa_api/_providers.tf diff --git a/deployments/terraform_modules/santa_api/_providers.tf b/deployments/terraform_modules/santa_api/_providers.tf new file mode 100644 index 0000000..ce128ba --- /dev/null +++ b/deployments/terraform_modules/santa_api/_providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "5.15.0" + } + } +} \ No newline at end of file diff --git a/deployments/terraform_modules/santa_api/lambda.tf b/deployments/terraform_modules/santa_api/lambda.tf index 6ff7b31..36b91f0 100644 --- a/deployments/terraform_modules/santa_api/lambda.tf +++ b/deployments/terraform_modules/santa_api/lambda.tf @@ -144,6 +144,7 @@ module "postflight_function" { lambda_source_key = aws_s3_bucket_object.santa_api_source.key lambda_source_hash = local.lambda_source_hash endpoint = "postflight" + lambda_memory_size = 512 api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn env_vars = { diff --git a/deployments/terraform_modules/santa_api/modules/firehose/s3.tf b/deployments/terraform_modules/santa_api/modules/firehose/s3.tf index 02f818d..02dd519 100644 --- a/deployments/terraform_modules/santa_api/modules/firehose/s3.tf 
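Review bot: The new `_providers.tf` pins the AWS provider to an exact release inside a child module (`version = "5.15.0"`), which forces every root module that consumes `santa_api` to resolve to that single release and blocks picking up provider patch fixes without editing this module. The conventional form for a module is a lower bound or pessimistic constraint, leaving the exact pin to the root's lock file: `version = "~> 5.15"`. The split `aws_s3_bucket_*` resources introduced in `s3.tf` need provider 4.x or later, so either constraint keeps that migration valid. The file is also missing its trailing newline (`\ No newline at end of file`).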
+++ b/deployments/terraform_modules/santa_api/modules/firehose/s3.tf 
@@ -12,62 +12,121 @@ resource "aws_s3_bucket" "s3_logging" { count = local.create_s3_logging_bucket ? 1 : 0 bucket = local.s3_logging_bucket_name - acl = "log-delivery-write" + + force_destroy = true + +} + +resource "aws_s3_bucket_policy" "s3_logging" { + count = local.create_s3_logging_bucket ? 1 : 0 + + bucket = aws_s3_bucket.s3_logging[0].id policy = format( data.aws_iam_policy_document.firehose_bucket_policy_template.json, local.s3_logging_bucket_name, local.s3_logging_bucket_name ) +} - force_destroy = true +resource "aws_s3_bucket_versioning" "s3_logging" { + count = local.create_s3_logging_bucket ? 1 : 0 - versioning { - enabled = true + bucket = aws_s3_bucket.s3_logging[0].id + versioning_configuration { + status = "Enabled" } +} - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" - kms_master_key_id = aws_kms_key.s3_logging[0].key_id - } +resource "aws_s3_bucket_server_side_encryption_configuration" "s3_logging" { + count = local.create_s3_logging_bucket ? 1 : 0 + + bucket = aws_s3_bucket.s3_logging[0].id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + kms_master_key_id = aws_kms_key.s3_logging[0].key_id } } } +resource "aws_s3_bucket_ownership_controls" "s3_logging" { + count = local.create_s3_logging_bucket ? 1 : 0 + + bucket = aws_s3_bucket.s3_logging[0].id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "s3_logging" { + count = local.create_s3_logging_bucket ? 
1 : 0 + + depends_on = [aws_s3_bucket_ownership_controls.s3_logging] + + bucket = aws_s3_bucket.s3_logging[0].id + acl = "log-delivery-write" +} + # # S3 Bucket for firehose # resource "aws_s3_bucket" "rudolph_eventsupload_firehose" { bucket = local.source_bucket_name + + force_destroy = true + + +} + +resource "aws_s3_bucket_ownership_controls" "rudolph_eventsupload_firehose" { + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "rudolph_eventsupload_firehose" { + depends_on = [aws_s3_bucket_ownership_controls.rudolph_eventsupload_firehose] + + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id acl = "private" +} + + +resource "aws_s3_bucket_policy" "rudolph_eventsupload_firehose" { + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id policy = format( data.aws_iam_policy_document.firehose_bucket_policy_template.json, local.source_bucket_name, local.source_bucket_name ) +} - force_destroy = true - - versioning { - enabled = true +resource "aws_s3_bucket_versioning" "rudolph_eventsupload_firehose" { + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id + versioning_configuration { + status = "Enabled" } +} - dynamic "logging" { - for_each = var.enable_logging ? 
[1] : [] - content { - target_bucket = local.s3_logging_bucket_name - target_prefix = "${local.source_bucket_name}/" - } - } +resource "aws_s3_bucket_server_side_encryption_configuration" "rudolph_eventsupload_firehose" { + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" - kms_master_key_id = aws_kms_key.rudolph_eventsupload_kms_key.key_id - } + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + kms_master_key_id = aws_kms_key.rudolph_eventsupload_kms_key.key_id } } } + +resource "aws_s3_bucket_logging" "rudolph_eventsupload_firehose" { + count = var.enable_logging ? 1 : 0 + + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id + + target_bucket = local.s3_logging_bucket_name + target_prefix = "${local.source_bucket_name}/" +} diff --git a/deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf b/deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf index 04b7c4d..4061fbc 100644 --- a/deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf +++ b/deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf @@ -43,7 +43,7 @@ resource "aws_lambda_alias" "api_handler" { name = var.alias_name description = "${var.alias_name} alias for ${aws_lambda_function.api_handler.function_name}" function_name = aws_lambda_function.api_handler.function_name - function_version = aws_lambda_function.api_handler.version + function_version = "$LATEST" } diff --git a/scripts/build.sh b/scripts/build.sh index dbf76a7..a8b1de2 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -42,7 +42,6 @@ if [ "$(uname)" == "Darwin" ]; then else echo " compiling cli..." go build -o $CLI_BUILD_DIR/cli $APPS_DIR/cli - ln -sf $CLI_BUILD_DIR/cli $DIR/$CLI_NAME fi echo "*** packaging... ***"
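Review bot: The new `aws_s3_bucket_logging.rudolph_eventsupload_firehose` resource points at `local.s3_logging_bucket_name` but declares no dependency on the logging bucket's ACL, so when `local.create_s3_logging_bucket` is true Terraform may apply the logging configuration before `aws_s3_bucket_acl.s3_logging` has granted `log-delivery-write`, which S3 rejects as an invalid target bucket; adding `depends_on = [aws_s3_bucket_acl.s3_logging]` to that resource makes the order explicit and is harmless when the count is 0. Separately, neither bucket has an `aws_s3_bucket_public_access_block`, which this commit does not introduce but which the migration to the per-feature S3 resources is the natural place to add — unless one is defined elsewhere in the module, which I cannot see from this hunk. `BucketOwnerPreferred` is the right ownership setting here, since `BucketOwnerEnforced` would disable the ACLs the new `aws_s3_bucket_acl` resources apply; the `log-delivery-write` ACL is the legacy delivery grant, and a bucket policy for the `logging.s3.amazonaws.com` principal would let the logging bucket move to `BucketOwnerEnforced` later.
```hcl
resource "aws_s3_bucket_logging" "rudolph_eventsupload_firehose" {
  count = var.enable_logging ? 1 : 0

  depends_on = [aws_s3_bucket_acl.s3_logging]

  # … unchanged: bucket, target_bucket, target_prefix …
}

resource "aws_s3_bucket_public_access_block" "rudolph_eventsupload_firehose" {
  bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```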
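Review bot: Setting `function_version = "$LATEST"` on `aws_lambda_alias.api_handler` turns the alias into a pointer at unpublished code, so every code upload is live through the alias immediately, there is no immutable published version (with its recorded code SHA) to audit or roll back to, and features that require a numbered version — provisioned concurrency and weighted `routing_config` traffic shifting — can no longer be attached to the alias. If the motivation was that the old `aws_lambda_function.api_handler.version` reference kept returning a stale value, the usual cause is the function resource not setting `publish = true`; that resource is outside this hunk, so I cannot confirm it. I would keep `function_version = aws_lambda_function.api_handler.version` and ensure the function publishes a version on each change, rather than aliasing `$LATEST`. The `aws_lambda_alias` block starts before the hunk.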