First commit

Author: horothesun

.github/workflows/ci.yml

@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  workflow_dispatch: # enable manual execution
+
+env:
+  TERRAFORM_VERSION: 1.3.6
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify:
+    name: Verify
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+
+    - uses: actions/checkout@v3
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+    - name: Format check
+      run: terraform fmt -check -recursive .
+
+    - name: Validate
+      run: terraform validate

.gitignore

@@ -26,4 +26,4 @@ override.tf.json
 # !example_override.tf
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
+*tfplan*

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Nicola
+Copyright (c) 2022 horothesun
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

api_gateway.tf

@@ -0,0 +1,66 @@
+resource "aws_apigatewayv2_api" "api_gw" {
+  name          = aws_lambda_function.lambda.function_name
+  protocol_type = "HTTP"
+  description   = "HTTP API for ${aws_lambda_function.lambda.function_name}"
+
+  cors_configuration {
+    allow_credentials = false
+    allow_headers     = []
+    allow_methods     = [var.http_method]
+    allow_origins     = ["*"]
+    expose_headers    = []
+    max_age           = 0
+  }
+}
+
+resource "aws_apigatewayv2_stage" "default" {
+  api_id = aws_apigatewayv2_api.api_gw.id
+
+  name        = "$default"
+  auto_deploy = true
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api_gw.arn
+
+    format = jsonencode({
+      request_id                = "$context.requestId"
+      source_ip                 = "$context.identity.sourceIp"
+      request_time              = "$context.requestTime"
+      protocol                  = "$context.protocol"
+      http_method               = "$context.httpMethod"
+      resource_path             = "$context.resourcePath"
+      route_key                 = "$context.routeKey"
+      status                    = "$context.status"
+      response_length           = "$context.responseLength"
+      integration_error_message = "$context.integrationErrorMessage"
+    })
+  }
+
+  default_route_settings {
+    throttling_burst_limit = var.burst_limit_rps
+    throttling_rate_limit  = var.rate_limit_rps
+  }
+}
+
+resource "aws_apigatewayv2_integration" "lambda" {
+  api_id = aws_apigatewayv2_api.api_gw.id
+
+  integration_uri        = aws_lambda_function.lambda.invoke_arn
+  integration_type       = "AWS_PROXY"
+  payload_format_version = "2.0"
+  timeout_milliseconds   = 1000 * local.http_timeout_in_seconds
+}
+
+resource "aws_apigatewayv2_route" "lambda" {
+  api_id    = aws_apigatewayv2_api.api_gw.id
+  route_key = "${var.http_method} ${var.http_route}"
+  target    = "integrations/${aws_apigatewayv2_integration.lambda.id}"
+}
+
+resource "aws_lambda_permission" "api_gw" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.api_gw.execution_arn}/*/*"
+}

cloudwatch.tf

@@ -0,0 +1,15 @@
+resource "aws_cloudwatch_log_group" "lambda" {
+  name              = "/aws/lambda/${aws_lambda_function.lambda.function_name}"
+  retention_in_days = var.lambda_logs_retention_days
+  lifecycle {
+    prevent_destroy = false
+  }
+}
+
+resource "aws_cloudwatch_log_group" "api_gw" {
+  name              = "/aws/api_gw/${aws_apigatewayv2_api.api_gw.name}"
+  retention_in_days = var.apigw_logs_retention_days
+  lifecycle {
+    prevent_destroy = false
+  }
+}

ecr.tf

@@ -0,0 +1,55 @@
+resource "aws_ecr_repository" "ecr_repo" {
+  name                 = var.lambda_name
+  image_tag_mutability = "MUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = false # additional cost
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "ecr_repo_lifecycle_policy" {
+  repository = aws_ecr_repository.ecr_repo.name
+
+  policy = jsonencode({
+    "rules" : [
+      {
+        "rulePriority" : 1,
+        "description" : "Keep last untagged image",
+        "selection" : {
+          "tagStatus" : "untagged",
+          "countType" : "imageCountMoreThan",
+          "countNumber" : 1
+        },
+        "action" : {
+          "type" : "expire"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_ecr_repository_policy" "ecr_repo_policy" {
+  repository = aws_ecr_repository.ecr_repo.name
+
+  policy = jsonencode({
+    "Version" : "2008-10-17",
+    "Statement" : [
+      {
+        "Sid" : "LambdaECRImageRetrievalPolicy",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "lambda.amazonaws.com"
+        },
+        "Action" : [
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer"
+        ]
+      }
+    ]
+  })
+}
+
+data "aws_ecr_image" "ecr_image" {
+  repository_name = aws_ecr_repository.ecr_repo.name
+  image_tag       = "latest"
+}

iam.tf

@@ -0,0 +1,35 @@
+resource "aws_iam_role" "lambda" {
+  name = "${var.lambda_name}-lambda-role"
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : "sts:AssumeRole",
+        "Principal" : { "Service" : "lambda.amazonaws.com" }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda" {
+  role       = aws_iam_role.lambda.id
+  policy_arn = aws_iam_policy.lambda_cloudwatch.arn
+}
+
+resource "aws_iam_policy" "lambda_cloudwatch" {
+  name   = "${var.lambda_name}-cloudwatch"
+  policy = data.aws_iam_policy_document.lambda_cloudwatch.json
+}
+
+data "aws_iam_policy_document" "lambda_cloudwatch" {
+  statement {
+    sid    = "CreateCloudWatchLogs"
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+    resources = ["arn:aws:logs:*:*:*"]
+  }
+}

lambda.tf

@@ -0,0 +1,9 @@
+resource "aws_lambda_function" "lambda" {
+  function_name = var.lambda_name
+  role          = aws_iam_role.lambda.arn
+  timeout       = local.http_timeout_in_seconds - 1
+  memory_size   = var.lambda_memory_MB
+  architectures = ["x86_64"]
+  image_uri     = "${aws_ecr_repository.ecr_repo.repository_url}@${data.aws_ecr_image.ecr_image.id}"
+  package_type  = "Image"
+}

locals.tf

@@ -0,0 +1,3 @@
+locals {
+  http_timeout_in_seconds = 30
+}

outputs.tf

@@ -0,0 +1,7 @@
+output "ecr_repo_arn" {
+  value = aws_ecr_repository.ecr_repo.arn
+}
+
+output "lambda_function_arn" {
+  value = aws_lambda_function.lambda.arn
+}