main.tf
# Caller context (account id, partition, region). These feed the fallback
# SNS topic ARN assembled in locals for a topic this module does not create.
data "aws_partition" "current" {}

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}
locals {
  # Module-wide creation switch.
  # NOTE(review): the resources and data source in this file gate on var.create
  # directly rather than on local.create — confirm where local.create is consumed.
  create = var.create && var.putin_khuylo

  # Python module name the handler lives in. basename(null) fails inside try()
  # when no custom source path is given, which selects the bundled notify_slack.
  lambda_handler = try(split(".", basename(var.lambda_source_path))[0], "notify_slack")

  # Topic the function is subscribed to and permitted to be invoked by:
  # the topic managed here when it exists, otherwise an ARN constructed for a
  # pre-existing topic named var.sns_topic_name in the caller's
  # partition/region/account, and "" if neither can be resolved.
  sns_topic_arn = try(
    aws_sns_topic.this[0].arn,
    "arn:${data.aws_partition.current.id}:sns:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.sns_topic_name}",
    ""
  )

  # Role SNS assumes for Lambda delivery-status logging: created by this module
  # when local.create_sns_feedback_role is set, otherwise supplied by the caller.
  sns_feedback_role = local.create_sns_feedback_role ? aws_iam_role.sns_feedback_role[0].arn : var.sns_topic_lambda_feedback_role_arn

  # Statement scoped to the function's own log group (stream create + put only).
  # The replace() collapses a doubled ":*:*" suffix in case the group ARN
  # returned by the provider already ends in ":*".
  lambda_policy_document = {
    sid       = "AllowWriteToCloudwatchLogs"
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [replace("${try(aws_cloudwatch_log_group.lambda[0].arn, "")}:*", ":*:*", ":*")]
  }

  # Decrypt permission limited to the single customer-managed key; included in
  # the policy document only when var.kms_key_arn is non-empty.
  lambda_policy_document_kms = {
    sid       = "AllowKMSDecrypt"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [var.kms_key_arn]
  }
}
# Least-privilege policy for the function role: the CloudWatch Logs statement
# always, the KMS decrypt statement only when a customer-managed key is set.
data "aws_iam_policy_document" "lambda" {
  count = var.create ? 1 : 0

  dynamic "statement" {
    for_each = var.kms_key_arn != "" ? [local.lambda_policy_document, local.lambda_policy_document_kms] : [local.lambda_policy_document]

    content {
      sid       = statement.value.sid
      effect    = statement.value.effect
      actions   = statement.value.actions
      resources = statement.value.resources
    }
  }
}
# Log group created ahead of the function. The name must be exactly the one
# Lambda writes to (/aws/lambda/<function name>) because the Lambda module is
# configured with use_existing_cloudwatch_log_group = true. Retention and the
# optional KMS key are the caller's choice.
resource "aws_cloudwatch_log_group" "lambda" {
  count = var.create ? 1 : 0

  name              = "/aws/lambda/${var.lambda_function_name}"
  kms_key_id        = var.cloudwatch_log_group_kms_key_id
  retention_in_days = var.cloudwatch_log_group_retention_in_days

  tags = merge(var.tags, var.cloudwatch_log_group_tags)
}
# Notification topic, created only when the caller asks for one. Messages are
# encrypted at rest with var.sns_topic_kms_key_id when it is set. Delivery-status
# logging for the Lambda protocol is wired up as a unit: the feedback role and
# sample rate are all null unless var.enable_sns_topic_delivery_status_logs.
resource "aws_sns_topic" "this" {
  count = var.create_sns_topic && var.create ? 1 : 0

  name              = var.sns_topic_name
  kms_master_key_id = var.sns_topic_kms_key_id

  lambda_success_feedback_role_arn    = var.enable_sns_topic_delivery_status_logs ? local.sns_feedback_role : null
  lambda_success_feedback_sample_rate = var.enable_sns_topic_delivery_status_logs ? var.sns_topic_lambda_feedback_sample_rate : null
  lambda_failure_feedback_role_arn    = var.enable_sns_topic_delivery_status_logs ? local.sns_feedback_role : null

  tags = merge(var.tags, var.sns_topic_tags)
}
# Subscribes the published function version (qualified ARN, matching
# publish = true on the module) to the topic. The optional filter policy lets
# the caller limit which messages reach the function.
resource "aws_sns_topic_subscription" "sns_notify_slack" {
  count = var.create ? 1 : 0

  protocol  = "lambda"
  topic_arn = local.sns_topic_arn
  endpoint  = module.lambda.lambda_function_qualified_arn

  filter_policy       = var.subscription_filter_policy
  filter_policy_scope = var.subscription_filter_policy_scope
}
# Packages and deploys the notifier function through the upstream Lambda
# module. The module version is pinned so an upstream release cannot change
# what is deployed without an explicit, reviewable bump here.
module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "6.8.0"

  create = var.create

  # --- function -------------------------------------------------------------
  function_name = var.lambda_function_name
  description   = var.lambda_description
  handler       = "${local.lambda_handler}.lambda_handler"
  runtime       = "python3.11"
  architectures = var.architectures
  timeout       = 30

  # Custom code is resolved relative to the root module; otherwise the
  # notify_slack.py bundled with this module is packaged.
  source_path                  = var.lambda_source_path != null ? "${path.root}/${var.lambda_source_path}" : "${path.module}/functions/notify_slack.py"
  hash_extra                   = var.hash_extra
  recreate_missing_package     = var.recreate_missing_package
  trigger_on_package_timestamp = var.trigger_on_package_timestamp
  store_on_s3                  = var.lambda_function_store_on_s3
  s3_bucket                    = var.lambda_function_s3_bucket

  # A published version is required: adding the SNS invoke permission below to
  # the unqualified $LATEST fails with "Error adding new Lambda Permission for
  # notify_slack: InvalidParameterValueException: We currently do not support
  # adding policies for $LATEST."
  publish = true

  kms_key_arn                    = var.kms_key_arn
  reserved_concurrent_executions = var.reserved_concurrent_executions
  ephemeral_storage_size         = var.lambda_function_ephemeral_storage_size

  # SLACK_WEBHOOK_URL is a bearer secret. Anyone allowed
  # lambda:GetFunctionConfiguration on this function can read it back in clear
  # text; kms_key_arn protects it at rest only. Scope read access to the
  # function accordingly.
  environment_variables = {
    SLACK_WEBHOOK_URL = var.slack_webhook_url
    SLACK_CHANNEL     = var.slack_channel
    SLACK_USERNAME    = var.slack_username
    SLACK_EMOJI       = var.slack_emoji
    LOG_EVENTS        = var.log_events ? "True" : "False"
  }

  # --- execution role -------------------------------------------------------
  # A role is created only when the caller did not bring one.
  create_role               = var.lambda_role == ""
  lambda_role               = var.lambda_role
  role_name                 = "${var.iam_role_name_prefix}-${var.lambda_function_name}"
  role_path                 = var.iam_role_path
  role_permissions_boundary = var.iam_role_boundary_policy_arn
  role_tags                 = var.iam_role_tags
  policy_path               = var.iam_policy_path

  # The upstream module's built-in CloudWatch Logs policy is disabled and the
  # document built in this file (logs + optional KMS decrypt) is attached in its
  # place. attach_policy_json stays unconditionally true, independent of whether
  # a KMS key is present, so that no count depends on a computed value (the
  # well-known "computed values in count" limitation).
  attach_cloudwatch_logs_policy     = false
  attach_policy_json                = true
  policy_json                       = try(data.aws_iam_policy_document.lambda[0].json, "")
  use_existing_cloudwatch_log_group = true
  attach_network_policy             = var.lambda_function_vpc_subnet_ids != null

  dead_letter_target_arn    = var.lambda_dead_letter_target_arn
  attach_dead_letter_policy = var.lambda_attach_dead_letter_policy

  # Resource policy on the function. source_arn pins the permission to the one
  # notification topic, so no other topic (in this or another account) can
  # invoke the function through the sns.amazonaws.com principal.
  allowed_triggers = {
    AllowExecutionFromSNS = {
      principal  = "sns.amazonaws.com"
      source_arn = local.sns_topic_arn
    }
  }

  # --- networking -----------------------------------------------------------
  vpc_subnet_ids         = var.lambda_function_vpc_subnet_ids
  vpc_security_group_ids = var.lambda_function_vpc_security_group_ids

  tags = merge(var.tags, var.lambda_function_tags)

  # The log group is managed in this file under the name Lambda would use, so
  # it must exist before the function is created.
  depends_on = [aws_cloudwatch_log_group.lambda]
}