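locals {
  # IAM path for the execution role; falls back to "/<prefix>/" when the caller
  # did not set one.
  role_path = var.lambda.role_path == null ? "/${var.lambda.prefix}/" : var.lambda.role_path

  # Environment the module always sets on the function. Lambda environment
  # variables are strings, so the boolean-like values are spelled "true"/"false"
  # consistently (Terraform coerces a bare bool the same way, but a map that
  # mixes bool and string values is easy to misread).
  lambda_environment_variables = {
    ENVIRONMENT = var.lambda.prefix
    LOG_LEVEL   = var.lambda.log_level
    PREFIX      = var.lambda.prefix
    # At log level "debug" Powertools logs the full incoming event; request
    # payloads then land in CloudWatch, so keep debug for non-production use.
    POWERTOOLS_LOGGER_LOG_EVENT              = var.lambda.log_level == "debug" ? "true" : "false"
    POWERTOOLS_SERVICE_NAME                  = var.lambda.name
    POWERTOOLS_TRACE_ENABLED                 = var.lambda.tracing_config.mode != null ? "true" : "false"
    POWERTOOLS_TRACER_CAPTURE_HTTPS_REQUESTS = var.lambda.tracing_config.capture_http_requests
    POWERTOOLS_TRACER_CAPTURE_ERROR          = var.lambda.tracing_config.capture_error
    POWERTOOLS_METRICS_NAMESPACE             = var.lambda.metrics_namespace
  }

  # Caller-supplied variables win on key collision, so any default above
  # (including LOG_LEVEL) can be overridden through var.lambda.environment_variables.
  environment_variable = merge(local.lambda_environment_variables, var.lambda.environment_variables)
}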
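resource "aws_lambda_function" "main" {
  # Deployment package: from S3 when a bucket is given, otherwise the local zip.
  # With the local zip, source_code_hash lets Terraform detect changed code; with
  # S3, only a changed s3_key / s3_object_version triggers a function update.
  s3_bucket         = var.lambda.s3_bucket
  s3_key            = var.lambda.s3_key
  s3_object_version = var.lambda.s3_object_version
  filename          = var.lambda.s3_bucket == null ? var.lambda.zip : null
  source_code_hash  = var.lambda.s3_bucket == null ? filebase64sha256(var.lambda.zip) : null

  function_name = "${var.lambda.prefix}-${var.lambda.name}"
  role          = aws_iam_role.main.arn
  handler       = var.lambda.handler
  runtime       = var.lambda.runtime
  timeout       = var.lambda.timeout
  memory_size   = var.lambda.memory_size
  architectures = [var.lambda.architecture]

  # NOTE(review): no kms_key_arn is set, so environment variables are encrypted
  # with the AWS-managed Lambda key; confirm whether var.lambda should expose a CMK.
  environment {
    variables = local.environment_variable
  }

  # Attach to a VPC only when both subnets and security groups are provided; the
  # ENI permissions for this come from aws_iam_role_policy_attachment.vpc_execution_role.
  dynamic "vpc_config" {
    for_each = var.lambda.subnet_ids != null && var.lambda.security_group_ids != null ? [true] : []
    content {
      security_group_ids = var.lambda.security_group_ids
      subnet_ids         = var.lambda.subnet_ids
    }
  }

  tags = merge(var.lambda.tags, var.lambda.lambda_tags)

  dynamic "tracing_config" {
    for_each = var.lambda.tracing_config.mode != null ? [true] : []
    content {
      mode = var.lambda.tracing_config.mode
    }
  }

  # Create the log group before the function, so an early invocation cannot
  # auto-create an unmanaged group that lacks the retention and KMS settings
  # below (and then makes the managed one fail with "already exists").
  depends_on = [aws_cloudwatch_log_group.main]
}

resource "aws_cloudwatch_log_group" "main" {
  # Same name Lambda derives for the function; built from the variables rather than
  # from aws_lambda_function.main so this group can be created first.
  name              = "/aws/lambda/${var.lambda.prefix}-${var.lambda.name}"
  retention_in_days = var.lambda.logging_retention_in_days
  kms_key_id        = var.lambda.logging_kms_key_id
  tags              = var.lambda.tags
}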
resource "aws_iam_role" "main" {
  # Execution role name: "<prefix>-<name>" cut to 54 chars plus an 8-char md5
  # suffix of the untruncated value, so truncated names still differ and the
  # total (63 chars) stays under IAM's 64-character limit.
  name = format(
    "%s-%s",
    substr("${var.lambda.prefix}-${var.lambda.name}", 0, 54),
    substr(md5("${var.lambda.prefix}-${var.lambda.name}"), 0, 8),
  )

  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
  path               = local.role_path

  # Optional boundary caps what this role can do regardless of the inline
  # policies and attachments added elsewhere in this file.
  permissions_boundary = var.lambda.role_permissions_boundary
  tags                 = var.lambda.tags
}
data "aws_iam_policy_document" "lambda_assume_role_policy" {
  # Trust policy for the execution role: the Lambda service plus any extra
  # principals passed in var.lambda.principals. Every extra principal can assume
  # this role and inherit all permissions attached to it, so keep that list short.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    # One principals block per caller-supplied entry (expects objects with
    # "type" and "identifiers").
    dynamic "principals" {
      for_each = var.lambda.principals
      content {
        type        = principals.value["type"]
        identifiers = principals.value["identifiers"]
      }
    }
  }
}
resource "aws_iam_role_policy" "lambda_logging" {
  role = aws_iam_role.main.id
  name = "logging-policy"

  # Inline policy rendered from policies/lambda-cloudwatch.json. The template
  # receives only this function's log group ARN, so the grant can be scoped to
  # it; confirm the template uses that ARN rather than a wildcard resource.
  policy = templatefile(
    "${path.module}/policies/lambda-cloudwatch.json",
    { log_group_arn = aws_cloudwatch_log_group.main.arn },
  )
}
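resource "aws_iam_role_policy_attachment" "vpc_execution_role" {
  # Only needed when the function is placed in a VPC. The vpc_config block on
  # the function treats a null subnet_ids as "no VPC", but length(null) is an
  # evaluation error, so test for null before taking the length.
  count = var.lambda.subnet_ids == null ? 0 : (length(var.lambda.subnet_ids) > 0 ? 1 : 0)

  role = aws_iam_role.main.name

  # AWS managed policy carrying the EC2 network-interface permissions Lambda
  # needs to attach to a VPC, plus basic CloudWatch Logs access.
  policy_arn = "arn:${var.lambda.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}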
resource "aws_iam_role_policy" "xray" {
  # Present only when tracing is enabled. The policy document is declared
  # elsewhere in the module (data.aws_iam_policy_document.lambda_xray);
  # indexing [0] implies it is presumably guarded by the same count.
  count = var.lambda.tracing_config.mode == null ? 0 : 1

  role   = aws_iam_role.main.name
  name   = "xray-policy"
  policy = data.aws_iam_policy_document.lambda_xray[0].json
}