chore: support layer (#18)

* chore: test new provider version

* feat: add suppoty lambda layers

* chore: add example

* fix: precommit

* fix: precommit

* fix: add default kms (#19)

* chore: version constrain for archive

* chore: update tagging style

* chore: update Doc

Author: xshot9011

CHANGELOG.md

@@ -2,6 +2,23 @@
 
 All notable changes to this module will be documented in this file.
 
+## [v1.2.0] - 2023-09-12
+
+### Added
+
+- Data general source `data.aws_caller_identity.this`, `data.aws_region.this`
+- Encryption to cloudwatch log group (external kms, built-in kms)
+  - Data `data.aws_iam_policy_document.cloudwatch_log_group_kms_policy`
+  - Module `module.cloudwatch_log_group_kms (v1.0.0)`
+  - Variable `var.is_create_default_kms`, `var.cloudwatch_log_group_kms_key_arn`
+- Add support lambda layer
+  - Variable `var.layer_arns`
+
+### Changed
+
+- Constrain version for archive provider to `>= 2.0.0` from `2.2.0`
+- Add default tagging with module name
+
 ## [v1.1.4] - 2022-12-15
 
 ### Added

README.md

@@ -20,4 +20,4 @@ Your can also report the vulnerabilities by emailing to Oozou DevOps team at:
 [email protected]
 ```
 
-We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.
+We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.

SECURITY.md

@@ -1,5 +1,5 @@
 locals {
-  name              = format("%s-%s-%s", "oozou", "test", "app")
+  name = format("%s-%s-%s", "oozou", "test", "app")
 }
 
 data "aws_caller_identity" "this" {}
@@ -31,7 +31,7 @@ module "sns" {
 
   prefix       = "oozou"
   environment  = "test"
-  name         = format("%s-accesskey-rotate", "app") 
+  name         = format("%s-accesskey-rotate", "app")
   display_name = "Alerting Center"
 
   sns_permission_configuration = {
@@ -71,14 +71,14 @@ resource "aws_iam_policy" "sns_publish_policy" {
         Action = [
           "sns:Publish",
         ]
-        Effect   = "Allow"
-        "Resource": module.sns.sns_topic_arn
+        Effect = "Allow"
+        "Resource" : module.sns.sns_topic_arn
       },
     ]
   })
 }
 
-resource "aws_iam_policy" "iam_updateKey_policy" {
+resource "aws_iam_policy" "iam_updatekey_policy" {
   name = format("%s-iam-updatekey-access", local.name)
   path = "/"
 
@@ -92,8 +92,8 @@ resource "aws_iam_policy" "iam_updateKey_policy" {
           "iam:ListAccessKeys",
           "iam:DeleteAccessKey",
         ]
-        Effect   = "Allow"
-        "Resource": aws_iam_user.s3_presigned_user.arn
+        Effect = "Allow"
+        "Resource" : aws_iam_user.s3_presigned_user.arn
       },
     ]
   })
@@ -108,11 +108,11 @@ resource "aws_iam_policy" "secretsmanager_updatesecret_policy" {
     Statement = [
       {
         Action = [
-            "secretsmanager:GetSecretValue",
-            "secretsmanager:PutSecretValue"
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:PutSecretValue"
         ]
-        Effect   = "Allow"
-          "Resource": aws_secretsmanager_secret.accesskey.arn
+        Effect = "Allow"
+        "Resource" : aws_secretsmanager_secret.accesskey.arn
       },
     ]
   })
@@ -136,22 +136,22 @@ module "lambda_accesskey_rotate" {
   runtime = "python3.9"
   handler = "access_key_rotate.handler"
   environment_variables = {
-    iam_username    = aws_iam_user.s3_presigned_user.name
-    secret_name      = aws_secretsmanager_secret.accesskey.name
-    sns_topic_arn   = module.sns.sns_topic_arn
+    iam_username  = aws_iam_user.s3_presigned_user.name
+    secret_name   = aws_secretsmanager_secret.accesskey.name
+    sns_topic_arn = module.sns.sns_topic_arn
   }
 
   # IAM
   additional_lambda_role_policy_arns = [
     aws_iam_policy.sns_publish_policy.arn,
     aws_iam_policy.secretsmanager_updatesecret_policy.arn,
-    aws_iam_policy.iam_updateKey_policy.arn
+    aws_iam_policy.iam_updatekey_policy.arn
   ]
 
   # Resource policy
   lambda_permission_configurations = {
     allow_trigger_from_eventbridge = {
-      principal   = "secretsmanager.amazonaws.com"
+      principal = "secretsmanager.amazonaws.com"
     }
   }
 
@@ -183,16 +183,16 @@ module "secret_kms_key" {
 }
 
 resource "aws_secretsmanager_secret" "accesskey" {
-  name                = format("%s/accesskey", local.name)
-  description = "access key secret with rotation"
-  kms_key_id  = module.secret_kms_key.key_arn
+  name                    = format("%s/accesskey", local.name)
+  description             = "access key secret with rotation"
+  kms_key_id              = module.secret_kms_key.key_arn
   recovery_window_in_days = 0
 
 }
 
 resource "aws_secretsmanager_secret_rotation" "accesskey" {
   secret_id           = aws_secretsmanager_secret.accesskey.id
-  rotation_lambda_arn = module.lambda_accesskey_rotate.function_arn 
+  rotation_lambda_arn = module.lambda_accesskey_rotate.function_arn
   rotation_rules {
     automatically_after_days = 7
   }
@@ -212,4 +212,3 @@ resource "aws_iam_user" "s3_presigned_user" {
 
   tags = merge({}, { "Name" = "s3_presigned_user" })
 }
-

examples/access_key_rotate/main.tf

@@ -0,0 +1,33 @@
+# EditorConfig is awesome: http://EditorConfig.org
+# Uses editorconfig to maintain consistent coding styles
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+max_line_length = 80
+trim_trailing_whitespace = true
+
+[*.{tf,tfvars}]
+indent_size = 2
+indent_style = space
+
+[*.{py}]
+indent_size = 4
+indent_style = space
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+# Tab indentation (no size specified)
+[Makefile]
+tab_width = 2
+indent_style = tab
+
+[COMMIT_EDITMSG]
+max_line_length = 0

examples/lambda_layer/.editorconfig

@@ -0,0 +1,35 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name                                                                      | Version  |
+|---------------------------------------------------------------------------|----------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | >= 4.0.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name                                                   | Source | Version |
+|--------------------------------------------------------|--------|---------|
+| <a name="module_lambda"></a> [lambda](#module\_lambda) | ../../ | n/a     |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name                                                                  | Description                                                                                                  | Type       | Default | Required |
+|-----------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|------------|---------|:--------:|
+| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}`    |    no    |
+| <a name="input_environment"></a> [environment](#input\_environment)   | Environment Variable used as a prefix                                                                        | `string`   | n/a     |   yes    |
+| <a name="input_name"></a> [name](#input\_name)                        | Name of the ECS cluster and s3 also redis to create                                                          | `string`   | n/a     |   yes    |
+| <a name="input_prefix"></a> [prefix](#input\_prefix)                  | The prefix name of customer to be displayed in AWS console and resource                                      | `string`   | n/a     |   yes    |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/lambda_layer/README.md

@@ -0,0 +1,44 @@
+locals {
+  name = format("%s-%s-%s", var.prefix, var.environment, var.name)
+}
+
+resource "aws_lambda_layer_version" "lambda_layer" {
+  filename   = "./src/requests.zip"
+  layer_name = format("%s-requests-layer", local.name)
+
+  compatible_runtimes = ["python3.8"]
+}
+
+module "lambda" {
+  source = "../../"
+
+  prefix      = var.prefix
+  environment = var.environment
+  name        = var.name
+
+  # Source code
+  source_code_dir           = "./src"
+  file_globs                = ["main.py"]
+  compressed_local_file_dir = "./outputs"
+
+  # Lambda Env
+  runtime = "python3.8"
+  handler = "main.lambda_handler"
+
+  # Lambda Specification
+  timeout                            = 3
+  memory_size                        = 128
+  reserved_concurrent_executions     = -1
+  layer_arns                         = [aws_lambda_layer_version.lambda_layer.arn]
+  additional_lambda_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
+
+  # Resource policy
+  lambda_permission_configurations = {
+    # lambda_on_my_account = {
+    #   principal  = "apigateway.amazonaws.com"
+    #   source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/"
+    # }
+  }
+
+  tags = var.custom_tags
+}

examples/lambda_layer/main.tf

@@ -0,0 +1,10 @@
+import os
+import io
+import sys
+import csv
+import requests
+
+
+def lambda_handler(event, context):
+    response = requests.get("https://www.google.com")
+    return response.json()

examples/lambda_layer/outputs.tf

@@ -0,0 +1,6 @@
+prefix      = "example"
+environment = "devops"
+name        = "cms"
+custom_tags = {
+  "Remark" = "terraform-aws-lambda-example"
+}

examples/lambda_layer/src/main.py

@@ -0,0 +1,23 @@
+/* -------------------------------------------------------------------------- */
+/*                                  Generics                                  */
+/* -------------------------------------------------------------------------- */
+variable "prefix" {
+  description = "The prefix name of customer to be displayed in AWS console and resource"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment Variable used as a prefix"
+  type        = string
+}
+
+variable "name" {
+  description = "Name of the ECS cluster and s3 also redis to create"
+  type        = string
+}
+
+variable "custom_tags" {
+  description = "Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys"
+  type        = map(any)
+  default     = {}
+}

examples/lambda_layer/src/requests.zip

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0.0"
+    }
+  }
+}