From e3bcf1b12b405a486d5cf500dc33fc768f371723 Mon Sep 17 00:00:00 2001
From: Phil Jory <Philip.Jory@albelli.com>
Date: Wed, 25 Sep 2019 17:56:29 +0200
Subject: [PATCH] Add new lambda scripts for shared vpc + sns

---
 apps/lambda_function_sns_shared_vpc/README.md |  49 +++++++
 .../cloudwatch.tf                             |  18 +++
 apps/lambda_function_sns_shared_vpc/lambda.tf | 133 ++++++++++++++++++
 apps/lambda_function_sns_shared_vpc/locals.tf |  12 ++
 apps/lambda_function_sns_shared_vpc/main.tf   |  10 ++
 .../lambda_function_sns_shared_vpc/outputs.tf |  17 +++
 apps/lambda_function_sns_shared_vpc/sns.tf    |  42 ++++++
 apps/lambda_function_sns_shared_vpc/sqs.tf    |  31 ++++
 .../variables.tf                              |  78 ++++++++++
 9 files changed, 390 insertions(+)
 create mode 100644 apps/lambda_function_sns_shared_vpc/README.md
 create mode 100644 apps/lambda_function_sns_shared_vpc/cloudwatch.tf
 create mode 100644 apps/lambda_function_sns_shared_vpc/lambda.tf
 create mode 100644 apps/lambda_function_sns_shared_vpc/locals.tf
 create mode 100644 apps/lambda_function_sns_shared_vpc/main.tf
 create mode 100644 apps/lambda_function_sns_shared_vpc/outputs.tf
 create mode 100644 apps/lambda_function_sns_shared_vpc/sns.tf
 create mode 100644 apps/lambda_function_sns_shared_vpc/sqs.tf
 create mode 100644 apps/lambda_function_sns_shared_vpc/variables.tf

diff --git a/apps/lambda_function_sns_shared_vpc/README.md b/apps/lambda_function_sns_shared_vpc/README.md
new file mode 100644
index 00000000..ae65edcc
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/README.md
@@ -0,0 +1,49 @@
+# Description
+
+An example terraform module to build simple application as aws lambda function triggered by SNS - hosted ont eh shared VPC.
+
+## Code Example
+
+```hcl-terraform
+
+//CustomerSubscription.EmailChanged
+module "lambda_app" {
+  source = "git@github.com:albumprinter/eops_tf_modules.git//apps/lambda_function_sns?ref=v0.17.10" # for eg. {TAG_VERSION} = v0.17.10
+  app_name = "${var.lambda_name}"
+  description = "Lambda function to process SNS"
+  handler = "Lambda::Lambda.Handler::Handle"
+  environment = "${var.environment}"
+  runtime = "dotnetcore2.1"
+  memory_size = "${var.memory}"
+  timeout = "30" // optional
+  tags_team = "WATSON"
+  lambda_bucket_name = "${var.lambda_bucket_name}"
+  lambda_sns_subscription_arn = "arn:aws:sns:eu-west-1:179698508378:Albumprinter-Authentication-Messaging-Messages-V1-EmailChanged"
+  variables = {
+    dummy = ""
+  }
+  iam_policy_document = "${data.aws_iam_policy_document.policy.json}"
+}
+
+data "aws_iam_policy_document" "policy" {
+  statement {
+    actions   = [
+                "logs:CreateLogStream",
+                "logs:DescribeLogStreams",
+                "logs:PutLogEvents",
+                "logs:GetLogEvents"
+               ]
+    resources = ["arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.lambda_name}:*"]
+  }
+  statement {
+    actions = [
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface"
+    ]
+    resources = ["arn:aws:ec2:${var.region}:*"]
+  }
+}
+
+
+```
diff --git a/apps/lambda_function_sns_shared_vpc/cloudwatch.tf b/apps/lambda_function_sns_shared_vpc/cloudwatch.tf
new file mode 100644
index 00000000..dd334ce8
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/cloudwatch.tf
@@ -0,0 +1,18 @@
+module "lambda_app_cloudwatch" {
+  source = "../../apps/cloudwatch_lambda"
+  app_name = "${var.app_name}"
+  log_group_name = "/aws/lambda/${var.app_name}"
+  alarm_threshold = "${var.lambda_memory_alert_threshold}"
+  alarm_action_arn = "${var.alarm_action_arn}"
+  environment = "${var.environment}"
+  tags_team = "${var.tags_team}"
+  tags_domain = "${var.tags_domain}"
+  tags_purpose = "${var.tags_purpose}"
+  tags_cost_center = "${var.tags_cost_center}"
+  description = "${var.description}"
+  retention_days = "${var.retention_days}"
+  enable_cloudwatch_alarms = "${var.enable_cloudwatch_alarms}"
+  providers = {
+   aws = "aws"
+  }
+}
\ No newline at end of file
diff --git a/apps/lambda_function_sns_shared_vpc/lambda.tf b/apps/lambda_function_sns_shared_vpc/lambda.tf
new file mode 100644
index 00000000..a8312fe7
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/lambda.tf
@@ -0,0 +1,133 @@
+module "lambda_s3_bucket_object" {
+  source = "../../apps/lambda_s3_bucket_object"
+  lambda_bucket_name = "${var.lambda_bucket_name}"
+  s3_object_key = "builds/lambda/${var.app_name}/lambda.zip"
+  tags = "${local.tags}"
+  providers = {
+   aws = "aws"
+  }
+}
+
+
+resource "aws_iam_role" "iam_for_app" {
+  name = "${var.app_name}"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "1",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow"
+    },
+    {
+      "Sid": "2",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "apigateway.amazonaws.com"
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_iam_policy_document" "default_policy" {
+  statement {
+    actions   = [
+                "logs:CreateLogStream",
+                "logs:DescribeLogStreams",
+                "logs:PutLogEvents",
+                "logs:GetLogEvents"
+               ]
+    resources = ["arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.app_name}:*"]
+  }
+  statement {
+    actions = [
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface"
+    ]
+    resources = ["*"]
+  }
+}
+
+locals {
+  iam_policy_doc = "${var.iam_policy_document == "" ? data.aws_iam_policy_document.default_policy.json : var.iam_policy_document}"
+}
+
+output "iam_policy_document" {
+  value = "${local.iam_policy_doc}"
+}
+
+resource "aws_iam_role_policy" "iam_policy_for_app" {
+  name = "${var.app_name}"
+  role = "${aws_iam_role.iam_for_app.id}"
+  policy = "${local.iam_policy_doc}"
+}
+
+resource "aws_security_group" "sg_for_app" {
+  name = "${var.app_name}"
+  description = "Allow all inbound traffic for the scheduled lambda function"
+  vpc_id = "${module.aws_shared_data.vpc_id}"
+
+  ingress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = [
+      "185.184.204.70/32",
+      "62.97.245.10/32",
+      "185.184.204.74/32",
+      "62.102.226.22/32",
+      "213.41.124.76/32",
+      "77.60.83.148/32",
+      "62.21.226.193/32",
+      "192.168.0.0/16",
+      "10.0.0.0/8",
+      "172.16.0.0/12"
+    ]
+  }
+
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = "${local.tags}"
+}
+
+
+
+
+resource "aws_lambda_function" "app" {
+  s3_bucket = "${var.lambda_bucket_name}"
+  s3_key = "${module.lambda_s3_bucket_object.key}"
+  function_name = "${var.app_name}"
+  description = "${var.description}"
+  role = "${aws_iam_role.iam_for_app.arn}"
+  handler = "${var.handler}"
+  runtime = "${var.runtime}"
+  memory_size = "${var.memory_size}"
+  timeout = "${var.timeout}"
+  environment {
+    variables = "${var.variables}"
+  }
+  count            = "${var.enabled}"
+  tags = "${local.tags}"
+  reserved_concurrent_executions = "${var.reserved_concurrent_executions}"
+
+  dead_letter_config = {
+    target_arn = "${aws_sns_topic.lambda_error_sns.arn}"
+  }
+  vpc_config = {
+    subnet_ids = ["${split( ",", var.private == 1 ?   join(",", module.aws_shared_data.private_subnet_ids) :  join(",", module.aws_shared_data.all_subnet_ids))}"]
+    security_group_ids = ["${aws_security_group.sg_for_app.id}"]
+  }
+}
\ No newline at end of file
diff --git a/apps/lambda_function_sns_shared_vpc/locals.tf b/apps/lambda_function_sns_shared_vpc/locals.tf
new file mode 100644
index 00000000..b83771c0
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/locals.tf
@@ -0,0 +1,12 @@
+locals {
+  tags = {
+    Domain          = "${var.tags_domain}"
+    Name            = "${var.app_name}"
+    "Business Unit" = "${var.tags_business_unit}"
+    "Cost Center"   = "${var.tags_cost_center}"
+    Team            = "${var.tags_team}"
+    Purpose         = "${var.tags_purpose}"
+    Description     = "${var.description}"
+    Environment     = "${var.environment}"
+  }
+}
\ No newline at end of file
diff --git a/apps/lambda_function_sns_shared_vpc/main.tf b/apps/lambda_function_sns_shared_vpc/main.tf
new file mode 100644
index 00000000..10e9b109
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/main.tf
@@ -0,0 +1,10 @@
+provider "aws" {
+}
+
+module "aws_shared_data" {
+  source = "../../data_providers/shared-vpc-data"
+  account_type = "${var.account_type}"
+  providers = {
+    aws = "aws"
+  }
+}
diff --git a/apps/lambda_function_sns_shared_vpc/outputs.tf b/apps/lambda_function_sns_shared_vpc/outputs.tf
new file mode 100644
index 00000000..1fe432b4
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/outputs.tf
@@ -0,0 +1,17 @@
+output "security_group_id" {
+  value = "${aws_security_group.sg_for_app.id}"
+}
+output "lambda_kms_key_id" {
+  value = "${aws_lambda_function.app.*.id}"
+}
+output "lambda_arn" {
+  value = "${aws_lambda_function.app.*.arn}"
+}
+
+output "iam_role_arn" {
+  value = "${aws_iam_role.iam_for_app.*.arn}"
+}
+
+output "lambda_sns_subscription_arn" {
+  value = "${var.lambda_sns_subscription_arn}"
+}
\ No newline at end of file
diff --git a/apps/lambda_function_sns_shared_vpc/sns.tf b/apps/lambda_function_sns_shared_vpc/sns.tf
new file mode 100644
index 00000000..a944be9f
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/sns.tf
@@ -0,0 +1,42 @@
+resource "aws_sns_topic" "lambda_replay_sns" {
+  name = "${var.app_name}-REPLAY"
+}
+
+resource "aws_sns_topic_subscription" "lambda_replay_topic_subscription" {
+  topic_arn = "${aws_sns_topic.lambda_replay_sns.arn}"
+  protocol  = "lambda"
+  endpoint  = "${aws_lambda_function.app.arn}"
+}
+
+resource "aws_lambda_permission" "allow_sns_replay" {
+  statement_id   = "AllowExecutionFromSNSReplay"
+  action         = "lambda:InvokeFunction"
+  function_name  = "${aws_lambda_function.app.function_name}"
+  principal      = "sns.amazonaws.com"  
+  source_arn     = "${aws_sns_topic.lambda_replay_sns.arn}"  
+}
+
+resource "aws_sns_topic_subscription" "lambda_event_topic_subscription" {
+  topic_arn = "${var.lambda_sns_subscription_arn}"
+  protocol  = "lambda"
+  endpoint  = "${aws_lambda_function.app.arn}"
+  filter_policy = "${var.sns_subscription_filters}"
+}
+
+resource "aws_lambda_permission" "allow_sns_event" {
+  statement_id   = "AllowExecutionFromSNSEvent"
+  action         = "lambda:InvokeFunction"
+  function_name  = "${aws_lambda_function.app.function_name}"
+  principal      = "sns.amazonaws.com"  
+  source_arn     = "${var.lambda_sns_subscription_arn}"
+}
+
+resource "aws_sns_topic" "lambda_error_sns" {
+  name = "${var.app_name}-ERROR"
+}
+
+resource "aws_sns_topic_subscription" "lambda_error_topic_sqs_subscription" {
+  topic_arn = "${aws_sns_topic.lambda_error_sns.arn}"
+  protocol  = "sqs"
+  endpoint  = "${aws_sqs_queue.lambda_error_queue.arn}"
+}
diff --git a/apps/lambda_function_sns_shared_vpc/sqs.tf b/apps/lambda_function_sns_shared_vpc/sqs.tf
new file mode 100644
index 00000000..0d1cb8f6
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/sqs.tf
@@ -0,0 +1,31 @@
+resource "aws_sqs_queue" "lambda_error_queue" {
+  name                      = "${var.app_name}-ERROR"
+  message_retention_seconds = 1209600
+  tags = "${local.tags}"
+}
+
+
+resource "aws_sqs_queue_policy" "lambda_error_queue_policy" {
+  queue_url = "${aws_sqs_queue.lambda_error_queue.id}"
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "sqspolicy",
+  "Statement": [
+    {
+      "Sid": "First",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "sqs:SendMessage",
+      "Resource": "${aws_sqs_queue.lambda_error_queue.arn}",
+      "Condition": {
+        "ArnEquals": {
+          "aws:SourceArn": "${aws_sns_topic.lambda_error_sns.arn}"
+        }
+      }
+    }
+  ]
+}
+POLICY
+}
\ No newline at end of file
diff --git a/apps/lambda_function_sns_shared_vpc/variables.tf b/apps/lambda_function_sns_shared_vpc/variables.tf
new file mode 100644
index 00000000..50c73931
--- /dev/null
+++ b/apps/lambda_function_sns_shared_vpc/variables.tf
@@ -0,0 +1,78 @@
+variable "region" {
+  default = "eu-west-1"
+}
+
+variable "account_type" {
+}
+
+variable "tags_business_unit" {
+  default = "Albumprinter"
+}
+variable "tags_cost_center" {}
+variable "tags_team" {}
+variable "tags_domain" {}
+variable "tags_purpose" {
+  default = ""
+}
+variable "description" {}
+variable "app_name" {}
+variable "runtime" {
+  default = "nodejs4.3"
+}
+variable "handler" {}
+variable "environment" {}
+variable "variables" {
+  type = "map"
+  default = {
+    env = ""
+  }
+}
+variable "lambda_bucket_name" {
+  default = ""
+}
+variable "memory_size" {
+  default = "128"
+}
+variable "timeout" {
+  default = "3"
+}
+variable "enabled" {
+  default = 1
+}
+variable "private" {
+  default = false
+}
+variable "vpc_enabled" {
+  default = true
+}
+variable "response_template" {
+  type = "map"
+
+  default = {
+    "application/json" = ""
+  }
+}
+variable "iam_policy_document" {
+  default = ""
+}
+variable "lambda_sns_subscription_arn" {
+  default = ""
+}
+variable "lambda_memory_alert_threshold" {
+  default = "120"
+}
+variable "alarm_action_arn" {
+  default = ""
+}
+variable "retention_days" {
+  default = "30"
+}
+variable "reserved_concurrent_executions" {
+  default = -1
+}
+variable "sns_subscription_filters" {
+  default = ""
+}
+variable "enable_cloudwatch_alarms" {
+  default = "1"
+}
\ No newline at end of file