
Commit 2a456b7

committed
create lambda with aws
1 parent c9aa7e9 commit 2a456b7


5 files changed

+294
-0
lines changed


terraform/envs/prod/.terraform.lock.hcl

Lines changed: 23 additions & 0 deletions

terraform/envs/qa/.terraform.lock.hcl

Lines changed: 23 additions & 0 deletions

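--- a/terraform/envs/qa/main.tf
+++ b/terraform/envs/qa/main.tf
@@ -45,6 +45,23 @@ module "dynamo" {
 ProjectId = var.ProjectId
 }
 
+resource "random_string" "origin_verify_key" {
+length = 16
+special = false
+keepers = {
+force_recreation = uuid()
+}
+}
+
+module "lambdas" {
+source = "../../modules/lambdas"
+ProjectId = var.ProjectId
+RunEnvironment = "dev"
+EntraRoleArn = "arn:aws:iam::427040638965:role/infra-core-api-AppSecurityRoles--EntraLambdaIAMRole-b3CFiiF0S5pN"
+LinkryKvArn = "arn:aws:cloudfront::427040638965:key-value-store/0c2c02fd-7c47-4029-975d-bc5d0376bba1"
+OriginVerifyKey = random_string.origin_verify_key.result
+LogRetentionDays = 30
+}
 
 // This section last: moved records into modules
 moved {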
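Review bot: `random_string.origin_verify_key` produces the shared secret that becomes the `OriginVerifyKey` input of the `lambdas` module, but `random_string` does not mark its `result` as sensitive, so the key is shown in clear in plan and apply output; `random_password` accepts the same `length`, `special` and `keepers` arguments and marks `result` sensitive, so the change is `resource "random_password" "origin_verify_key" {` plus `OriginVerifyKey = random_password.origin_verify_key.result`. Also, the `force_recreation = uuid()` keeper evaluates to a fresh value on every plan, so the key is regenerated, and the Lambda environment redeployed, on every apply; if that rotation is intended it deserves a comment such as `# uuid() keeper: a new origin key is generated on every apply`. The `moved {` block at the end of the hunk continues outside it.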

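--- a/terraform/modules/lambdas/main.tf
+++ b/terraform/modules/lambdas/main.tf
@@ -0,0 +1,201 @@
+data "archive_file" "api_lambda_code" {
+type = "zip"
+source_dir = "${path.module}/../../../dist/lambda"
+output_path = "${path.module}/../../../dist/terraform/api.zip"
+}
+
+locals {
+core_api_lambda_name = "${var.ProjectId}-tf-lambda"
+}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+resource "aws_cloudwatch_log_group" "api_logs" {
+name = "/aws/lambda/${local.core_api_lambda_name}"
+retention_in_days = var.LogRetentionDays
+}
+
+resource "aws_iam_role" "api_role" {
+name = "${local.core_api_lambda_name}-role"
+assume_role_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Sid = ""
+Principal = {
+Service = "lambda.amazonaws.com"
+}
+Condition = {
+StringEquals = {
+"aws:SourceArn" = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${local.core_api_lambda_name}"
+}
+}
+},
+]
+})
+}
+
+resource "aws_iam_policy" "shared_iam_policy" {
+name = "${var.ProjectId}-lambda-shared-policy"
+policy = jsonencode(({
+Version = "2012-10-17"
+Statement = [
+{
+Action = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
+Effect = "Allow",
+Resource = [aws_cloudwatch_log_group.api_logs.arn]
+},
+{
+Action = ["secretsmanager:GetSecretValue"],
+Effect = "Allow",
+Resource = [
+"arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:infra-core-api-config*",
+"arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:infra-core-api-testing-credentials*"
+]
+},
+{
+Action = ["dynamodb:DescribeLimits"],
+Effect = "Allow",
+Resource = ["*"]
+},
+{
+Sid = "DynamoDBTableAccess"
+Action = [
+"dynamodb:BatchGetItem",
+"dynamodb:BatchWriteItem",
+"dynamodb:ConditionCheckItem",
+"dynamodb:PutItem",
+"dynamodb:DescribeTable",
+"dynamodb:DeleteItem",
+"dynamodb:GetItem",
+"dynamodb:Scan",
+"dynamodb:Query",
+"dynamodb:UpdateItem"
+],
+Effect = "Allow",
+Resource = [
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-events",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-events/index/*",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-merchstore-purchase-history",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-merchstore-purchase-history/index/*",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-events-tickets",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-events-ticketing-metadata",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-merchstore-metadata",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-iam-userroles",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-iam-grouproles",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-iam-stripe-links",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-iam-stripe-links/index/*",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-membership-provisioning",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-membership-provisioning/index/*",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-membership-external-v3",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-membership-external-v3/index/*",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-room-requests",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-room-requests/index/*",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-room-requests-status",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-room-requests-status/index/*",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-linkry",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-keys",
+
+]
+},
+{
+Sid = "DynamoDBCacheAccess",
+Effect = "Allow",
+Action = [
+"dynamodb:ConditionCheckItem",
+"dynamodb:PutItem",
+"dynamodb:DescribeTable",
+"dynamodb:DeleteItem",
+"dynamodb:GetItem",
+"dynamodb:Query",
+"dynamodb:UpdateItem"
+],
+Resource = [
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-cache",
+]
+},
+{
+Sid = "DynamoDBAuditLogAccess",
+Effect = "Allow",
+Action = [
+"dynamodb:PutItem",
+"dynamodb:DescribeTable",
+"dynamodb:Query",
+],
+Resource = [
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-audit-log",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-audit-log/index/*",
+]
+},
+{
+Sid = "DynamoDBStreamAccess",
+Effect = "Allow",
+Action = [
+"dynamodb:GetShardIterator",
+"dynamodb:DescribeStream",
+"dynamodb:GetRecords",
+"dynamodb:ListStreams"
+],
+Resource = [
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-stripe-links/stream/*",
+"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/infra-core-api-events/stream/*",
+]
+},
+{
+Sid = "LinkryKvAccess",
+Effect = "Allow",
+Action = [
+"cloudfront-keyvaluestore:*"
+],
+Resource = [var.LinkryKvArn]
+}
+]
+}))
+
+}
+
+resource "aws_iam_role_policy_attachment" "api_attach_shared" {
+role = aws_iam_role.api_role.name
+policy_arn = aws_iam_policy.shared_iam_policy.arn
+}
+
+resource "aws_lambda_function" "api_lambda" {
+depends_on = [aws_cloudwatch_log_group.api_logs]
+function_name = local.core_api_lambda_name
+role = aws_iam_role.api_role.arn
+architectures = ["arm64"]
+handler = "lambda.handler"
+runtime = "nodejs22.x"
+filename = data.archive_file.api_lambda_code.output_path
+timeout = 60
+memory_size = 2048
+source_code_hash = data.archive_file.api_lambda_code.output_sha256
+environment {
+variables = {
+"RunEnvironment" = var.RunEnvironment
+"AWS_CRT_NODEJS_BINARY_RELATIVE_PATH" = "node_modules/aws-crt/dist/bin/linux-arm64-glibc/aws-crt-nodejs.node"
+ORIGIN_VERIFY_KEY = var.OriginVerifyKey
+EntraRoleArn = var.EntraRoleArn
+LinkryKvArn = var.LinkryKvArn
+"NODE_OPTIONS" = "--enable-source-maps"
+}
+}
+}
+
+resource "aws_lambda_alias" "warmer_function_alias" {
+name = "live"
+description = "Live environment alias"
+function_name = aws_lambda_function.api_lambda.arn
+function_version = aws_lambda_function.api_lambda.version
+}
+
+resource "aws_lambda_function_url" "api_lambda_function_url" {
+function_name = aws_lambda_function.api_lambda.function_name
+authorization_type = "NONE"
+}
+
+output "core_function_url" {
+value = aws_lambda_function_url.api_lambda_function_url.function_url
+}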
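Review bot: `authorization_type = "NONE"` on `aws_lambda_function_url.api_lambda_function_url` makes the URL invocable without any AWS-side authentication, so the only control between the internet and the handler is whatever check the application performs on the `ORIGIN_VERIFY_KEY` environment value, and that check is not part of this module. That dependency should be stated next to the resource, e.g. `# Public URL by design: CloudFront is expected to front it, and the handler must reject requests whose origin-verify header does not match ORIGIN_VERIFY_KEY.`; if the fronting distribution can sign origin requests, `AWS_IAM` would enforce this at the AWS layer instead. Separately, the `DynamoDBStreamAccess` statement names `table/infra-core-api-stripe-links/stream/*` while the table statement grants `table/infra-core-api-iam-stripe-links`, so one of the two names looks like a typo and the stream grant may point at a table that does not exist.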
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
variable "ProjectId" {
2+
type = string
3+
description = "Prefix before each resource"
4+
}
5+
6+
variable "EntraRoleArn" {
7+
type = string
8+
}
9+
10+
11+
variable "LinkryKvArn" {
12+
type = string
13+
}
14+
15+
16+
variable "RunEnvironment" {
17+
type = string
18+
validation {
19+
condition = var.RunEnvironment == "dev" || var.RunEnvironment == "prod"
20+
error_message = "The lambda run environment must be dev or prod."
21+
}
22+
}
23+
24+
variable "OriginVerifyKey" {
25+
type = string
26+
}
27+
28+
variable "LogRetentionDays" {
29+
type = number
30+
}
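Review bot: `variable "OriginVerifyKey"` carries the shared secret that ends up in the Lambda's `ORIGIN_VERIFY_KEY` environment variable, yet it is not marked sensitive, so any caller's plan output prints it in clear; add `sensitive = true` inside that block. Every variable except `ProjectId` also lacks a `description`, which is the only interface documentation a module consumer sees; one line each is enough, for example `description = "ARN exposed to the function as the EntraRoleArn environment variable"` for `EntraRoleArn` and `description = "CloudWatch log retention for the function's log group, in days"` for `LogRetentionDays`. The file path for this section is not shown on the page, though the content appears to be the module's variable declarations.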
