Merge pull request #8 from byu-oit/vpc-optional

Vpc optional

Author: joshgubler

README.md

@@ -26,7 +26,7 @@ Also Note: CodePipeline and CodeDeploy cannot be used together to deploy a Lambd
 ## Usage
 ```hcl
 module "lambda_api" {
-  source                        = "github.com/byu-oit/terraform-aws-lambda-api?ref=v1.0.1"
+  source                        = "github.com/byu-oit/terraform-aws-lambda-api?ref=v1.1.0"
   app_name                      = "my-lambda"
   env                           = "dev"
   codedeploy_service_role_arn   = module.acs.power_builder_role.arn
@@ -37,13 +37,17 @@ module "lambda_api" {
   https_certificate_arn         = module.acs.certificate.arn
   vpc_id                        = module.acs.vpc.id
   public_subnet_ids             = module.acs.public_subnet_ids
-  private_subnet_ids            = module.acs.private_subnet_ids
   role_permissions_boundary_arn = module.acs.role_permissions_boundary.arn
   codedeploy_test_listener_port = 4443
   use_codedeploy                = true
   timeout                       = 3
   memory_size                   = 128
 
+  lambda_vpc_config = {
+    subnet_ids         = module.acs.private_subnet_ids
+    security_group_ids = ["sg-3asdfadsfasdfas"]
+  }
+
   codedeploy_lifecycle_hooks = {
     BeforeAllowTraffic = aws_lambda_function.test_lambda.function_name
     AfterAllowTraffic  = null
@@ -81,23 +85,29 @@ module "lambda_api" {
 | lambda_zip_file | string | File that contains your compiled or zipped source code. |
 | handler | string | Lambda event handler |
 | runtime | string | Lambda runtime |
+| lambda_vpc_config | [object](#lambda_vpc_config) | Lambda VPC object. Used if lambda requires to run inside a VPC | null
 | environment_variables | map(string) | A map that defines environment variables for the Lambda function. |
 | hosted_zone | [object](#hosted_zone) | Hosted Zone object to redirect to ALB. (Can pass in the aws_hosted_zone object). A and AAAA records created in this hosted zone. |
 | https_certificate_arn | string | ARN of the HTTPS certificate of the hosted zone/domain. |
 | codedeploy_lifecycle_hooks | [object](#codedeploy_lifecycle_hooks) | Define Lambda Functions for CodeDeploy lifecycle event hooks. Or set this variable to null to not have any lifecycle hooks invoked. Defaults to null | null
 | codedeploy_test_listener_port | number | The port for a codedeploy test listener. If provided CodeDeploy will use this port for test traffic on the new replacement set during the blue-green deployment process before shifting production traffic to the replacement set. Defaults to null | null
-| vpc_id | string | VPC ID to deploy ECS fargate service. |
+| vpc_id | string | VPC ID to deploy ALB and Lambda (If specified). |
 | public_subnet_ids | list(string) | List of subnet IDs for the ALB. |
-| private_subnet_ids | list(string) | List of subnet IDs for the Lambda service. |
 | tags | map(string) | A map of AWS Tags to attach to each resource created | {}
 | role_permissions_boundary_arn | string | IAM Role Permissions Boundary ARN |
 | log_retention_in_days | number | CloudWatch log group retention in days. Defaults to 7. | 7
-| lambda_policies | list(string) | List of IAM Policy ARNs to attach to the lambda role. | []
-| security_groups | list(string) | List of extra security group IDs to attach to the lambda. | []
+| lambda_policies | list(string) | List of IAM Policy ARNs to attach to the lambda role. | []'
 | use_codedeploy | bool | If true, CodeDeploy App and Deployment Group will be created and TF will not update alias to point to new versions of the Lambda (becuase CodeDeploy will do that). | false
 | timeout | number | How long the lambda will run (in seconds) before timing out | 3 (same as terraform default)
 | memory_size | number | Size of the memory of the lambda. CPU will scale along with it | 128 (same as terraform default)
 
+#### lambda_vpc_config
+
+This variable is used when the lambda needs to be run from within a VPC. 
+
+* **`subnet_ids`** - List of subnet IDs for the Lambda service. 
+* **`security_group_ids`** - List of extra security group IDs to attach to the lambda.
+
 #### codedeploy_lifecycle_hooks
 
 This variable is used when generating the [appspec.json](#appspec) file. This will define what Lambda Functions to invoke 

examples/no-codedeploy/example.tf

@@ -9,7 +9,7 @@ module "acs" {
 
 module "lambda_api" {
   # source                        = "../../"
-  source                        = "github.com/byu-oit/terraform-aws-lambda-api?ref=v1.0.1"
+  source                        = "github.com/byu-oit/terraform-aws-lambda-api?ref=v1.1.0"
   app_name                      = "my-lambda"
   env                           = "dev"
   lambda_zip_file               = "./src/lambda.zip"
@@ -19,7 +19,6 @@ module "lambda_api" {
   https_certificate_arn         = module.acs.certificate.arn
   vpc_id                        = module.acs.vpc.id
   public_subnet_ids             = module.acs.public_subnet_ids
-  private_subnet_ids            = module.acs.private_subnet_ids
   role_permissions_boundary_arn = module.acs.role_permissions_boundary.arn
 }
 

examples/simple-lambda-in-vpc/example.tf

@@ -0,0 +1,32 @@
+provider "aws" {
+  version = "~> 2.56"
+  region  = "us-west-2"
+}
+
+module "acs" {
+  source = "github.com/byu-oit/terraform-aws-acs-info?ref=v2.1.0"
+}
+
+module "lambda_api" {
+  # source                        = "../../"
+  source                        = "github.com/byu-oit/terraform-aws-lambda-api?ref=v1.1.0"
+  app_name                      = "my-lambda"
+  env                           = "dev"
+  lambda_zip_file               = "./src/lambda.zip"
+  handler                       = "index.handler"
+  runtime                       = "nodejs12.x"
+  hosted_zone                   = module.acs.route53_zone
+  https_certificate_arn         = module.acs.certificate.arn
+  vpc_id                        = module.acs.vpc.id
+  public_subnet_ids             = module.acs.public_subnet_ids
+  role_permissions_boundary_arn = module.acs.role_permissions_boundary.arn
+
+  lambda_vpc_config = {
+    subnet_ids         = module.acs.private_subnet_ids
+    security_group_ids = []
+  }
+}
+
+output "url" {
+  value = module.lambda_api.dns_record.fqdn
+}

examples/simple-lambda-in-vpc/src/index.js

@@ -0,0 +1,42 @@
+exports.handler = async function (event, context) {
+  /*
+  const event = {
+    'requestContext': {
+      'elb': {
+        'targetGroupArn': 'arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-target-group/6d0ecf831eec9f09'
+      }
+    },
+    'httpMethod': 'GET',
+    'path': '/',
+    'queryStringParameters': { some_query: 'blah' },
+    'headers': {
+      'accept': 'text/html,application/xhtml+xml',
+      'accept-language': 'en-US,en;q=0.8',
+      'content-type': 'text/plain',
+      'cookie': 'cookies',
+      'host': 'lambda-846800462-us-east-2.elb.amazonaws.com',
+      'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6)',
+      'x-amzn-trace-id': 'Root=1-5bdb40ca-556d8b0c50dc66f0511bf520',
+      'x-forwarded-for': '72.21.198.66',
+      'x-forwarded-port': '443',
+      'x-forwarded-proto': 'https'
+    },
+    'isBase64Encoded': false,
+    'body': 'request_body' // This is a string - If you want an object, you'll need to parse it
+  }
+  */
+
+  console.log(event)
+  console.log(context)
+
+  return {
+    'isBase64Encoded': false,
+    'statusCode': 200,
+    'statusDescription': '200 OK',
+    'headers': {
+      'Set-cookie': 'cookies',
+      'Content-Type': 'application/json'
+    },
+    'body': '{"message":"Hello, World! ... Yo!"}' // This needs to be a string - If you want to return JSON, you'll need to stringify it
+  }
+}

examples/simple-lambda-in-vpc/src/package-lock.json

@@ -0,0 +1,11 @@
+{
+  "name": "handler",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\""
+  },
+  "author": "",
+  "license": "Apache-2.0"
+}

examples/simple-lambda-in-vpc/src/package.json

@@ -9,7 +9,7 @@ module "acs" {
 
 module "lambda_api" {
   # source                        = "../../"
-  source                        = "github.com/byu-oit/terraform-aws-lambda-api?ref=v1.0.1"
+  source                        = "github.com/byu-oit/terraform-aws-lambda-api?ref=v1.1.0"
   app_name                      = "my-lambda-codedeploy"
   env                           = "dev"
   codedeploy_service_role_arn   = module.acs.power_builder_role.arn
@@ -20,7 +20,6 @@ module "lambda_api" {
   https_certificate_arn         = module.acs.certificate.arn
   vpc_id                        = module.acs.vpc.id
   public_subnet_ids             = module.acs.public_subnet_ids
-  private_subnet_ids            = module.acs.private_subnet_ids
   role_permissions_boundary_arn = module.acs.role_permissions_boundary.arn
   codedeploy_test_listener_port = 4443
   use_codedeploy                = true

examples/simple-lambda-with-deploy-test/example.tf

@@ -224,6 +224,7 @@ resource "aws_iam_role_policy_attachment" "lambda_policy_attach" {
 }
 
 resource "aws_security_group" "lambda_sg" {
+  count       = var.lambda_vpc_config != null ? 1 : 0
   name        = "${local.long_name}-lambda-sg"
   description = "Controls access to the Lambda"
   vpc_id      = var.vpc_id
@@ -257,9 +258,12 @@ resource "aws_lambda_function" "api_lambda" {
     }
   }
 
-  vpc_config {
-    subnet_ids         = var.private_subnet_ids
-    security_group_ids = concat([aws_security_group.lambda_sg.id], var.security_groups)
+  dynamic "vpc_config" {
+    for_each = var.lambda_vpc_config == null ? [] : [var.lambda_vpc_config]
+    content {
+      subnet_ids         = var.lambda_vpc_config.subnet_ids
+      security_group_ids = concat([aws_security_group.lambda_sg[0].id], var.lambda_vpc_config.security_group_ids)
+    }
   }
 }
 

main.tf

@@ -3,7 +3,7 @@ output "lambda" {
 }
 
 output "lambda_security_group" {
-  value = aws_security_group.lambda_sg
+  value = length(aws_security_group.lambda_sg) > 0 ? aws_security_group.lambda_sg[0] : null
 }
 
 output "lambda_live_alias" {

outputs.tf

@@ -35,6 +35,15 @@ variable "environment_variables" {
   default     = null
 }
 
+variable "lambda_vpc_config" {
+  default     = null
+  description = "Provide this to allow your function to access your VPC."
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+}
+
 variable "hosted_zone" {
   type = object({
     name = string,
@@ -71,10 +80,6 @@ variable "public_subnet_ids" {
   type        = list(string)
   description = "List of subnet IDs for the ALB."
 }
-variable "private_subnet_ids" {
-  type        = list(string)
-  description = "List of subnet IDs for the Lambda service."
-}
 
 variable "tags" {
   type        = map(string)
@@ -99,12 +104,6 @@ variable "lambda_policies" {
   default     = []
 }
 
-variable "security_groups" {
-  type        = list(string)
-  description = "List of extra security group IDs to attach to the lambda."
-  default     = []
-}
-
 variable "use_codedeploy" {
   type        = bool
   description = "If true, CodeDeploy App and Deployment Group will be created and TF will not update alias to point to new versions of the Lambda (becuase CodeDeploy will do that)."