1- // TODO: maybe move to single repo using github pages
21module "acs" {
3- source = " github.com/byu-oit/terraform-aws-acs-info.git?ref=v1.1.0"
4- env = var. env
2+ source = " github.com/byu-oit/terraform-aws-acs-info.git?ref=v2.1.0"
53 vpc_vpn_to_campus = true
64}
75
6+ resource "aws_cloudwatch_log_group" "logs" {
7+ name = " /aws/lambda/${ aws_lambda_function . lambda . function_name } "
8+ retention_in_days = 14
9+ }
10+
11+ resource "aws_iam_role" "iam_for_lambda" {
12+ name = " ${ var . app-name } -lambda"
13+ permissions_boundary = " arn:aws:iam::${ var . account-id } :policy/iamRolePermissionBoundary"
14+ assume_role_policy = << EOF
15+ {
16+ "Version": "2012-10-17",
17+ "Statement": [
18+ {
19+ "Action": "sts:AssumeRole",
20+ "Principal": {
21+ "Service": "lambda.amazonaws.com"
22+ },
23+ "Effect": "Allow",
24+ "Sid": ""
25+ }
26+ ]
27+ }
28+ EOF
29+ }
30+
31+ resource aws_iam_policy "ec2-network-interface-policy" {
32+ name = " ${ var . app-name } -ec2"
33+ description = " A policy to allow create, describe, and delete network interfaces"
34+
35+ policy = << EOF
36+ {
37+ "Version": "2012-10-17",
38+ "Statement": [
39+ {
40+ "Effect": "Allow",
41+ "Action": [
42+ "ec2:CreateNetworkInterface",
43+ "ec2:DescribeNetworkInterfaces",
44+ "ec2:DeleteNetworkInterface"
45+ ],
46+ "Resource": "*"
47+ }
48+ ]
49+ }
50+ EOF
51+ }
52+
53+ resource "aws_iam_role_policy_attachment" "ec2-network-interface-policy-attachment" {
54+ role = aws_iam_role. iam_for_lambda . name
55+ policy_arn = aws_iam_policy. ec2-network-interface-policy . arn
56+ }
57+
58+ resource "aws_iam_policy" "lambda_logging" {
59+ name = " ${ var . app-name } -lambda-logging"
60+ description = " IAM policy for logging from a lambda"
61+
62+ policy = << EOF
63+ {
64+ "Version": "2012-10-17",
65+ "Statement": [
66+ {
67+ "Action": [
68+ "logs:CreateLogGroup",
69+ "logs:CreateLogStream",
70+ "logs:PutLogEvents"
71+ ],
72+ "Resource": "arn:aws:logs:*:*:*",
73+ "Effect": "Allow"
74+ }
75+ ]
76+ }
77+ EOF
78+ }
79+
80+ resource "aws_iam_role_policy_attachment" "lambda_logs" {
81+ role = aws_iam_role. iam_for_lambda . name
82+ policy_arn = aws_iam_policy. lambda_logging . arn
83+ }
84+
885resource "aws_api_gateway_rest_api" "api" {
986 name = " ${ var . app-name } -api"
1087}
@@ -33,29 +110,29 @@ resource "aws_api_gateway_integration" "root_method_integration" {
33110 rest_api_id = aws_api_gateway_rest_api. api . id
34111 resource_id = aws_api_gateway_rest_api. api . root_resource_id
35112 http_method = var. root-resource-method
36- integration_http_method = var . root-resource-method
113+ integration_http_method = " POST "
37114 type = " AWS_PROXY"
38115 uri = aws_lambda_function. lambda . invoke_arn
39116}
40117
41118resource "aws_api_gateway_resource" "resource" {
42- count = length (var. method-paths )
43- path_part = var. method-paths [count . index ]
119+ count = length (var. methods )
120+ path_part = var. methods [count . index ]. path
44121 parent_id = aws_api_gateway_rest_api. api . root_resource_id
45122 rest_api_id = aws_api_gateway_rest_api. api . id
46123}
47124
48125resource "aws_api_gateway_method" "method" {
49- count = length (var. method-paths )
126+ count = length (var. methods )
50127 rest_api_id = aws_api_gateway_rest_api. api . id
51128 resource_id = aws_api_gateway_resource. resource [count . index ]. id
52- http_method = var. method-types [count . index ]
129+ http_method = var. methods [count . index ]. type
53130 authorization = var. resource-authorization
54131 request_parameters = var. resource-request-params
55132}
56133
57134resource "aws_api_gateway_integration" "integration" {
58- count = length (var. method-paths )
135+ count = length (var. methods )
59136 rest_api_id = aws_api_gateway_rest_api. api . id
60137 resource_id = aws_api_gateway_resource. resource [count . index ]. id
61138 http_method = aws_api_gateway_method. method [count . index ]. http_method
@@ -69,8 +146,8 @@ resource "aws_lambda_permission" "apigw_lambda" {
69146 action = " lambda:InvokeFunction"
70147 function_name = aws_lambda_function. lambda . function_name
71148 principal = " apigateway.amazonaws.com"
72-
73149 source_arn = aws_api_gateway_rest_api. api . execution_arn
150+ depends_on = [aws_iam_role_policy_attachment . lambda_logs , aws_cloudwatch_log_group . logs ]
74151}
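Review bot: The added `depends_on` on `aws_lambda_permission.apigw_lambda` only orders the permission after `aws_iam_role_policy_attachment.lambda_logs` and `aws_cloudwatch_log_group.logs`; nothing orders `aws_lambda_function.lambda` after them, so the function can be created and invoked before the log group exists, and since the role is granted `logs:CreateLogGroup`, Lambda then creates the group itself with no retention and the Terraform log-group resource fails on the name conflict. The provider's documented pattern puts `depends_on = [aws_iam_role_policy_attachment.lambda_logs, aws_cloudwatch_log_group.logs]` on the function resource, which here would be a cycle because the log group's `name` is built from `aws_lambda_function.lambda.function_name`. Deriving the group name from the same input the function name uses (presumably `var.app-name`; the function's definition is outside this hunk, so confirm) breaks that cycle and lets the `depends_on` move to the function. Once Terraform owns the group, `logs:CreateLogGroup` can be dropped from `aws_iam_policy.lambda_logging` and its `Resource` narrowed to `"${aws_cloudwatch_log_group.logs.arn}:*"` instead of `arn:aws:logs:*:*:*`.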
75152
76153resource "aws_api_gateway_domain_name" "api_domain" {
@@ -100,53 +177,6 @@ resource "aws_route53_record" "a_record" {
100177 }
101178}
102179
103- resource "aws_iam_role" "iam_for_lambda" {
104- name = " ${ var . app-name } -lambda"
105- permissions_boundary = " arn:aws:iam::${ var . account-id } :policy/iamRolePermissionBoundary"
106- assume_role_policy = << EOF
107- {
108- "Version": "2012-10-17",
109- "Statement": [
110- {
111- "Action": "sts:AssumeRole",
112- "Principal": {
113- "Service": "lambda.amazonaws.com"
114- },
115- "Effect": "Allow",
116- "Sid": ""
117- }
118- ]
119- }
120- EOF
121- }
122-
123- resource aws_iam_policy "ec2-network-interface-policy" {
124- name = " ${ var . app-name } -ec2"
125- description = " A policy to allow create, describe, and delete network interfaces"
126-
127- policy = << EOF
128- {
129- "Version": "2012-10-17",
130- "Statement": [
131- {
132- "Effect": "Allow",
133- "Action": [
134- "ec2:CreateNetworkInterface",
135- "ec2:DescribeNetworkInterfaces",
136- "ec2:DeleteNetworkInterface"
137- ],
138- "Resource": "*"
139- }
140- ]
141- }
142- EOF
143- }
144-
145- resource "aws_iam_role_policy_attachment" "ec2-network-interface-policy-attachment" {
146- role = aws_iam_role. iam_for_lambda . name
147- policy_arn = aws_iam_policy. ec2-network-interface-policy . arn
148- }
149-
150180resource "aws_security_group" "vpc_sec" {
151181 name = " ${ var . app-name } -sg"
152182 description = " ${ var . app-name } -sg"
@@ -183,8 +213,9 @@ resource aws_lambda_function "lambda" {
183213 runtime = var. runtime
184214 timeout = var. timeout
185215 vpc_config {
186- security_group_ids = [
187- aws_security_group . vpc_sec . id ]
216+ security_group_ids = concat ([
217+ aws_security_group . vpc_sec . id ,
218+ ], var. lambda-security-group-ids )
188219 subnet_ids = module. acs . private_subnet_ids
189220 }
190221 environment {