feat: Allow Lambda function to be VPC bound (#122)

antonbabenko · web-flow · commit 6d550b6527c3 · 2020-12-18T13:27:38.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -2,5 +2,6 @@
 terraform.tfstate
 *.tfstate*
 terraform.tfvars
+.terraform.lock.hcl
 
 builds/
diff --git a/README.md b/README.md
@@ -109,7 +109,11 @@ To run the tests:
 | kms\_key\_arn | ARN of the KMS key used for decrypting slack webhook url | `string` | `""` | no |
 | lambda\_description | The description of the Lambda function | `string` | `null` | no |
 | lambda\_function\_name | The name of the Lambda function to create | `string` | `"notify_slack"` | no |
+| lambda\_function\_s3\_bucket | S3 bucket to store artifacts | `string` | `null` | no |
+| lambda\_function\_store\_on\_s3 | Whether to store produced artifacts on S3 or locally. | `bool` | `false` | no |
 | lambda\_function\_tags | Additional tags for the Lambda function | `map(string)` | `{}` | no |
+| lambda\_function\_vpc\_security\_group\_ids | List of security group ids when Lambda Function should run in the VPC. | `list(string)` | `null` | no |
+| lambda\_function\_vpc\_subnet\_ids | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets. | `list(string)` | `null` | no |
 | lambda\_role | IAM role attached to the Lambda Function.  If this is set then a role will not be created for you. | `string` | `""` | no |
 | log\_events | Boolean flag to enabled/disable logging of incoming events | `bool` | `false` | no |
 | reserved\_concurrent\_executions | The amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations | `number` | `-1` | no |
diff --git a/examples/cloudwatch-alerts-to-slack/README.md b/examples/cloudwatch-alerts-to-slack/README.md
@@ -1,6 +1,6 @@
 # CloudWatch alerts to Slack
 
-Configuration in this directory creates an SNS topic that sends messages to a Slack channel with Slack webhook URL encrypted using KMS and a CloudWatch Alarm that monitors the duration of lambda execution.
+Configuration in this directory creates a VPC, an SNS topic that sends messages to a Slack channel with Slack webhook URL encrypted using KMS and a CloudWatch Alarm that monitors the duration of lambda execution.
 
 ## KMS keys
 
@@ -62,12 +62,14 @@ Note that this example may create resources which can cost money. Run `terraform
 |------|---------|
 | terraform | >= 0.13.0 |
 | aws | >= 2.35 |
+| random | >= 2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | aws | >= 2.35 |
+| random | >= 2 |
 
 ## Inputs
 
diff --git a/examples/cloudwatch-alerts-to-slack/main.tf b/examples/cloudwatch-alerts-to-slack/main.tf
@@ -35,6 +35,10 @@ module "notify_slack" {
   lambda_description = "Lambda function which sends notifications to Slack"
   log_events         = true
 
+  # VPC
+  #  lambda_function_vpc_subnet_ids = module.vpc.intra_subnets
+  #  lambda_function_vpc_security_group_ids = [module.vpc.default_security_group_id]
+
   tags = {
     Name = "cloudwatch-alerts-to-slack"
   }
@@ -57,3 +61,20 @@ resource "aws_cloudwatch_metric_alarm" "lambda_duration" {
     FunctionName = module.notify_slack["develop"].notify_slack_lambda_function_name
   }
 }
+
+######
+# VPC
+######
+resource "random_pet" "this" {
+  length = 2
+}
+
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  name = random_pet.this.id
+  cidr = "10.10.0.0/16"
+
+  azs           = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  intra_subnets = ["10.10.101.0/24", "10.10.102.0/24", "10.10.103.0/24"]
+}
diff --git a/examples/cloudwatch-alerts-to-slack/versions.tf b/examples/cloudwatch-alerts-to-slack/versions.tf
@@ -2,6 +2,7 @@ terraform {
   required_version = ">= 0.13.0"
 
   required_providers {
-    aws = ">= 2.35"
+    aws    = ">= 2.35"
+    random = ">= 2"
   }
 }
diff --git a/main.tf b/main.tf
@@ -106,6 +106,7 @@ module "lambda" {
   policy_json                   = element(concat(data.aws_iam_policy_document.lambda[*].json, [""]), 0)
 
   use_existing_cloudwatch_log_group = true
+  attach_network_policy             = var.lambda_function_vpc_subnet_ids != null
 
   allowed_triggers = {
     AllowExecutionFromSNS = {
@@ -114,6 +115,12 @@ module "lambda" {
     }
   }
 
+  store_on_s3 = var.lambda_function_store_on_s3
+  s3_bucket   = var.lambda_function_s3_bucket
+
+  vpc_subnet_ids         = var.lambda_function_vpc_subnet_ids
+  vpc_security_group_ids = var.lambda_function_vpc_security_group_ids
+
   tags = merge(var.tags, var.lambda_function_tags)
 
   depends_on = [aws_cloudwatch_log_group.lambda]
diff --git a/variables.tf b/variables.tf
@@ -120,6 +120,30 @@ variable "lambda_function_tags" {
   default     = {}
 }
 
+variable "lambda_function_vpc_subnet_ids" {
+  description = "List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets."
+  type        = list(string)
+  default     = null
+}
+
+variable "lambda_function_vpc_security_group_ids" {
+  description = "List of security group ids when Lambda Function should run in the VPC."
+  type        = list(string)
+  default     = null
+}
+
+variable "lambda_function_store_on_s3" {
+  description = "Whether to store produced artifacts on S3 or locally."
+  type        = bool
+  default     = false
+}
+
+variable "lambda_function_s3_bucket" {
+  description = "S3 bucket to store artifacts"
+  type        = string
+  default     = null
+}
+
 variable "sns_topic_tags" {
   description = "Additional tags for the SNS topic"
   type        = map(string)

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ terraform {`
`2`	`2`	`required_version = ">= 0.13.0"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`		`- aws = ">= 2.35"`
	`5`	`+ aws = ">= 2.35"`
	`6`	`+ random = ">= 2"`
`6`	`7`	`}`
`7`	`8`	`}`