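locals {
  # Env variables for bootstrap only; true secrets should be in vault.
  #
  # NOTE(review): VERIFY_PORTAL_SSL = "0" together with the PYTHONWARNINGS
  # filter turns TLS certificate verification for the portal client off and
  # hides the warning that would otherwise show it. Even though the traffic
  # stays behind the proxy inside the VPC, anyone on that path could stand in
  # for the portal. Pointing the client at the internal CA bundle instead
  # (REQUESTS_CA_BUNDLE if the lambda uses requests — confirm in code.zip)
  # keeps verification on; not changed here because the lambda code is not
  # in this file.
  environment_vars = {
    "HTTP_PROXY"        = "http://${var.proxy}"
    "HTTPS_PROXY"       = "http://${var.proxy}"
    "NO_PROXY"          = "${var.dns_info["legacy_private"]["zone"]},${var.dns_info["private"]["zone"]}"
    "VAULT_HOST"        = "vault.${var.dns_info["private"]["zone"]}"
    "VAULT_PATH"        = "portal/data/lambda_sync_env"
    "VERIFY_PORTAL_SSL" = "0"
    "PYTHONWARNINGS"    = "ignore:Unverified HTTPS request"
    "SQS_URL"           = "https://sqs.${var.aws_region}.amazonaws.com/${var.aws_account_id}/portal-scheduler.fifo"
  }
}

####
#
# Security Group
#
####

# Pre-existing baseline SG for hosts in this VPC, looked up by name and
# attached to both lambdas alongside the dedicated SG below. Its rules are
# not visible here; if it already allows broad egress, the narrower rules
# below do not restrict anything — check it before relying on them.
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

# Dedicated SG for the sync lambdas. Rules are kept as separate
# aws_security_group_rule resources so they can be changed individually.
resource "aws_security_group" "portal_lambda_splunk_sg" {
  vpc_id      = var.vpc_id
  name        = "portal-data-sync-lambda-splunk-sg"
  description = "Allow Lambda network access"
}

# Splunk management port (8089) to the whole 10/8 range.
# NOTE(review): this is far wider than the search-head addresses the lambda
# talks to; limiting it to the SH CIDRs (for example an entry in
# var.cidr_map, as the 443 rule does) reduces what a compromised lambda can
# reach. Confirm the SH addresses before narrowing.
resource "aws_security_group_rule" "portal_lambda_splunk_out" {
  type              = "egress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "All Splunk SH"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
}

# HTTPS to the private-services CIDRs (Phantom and other server APIs).
resource "aws_security_group_rule" "portal_lambda_phantom_out" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-private-services"]
  description       = "Allow Lambda to connect to all server APIs in private-services"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
}

# Inbound 8089 from members of this same SG.
# NOTE(review): Lambda ENIs do not accept inbound connections, so this rule
# grants nothing in practice; it looks carried over from a host template.
# Kept to avoid a plan diff — consider removing it once confirmed unused.
resource "aws_security_group_rule" "portal_lambda_splunk_in" {
  type              = "ingress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  description       = "Moose SH"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
  self              = true
}

# Scheduler: enqueues sync jobs onto the FIFO queue named in SQS_URL.
# Both lambdas share aws_iam_role.portal_lambda_role (defined elsewhere);
# that role therefore carries the union of both functions' permissions —
# a per-function role would be least privilege. Not changed here because
# the role is not in this file.
resource "aws_lambda_function" "portal_scheduler" {
  description = "Used to schedule Portal sync jobs"
  filename    = "code.zip"
  # Only the initial upload comes from terraform; see lifecycle below.
  source_code_hash = filebase64sha256("code.zip")
  function_name    = "portal_scheduler"
  role             = aws_iam_role.portal_lambda_role.arn
  handler          = "lambda_function.scheduler"
  # NOTE(review): python3.8 has reached end of support in Lambda; plan an
  # upgrade after checking the dependencies bundled in code.zip against the
  # newer runtime. Left as-is so this change stays behavior-neutral.
  runtime = "python3.8"
  # Numeric attributes were quoted strings (0.11-era style); plain numbers
  # are the same value to the provider and read as intended.
  timeout = 180

  vpc_config {
    subnet_ids         = var.subnets
    security_group_ids = [data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id]
  }

  environment {
    # customer_vars first so local.environment_vars wins on duplicate keys.
    variables = merge(var.customer_vars, local.environment_vars)
  }

  tags = merge(var.standard_tags, var.tags)

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform. Installing
    # new versions of a lambda should not be a terraform-ish action we don't think.
    # Consequence: terraform will not report code drift for this function;
    # out-of-band deployments are the only record of what is running.
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }
}

# No async retries for the scheduler: a failed scheduling run is not
# re-executed by Lambda (applies to asynchronous invocations, e.g. from
# a schedule/EventBridge rule — the trigger is not in this file).
resource "aws_lambda_function_event_invoke_config" "portal_scheduler" {
  function_name          = aws_lambda_function.portal_scheduler.function_name
  maximum_retry_attempts = 0
}

# Worker: consumes one job at a time from the SQS queue and syncs
# Splunk <-> Portal data.
resource "aws_lambda_function" "portal_customer_sync" {
  description      = "Sync data between Splunk and Portal"
  filename         = "code.zip"
  source_code_hash = filebase64sha256("code.zip")
  function_name    = "portal_customer_sync"
  role             = aws_iam_role.portal_lambda_role.arn
  handler          = "lambda_function.handler"
  # NOTE(review): same runtime end-of-support remark as portal_scheduler.
  runtime     = "python3.8"
  timeout     = 900
  memory_size = 1024

  vpc_config {
    subnet_ids         = var.subnets
    security_group_ids = [data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id]
  }

  environment {
    variables = merge(var.customer_vars, local.environment_vars)
  }

  tags = merge(var.standard_tags, var.tags)

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform. Installing
    # new versions of a lambda should not be a terraform-ish action we don't think.
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }
}

# NOTE(review): this only governs asynchronous invocations. The SQS event
# source mapping below invokes the function synchronously, so retries for
# queue-driven runs are controlled by the queue's visibility timeout and
# redrive policy (on aws_sqs_queue.sqs_queue, defined elsewhere), not by
# this setting. Kept because it is harmless for any direct async invokes.
resource "aws_lambda_function_event_invoke_config" "portal_customer_sync" {
  function_name          = aws_lambda_function.portal_customer_sync.function_name
  maximum_retry_attempts = 0
}

# One message per invocation: a failing job does not block its neighbours
# in the batch. With a 900 s function timeout the queue's visibility
# timeout must be at least that long (AWS recommends 6x) or messages will
# be redelivered while still being processed — verify on the queue
# definition.
resource "aws_lambda_event_source_mapping" "portal_customer_sync" {
  event_source_arn = aws_sqs_queue.sqs_queue.arn
  function_name    = aws_lambda_function.portal_customer_sync.arn
  batch_size       = 1
}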