| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 |
- data "aws_iam_policy_document" "policy_portal_data_sync_lambda" {
- statement {
- effect = "Allow"
- actions = [
- "ec2:CreateNetworkInterface",
- "logs:CreateLogStream",
- "ec2:DescribeNetworkInterfaces",
- "logs:DescribeLogStreams",
- "ec2:DeleteNetworkInterface",
- "logs:PutRetentionPolicy",
- "logs:CreateLogGroup",
- "logs:PutLogEvents"
- ]
- resources = ["*"]
- }
- }
- resource "aws_iam_policy" "policy_portal_data_sync_lambda" {
- name = "policy_portal_data_sync_lambda"
- path = "/"
- policy = data.aws_iam_policy_document.policy_portal_data_sync_lambda.json
- description = "IAM policy for portal_data_sync_lambda"
- }
- resource "aws_iam_role" "portal-lambda-role" {
- name = "portal-data-sync-lambda-role"
- assume_role_policy = <<EOF
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "",
- "Effect": "Allow",
- "Principal": {
- "Service": [
- "lambda.amazonaws.com"
- ]
- },
- "Action": "sts:AssumeRole"
- }
- ]
- }
- EOF
- }
- resource "aws_iam_role_policy_attachment" "lambda-role" {
- role = aws_iam_role.portal-lambda-role.name
- policy_arn = aws_iam_policy.policy_portal_data_sync_lambda.arn
- }
- ####
- #
- #Security Group
- #
- ####
- data "aws_security_group" "typical-host" {
- name = "typical-host"
- vpc_id = var.vpc_id
- }
- resource "aws_security_group" "portal_lambda_splunk_sg" {
- vpc_id = var.vpc_id
- name = "portal-data-sync-lambda-splunk-sg"
- description = "Allow Lambda access to Moose"
- }
- resource "aws_security_group_rule" "portal_lambda_splunk_out" {
- type = "egress"
- from_port = 8089
- to_port = 8089
- protocol = "tcp"
- cidr_blocks = ["10.0.0.0/8"]
- description = "All Splunk SH"
- security_group_id = aws_security_group.portal_lambda_splunk_sg.id
- }
- resource "aws_security_group_rule" "portal_lambda_splunk_in" {
- type = "ingress"
- from_port = 8089
- to_port = 8089
- protocol = "tcp"
- description = "Moose SH"
- security_group_id = aws_security_group.portal_lambda_splunk_sg.id
- self = "true"
- }
- # Env variables for bootstrap only; true secrets should be in vault
- resource "aws_lambda_function" "portal_data_sync" {
- description = "Sync data between Splunk and Portal"
- filename = "code.zip"
- source_code_hash = filebase64sha256("code.zip")
- function_name = "portal_data_sync"
- role = aws_iam_role.portal-lambda-role.arn
- handler = "lambda_function.lambda_handler"
- runtime = "python3.7"
- timeout = "600"
- vpc_config {
- subnet_ids = var.subnets
- security_group_ids = [ data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id ]
- }
- environment {
- variables = {
- "CUSTOMER_1_NAME" = "AFS"
- "CUSTOMER_2_NAME" = "NGA"
- "CUSTOMER_3_NAME" = "MOOSE"
- "CUSTOMER_5_NAME" = "MA_COVID"
- "CUSTOMER_6_NAME" = "LA_COVID"
- "CUSTOMER_7_NAME" = "DC_COVID"
- "CUSTOMER_8_NAME" = "NIH"
- "CUSTOMER_9_NAME" = "BAS"
- "CUSTOMER_10_NAME" = "FRTIB"
- "CUSTOMER_11_NAME" = "DOED"
- "CUSTOMER_12_NAME" = "CA_COVID"
- "HTTP_PROXY" = "http://${var.proxy}"
- "HTTPS_PROXY" = "http://${var.proxy}"
- "NO_PROXY" = "${var.dns_info["legacy_private"]["zone"]},${var.dns_info["private"]["zone"]}"
- "VAULT_HOST" = "vault.${var.dns_info["private"]["zone"]}"
- "VAULT_PATH" = "portal/data/lambda_sync_env"
- "VERIFY_PORTAL_SSL" = "0"
- }
- }
- tags = merge(var.standard_tags, var.tags)
- lifecycle {
- # Ignoring changes to the code of the function so that we won't
- # overlay changes to the function made outside of terraform. Installing
- # new versions of a lambda should not be a terraform-ish action we don't think
- ignore_changes = [
- last_modified,
- source_code_hash
- ]
- }
- }
|
