AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143
							locals {
  # Env variables for bootstrap only; true secrets should be in vault
  environment_vars = {
    "HTTP_PROXY"        = "http://${local.proxy}"
    "HTTPS_PROXY"       = "http://${local.proxy}"
    "NO_PROXY"          = "${var.dns_info["legacy_private"]["zone"]},${var.dns_info["private"]["zone"]}"
    "VAULT_HOST"        = "vault.${var.dns_info["private"]["zone"]}"
    "VAULT_PATH"        = "portal/data/lambda_sync_env"
    "VERIFY_PORTAL_SSL" = "0"
    "PYTHONWARNINGS"    = "ignore:Unverified HTTPS request"
    "SQS_URL"           = "https://sqs.${var.aws_region}.amazonaws.com/${var.aws_account_id}/portal-scheduler.fifo"

  }
}

#----------------------------------------------------------------------------
# Portal Lambda Security Group
#----------------------------------------------------------------------------
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "portal_lambda_splunk_sg" {
  vpc_id      = var.vpc_id
  name        = "portal-data-sync-lambda-splunk-sg"
  description = "Allow Lambda network access"
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "portal_lambda_splunk_out" {
  type              = "egress"
  description       = "All Splunk SH"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
}

resource "aws_security_group_rule" "portal_lambda_phantom_out" {
  type              = "egress"
  description       = "Allow Lambda to connect to all server APIs in private-services"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-private-services"]
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
}

resource "aws_security_group_rule" "portal_lambda_splunk_in" {
  type              = "ingress"
  description       = "Moose SH"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
  self              = "true"
}

# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
resource "aws_lambda_function" "portal_scheduler" {
	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
  description      = "Used to schedule Portal sync jobs"
  filename         = "code.zip"
  source_code_hash = filebase64sha256("code.zip")
  function_name    = "portal_scheduler"
  role             = aws_iam_role.portal_lambda_role.arn
  handler          = "lambda_function.scheduler"
  runtime          = "python3.8"
  timeout          = "180"
  vpc_config {
    subnet_ids         = var.subnets
    security_group_ids = [data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id]
  }
  environment {
    variables = merge(var.customer_vars, local.environment_vars)
  }
  tags = merge(local.standard_tags, var.tags)

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform.  Installing
    # new versions of a lambda should not be a terraform-ish action we don't think
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }

}

resource "aws_lambda_function_event_invoke_config" "portal_scheduler" {
  function_name          = aws_lambda_function.portal_scheduler.function_name
  maximum_retry_attempts = 0
}

# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
resource "aws_lambda_function" "portal_customer_sync" {
	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
  description      = "Sync data between Splunk and Portal"
  filename         = "code.zip"
  source_code_hash = filebase64sha256("code.zip")
  function_name    = "portal_customer_sync"
  role             = aws_iam_role.portal_lambda_role.arn
  handler          = "lambda_function.handler"
  runtime          = "python3.8"
  timeout          = "900"
  memory_size      = "1024"
  vpc_config {
    subnet_ids         = var.subnets
    security_group_ids = [data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id]
  }
  environment {
    variables = merge(var.customer_vars, local.environment_vars)
  }
  tags = merge(local.standard_tags, var.tags)

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform.  Installing
    # new versions of a lambda should not be a terraform-ish action we don't think
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }

}

resource "aws_lambda_function_event_invoke_config" "portal_customer_sync" {
  function_name          = aws_lambda_function.portal_customer_sync.function_name
  maximum_retry_attempts = 0
}

resource "aws_lambda_event_source_mapping" "portal_customer_sync" {
  event_source_arn = aws_sqs_queue.sqs_queue.arn
  function_name    = aws_lambda_function.portal_customer_sync.arn
  batch_size       = 1

}