xdr-terraform-modules/base/customer_portal_lambda/main.tf

locals {
  environment_vars = {
      "HTTP_PROXY"             = "http://${var.proxy}"
      "HTTPS_PROXY"            = "http://${var.proxy}"
      "NO_PROXY"               = "${var.dns_info["legacy_private"]["zone"]},${var.dns_info["private"]["zone"]}"
      "VAULT_HOST"             = "vault.${var.dns_info["private"]["zone"]}"
      "VAULT_PATH"             = "portal/data/lambda_sync_env"
      "VERIFY_PORTAL_SSL"      = "0"
      "PYTHONWARNINGS"         = "ignore:Unverified HTTPS request"
      "SQS_URL"                = "https://sqs.${var.aws_region}.amazonaws.com/${var.aws_account_id}/portal-scheduler.fifo"

  }
}

####
#
#Security Group
#
####
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "portal_lambda_splunk_sg" {
  vpc_id      = var.vpc_id
  name        = "portal-data-sync-lambda-splunk-sg"
  description = "Allow Lambda access to Moose"
}

resource "aws_security_group_rule" "portal_lambda_splunk_out" {
  type              = "egress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "All Splunk SH"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
}

resource "aws_security_group_rule" "portal_lambda_splunk_in" {
  type              = "ingress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  description       = "Moose SH"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
  self              = "true"
}

# Env variables for bootstrap only; true secrets should be in vault
resource "aws_lambda_function" "portal_data_sync" {
  description      = "Sync data between Splunk and Portal"
  filename         = "code.zip"
  source_code_hash = filebase64sha256("code.zip")
  function_name    = "portal_data_sync"
  role             = aws_iam_role.portal_lambda_role.arn
  handler          = "lambda_function.lambda_handler"
  runtime          = "python3.7"
  timeout          = "898"
  vpc_config {
    subnet_ids          = var.subnets
    security_group_ids  = [ data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id ]
  }
  environment { 
    variables = merge(var.customer_vars, local.environment_vars)
  }
  tags = merge(var.standard_tags, var.tags)

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform.  Installing
    # new versions of a lambda should not be a terraform-ish action we don't think
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }

}

resource "aws_lambda_function" "portal_scheduler" {
  description      = "Used to schedule Portal sync jobs"
  filename         = var.environment == "test" ? "test_portal_data_sync_20211209135332.zip" : "prod_portal_data_sync_20211209135448.zip"
  source_code_hash = var.environment == "test" ? filebase64sha256("test_portal_data_sync_20211209135332.zip") : filebase64sha256("prod_portal_data_sync_20211209135448.zip") 
  #s3_bucket        = aws_s3_bucket.bucket.bucket
  #s3_key           = "code.zip" 
  function_name    = "portal_scheduler"
  role             = aws_iam_role.portal_lambda_role.arn
  handler          = "lambda_function.scheduler"
  runtime          = "python3.8"
  timeout          = "180"
  vpc_config {
    subnet_ids          = var.subnets
    security_group_ids  = [ data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id ]
  }
  environment { 
    variables = merge(var.customer_vars, local.environment_vars)
  }
  tags = merge(var.standard_tags, var.tags)

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform.  Installing
    # new versions of a lambda should not be a terraform-ish action we don't think
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }

}

resource "aws_lambda_function_event_invoke_config" "portal_scheduler" {
  function_name                = aws_lambda_function.portal_scheduler.function_name
  maximum_retry_attempts       = 0
}

resource "aws_lambda_function" "portal_customer_sync" {
  description      = "Sync data between Splunk and Portal"
  filename         = var.environment == "test" ? "test_portal_data_sync_20211209135332.zip" : "prod_portal_data_sync_20211209135448.zip"
  source_code_hash = var.environment == "test" ? filebase64sha256("test_portal_data_sync_20211209135332.zip") : filebase64sha256("prod_portal_data_sync_20211209135448.zip") 
  function_name    = "portal_customer_sync"
  role             = aws_iam_role.portal_lambda_role.arn
  handler          = "lambda_function.handler"
  runtime          = "python3.8"
  timeout          = "900"
  vpc_config {
    subnet_ids          = var.subnets
    security_group_ids  = [ data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id ]
  }
  environment { 
    variables = merge(var.customer_vars, local.environment_vars)
  }
  tags = merge(var.standard_tags, var.tags)

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform.  Installing
    # new versions of a lambda should not be a terraform-ish action we don't think
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }

}

resource "aws_lambda_function_event_invoke_config" "portal_customer_sync" {
  function_name                = aws_lambda_function.portal_customer_sync.function_name
  maximum_retry_attempts       = 0
}

resource "aws_lambda_event_source_mapping" "portal_customer_sync" {
  event_source_arn = aws_sqs_queue.sqs_queue.arn
  function_name    = aws_lambda_function.portal_customer_sync.arn
  batch_size       = 1

}