xdr-terraform-modules/base/customer_portal_lambda/main.tf

locals {
  environment_vars = {
      "HTTP_PROXY"             = "http://${var.proxy}"
      "HTTPS_PROXY"            = "http://${var.proxy}"
      "NO_PROXY"               = "${var.dns_info["legacy_private"]["zone"]},${var.dns_info["private"]["zone"]}"
      "VAULT_HOST"             = "vault.${var.dns_info["private"]["zone"]}"
      "VAULT_PATH"             = "portal/data/lambda_sync_env"
      "VERIFY_PORTAL_SSL"      = "0"
      "PYTHONWARNINGS"         = "ignore:Unverified HTTPS request"

  }
}

data "aws_iam_policy_document" "policy_portal_data_sync_lambda" {
  statement {
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "logs:CreateLogStream",
      "ec2:DescribeNetworkInterfaces",
      "logs:DescribeLogStreams",
      "ec2:DeleteNetworkInterface",
      "logs:PutRetentionPolicy",
      "logs:CreateLogGroup",
      "logs:PutLogEvents"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "policy_portal_data_sync_lambda" {
  name        = "policy_portal_data_sync_lambda"
  path        = "/"
  policy      = data.aws_iam_policy_document.policy_portal_data_sync_lambda.json
  description = "IAM policy for portal_data_sync_lambda"
}

resource "aws_iam_role" "portal-lambda-role" {
  name     = "portal-data-sync-lambda-role"
  assume_role_policy = <<EOF
{   
    "Version": "2012-10-17",
    "Statement": [
      { 
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "lambda.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

resource "aws_iam_role_policy_attachment" "lambda-role" {
  role       = aws_iam_role.portal-lambda-role.name
  policy_arn = aws_iam_policy.policy_portal_data_sync_lambda.arn
}

####
#
#Security Group
#
####
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "portal_lambda_splunk_sg" {
  vpc_id      = var.vpc_id
  name        = "portal-data-sync-lambda-splunk-sg"
  description = "Allow Lambda access to Moose"
}

resource "aws_security_group_rule" "portal_lambda_splunk_out" {
  type              = "egress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "All Splunk SH"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
}

resource "aws_security_group_rule" "portal_lambda_splunk_in" {
  type              = "ingress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  description       = "Moose SH"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
  self              = "true"
}

# Env variables for bootstrap only; true secrets should be in vault
resource "aws_lambda_function" "portal_data_sync" {
  description      = "Sync data between Splunk and Portal"
  filename         = "code.zip"
  source_code_hash = filebase64sha256("code.zip")
  function_name    = "portal_data_sync"
  role             = aws_iam_role.portal-lambda-role.arn
  handler          = "lambda_function.lambda_handler"
  runtime          = "python3.7"
  timeout          = "898"
  vpc_config {
    subnet_ids          = var.subnets
    security_group_ids  = [ data.aws_security_group.typical-host.id, aws_security_group.portal_lambda_splunk_sg.id ]
  }
  environment { 
    variables = merge(var.customer_vars, local.environment_vars)
  }
  tags = merge(var.standard_tags, var.tags)

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform.  Installing
    # new versions of a lambda should not be a terraform-ish action we don't think
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }

}