AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144
							data "aws_iam_policy_document" "policy_portal_data_sync_lambda" {
	statement {
		effect = "Allow"
		actions = [
		  "ec2:CreateNetworkInterface",
		  "logs:CreateLogStream",
		  "ec2:DescribeNetworkInterfaces",
		  "logs:DescribeLogStreams",
		  "ec2:DeleteNetworkInterface",
		  "logs:PutRetentionPolicy",
		  "logs:CreateLogGroup",
		  "logs:PutLogEvents"
		]
		resources = ["*"]
	}
}

resource "aws_iam_policy" "policy_portal_data_sync_lambda" {
  name        = "policy_portal_data_sync_lambda"
  path        = "/"
  policy      = data.aws_iam_policy_document.policy_portal_data_sync_lambda.json
  description = "IAM policy for portal_data_sync_lambda"
}

resource "aws_iam_role" "portal-lambda-role" {
  name     = "portal-data-sync-lambda-role"
  assume_role_policy = <<EOF
{   
    "Version": "2012-10-17",
    "Statement": [
      { 
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "lambda.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

resource "aws_iam_role_policy_attachment" "lambda-role" {
  role       = aws_iam_role.portal-lambda-role.name
  policy_arn = aws_iam_policy.policy_portal_data_sync_lambda.arn
}

####
#
#Security Group
#
####
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "portal_lambda_sg" {
  vpc_id      = var.vpc_id
  name        = "portal-data-sync-lambda-sg"
  description = "Allow Lambda access to Portal"
}

resource "aws_security_group_rule" "portal_lambda_https" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Access to Portal"
  security_group_id = aws_security_group.portal_lambda_sg.id
}

resource "aws_security_group" "portal_lambda_splunk_sg" {
  vpc_id      = var.vpc_id
  name        = "portal-data-sync-lambda-splunk-sg"
  description = "Allow Lambda access to Moose"
}

resource "aws_security_group_rule" "portal_lambda_splunk_out" {
  type              = "egress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "All Splunk SH"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
}

resource "aws_security_group_rule" "portal_lambda_splunk_in" {
  type              = "ingress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  description       = "Moose SH"
  security_group_id = aws_security_group.portal_lambda_splunk_sg.id
  self              = "true"
}

# Env variables for bootstrap only; true secrets should be in vault
resource "aws_lambda_function" "portal_data_sync" {
  description      = "Sync data between Splunk and Portal"
	filename         = "code.zip"
	source_code_hash = filebase64sha256("code.zip")
	function_name    = "portal_data_sync"
	role             = aws_iam_role.portal-lambda-role.arn
	handler          = "lambda_function.lambda_handler"
	runtime          = "python3.7"
	timeout          = "315"
	vpc_config {
		subnet_ids          = var.subnets
		security_group_ids  = [ aws_security_group.portal_lambda_sg.id, aws_security_group.portal_lambda_splunk_sg.id ]
	}
	environment { 
		variables = {
			"CUSTOMER_1_NAME"        = "AFS"
			"CUSTOMER_2_NAME"        = "NGA"
			"CUSTOMER_3_NAME"        = "MOOSE"
			"CUSTOMER_5_NAME"        = "MA_COVID"
			"CUSTOMER_6_NAME"        = "LA_COVID"
			"CUSTOMER_7_NAME"        = "DC_COVID"
			"CUSTOMER_8_NAME"        = "NIH"
			"HTTP_PROXY"             = "http://${var.proxy}"
			"HTTPS_PROXY"            = "http://${var.proxy}"
			"NO_PROXY"               = var.dns_info["private"]["zone"]
			"VAULT_HOST"             = "vault.${var.dns_info["private"]["zone"]}"
			"VAULT_PATH"             = "portal/data/lambda_sync_env"
		}
	}

  lifecycle {
    # Ignoring changes to the code of the function so that we won't
    # overlay changes to the function made outside of terraform.  Installing
    # new versions of a lambda should not be a terraform-ish action we don't think
    ignore_changes = [
      last_modified,
      source_code_hash
    ]
  }

}