Merge pull request #6 from Daemon-Solutions/SD-3177

SD-3177. Lambda Improvements and Documentation

Author: MartinSimangoDaemn

README.md

@@ -50,3 +50,76 @@ Outputs
 -------
 
 See [outputs file](outputs.tf)
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | > 0.11 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_archive"></a> [archive](#provider\_archive) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_autoscaling_notification.manage_dns_asg_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_notification) | resource |
+| [aws_iam_role.lambda_manage_dns_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.lambda_manage_dns_logging_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.lambda_manage_dns_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_lambda_function.manage_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_permission.manage_dns_asg_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_sns_topic.manage_dns_asg_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_subscription.sns_topic_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [null_resource.notify_sns_topic](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [archive_file.lambda_package](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_asg_count"></a> [asg\_count](#input\_asg\_count) | Number of the Autoscaling Groups defined in asg\_names variable. Only here because count cannot be computed | `string` | `"1"` | no |
+| <a name="input_asg_names"></a> [asg\_names](#input\_asg\_names) | Name of the Autoscaling Groups to attach this Lambda Function to | `list(string)` | n/a | yes |
+| <a name="input_enabled"></a> [enabled](#input\_enabled) | Enable or disable the Lambda DNS functionality. | `string` | `"1"` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment | `string` | n/a | yes |
+| <a name="input_lambda_function_name"></a> [lambda\_function\_name](#input\_lambda\_function\_name) | The name of the Lambda Function to create, which will manage the Autoscaling Groups | `string` | n/a | yes |
+| <a name="input_manage_instance_dns"></a> [manage\_instance\_dns](#input\_manage\_instance\_dns) | Whether to manage DNS records for Autoscaling Group instances | `bool` | `true` | no |
+| <a name="input_manage_private_asg_dns"></a> [manage\_private\_asg\_dns](#input\_manage\_private\_asg\_dns) | Whether to manage DNS records for private Autoscaling Group instances | `bool` | `false` | no |
+| <a name="input_manage_public_asg_dns"></a> [manage\_public\_asg\_dns](#input\_manage\_public\_asg\_dns) | Whether to manage DNS records for public Autoscaling Group instances | `bool` | `false` | no |
+| <a name="input_pd_escalation_policy"></a> [pd\_escalation\_policy](#input\_pd\_escalation\_policy) | PagerDuty Escalation Policy | `string` | n/a | yes |
+| <a name="input_pd_priority"></a> [pd\_priority](#input\_pd\_priority) | PagerDuty Priority ID | `string` | n/a | yes |
+| <a name="input_pd_service"></a> [pd\_service](#input\_pd\_service) | PagerDuty Service ID | `string` | n/a | yes |
+| <a name="input_pd_user_email"></a> [pd\_user\_email](#input\_pd\_user\_email) | PagerDuty Registered User Email | `string` | n/a | yes |
+| <a name="input_private_asg_record_template"></a> [private\_asg\_record\_template](#input\_private\_asg\_record\_template) | The fully qualified domain name format for private Autoscaling Group DNS records | `string` | `"service.internal.domain"` | no |
+| <a name="input_private_instance_record_template"></a> [private\_instance\_record\_template](#input\_private\_instance\_record\_template) | The fully qualified domain name format for private instance DNS records | `string` | `"service.az.domain"` | no |
+| <a name="input_public_asg_record_template"></a> [public\_asg\_record\_template](#input\_public\_asg\_record\_template) | The fully qualified domain name format for public Autoscaling Group DNS records | `string` | `"service.domain"` | no |
+| <a name="input_runtime"></a> [runtime](#input\_runtime) | Runtime binary | `string` | `"python3.7"` | no |
+| <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | Daemon Secret Manager | `string` | n/a | yes |
+| <a name="input_service"></a> [service](#input\_service) | Autoscaling Group service name, e.g. 'bastion'. This will be prefix for DNS records. | `string` | n/a | yes |
+| <a name="input_slack_webhook"></a> [slack\_webhook](#input\_slack\_webhook) | slack webhook for notifications | `string` | n/a | yes |
+| <a name="input_sns_topic_name"></a> [sns\_topic\_name](#input\_sns\_topic\_name) | Name for the SNS topic which will handle notifications of instance launch and terminate events | `string` | n/a | yes |
+| <a name="input_ttl"></a> [ttl](#input\_ttl) | TTL value for the DNS record(s) | `number` | `60` | no |
+| <a name="input_zone_id"></a> [zone\_id](#input\_zone\_id) | Id of a zone file to add records to | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_lambda_function_arn"></a> [lambda\_function\_arn](#output\_lambda\_function\_arn) | n/a |
+| <a name="output_lambda_function_name"></a> [lambda\_function\_name](#output\_lambda\_function\_name) | n/a |
+| <a name="output_lambda_manage_dns_role_arn"></a> [lambda\_manage\_dns\_role\_arn](#output\_lambda\_manage\_dns\_role\_arn) | n/a |
+| <a name="output_sns_topic_arn"></a> [sns\_topic\_arn](#output\_sns\_topic\_arn) | n/a |
+<!-- END_TF_DOCS -->

iam.tf

@@ -58,6 +58,14 @@ resource "aws_iam_role_policy" "lambda_manage_dns_policy" {
         "ec2:DescribeInstances"
       ],
       "Resource": "*"
+    },
+      {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:Get*",
+        "secretsmanager:List*"
+      ],
+      "Resource": "*"
     }
   ]
 }

include/lambda.py

@@ -9,17 +9,23 @@
 from string import Template
 
 
+
 zone_id = os.environ['ZONE_ID']
 service = os.environ['SERVICE']
 ttl = int(os.environ['TTL'])
 webhook_url = os.environ['SLACK_WEBHOOK']
 environment = os.environ['ENVIRONMENT']
-pd_key = os.environ['PD_KEY']
-dedup_pd_key = os.environ['PD_DEDUP_KEY']
-pd_message = os.environ['PD_MESSAGE']
+secret_name = os.environ['SECRET_NAME']
+pd_service = os.environ['PD_SERVICE']
+pd_escalation_policy = os.environ['PD_ESCALATION_POLICY']
+pd_priority = os.environ['PD_PRIORITY']
+pd_user_email = os.environ['PD_USER_EMAIL']
+
+
 datestamp = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S.%f")
 
-PD_DATA = ('{"payload": {"summary": "' + pd_message + '","timestamp": "' + datestamp + '","severity": "critical","source": "Laguna Rundeck PROD"},"routing_key": "' + pd_key + '", "dedup_key":  "' + dedup_pd_key + '","event_action": "trigger"}')
+PD_DATA = ('{"incident":{"type":"incident","title": "Rundeck ' + environment + ' has restarted!","service":{"id":"' + pd_service + '","type":"service_reference"},"priority":{"id":"' + pd_priority + '","type":"priority_reference"},"urgency":"high","incident_key":"test1","body":{"type":"incident_body","details":"Rundeck ' + environment + ' has restarted!"},"escalation_policy":{"id":"' + pd_escalation_policy + '","type":"escalation_policy_reference"}}}')
+
 
 private_instance_record_template = os.environ['PRIVATE_INSTANCE_RECORD_TEMPLATE']
 private_asg_record_template = os.environ['PRIVATE_ASG_RECORD_TEMPLATE']
@@ -85,6 +91,18 @@ def slack_notification(message):
     return True
 
 
+def get_secret(secret_name):
+
+    session = boto3.session.Session()
+    client = session.client(
+        service_name='secretsmanager',
+        region_name=aws_region
+    )
+
+    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
+
+    secret = json.loads(get_secret_value_response['SecretString'])
+    return secret
 
 def lambda_handler(event, context):
 
@@ -200,18 +218,20 @@ def lambda_handler(event, context):
     slack_notification('Rundeck ' + environment + ' has restarted!!')
 
     #PagerDuty Alert
-    if environment == "production":
-        data = json.loads(PD_DATA)
-        data = json.dumps(data)
-        data = data.encode()
-        http = urllib3.PoolManager()
-        response = http.request('POST',
-            'https://events.pagerduty.com/v2/enqueue',
-            body = data,
-            headers = {'Content-Type': 'application/json'},
-            retries = False)
-        content = response.read()
-        print(content)
+    data = json.loads(PD_DATA)
+    data = json.dumps(data)
+    data = data.encode()
+    http = urllib3.PoolManager()
+    secret_value = get_secret(secret_name)
+    new_secret_value = (secret_value['pager_duty_api_key'])
+    print("new_secret_value " + new_secret_value)
+    response = http.request('POST',
+        'https://api.pagerduty.com/incidents',
+        body = data,
+        headers = {'Content-Type': 'application/json','Accept': 'application/vnd.pagerduty+json;version=2','Authorization': 'Token token=' + str(new_secret_value) + '', 'From': '' + pd_user_email + ''},
+        retries = False)
+    content = response.read()
+    print(content)
 
 
 # helpers

main.tf

@@ -27,9 +27,11 @@ resource "aws_lambda_function" "manage_dns" {
       SERVICE                          = var.service
       SLACK_WEBHOOK                    = var.slack_webhook
       ENVIRONMENT                      = var.environment
-      PD_KEY                           = var.pd_key
-      PD_DEDUP_KEY                     = var.dedup_pd_key
-      PD_MESSAGE                       = var.pd_message
+      PD_SERVICE                       = var.pd_service
+      PD_PRIORITY                      = var.pd_priority
+      PD_ESCALATION_POLICY             = var.pd_escalation_policy
+      PD_USER_EMAIL                    = var.pd_user_email
+      SECRET_NAME                      = var.secret_name
       PRIVATE_INSTANCE_RECORD_TEMPLATE = var.private_instance_record_template
       PRIVATE_ASG_RECORD_TEMPLATE      = var.private_asg_record_template
       PUBLIC_ASG_RECORD_TEMPLATE       = var.public_asg_record_template

variables.tf

@@ -85,19 +85,27 @@ variable "environment" {
   description = "Environment"
 }
 
-variable "pd_key" {
+variable "pd_service" {
   type        = string
-  description = "PagerDuty Token Key"
+  description = "PagerDuty Service ID"
 }
 
-variable "dedup_pd_key" {
+variable "pd_priority" {
   type        = string
-  description = "PagerDuty Dedup Key"
+  description = "PagerDuty Priority ID"
 }
 
-variable "pd_message" {
+variable "pd_escalation_policy" {
   type        = string
-  description = "PagerDuty Message"
-  default     = "Error!"
+  description = "PagerDuty Escalation Policy"
 }
 
+variable "pd_user_email" {
+  type        = string
+  description = "PagerDuty Registered User Email"
+}
+
+variable "secret_name" {
+  type        = string
+  description = "Daemon Secret Manager"
+}