SD-2156. Environment and Slack variables

Author: gonzalo-dae-mn

asg.tf

@@ -1,5 +1,7 @@
 # ASG notification
 resource "aws_autoscaling_notification" "manage_dns_asg_notification" {
+  count = var.enabled ? 1 : 0
+
   group_names = var.asg_names
 
   notifications = [
@@ -8,6 +10,6 @@ resource "aws_autoscaling_notification" "manage_dns_asg_notification" {
     "autoscaling:EC2_INSTANCE_TERMINATE",
   ]
 
-  topic_arn = aws_sns_topic.dns.arn
+  topic_arn = join("", aws_sns_topic.manage_dns_asg_sns.*.arn)
 }
 

aws.tf

@@ -1,46 +1,101 @@
-# Lambda policy
-data "aws_iam_policy_document" "lambda" {
-  statement {
-    actions = [
-      "route53:GetHostedZone",
-      "route53:ChangeResourceRecordSets",
-      "route53:ListResourceRecordSets",
-    ]
-
-    resources = [
-      "arn:aws:route53:::hostedzone/${var.zone_id}",
-    ]
-  }
-
-  statement {
-    actions = [
-      "autoscaling:DescribeAutoScalingGroups",
-      "autoscaling:DescribeAutoScalingInstances",
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    actions = [
-      "ec2:DescribeInstances",
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    actions = [
-      "sts:AssumeRole",
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
+# Lambda policy for logging
+resource "aws_iam_role_policy" "lambda_manage_dns_logging_policy" {
+  count = var.enabled ? 1 : 0
+
+  name = "${var.service}_lambda_dns_logging_policy"
+  role = join("", aws_iam_role.lambda_manage_dns_role.*.id)
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+
+}
+
+# Lambda policy for managing dns
+resource "aws_iam_role_policy" "lambda_manage_dns_policy" {
+  count = var.enabled ? 1 : 0
+
+  name = "${var.service}_lambda_route53_policy"
+  role = join("", aws_iam_role.lambda_manage_dns_role.*.id)
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:GetHostedZone",
+        "route53:ChangeResourceRecordSets",
+        "route53:ListResourceRecordSets"
+      ],
+      "Resource": "arn:aws:route53:::hostedzone/${var.zone_id}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeAutoScalingInstances"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeInstances"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+
+}
+
+# Lambda role
+resource "aws_iam_role" "lambda_manage_dns_role" {
+  count = var.enabled ? 1 : 0
+
+  name_prefix = "${var.service}_lambda_dns"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+
+}
+
+resource "aws_lambda_permission" "manage_dns_asg_sns" {
+  count = var.enabled ? 1 : 0
+
+  statement_id  = "AllowExecutionFromSNS"
+  action        = "lambda:InvokeFunction"
+  function_name = join("", aws_lambda_function.manage_dns.*.arn)
+  principal     = "sns.amazonaws.com"
+  source_arn    = join("", aws_sns_topic.manage_dns_asg_sns.*.arn)
 }
 

iam.tf

@@ -0,0 +1 @@
+*.zip