SD-2156. Environment and Slack variables

Author: gonzalo-dae-mn

asg.tf

@@ -1,7 +1,5 @@
 # ASG notification
 resource "aws_autoscaling_notification" "manage_dns_asg_notification" {
-  count = var.enabled ? 1 : 0
-
   group_names = var.asg_names
 
   notifications = [
@@ -10,6 +8,6 @@ resource "aws_autoscaling_notification" "manage_dns_asg_notification" {
     "autoscaling:EC2_INSTANCE_TERMINATE",
   ]
 
-  topic_arn = join("", aws_sns_topic.manage_dns_asg_sns.*.arn)
+  topic_arn = aws_sns_topic.dns.arn
 }
 

iam.tf

@@ -1,101 +1,46 @@
-# Lambda policy for logging
-resource "aws_iam_role_policy" "lambda_manage_dns_logging_policy" {
-  count = var.enabled ? 1 : 0
-
-  name = "${var.service}_lambda_dns_logging_policy"
-  role = join("", aws_iam_role.lambda_manage_dns_role.*.id)
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-
-}
-
-# Lambda policy for managing dns
-resource "aws_iam_role_policy" "lambda_manage_dns_policy" {
-  count = var.enabled ? 1 : 0
-
-  name = "${var.service}_lambda_route53_policy"
-  role = join("", aws_iam_role.lambda_manage_dns_role.*.id)
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "route53:GetHostedZone",
-        "route53:ChangeResourceRecordSets",
-        "route53:ListResourceRecordSets"
-      ],
-      "Resource": "arn:aws:route53:::hostedzone/${var.zone_id}"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "autoscaling:DescribeAutoScalingGroups",
-        "autoscaling:DescribeAutoScalingInstances"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:DescribeInstances"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-
-}
-
-# Lambda role
-resource "aws_iam_role" "lambda_manage_dns_role" {
-  count = var.enabled ? 1 : 0
-
-  name_prefix = "${var.service}_lambda_dns"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-
-}
-
-resource "aws_lambda_permission" "manage_dns_asg_sns" {
-  count = var.enabled ? 1 : 0
-
-  statement_id  = "AllowExecutionFromSNS"
-  action        = "lambda:InvokeFunction"
-  function_name = join("", aws_lambda_function.manage_dns.*.arn)
-  principal     = "sns.amazonaws.com"
-  source_arn    = join("", aws_sns_topic.manage_dns_asg_sns.*.arn)
+# Lambda policy
+data "aws_iam_policy_document" "lambda" {
+  statement {
+    actions = [
+      "route53:GetHostedZone",
+      "route53:ChangeResourceRecordSets",
+      "route53:ListResourceRecordSets",
+    ]
+
+    resources = [
+      "arn:aws:route53:::hostedzone/${var.zone_id}",
+    ]
+  }
+
+  statement {
+    actions = [
+      "autoscaling:DescribeAutoScalingGroups",
+      "autoscaling:DescribeAutoScalingInstances",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "ec2:DescribeInstances",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
 }
 

include/.gitignore

@@ -8,6 +8,8 @@
 service = os.environ['SERVICE']
 ttl = int(os.environ['TTL'])
 dns_role_arn = os.environ.get('DNS_ROLE_ARN')
+webhook_url = os.environ['SLACK_WEBHOOK']
+environment = os.environ['ENVIRONMENT']
 
 private_instance_record_template = os.environ['PRIVATE_INSTANCE_RECORD_TEMPLATE']
 private_asg_record_template = os.environ['PRIVATE_ASG_RECORD_TEMPLATE']

include/lambda.py

@@ -1,14 +1,15 @@
 # Lambda function
 module "lambda" {
-  source        = "github.com/claranet/terraform-aws-lambda?ref=v1.2.0"
+  source        = "git@github.com:Daemon-Solutions/terraform-aws-lambda?ref=v1.2.0"
   function_name = var.lambda_function_name
   description   = "Manages DNS records for ${join(", ", var.asg_names)} AutoScaling Group(s)"
   handler       = "lambda.lambda_handler"
-  runtime       = "python3.7"
+  runtime       = var.runtime
   layers        = var.lambda_layers
   timeout       = 300
   source_path   = "${path.module}/include/lambda.py"
-  policy        = {
+  build_command = "${var.runtime} build.py '$filename' '$runtime' '$source'"
+  policy = {
     json = data.aws_iam_policy_document.lambda.json
   }
 
@@ -17,6 +18,8 @@ module "lambda" {
       ZONE_ID                          = var.zone_id
       DNS_ROLE_ARN                     = var.dns_role_arn
       SERVICE                          = var.service
+      SLACK_WEBHOOK                    = var.slack_webhook
+      ENVIRONMENT                      = var.environment
       PRIVATE_INSTANCE_RECORD_TEMPLATE = var.private_instance_record_template
       PRIVATE_ASG_RECORD_TEMPLATE      = var.private_asg_record_template
       PUBLIC_ASG_RECORD_TEMPLATE       = var.public_asg_record_template
@@ -57,4 +60,3 @@ resource "null_resource" "notify_sns_topic" {
     command = "python ${path.module}/include/publish.py ${data.aws_region.current.name} ${element(var.asg_names, count.index)} ${aws_sns_topic.dns.arn}"
   }
 }
-

lambda.tf

@@ -1,16 +1,16 @@
 output "lambda_manage_dns_role_arn" {
-  value = join("", aws_iam_role.lambda_manage_dns_role.*.name)
+  value = module.lambda.role_arn
 }
 
 output "lambda_function_arn" {
-  value = join("", aws_lambda_function.manage_dns.*.arn)
+  value = module.lambda.function_arn
 }
 
 output "lambda_function_name" {
-  value = join("", aws_lambda_function.manage_dns.*.function_name)
+  value = module.lambda.function_name
 }
 
 output "sns_topic_arn" {
-  value = join("", aws_sns_topic.manage_dns_asg_sns.*.arn)
+  value = aws_sns_topic.dns.arn
 }
 

main.tf

@@ -1,16 +1,12 @@
 # SNS topic
-resource "aws_sns_topic" "manage_dns_asg_sns" {
-  count = var.enabled ? 1 : 0
-
+resource "aws_sns_topic" "dns" {
   name = var.sns_topic_name
 }
 
 # SNS subscription
 resource "aws_sns_topic_subscription" "sns_topic_subscription" {
-  count = var.enabled ? 1 : 0
-
-  topic_arn = join("", aws_sns_topic.manage_dns_asg_sns.*.arn)
+  topic_arn = aws_sns_topic.dns.arn
   protocol  = "lambda"
-  endpoint  = join("", aws_lambda_function.manage_dns.*.arn)
+  endpoint  = module.lambda.function_arn
 }
 

outputs.tf

@@ -1,27 +1,33 @@
-variable "enabled" {
-  description = "Enable or disable the Lambda DNS functionality."
-  type        = string
-  default     = "1"
-}
-
 variable "lambda_function_name" {
   description = "The name of the Lambda Function to create, which will manage the Autoscaling Groups"
   type        = string
 }
 
+variable "lambda_layers" {
+  description = "List of Lambda Layer Version ARNs to attach to the Lambda Function"
+  type        = list(string)
+  default     = []
+}
+
 variable "zone_id" {
   description = "Id of a zone file to add records to"
   type        = string
 }
 
+variable "dns_role_arn" {
+  description = "ARN of a role to assume to manage DNS records. Useful if DNS zone is in different account"
+  type        = string
+  default     = ""
+}
+
 variable "asg_names" {
-  description = "Name of the Autoscaling Groups to attach this Lambda Function to"
+  description = "The Autoscaling Group names to attach to this Lambda Function"
   type        = list(string)
 }
 
 variable "asg_count" {
   description = "Number of the Autoscaling Groups defined in asg_names variable. Only here because count cannot be computed"
-  default     = "1"
+  default     = 1
 }
 
 variable "sns_topic_name" {
@@ -69,3 +75,15 @@ variable "ttl" {
   default     = 60
 }
 
+variable runtime {
+  description = "Runtime binary"
+  default     = "python3.7"
+}
+
+variable "slack_webhook" {
+  description =  "slack webhook for notifications"
+}
+
+variable "environment" {
+  description =  "Environment"
+}