spectral-terraform-lambda-integration

Author: ChengaDev

.github/workflows/scan.yml

@@ -0,0 +1,19 @@
+name: Main
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+
+env:
+  SPECTRAL_DSN: ${{ secrets.SPECTRAL_DSN }}
+  
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install and run Spectral CI
+      uses: spectralops/spectral-github-action@v2
+      with:
+        spectral-dsn: ${{ env.SPECTRAL_DSN }}
+        spectral-args: scan --ok --include-tags base,iac

.github/workflows/terraform-fmt.yml

@@ -0,0 +1,30 @@
+name: "terraform formatting"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    
+defaults:
+  run:
+    shell: bash
+   
+jobs:
+  terraform:
+    name: "Terraform"
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v1
+    - name: Terraform format - root
+      id: fmt_root
+      run: terraform fmt -check
+    - name: Terraform format - lambda module
+      id: fmt_lambda
+      run: terraform fmt -check ./modules/lambda/
+    - name: Terraform format - lambda module
+      id: fmt_api_gateway
+      run: terraform fmt -check ./modules/api_gateway/

.gitignore

@@ -0,0 +1,13 @@
+**/.terraform/*
+*.tfstate
+*.tfstate.*
+crash.log
+crash.*.log
+*.tfvars
+*.tfvars.json
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.terraformrc
+terraform.rc

README.md

@@ -0,0 +1,168 @@
+<img src="https://user-images.githubusercontent.com/44297242/188002580-ba0a6d59-8b1c-475e-bd61-192dd952194f.png" alt="drawing" style="width:400px;"/>
+
+# spectral-lambda-integration
+
+Terraform configuration used to create the required AWS resources for integrating between Spectral and external service providers.
+
+## Requirements
+
+| Name      | Version |
+| ----------- | ----------- |
+| [terraform](https://www.terraform.io/downloads)      | ~> 1.2.0    |
+
+## Providers
+
+| Name      | Version |
+| ----------- | ----------- |
+| [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)      | ~> 4.9    |
+
+## Inputs
+
+| Name      | Description | Type | Default | Required |
+| ----------- | ----------- | ----------- | ----------- | ----------- |
+| `account_id` | AWS Account ID number of the account in which to manage resources. | `number` | N/A | Yes |
+| `aws_region` | The region in which to manage resources.| `string` | N/A | Yes |
+| `environment` | The target environment name for deployment | `string` | `prod` | No |
+| `integration_type` | Spectral integration type (A unique phrase describing the integration) - Available values: `terraform` | `string` | N/A | Yes |
+| [`env_vars`](#env_vars) | Extendable object contains all required environment variables required for the integration. | `map(string)` | N/A | No |
+| [`global_tags`](#global_tags) | Tags to be applied on every newly created resource. | `map(string)` | ```{ BusinessUnit = "Spectral" }``` | No |
+| [`tags`](#tags) | Tags to be applied on concrete resources  | `map(map(string))` | ```{ iam = { } lambda = { } api_gateway = { } }``` | No |
+| `lambda_enable_logs` | Specifies if Lambda should have CloudWatch a dedicated logs group. | `bool` | `false` | No |
+| `lambda_logs_retention_in_days` | Specifies the number of days you want to retain log events in the specified log group. | `number` | `30` | No |
+| `lambda_function_timeout` | Amount of time your Lambda Function has to run in seconds.  | `number` | 300 | No |
+| `lambda_function_memory_size` | Amount of memory in MB your Lambda Function can use at runtime. | `number` | 1024 | No |
+| `lambda_publish` | Whether to publish creation/change as new Lambda Function Version. | `bool` | `false` | No |
+
+### env_vars
+
+In some integrations, Spectral requires some extra environment variables besides the default ones.
+Those extra variables should be added to the `env_vars` map in addition to `CHECK_POLICY` and `SPECTRAL_DSN` which are mandatory.
+
+Please refer to our docs to view the extra environment variables needed for the integration.
+
+##### SPECTRAL_DSN (mandatory)
+
+Your SpectralOps identifier, retrieved from your SpectralOps account.
+
+##### CHECK_POLICY (mandatory)
+
+`CHECK_POLICY` responsible for setting the minimum issue severity that should fail the check.
+The valid values for this field are:
+
+1. Fail on any issue
+2. Fail on warnings and above
+3. Fail on errors only
+4. Always pass
+
+### global_tags
+
+This variable holds a list of tags be applied on all newly created resources:
+
+```tcl
+{
+  BusinessUnit = "Spectral"
+  ...
+}
+```
+
+### tags
+
+This variable holds a collection of tags grouped by key representing its target resource:
+
+1. IAM role resource - using the `iam` key
+2. Lambda resource - using the `lambda` key
+3. ApiGateway resource - using the `api_gateway` key
+
+```tcl
+{
+  iam = {
+    ...
+  }
+  lambda = {
+    ...
+  }
+  api_gateway = {
+    ...
+  }
+}
+```
+
+## Usage
+
+```tcl
+module "spectral_lambda_integration" {
+  source                        = "github.com/SpectralOps/spectral-terraform-lambda-integration?ref=v1.0.0"
+
+  account_id                    = 111111111111
+  aws_region                    = "us-east-1"
+  environment                   = "prod"
+  integration_type              = "terraform"
+  lambda_enable_logs            = true
+  lambda_logs_retention_in_days = 30
+  lambda_publish                = false
+  lambda_function_timeout       = 300
+  lambda_function_memory_size   = 1024
+
+  # Environment variables used by the integration
+  env_vars = {
+    # Mandatory - Your spectral DSN retreived from SpectralOps
+    SPECTRAL_DSN       = ""
+    # Mandatory - Set which severity should fail the check
+    CHECK_POLICY       = ""
+    # Additional env-vars should go here
+  }
+
+  # Global tags - Tags to be applied on every newly created resource
+  global_tags = {
+    # Tags to apply to all newly created resources
+    BusinessUnit = "Spectral"
+  }
+
+  # Tags to be applied on concrete resources
+  tags = {
+    # Tags to apply on iam related resources
+    iam = {
+      Resource = "role"
+    }
+    # Tags to apply on lambda related resources
+    lambda = {
+      Resource = "lambda"
+    }
+    # Tags to apply on api_gateway related resources
+    api_gateway = {
+      Resource = "api_gateway"
+    }
+  }
+}
+```
+
+## Resources
+
+| Name      | Type |
+| ----------- | ----------- |
+| [aws_api_gateway_rest_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) | resource |
+| [aws_api_gateway_method](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
+| [aws_api_gateway_method_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_response) | resource |
+| [aws_api_gateway_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration) | resource |
+| [aws_api_gateway_deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment) | resource |
+| [aws_api_gateway_stage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage) | resource |
+| [aws_lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data |
+
+## Outputs
+
+### This module has the following outputs
+
+1. `rest_api_id` - The ID of the REST API.
+2. `rest_api_url` - The URL for accessing the lambda through the ApiGateway.
+3. `rest_api_arn` - Amazon Resource Name (ARN) identifying your Rest API.
+4. `rest_api_execution_arn` - The execution ARN part to be used in lambda_permission's source_arn, not concatenated to other allowed API resources.
+5. `rest_api_lambda_execution_arn` - The execution ARN part to be used in lambda_permission's source_arn, concatenated with allowed API resources (method & path).
+6. `lambda_function_arn` - Amazon Resource Name (ARN) identifying your Lambda Function.
+7. `lambda_function_name` - The name of the lambda function.
+8. `lambda_iam_role_arn` - Amazon Resource Name (ARN) specifying the role.
+9. `lambda_iam_role_name` - Name of the role.

examples/basic-integration.tf

@@ -0,0 +1,12 @@
+module "spectral_lambda_integration" {
+  source = "github.com/SpectralOps/spectral-terraform-lambda-integration?ref=v1.0.0"
+
+  account_id       = 111111111111
+  aws_region       = "us-east-1"
+  integration_type = "terraform"
+
+  env_vars = {
+    SPECTRAL_DSN = "MySpectralDSN"
+    CHECK_POLICY = "Always Pass"
+  }
+}

examples/custom-lambda-settings.tf

@@ -0,0 +1,16 @@
+module "spectral_lambda_integration" {
+  source = "github.com/SpectralOps/spectral-terraform-lambda-integration?ref=v1.0.0"
+
+  account_id       = 111111111111
+  aws_region       = "us-east-1"
+  integration_type = "terraform"
+
+  lambda_function_timeout     = 320
+  lambda_function_memory_size = 1024
+  lambda_publsh               = true
+
+  env_vars = {
+    SPECTRAL_DSN = "MySpectralDSN"
+    CHECK_POLICY = "Always Pass"
+  }
+}

examples/enable-cloudwatch-logs-group.tf

@@ -0,0 +1,14 @@
+module "spectral_lambda_integration" {
+  source = "github.com/SpectralOps/spectral-terraform-lambda-integration?ref=v1.0.0"
+
+  account_id                    = 111111111111
+  aws_region                    = "us-east-1"
+  integration_type              = "terraform"
+  lambda_enable_logs            = true
+  lambda_logs_retention_in_days = 10
+
+  env_vars = {
+    SPECTRAL_DSN = "MySpectralDSN"
+    CHECK_POLICY = "Always Pass"
+  }
+}

examples/extended-tags.tf

@@ -0,0 +1,29 @@
+module "spectral_lambda_integration" {
+  source = "github.com/SpectralOps/spectral-terraform-lambda-integration?ref=v1.0.0"
+
+  account_id       = 111111111111
+  aws_region       = "us-east-1"
+  integration_type = "terraform"
+
+  tags = {
+    iam = {
+      Component = "IAM"
+    }
+    lambda = {
+      Component = "Lambda"
+    }
+    api_gateway = {
+      Component = "ApiGateway"
+    }
+  }
+
+  global_tags = {
+    BusinessUnit  = "Spectral"
+    SomeGlobalTag = "Value"
+  }
+
+  env_vars = {
+    SPECTRAL_DSN = "MySpectralDSN"
+    CHECK_POLICY = "Always Pass"
+  }
+}

examples/extra-env-vars.tf

@@ -0,0 +1,15 @@
+module "spectral_lambda_integration" {
+  source = "github.com/SpectralOps/spectral-terraform-lambda-integration?ref=v1.0.0"
+
+  account_id       = 111111111111
+  aws_region       = "us-east-1"
+  integration_type = "terraform"
+
+  env_vars = {
+    SPECTRAL_DSN      = "MySpectralDSN"
+    CHECK_POLICY      = "Always Pass"
+    TERRFORM_USER_KEY = "MY-KEY"
+    GITHUB_TOKEN      = "MY-TOKEN"
+    # Extra environment variables goes here...
+  }
+}

main.tf

@@ -0,0 +1,28 @@
+locals {
+  resource_name_pattern = "spectral-${var.integration_type}-integration-${var.environment}"
+}
+
+module "lambda_function" {
+  source                 = "./modules/lambda"
+  global_tags            = var.global_tags
+  tags                   = var.tags
+  environment            = var.environment
+  integration_type       = var.integration_type
+  resource_name_pattern  = local.resource_name_pattern
+  env_vars               = var.env_vars
+  logs_retention_in_days = var.lambda_logs_retention_in_days
+  should_write_logs      = var.lambda_enable_logs
+  timeout                = var.lambda_function_timeout
+  memory_size            = var.lambda_function_memory_size
+  publish                = var.lambda_publish
+}
+
+module "api_gateway" {
+  source                = "./modules/api_gateway"
+  global_tags           = var.global_tags
+  tags                  = var.tags
+  environment           = var.environment
+  integration_type      = var.integration_type
+  resource_name_pattern = local.resource_name_pattern
+  lambda_function_arn   = module.lambda_function.lambda_function_arn
+}

modules/api_gateway/outputs.tf

@@ -0,0 +1,19 @@
+output "rest_api_url" {
+  value = "${aws_api_gateway_deployment.rest_api_deployment.invoke_url}${aws_api_gateway_stage.rest_api_stage.stage_name}${aws_api_gateway_resource.event_resource.path}"
+}
+
+output "rest_api_arn" {
+  value = aws_api_gateway_rest_api.gateway_rest_api.arn
+}
+
+output "rest_api_execution_arn" {
+  value = aws_api_gateway_rest_api.gateway_rest_api.execution_arn
+}
+
+output "rest_api_lambda_execution_arn" {
+  value = local.rest_api_execution_arn
+}
+
+output "rest_api_id" {
+  value = aws_api_gateway_rest_api.gateway_rest_api.id
+}