Support multiple lambda integration (Gitlab) (#11)

* Support multiple lambda integration (Gitlab)

* renames

* update source code & add flexibility

* CR fixes

* fix syntax

* changed to correct arn output

* fix lambda execution resoucse arn

Author: ChengaDev

locals.tf

@@ -0,0 +1,6 @@
+locals {
+  resource_name_pattern       = "spectral-${var.integration_type}-integration-${var.environment}"
+  single_lambda_integration   = contains(["jira", "terraform"], var.integration_type) ? true : false
+  multiple_lambda_integration = contains(["gitlab"], var.integration_type) ? true : false
+  api_triggered_function_arn  = local.single_lambda_integration ? module.lambda_function[0].lambda_function_arn : module.frontend_lambda_function[0].lambda_function_arn
+}

modules/lambda/lambda.tf

@@ -1,15 +1,14 @@
 locals {
   runtime                     = "nodejs14.x"
-  lambda_handler              = "handler.app"
-  lambda_source_code_zip_path = "${path.module}/source_code/${var.integration_type}/app.zip"
+  lambda_source_code_zip_path = "${path.module}/source_code/${var.integration_type}/${var.lambda_source_code_filename}"
 }
 
 resource "aws_lambda_function" "spectral_scanner_lambda" {
   runtime       = local.runtime
-  role          = aws_iam_role.lambda_execution_role.arn
-  function_name = var.resource_name_pattern
   filename      = local.lambda_source_code_zip_path
-  handler       = local.lambda_handler
+  handler       = var.lambda_handler
+  function_name = var.resource_name_pattern
+  role          = var.role_arn
   timeout       = var.timeout
   memory_size   = var.memory_size
   publish       = var.publish
@@ -26,65 +25,11 @@ resource "aws_lambda_function" "spectral_scanner_lambda" {
 
 resource "aws_cloudwatch_log_group" "lambda_log_group" {
   count             = var.should_write_logs ? 1 : 0
-  name              = var.resource_name_pattern
+  name              = "/aws/lambda/${var.resource_name_pattern}"
   retention_in_days = var.logs_retention_in_days
 
   tags = merge(
     var.global_tags,
     lookup(var.tags, "lambda", {}),
   )
-}
-
-data "aws_iam_policy_document" "assume_role_policy" {
-  statement {
-    sid    = ""
-    effect = "Allow"
-
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["lambda.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "lambda_execution_role" {
-  name               = var.resource_name_pattern
-  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
-
-  tags = merge(
-    var.global_tags,
-    lookup(var.tags, "iam", {}),
-  )
-}
-
-data "aws_iam_policy_document" "secrets_policy_document" {
-  statement {
-    sid       = ""
-    effect    = "Allow"
-    actions   = ["secretsmanager:GetSecretValue"]
-    resources = var.secrets_arns
-  }
-}
-
-resource "aws_iam_policy" "secrets_iam_policy" {
-  count  = var.store_secret_in_secrets_manager ? 1 : 0
-  policy = data.aws_iam_policy_document.secrets_policy_document.json
-
-  tags = merge(
-    var.global_tags,
-    lookup(var.tags, "iam", {}),
-  )
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_execution_role" {
-  role       = aws_iam_role.lambda_execution_role.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_secrets_role_attachment" {
-  count      = var.store_secret_in_secrets_manager ? 1 : 0
-  role       = aws_iam_role.lambda_execution_role.name
-  policy_arn = aws_iam_policy.secrets_iam_policy[count.index].arn
 }

modules/lambda/outputs.tf

@@ -1,15 +1,11 @@
+output "lambda_arn" {
+  value = aws_lambda_function.spectral_scanner_lambda.arn
+}
+
 output "lambda_function_arn" {
   value = aws_lambda_function.spectral_scanner_lambda.invoke_arn
 }
 
 output "lambda_function_name" {
   value = aws_lambda_function.spectral_scanner_lambda.function_name
-}
-
-output "lambda_iam_role_arn" {
-  value = aws_iam_role.lambda_execution_role.arn
-}
-
-output "lambda_iam_role_name" {
-  value = aws_iam_role.lambda_execution_role.name
 }

modules/lambda/source_code/gitlab/app.zip

@@ -74,4 +74,20 @@ variable "secrets_arns" {
 variable "store_secret_in_secrets_manager" {
   description = "Whether to store your secrets in secrets manager, default is false"
   type        = bool
+}
+
+variable "lambda_source_code_filename" {
+  type        = string
+  description = "The lambda source code filename"
+}
+
+variable "role_arn" {
+  type        = string
+  description = "The lambda source code filename"
+}
+
+variable "lambda_handler" {
+  type        = string
+  description = "The handler of the handler"
+  default     = "handler.app"
 }

modules/lambda/source_code/gitlab/backend.zip

@@ -0,0 +1,7 @@
+output "lambda_role_name" {
+  value = aws_iam_role.lambda_execution_role.name
+}
+
+output "lambda_role_arn" {
+  value = aws_iam_role.lambda_execution_role.arn
+}

modules/lambda/source_code/gitlab/frontend.zip

@@ -0,0 +1,53 @@
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    sid    = ""
+    effect = "Allow"
+
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "lambda_execution_role" {
+  name               = var.resource_name_pattern
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+
+  tags = merge(
+    var.global_tags,
+    lookup(var.tags, "iam", {}),
+  )
+}
+
+data "aws_iam_policy_document" "secrets_policy_document" {
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = var.secrets_arns
+  }
+}
+
+resource "aws_iam_policy" "secrets_iam_policy" {
+  count  = var.store_secret_in_secrets_manager ? 1 : 0
+  policy = data.aws_iam_policy_document.secrets_policy_document.json
+
+  tags = merge(
+    var.global_tags,
+    lookup(var.tags, "iam", {}),
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_execution_role" {
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_secrets_policy_attachment" {
+  count      = var.store_secret_in_secrets_manager ? 1 : 0
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = aws_iam_policy.secrets_iam_policy[count.index].arn
+}

modules/lambda/variables.tf

@@ -0,0 +1,38 @@
+variable "store_secret_in_secrets_manager" {
+  description = "Whether to store your secrets in secrets manager, default is false"
+  type        = bool
+}
+
+variable "secrets_arns" {
+  description = "List of secrets associated with the lambda"
+  type        = list(string)
+  default     = []
+}
+
+variable "global_tags" {
+  type        = map(string)
+  description = "A list of tags to apply on all newly created resources."
+  default = {
+    BusinessUnit = "Spectral"
+  }
+}
+
+variable "tags" {
+  type        = map(map(string))
+  description = "A collection of tags grouped by key representing it's target resource."
+  default = {
+    iam         = {}
+    lambda      = {}
+    api_gateway = {}
+  }
+}
+
+variable "resource_name_pattern" {
+  type        = string
+  description = "A common resource name created by pattern."
+}
+
+variable "multiple_lambda_integration" {
+  type        = bool
+  description = "Is current integration structure contains two lambdas"
+}

modules/role/outputs.tf

@@ -0,0 +1,66 @@
+module "frontend_lambda_function" {
+  count                           = local.multiple_lambda_integration ? 1 : 0
+  source                          = "./modules/lambda"
+  global_tags                     = var.global_tags
+  tags                            = var.tags
+  environment                     = var.environment
+  integration_type                = var.integration_type
+  resource_name_pattern           = "${local.resource_name_pattern}-frontend"
+  env_vars                        = var.env_vars
+  logs_retention_in_days          = var.lambda_logs_retention_in_days
+  should_write_logs               = var.lambda_enable_logs
+  lambda_handler                  = "frontend.app"
+  timeout                         = var.lambda_function_timeout
+  memory_size                     = var.lambda_function_memory_size
+  publish                         = var.lambda_publish
+  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
+  lambda_source_code_filename     = "frontend.zip"
+  role_arn                        = module.lambda_role.lambda_role_arn
+}
+
+module "backend_lambda_function" {
+  count                           = local.multiple_lambda_integration ? 1 : 0
+  source                          = "./modules/lambda"
+  global_tags                     = var.global_tags
+  tags                            = var.tags
+  environment                     = var.environment
+  integration_type                = var.integration_type
+  resource_name_pattern           = "${local.resource_name_pattern}-backend"
+  env_vars                        = var.env_vars
+  logs_retention_in_days          = var.lambda_logs_retention_in_days
+  should_write_logs               = var.lambda_enable_logs
+  lambda_handler                  = "backend.app"
+  timeout                         = var.lambda_function_timeout
+  memory_size                     = var.lambda_function_memory_size
+  publish                         = var.lambda_publish
+  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
+  lambda_source_code_filename     = "backend.zip"
+  role_arn                        = module.lambda_role.lambda_role_arn
+}
+
+data "aws_iam_policy_document" "lambda_invoke_policy_document" {
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    actions   = ["lambda:InvokeFunction", "lambda:InvokeAsync"]
+    resources = local.multiple_lambda_integration ? [module.backend_lambda_function[0].lambda_arn] : []
+  }
+}
+
+resource "aws_iam_policy" "lambda_invoke_iam_policy" {
+  count  = local.multiple_lambda_integration ? 1 : 0
+  policy = data.aws_iam_policy_document.lambda_invoke_policy_document.json
+
+  tags = merge(
+    var.global_tags,
+    lookup(var.tags, "iam", {}),
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_invoke_policy_attachment" {
+  count      = local.multiple_lambda_integration ? 1 : 0
+  role       = module.lambda_role.lambda_role_name
+  policy_arn = aws_iam_policy.lambda_invoke_iam_policy[count.index].arn
+}

modules/role/role.tf

@@ -19,19 +19,19 @@ output "rest_api_lambda_execution_arn" {
 }
 
 output "lambda_function_arn" {
-  value = module.lambda_function.lambda_function_arn
+  value = module.lambda_function[*].lambda_function_arn
 }
 
 output "lambda_function_name" {
-  value = module.lambda_function.lambda_function_name
+  value = module.lambda_function[*].lambda_function_name
 }
 
 output "lambda_iam_role_arn" {
-  value = module.lambda_function.lambda_iam_role_arn
+  value = module.lambda_role.lambda_role_arn
 }
 
 output "lambda_iam_role_name" {
-  value = module.lambda_function.lambda_iam_role_name
+  value = module.lambda_role.lambda_role_name
 }
 
 output "secrets_arns" {

modules/role/variables.tf

@@ -0,0 +1,25 @@
+module "api_gateway" {
+  source                = "./modules/api_gateway"
+  global_tags           = var.global_tags
+  tags                  = var.tags
+  environment           = var.environment
+  integration_type      = var.integration_type
+  resource_name_pattern = local.single_lambda_integration ? local.resource_name_pattern : "${local.resource_name_pattern}-frontend"
+  lambda_function_arn   = local.api_triggered_function_arn
+}
+
+module "secrets_manager" {
+  count            = var.store_secret_in_secrets_manager ? 1 : 0
+  integration_type = var.integration_type
+  source           = "./modules/secrets_manager"
+}
+
+module "lambda_role" {
+  source                          = "./modules/role"
+  resource_name_pattern           = local.single_lambda_integration ? local.resource_name_pattern : "${local.resource_name_pattern}-frontend"
+  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
+  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  tags                            = var.tags
+  global_tags                     = var.global_tags
+  multiple_lambda_integration     = local.multiple_lambda_integration
+}

multiple-lambdas-integration.tf

@@ -1,8 +1,5 @@
-locals {
-  resource_name_pattern = "spectral-${var.integration_type}-integration-${var.environment}"
-}
-
 module "lambda_function" {
+  count                           = local.single_lambda_integration ? 1 : 0
   source                          = "./modules/lambda"
   global_tags                     = var.global_tags
   tags                            = var.tags
@@ -17,20 +14,6 @@ module "lambda_function" {
   publish                         = var.lambda_publish
   secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
   store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
-}
-
-module "api_gateway" {
-  source                = "./modules/api_gateway"
-  global_tags           = var.global_tags
-  tags                  = var.tags
-  environment           = var.environment
-  integration_type      = var.integration_type
-  resource_name_pattern = local.resource_name_pattern
-  lambda_function_arn   = module.lambda_function.lambda_function_arn
-}
-
-module "secrets_manager" {
-  count            = var.store_secret_in_secrets_manager ? 1 : 0
-  integration_type = var.integration_type
-  source           = "./modules/secrets_manager"
+  lambda_source_code_filename     = "app.zip"
+  role_arn                        = module.lambda_role.lambda_role_arn
 }