chore: Update Lambda network and change RDS Lib in Lambdas (#912)

.devcontainer/devcontainer.json

@@ -12,7 +12,7 @@
     "terraform": {
       "version": "1.9.8",
       "tflint": "latest",
-      "terragrunt": "0.69.0"
+      "terragrunt": "0.69.2"
     },
     "aws-cli": {
       "version": "2.5.6"

.github/workflows/terragrunt-apply-production.yml

@@ -19,7 +19,7 @@ env:
   AWS_ACCOUNT_ID: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }}
   AWS_REGION: ca-central-1
   TERRAFORM_VERSION: 1.9.8
-  TERRAGRUNT_VERSION: 0.69.0
+  TERRAGRUNT_VERSION: 0.69.2
   TF_INPUT: false
   # API
   TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}

.github/workflows/terragrunt-apply-staging.yml

@@ -24,7 +24,7 @@ env:
   AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
   AWS_REGION: ca-central-1
   TERRAFORM_VERSION: 1.9.8
-  TERRAGRUNT_VERSION: 0.69.0
+  TERRAGRUNT_VERSION: 0.69.2
   TF_INPUT: false
   # API
   TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}

.github/workflows/terragrunt-plan-all-staging.yml

@@ -16,7 +16,7 @@ env:
   AWS_REGION: ca-central-1
   CONFTEST_VERSION: 0.46.0
   TERRAFORM_VERSION: 1.9.8
-  TERRAGRUNT_VERSION: 0.69.0
+  TERRAGRUNT_VERSION: 0.69.2
   TF_INPUT: false
   # API
   TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}

.github/workflows/terragrunt-plan-production.yml

@@ -21,7 +21,7 @@ env:
   AWS_REGION: ca-central-1
   CONFTEST_VERSION: 0.46.0
   TERRAFORM_VERSION: 1.9.8
-  TERRAGRUNT_VERSION: 0.69.0
+  TERRAGRUNT_VERSION: 0.69.2
   TF_INPUT: false
   # API
   TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}

.github/workflows/terragrunt-plan-staging.yml

@@ -26,7 +26,7 @@ env:
   AWS_REGION: ca-central-1
   CONFTEST_VERSION: 0.46.0
   TERRAFORM_VERSION: 1.9.8
-  TERRAGRUNT_VERSION: 0.69.0
+  TERRAGRUNT_VERSION: 0.69.2
   TF_INPUT: false
   # API
   TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}

README.md

@@ -21,7 +21,7 @@ Pull Requests in this repository require all commits to be signed before they ca
   1. `brew install warrensbox/tap/tfswitch`
   1. `tfswitch 1.9.8`
   1. `brew install warrensbox/tap/tgswitch`
-  1. `tgswitch 0.69.0`
+  1. `tgswitch 0.69.2`
 
 - Yarn (if you want to deploy the infrastructure locally):
 

aws/lambdas/iam.tf

@@ -186,7 +186,8 @@ data "aws_iam_policy_document" "lambda_secrets" {
 
     resources = [
       var.database_secret_arn,
-      var.notify_api_key_secret_arn
+      var.notify_api_key_secret_arn,
+      var.database_url_secret_arn,
     ]
   }
 }

aws/lambdas/inputs.tf

@@ -14,6 +14,11 @@ variable "database_secret_arn" {
   type        = string
 }
 
+variable "database_url_secret_arn" {
+  description = "Database URL secret version ARN, used by the ECS task"
+  type        = string
+}
+
 variable "rds_cluster_arn" {
   description = "RDS cluster ARN"
   type        = string
@@ -199,8 +204,8 @@ variable "ecr_repository_url_vault_integrity_lambda" {
   type        = string
 }
 
-variable "lambda_nagware_security_group_id" {
-  description = "Security group ID for the Nagware Lambda"
+variable "lambda_security_group_id" {
+  description = "Security group ID for the Lambdas"
   type        = string
 }
 
@@ -217,4 +222,4 @@ variable "redis_port" {
 variable "redis_url" {
   description = "Redis URL used by the Nagware function.  This should not include the protocol or port."
   type        = string
-}
+}

aws/lambdas/nagware.tf

@@ -10,7 +10,7 @@ resource "aws_lambda_function" "nagware" {
   timeout       = 900
 
   vpc_config {
-    security_group_ids = [var.lambda_nagware_security_group_id]
+    security_group_ids = [var.lambda_security_group_id]
     subnet_ids         = var.private_subnet_ids
   }
 
@@ -24,9 +24,7 @@ resource "aws_lambda_function" "nagware" {
       REGION                    = var.region
       DOMAIN                    = var.domains[0]
       DYNAMODB_VAULT_TABLE_NAME = var.dynamodb_vault_table_name
-      DB_ARN                    = var.rds_cluster_arn
-      DB_SECRET                 = var.database_secret_arn
-      DB_NAME                   = var.rds_db_name
+      DB_URL                    = var.database_url_secret_arn
       NOTIFY_API_KEY            = var.notify_api_key_secret_arn
       REDIS_URL                 = "redis://${var.redis_url}:${var.redis_port}"
       TEMPLATE_ID               = var.gc_template_id

aws/lambdas/reliability.tf

@@ -5,6 +5,12 @@ resource "aws_lambda_function" "reliability" {
   role          = aws_iam_role.lambda.arn
   timeout       = 300
 
+  vpc_config {
+    security_group_ids = [var.lambda_security_group_id]
+    subnet_ids         = var.private_subnet_ids
+  }
+
+
   lifecycle {
     ignore_changes = [image_uri]
   }
@@ -15,9 +21,7 @@ resource "aws_lambda_function" "reliability" {
       REGION         = var.region
       NOTIFY_API_KEY = var.notify_api_key_secret_arn
       TEMPLATE_ID    = var.gc_template_id
-      DB_ARN         = var.rds_cluster_arn
-      DB_SECRET      = var.database_secret_arn
-      DB_NAME        = var.rds_db_name
+      DB_URL         = var.database_url_secret_arn
       LOCALSTACK     = var.localstack_hosted
     }
   }

aws/network/outputs.tf

@@ -33,9 +33,9 @@ output "idp_lb_security_group_id" {
   value       = aws_security_group.idp_lb.id
 }
 
-output "lambda_nagware_security_group_id" {
+output "lambda_security_group_id" {
   description = "Lambda Nagware function security group ID"
-  value       = aws_security_group.lambda_nagware.id
+  value       = aws_security_group.lambda.id
 }
 
 output "public_subnet_ids" {

aws/network/security_groups_lambda.tf

@@ -1,6 +1,4 @@
-#
-# Nagware
-#
+### Everything below this line needs to be deleted
 resource "aws_security_group" "lambda_nagware" {
   description = "Lambda Nagware"
   name        = "lambda_nagware"
@@ -48,7 +46,63 @@ resource "aws_security_group_rule" "lambda_nagware_egress_redis" {
   protocol                 = "tcp"
   security_group_id        = aws_security_group.lambda_nagware.id
   source_security_group_id = aws_security_group.forms_redis.id
+
 }
+### Everything above this line needs to be deleted
+
+
+#
+# Nagware
+#
+resource "aws_security_group" "lambda" {
+  description = "Lambdas"
+  name        = "lambda"
+  vpc_id      = aws_vpc.forms.id
+}
+
+# Internet
+
+resource "aws_vpc_security_group_ingress_rule" "privatelink" {
+  description                  = "Security group rule for Nagware Lambda function ingress"
+  security_group_id            = aws_security_group.lambda.id
+  referenced_security_group_id = aws_security_group.privatelink.id
+  ip_protocol                  = "tcp"
+  from_port                    = 443
+  to_port                      = 443
+
+}
+
+resource "aws_vpc_security_group_egress_rule" "internet" {
+  description       = "Egress to the internet from Nagware Lambda function"
+  security_group_id = aws_security_group.lambda.id
+  ip_protocol       = "tcp"
+  from_port         = 443
+  to_port           = 443
+  cidr_ipv4         = "0.0.0.0/0"
+}
+
+
+# Redis
+resource "aws_vpc_security_group_ingress_rule" "redis" {
+  description                  = "Ingress to Redis from lambda"
+  security_group_id            = aws_security_group.forms_redis.id
+  referenced_security_group_id = aws_security_group.lambda.id
+  ip_protocol                  = "tcp"
+  from_port                    = 6379
+  to_port                      = 6379
+
+}
+
+# RDS
+resource "aws_vpc_security_group_ingress_rule" "rds" {
+  description                  = "Ingress to database from lambda"
+  security_group_id            = aws_security_group.forms_database.id
+  referenced_security_group_id = aws_security_group.lambda.id
+  ip_protocol                  = "tcp"
+  from_port                    = 5432
+  to_port                      = 5432
+}
+
 
 #
 # Athena connector

docker-compose.yml

@@ -3,7 +3,7 @@ volumes:
 services:
   localstack:
     container_name: "GCForms_LocalStack"
-    image: localstack/localstack-pro:latest
+    image: localstack/localstack-pro:3
     ports:
       - "127.0.0.1:4566:4566" # LocalStack Gateway
       - "127.0.0.1:4510-4559:4510-4559" # external services port range

env/cloud/app/terragrunt.hcl

@@ -54,7 +54,9 @@ dependency "network" {
   mock_outputs_merge_strategy_with_state  = "shallow"
   mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
   mock_outputs = {
-    private_subnet_ids = [""]
+    private_subnet_ids       = ["prv-1", "prv-2"]
+    egress_security_group_id = "sg-1234567890"
+    ecs_security_group_id    = "sg-1234567890"
   }
 }
 

env/cloud/lambdas/terragrunt.hcl

@@ -30,8 +30,8 @@ dependency "network" {
   mock_outputs_merge_strategy_with_state  = "shallow"
   mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
   mock_outputs = {
-    lambda_nagware_security_group_id = "sg-1234"
-    private_subnet_ids               = ["prv-1", "prv-2"]
+    lambda_security_group_id = "sg-1234"
+    private_subnet_ids       = ["prv-1", "prv-2"]
   }
 }
 
@@ -40,9 +40,10 @@ dependency "rds" {
   mock_outputs_merge_strategy_with_state  = "shallow"
   mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
   mock_outputs = {
-    rds_cluster_arn     = null
-    rds_db_name         = null
-    database_secret_arn = null
+    rds_cluster_arn         = null
+    rds_db_name             = null
+    database_secret_arn     = null
+    database_url_secret_arn = null
   }
 }
 
@@ -153,8 +154,8 @@ dependency "ecr" {
 }
 
 inputs = {
-  lambda_nagware_security_group_id = dependency.network.outputs.lambda_nagware_security_group_id
-  private_subnet_ids               = dependency.network.outputs.private_subnet_ids
+  lambda_security_group_id = dependency.network.outputs.lambda_security_group_id
+  private_subnet_ids       = dependency.network.outputs.private_subnet_ids
 
   dynamodb_relability_queue_arn      = dependency.dynamodb.outputs.dynamodb_relability_queue_arn
   dynamodb_vault_arn                 = dependency.dynamodb.outputs.dynamodb_vault_arn
@@ -168,9 +169,10 @@ inputs = {
   kms_key_cloudwatch_arn = dependency.kms.outputs.kms_key_cloudwatch_arn
   kms_key_dynamodb_arn   = dependency.kms.outputs.kms_key_dynamodb_arn
 
-  rds_cluster_arn     = dependency.rds.outputs.rds_cluster_arn
-  rds_db_name         = dependency.rds.outputs.rds_db_name
-  database_secret_arn = dependency.rds.outputs.database_secret_arn
+  rds_cluster_arn         = dependency.rds.outputs.rds_cluster_arn
+  rds_db_name             = dependency.rds.outputs.rds_db_name
+  database_secret_arn     = dependency.rds.outputs.database_secret_arn
+  database_url_secret_arn = dependency.rds.outputs.database_url_secret_arn
 
   redis_port = dependency.redis.outputs.redis_port
   redis_url  = dependency.redis.outputs.redis_url
@@ -186,6 +188,7 @@ inputs = {
 
   notify_api_key_secret_arn = dependency.secrets.outputs.notify_api_key_secret_arn
 
+
   reliability_file_storage_arn   = dependency.s3.outputs.reliability_file_storage_arn
   vault_file_storage_arn         = dependency.s3.outputs.vault_file_storage_arn
   vault_file_storage_id          = dependency.s3.outputs.vault_file_storage_id

env/cloud/pr_review/terragrunt.hcl

@@ -40,9 +40,11 @@ dependency "network" {
   mock_outputs_merge_strategy_with_state  = "shallow"
   mock_outputs = {
     vpc_id                           = null
-    privatelink_security_group_id    = null
-    forms_database_security_group_id = null
-    forms_redis_security_group_id    = null
+    privatelink_security_group_id    = "sg-1234567890"
+    forms_database_security_group_id = "sg-1234567890"
+    forms_redis_security_group_id    = "sg-1234567890"
+    rds_security_group_id            = "sg-1234567890"
+    redis_security_group_id          = "sg-1234567890"
   }
 }
 

env/cloud/redis/terragrunt.hcl

@@ -11,8 +11,8 @@ dependency "network" {
   mock_outputs_merge_strategy_with_state  = "shallow"
   mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
   mock_outputs = {
-    private_subnet_ids      = [""]
-    redis_security_group_id = null
+    private_subnet_ids      = ["prv-1", "prv-2"]
+    redis_security_group_id = "sg-1234567890"
   }
 }
 

env/common/local-provider.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.70.0"
+      version = "5.78.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -54,6 +54,13 @@ provider "aws" {
     kms            = "http://${var.localstack_host}:4566"
     ecr            = "http://${var.localstack_host}:4566"
   }
+
+  default_tags {
+    tags = {
+      (var.billing_tag_key) = var.billing_tag_value
+      Terraform             = true
+    }
+  }
 }
 
 provider "aws" {
@@ -92,6 +99,13 @@ provider "aws" {
     kms            = "http://${var.localstack_host}:4566"
     ecr            = "http://${var.localstack_host}:4566"
   }
+
+  default_tags {
+    tags = {
+      (var.billing_tag_key) = var.billing_tag_value
+      Terraform             = true
+    }
+  }
 }
 
 provider "aws" {
@@ -104,6 +118,13 @@ provider "aws" {
   skip_metadata_api_check     = true
   skip_requesting_account_id  = true
 
+  default_tags {
+    tags = {
+      (var.billing_tag_key) = var.billing_tag_value
+      Terraform             = true
+    }
+  }
+
   endpoints {
     apigateway     = "http://${var.localstack_host}:4566"
     cloudformation = "http://${var.localstack_host}:4566"

env/common/provider.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.76.0"
+      version = "5.78.0"
     }
     random = {
       source  = "hashicorp/random"