chore: Update Lambda network and change RDS Lib in Lambdas #912

bryan-robitaille · 2024-12-03T18:39:33Z

Summary | Résumé

Adds back #906 with legacy lambda security groups. The new groups need to be created and assigned to the Lambda's before the legacy groups can be destroyed.

Chicken => Egg ?

github-actions · 2024-12-03T19:04:14Z

⚠ Terrform update available

Terraform: 1.10.0 (using 1.9.8)
Terragrunt: 0.69.5 (using 0.69.2)

github-actions · 2024-12-03T19:08:38Z

Staging: network

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 5 to add, 0 to change, 0 to destroy

Show summary

CHANGE	NAME
add	`aws_security_group.lambda`
	`aws_vpc_security_group_egress_rule.internet`
	`aws_vpc_security_group_ingress_rule.privatelink`
	`aws_vpc_security_group_ingress_rule.rds`
	`aws_vpc_security_group_ingress_rule.redis`

Show plan

Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_security_group.lambda will be created
  + resource "aws_security_group" "lambda" {
      + arn                    = (known after apply)
      + description            = "Lambdas"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "lambda"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + vpc_id                 = "vpc-0ad5b3739860129d0"
    }

  # aws_vpc_security_group_egress_rule.internet will be created
  + resource "aws_vpc_security_group_egress_rule" "internet" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + description            = "Egress to the internet from Nagware Lambda function"
      + from_port              = 443
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + to_port                = 443
    }

  # aws_vpc_security_group_ingress_rule.privatelink will be created
  + resource "aws_vpc_security_group_ingress_rule" "privatelink" {
      + arn                          = (known after apply)
      + description                  = "Security group rule for Nagware Lambda function ingress"
      + from_port                    = 443
      + id                           = (known after apply)
      + ip_protocol                  = "tcp"
      + referenced_security_group_id = "sg-089a83b7d81dff031"
      + security_group_id            = (known after apply)
      + security_group_rule_id       = (known after apply)
      + tags_all                     = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + to_port                      = 443
    }

  # aws_vpc_security_group_ingress_rule.rds will be created
  + resource "aws_vpc_security_group_ingress_rule" "rds" {
      + arn                          = (known after apply)
      + description                  = "Ingress to database from lambda"
      + from_port                    = 5432
      + id                           = (known after apply)
      + ip_protocol                  = "tcp"
      + referenced_security_group_id = (known after apply)
      + security_group_id            = "sg-0b80bb714d886b8ff"
      + security_group_rule_id       = (known after apply)
      + tags_all                     = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + to_port                      = 5432
    }

  # aws_vpc_security_group_ingress_rule.redis will be created
  + resource "aws_vpc_security_group_ingress_rule" "redis" {
      + arn                          = (known after apply)
      + description                  = "Ingress to Redis from lambda"
      + from_port                    = 6379
      + id                           = (known after apply)
      + ip_protocol                  = "tcp"
      + referenced_security_group_id = (known after apply)
      + security_group_id            = "sg-092fddfbbac0e15aa"
      + security_group_rule_id       = (known after apply)
      + tags_all                     = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + to_port                      = 6379
    }

Plan: 5 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  - lambda_nagware_security_group_id = "sg-0d34d30a62da57ade" -> null
  + lambda_security_group_id         = (known after apply)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Show Conftest results

WARN - plan.json - main - Missing Common Tags: ["aws_default_network_acl.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_default_security_group.default"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_flow_log.vpc_flow_logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_internet_gateway.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_public_subnet"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.api_ecs"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.connector_db"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_database"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_egress"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_load_balancer"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_redis"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.idp_db"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.idp_ecs"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.idp_lb"]
WARN - plan.json - main - Missing Common Tags:...

github-actions · 2024-12-03T19:15:18Z

Staging: lambdas

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 0 to add, 3 to change, 0 to destroy

Show summary

CHANGE	NAME
update	`aws_iam_policy.lambda_secrets`
	`aws_lambda_function.nagware`
	`aws_lambda_function.reliability`

Show plan

Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_policy.lambda_secrets will be updated in-place
  ~ resource "aws_iam_policy" "lambda_secrets" {
        id               = "arn:aws:iam::687401027353:policy/lambda_secrets"
        name             = "lambda_secrets"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                          + "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3",
                            "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_api_key-eR3nNp",
                            # (1 unchanged element hidden)
                        ]
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_lambda_function.nagware will be updated in-place
  ~ resource "aws_lambda_function" "nagware" {
        id                             = "nagware"
        tags                           = {}
        # (28 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              - "DB_ARN"                    = "arn:aws:rds:ca-central-1:687401027353:cluster:forms-staging-db-cluster" -> null
              - "DB_NAME"                   = "forms" -> null
              - "DB_SECRET"                 = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:database-secret-vHJuTe" -> null
              + "DB_URL"                    = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3"
                # (8 unchanged elements hidden)
            }
        }

      ~ vpc_config {
          ~ security_group_ids          = [
              - "sg-0d34d30a62da57ade",
              + "sg-1234",
            ]
            # (3 unchanged attributes hidden)
        }

        # (3 unchanged blocks hidden)
    }

  # aws_lambda_function.reliability will be updated in-place
  ~ resource "aws_lambda_function" "reliability" {
        id                             = "reliability"
        tags                           = {}
        # (28 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              - "DB_ARN"         = "arn:aws:rds:ca-central-1:687401027353:cluster:forms-staging-db-cluster" -> null
              - "DB_NAME"        = "forms" -> null
              - "DB_SECRET"      = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:database-secret-vHJuTe" -> null
              + "DB_URL"         = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3"
                # (5 unchanged elements hidden)
            }
        }

      + vpc_config {
          + ipv6_allowed_for_dual_stack = false
          + security_group_ids          = [
              + "sg-1234",
            ]
          + subnet_ids                  = [
              + "subnet-07e38df0760d389d1",
              + "subnet-07f9debd31e48ce64",
              + "subnet-0af8e6e3cf80f582d",
            ]
        }

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Show Conftest results

WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN -...

github-actions · 2024-12-03T19:18:35Z

Staging: load_testing

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 0 to add, 4 to change, 0 to destroy

Show summary

CHANGE	NAME
update	`aws_iam_policy.load_test_lambda`
	`aws_ssm_parameter.load_testing_form_id`
	`aws_ssm_parameter.load_testing_form_private_key`
	`aws_ssm_parameter.load_testing_zitadel_app_private_key`

Show plan

Resource actions are indicated with the following symbols:
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.load_test_lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "load_test_lambda" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "ssm:GetParameters",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/form-id",
              + "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/form-private-key",
              + "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/zitadel-app-private-key",
            ]
          + sid       = "GetSSMParameters"
        }
      + statement {
          + actions   = [
              + "lambda:InvokeFunction",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:lambda:ca-central-1:687401027353:function:Submission",
            ]
          + sid       = "InvokeSubmissionLambda"
        }
    }

  # aws_iam_policy.load_test_lambda will be updated in-place
  ~ resource "aws_iam_policy" "load_test_lambda" {
        id               = "arn:aws:iam::687401027353:policy/LoadTestLambda"
        name             = "LoadTestLambda"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = "ssm:GetParameters"
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/zitadel-app-private-key",
                          - "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/form-private-key",
                          - "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/form-id",
                        ]
                      - Sid      = "GetSSMParameters"
                    },
                  - {
                      - Action   = "lambda:InvokeFunction"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:lambda:ca-central-1:687401027353:function:Submission"
                      - Sid      = "InvokeSubmissionLambda"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_ssm_parameter.load_testing_form_id will be updated in-place
  ~ resource "aws_ssm_parameter" "load_testing_form_id" {
        id              = "/load-testing/form-id"
      + insecure_value  = (known after apply)
        name            = "/load-testing/form-id"
        tags            = {}
      ~ version         = 1 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # aws_ssm_parameter.load_testing_form_private_key will be updated in-place
  ~ resource "aws_ssm_parameter" "load_testing_form_private_key" {
        id              = "/load-testing/form-private-key"
      + insecure_value  = (known after apply)
        name            = "/load-testing/form-private-key"
        tags            = {}
      ~ version         = 3 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # aws_ssm_parameter.load_testing_zitadel_app_private_key will be updated in-place
  ~ resource "aws_ssm_parameter" "load_testing_zitadel_app_private_key" {
        id              = "/load-testing/zitadel-app-private-key"
      + insecure_value  = (known after apply)
        name            = "/load-testing/zitadel-app-private-key"
        tags            = {}
      ~ version         = 3 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 4 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Show Conftest results

WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.load_test_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.load_test_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.load_testing"]
WARN - plan.json - main - Missing Common Tags: ["aws_ssm_parameter.load_testing_form_id"]
WARN - plan.json - main - Missing Common Tags: ["aws_ssm_parameter.load_testing_form_private_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_ssm_parameter.load_testing_zitadel_app_private_key"]

25 tests, 19 passed, 6 warnings, 0 failures, 0 exceptions

craigzour

LGTM!

bryan-robitaille and others added 4 commits December 3, 2024 13:14

chore: Replace rds data client in reliability and nagware lambdas (#906)

a33cea9

update sec rules for recommended format

6bdacc2

fix lambda egress rule

aadc527

adding back legacy sec groups

f1952eb

bryan-robitaille marked this pull request as ready for review December 3, 2024 19:00

rename rule for clarity

8c5f404

craigzour approved these changes Dec 3, 2024

View reviewed changes

bryan-robitaille merged commit 788b0bc into main Dec 3, 2024
13 checks passed

bryan-robitaille deleted the chore/lambda_rds_update branch December 3, 2024 19:20

sre-read-write bot mentioned this pull request Dec 3, 2024

chore: GCForms release v3.27.0 #895

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: Update Lambda network and change RDS Lib in Lambdas #912

chore: Update Lambda network and change RDS Lib in Lambdas #912

bryan-robitaille commented Dec 3, 2024 •

edited

Loading

github-actions bot commented Dec 3, 2024

github-actions bot commented Dec 3, 2024

github-actions bot commented Dec 3, 2024

github-actions bot commented Dec 3, 2024

craigzour left a comment

chore: Update Lambda network and change RDS Lib in Lambdas #912

chore: Update Lambda network and change RDS Lib in Lambdas #912

Conversation

bryan-robitaille commented Dec 3, 2024 • edited Loading

Summary | Résumé

github-actions bot commented Dec 3, 2024

⚠ Terrform update available

github-actions bot commented Dec 3, 2024

Staging: network

github-actions bot commented Dec 3, 2024

Staging: lambdas

github-actions bot commented Dec 3, 2024

Staging: load_testing

craigzour left a comment

Choose a reason for hiding this comment

bryan-robitaille commented Dec 3, 2024 •

edited

Loading