chore: Update Lambda network and change RDS Lib in Lambdas #912

Merged
merged 5 commits into from
Dec 3, 2024
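--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -12,7 +12,7 @@
 "terraform": {
 "version": "1.9.8",
 "tflint": "latest",
-"terragrunt": "0.69.0"
+"terragrunt": "0.69.2"
 },
 "aws-cli": {
 "version": "2.5.6"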
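--- a/.github/workflows/terragrunt-apply-production.yml
+++ b/.github/workflows/terragrunt-apply-production.yml
@@ -19,7 +19,7 @@ env:
 AWS_ACCOUNT_ID: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }}
 AWS_REGION: ca-central-1
 TERRAFORM_VERSION: 1.9.8
-TERRAGRUNT_VERSION: 0.69.0
+TERRAGRUNT_VERSION: 0.69.2
 TF_INPUT: false
 # API
 TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}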
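--- a/.github/workflows/terragrunt-apply-staging.yml
+++ b/.github/workflows/terragrunt-apply-staging.yml
@@ -24,7 +24,7 @@ env:
 AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
 AWS_REGION: ca-central-1
 TERRAFORM_VERSION: 1.9.8
-TERRAGRUNT_VERSION: 0.69.0
+TERRAGRUNT_VERSION: 0.69.2
 TF_INPUT: false
 # API
 TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}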
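--- a/.github/workflows/terragrunt-plan-all-staging.yml
+++ b/.github/workflows/terragrunt-plan-all-staging.yml
@@ -16,7 +16,7 @@ env:
 AWS_REGION: ca-central-1
 CONFTEST_VERSION: 0.46.0
 TERRAFORM_VERSION: 1.9.8
-TERRAGRUNT_VERSION: 0.69.0
+TERRAGRUNT_VERSION: 0.69.2
 TF_INPUT: false
 # API
 TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}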
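--- a/.github/workflows/terragrunt-plan-production.yml
+++ b/.github/workflows/terragrunt-plan-production.yml
@@ -21,7 +21,7 @@ env:
 AWS_REGION: ca-central-1
 CONFTEST_VERSION: 0.46.0
 TERRAFORM_VERSION: 1.9.8
-TERRAGRUNT_VERSION: 0.69.0
+TERRAGRUNT_VERSION: 0.69.2
 TF_INPUT: false
 # API
 TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}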
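--- a/.github/workflows/terragrunt-plan-staging.yml
+++ b/.github/workflows/terragrunt-plan-staging.yml
@@ -26,7 +26,7 @@ env:
 AWS_REGION: ca-central-1
 CONFTEST_VERSION: 0.46.0
 TERRAFORM_VERSION: 1.9.8
-TERRAGRUNT_VERSION: 0.69.0
+TERRAGRUNT_VERSION: 0.69.2
 TF_INPUT: false
 # API
 TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}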
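--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ Pull Requests in this repository require all commits to be signed before they ca
 1. `brew install warrensbox/tap/tfswitch`
 1. `tfswitch 1.9.8`
 1. `brew install warrensbox/tap/tgswitch`
-1. `tgswitch 0.69.0`
+1. `tgswitch 0.69.2`
 
 - Yarn (if you want to deploy the infrastructure locally):
 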
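--- a/aws/lambdas/iam.tf
+++ b/aws/lambdas/iam.tf
@@ -186,7 +186,8 @@ data "aws_iam_policy_document" "lambda_secrets" {
 
 resources = [
 var.database_secret_arn,
-var.notify_api_key_secret_arn
+var.notify_api_key_secret_arn,
+var.database_url_secret_arn,
 ]
 }
 }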
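Review bot: The `lambda_secrets` policy keeps `var.database_secret_arn` in its resources list even though the Lambdas in this PR (nagware.tf, reliability.tf) no longer receive `DB_SECRET` or `DB_ARN`, so unless another function in this module still reads that secret the grant is now wider than needed. Consider dropping `var.database_secret_arn,` here, and checking whether this file grants any `rds-data:*` permissions outside this hunk that are likewise unused once the Data API path is gone. The `data "aws_iam_policy_document" "lambda_secrets"` block starts outside the hunk, so I can't confirm from here what else it covers.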
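--- a/aws/lambdas/inputs.tf
+++ b/aws/lambdas/inputs.tf
@@ -14,6 +14,11 @@ variable "database_secret_arn" {
 type = string
 }
 
+variable "database_url_secret_arn" {
+description = "Database URL secret version ARN, used by the ECS task"
+type = string
+}
+
 variable "rds_cluster_arn" {
 description = "RDS cluster ARN"
 type = string
@@ -199,8 +204,8 @@ variable "ecr_repository_url_vault_integrity_lambda" {
 type = string
 }
 
-variable "lambda_nagware_security_group_id" {
-description = "Security group ID for the Nagware Lambda"
+variable "lambda_security_group_id" {
+description = "Security group ID for the Lambdas"
 type = string
 }
 
@@ -217,4 +222,4 @@ variable "redis_port" {
 variable "redis_url" {
 description = "Redis URL used by the Nagware function. This should not include the protocol or port."
 type = string
-}
+}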
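Review bot: The description on the new `database_url_secret_arn` variable says "used by the ECS task", which looks copied from the app module; this is the lambdas module and the value is wired into the nagware and reliability functions. Suggest `description = "Database URL secret version ARN, used by the Lambda functions"`. Separately, `rds_cluster_arn` and `rds_db_name` remain declared (and are still passed from env/cloud/lambdas/terragrunt.hcl) although neither Lambda in this PR consumes them any more; if no other function in the module uses them they can be removed in a follow-up.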
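--- a/aws/lambdas/nagware.tf
+++ b/aws/lambdas/nagware.tf
@@ -10,7 +10,7 @@ resource "aws_lambda_function" "nagware" {
 timeout = 900
 
 vpc_config {
-security_group_ids = [var.lambda_nagware_security_group_id]
+security_group_ids = [var.lambda_security_group_id]
 subnet_ids = var.private_subnet_ids
 }
 
@@ -24,9 +24,7 @@ resource "aws_lambda_function" "nagware" {
 REGION = var.region
 DOMAIN = var.domains[0]
 DYNAMODB_VAULT_TABLE_NAME = var.dynamodb_vault_table_name
-DB_ARN = var.rds_cluster_arn
-DB_SECRET = var.database_secret_arn
-DB_NAME = var.rds_db_name
+DB_URL = var.database_url_secret_arn
 NOTIFY_API_KEY = var.notify_api_key_secret_arn
 REDIS_URL = "redis://${var.redis_url}:${var.redis_port}"
 TEMPLATE_ID = var.gc_template_id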
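Review bot: The environment variable is named `DB_URL` but it carries a Secrets Manager ARN (`var.database_url_secret_arn`, which iam.tf grants under `lambda_secrets`), not a connection URL, so a reader of the function code will assume the wrong thing. A short comment would prevent that, e.g. `DB_URL = var.database_url_secret_arn # ARN of the secret holding the DB URL, not the URL itself`; renaming to something like `DB_URL_SECRET_ARN` would be clearer still but presumably requires a matching change in the Lambda code, which I can't see here. The same applies to the `DB_URL` line in aws/lambdas/reliability.tf. The `aws_lambda_function` resource starts outside the hunk.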
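--- a/aws/lambdas/reliability.tf
+++ b/aws/lambdas/reliability.tf
@@ -5,6 +5,12 @@ resource "aws_lambda_function" "reliability" {
 role = aws_iam_role.lambda.arn
 timeout = 300
 
+vpc_config {
+security_group_ids = [var.lambda_security_group_id]
+subnet_ids = var.private_subnet_ids
+}
+
+
 lifecycle {
 ignore_changes = [image_uri]
 }
@@ -15,9 +21,7 @@ resource "aws_lambda_function" "reliability" {
 REGION = var.region
 NOTIFY_API_KEY = var.notify_api_key_secret_arn
 TEMPLATE_ID = var.gc_template_id
-DB_ARN = var.rds_cluster_arn
-DB_SECRET = var.database_secret_arn
-DB_NAME = var.rds_db_name
+DB_URL = var.database_url_secret_arn
 LOCALSTACK = var.localstack_hosted
 }
 }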
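Review bot: The new `vpc_config` block is followed by two blank lines before `lifecycle`; one is enough and `terraform fmt` would not fix this, so drop the extra blank line. Note also that attaching `vpc_config` moves the reliability function from the Lambda service network into the VPC, so from now on everything it reaches (the Notify API implied by `NOTIFY_API_KEY`, the secrets it resolves, DynamoDB) must be allowed by the shared `lambda` security group's egress rules and reachable from `var.private_subnet_ids`; that is worth a one-line comment on the block, e.g. `# In-VPC so the function can reach RDS/Redis; all outbound traffic is governed by the shared lambda SG`.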
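--- a/aws/network/outputs.tf
+++ b/aws/network/outputs.tf
@@ -33,9 +33,9 @@ output "idp_lb_security_group_id" {
 value = aws_security_group.idp_lb.id
 }
 
-output "lambda_nagware_security_group_id" {
+output "lambda_security_group_id" {
 description = "Lambda Nagware function security group ID"
-value = aws_security_group.lambda_nagware.id
+value = aws_security_group.lambda.id
 }
 
 output "public_subnet_ids" {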
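Review bot: The output was renamed to `lambda_security_group_id` and now points at the shared `aws_security_group.lambda`, but its description still reads "Lambda Nagware function security group ID". Update it to match, e.g. `description = "Security group ID shared by the Lambda functions"`, so consumers in the terragrunt configs are not misled into thinking it is Nagware-specific.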
60 changes: 57 additions & 3 deletions aws/network/security_groups_lambda.tf
@@ -1,6 +1,4 @@
#
# Nagware
#
### Everything below this line needs to be deleted
resource "aws_security_group" "lambda_nagware" {
description = "Lambda Nagware"
name = "lambda_nagware"
Expand Down Expand Up @@ -48,7 +46,63 @@ resource "aws_security_group_rule" "lambda_nagware_egress_redis" {
protocol = "tcp"
security_group_id = aws_security_group.lambda_nagware.id
source_security_group_id = aws_security_group.forms_redis.id

}
### Everything above this line needs to be deleted


#
# Nagware
#
resource "aws_security_group" "lambda" {
description = "Lambdas"
name = "lambda"
vpc_id = aws_vpc.forms.id
}

# Internet

resource "aws_vpc_security_group_ingress_rule" "privatelink" {
description = "Security group rule for Nagware Lambda function ingress"
security_group_id = aws_security_group.lambda.id
referenced_security_group_id = aws_security_group.privatelink.id
ip_protocol = "tcp"
from_port = 443
to_port = 443

}

resource "aws_vpc_security_group_egress_rule" "internet" {
description = "Egress to the internet from Nagware Lambda function"
security_group_id = aws_security_group.lambda.id
ip_protocol = "tcp"
from_port = 443
to_port = 443
cidr_ipv4 = "0.0.0.0/0"
}


# Redis
resource "aws_vpc_security_group_ingress_rule" "redis" {
description = "Ingress to Redis from lambda"
security_group_id = aws_security_group.forms_redis.id
referenced_security_group_id = aws_security_group.lambda.id
ip_protocol = "tcp"
from_port = 6379
to_port = 6379

}

# RDS
resource "aws_vpc_security_group_ingress_rule" "rds" {
description = "Ingress to database from lambda"
security_group_id = aws_security_group.forms_database.id
referenced_security_group_id = aws_security_group.lambda.id
ip_protocol = "tcp"
from_port = 5432
to_port = 5432
}


#
# Athena connector
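Review bot: The `privatelink` rule is an ingress rule on `aws_security_group.lambda` that references `aws_security_group.privatelink`, which permits the PrivateLink side to open TCP/443 connections to the Lambdas rather than the other way round; a Lambda function does not accept inbound connections, so as written this rule almost certainly does nothing, and the function-to-endpoint direction is instead covered by the `internet` egress rule to `0.0.0.0/0`. Unless the old `lambda_nagware` rules (outside the hunk) relied on the same shape, I'd turn it into an egress rule from the Lambda SG to the PrivateLink SG, as below, and make sure the PrivateLink SG has the matching ingress from `aws_security_group.lambda`. With that in place, consider whether the blanket `cidr_ipv4 = "0.0.0.0/0"` egress is still needed for anything other than the public APIs the functions call (Notify, per `NOTIFY_API_KEY`), and say so in its description. The heading `# Nagware` above `resource "aws_security_group" "lambda"` and the "Nagware Lambda function" wording in the rule descriptions are stale now that the group is shared; and the old `lambda_nagware` group kept under "### Everything below this line needs to be deleted" should get a `# TODO(<issue id>): remove after all functions use aws_security_group.lambda` so it does not linger.
```hcl
resource "aws_vpc_security_group_egress_rule" "privatelink" {
  description                  = "Egress from the Lambda functions to the PrivateLink endpoints"
  security_group_id            = aws_security_group.lambda.id
  referenced_security_group_id = aws_security_group.privatelink.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# … unchanged: internet egress, redis and rds ingress rules …
```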
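--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ volumes:
 services:
 localstack:
 container_name: "GCForms_LocalStack"
-image: localstack/localstack-pro:latest
+image: localstack/localstack-pro:3
 ports:
 - "127.0.0.1:4566:4566" # LocalStack Gateway
 - "127.0.0.1:4510-4559:4510-4559" # external services port range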
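--- a/env/cloud/app/terragrunt.hcl
+++ b/env/cloud/app/terragrunt.hcl
@@ -54,7 +54,9 @@ dependency "network" {
 mock_outputs_merge_strategy_with_state = "shallow"
 mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
 mock_outputs = {
-private_subnet_ids = [""]
+private_subnet_ids = ["prv-1", "prv-2"]
+egress_security_group_id = "sg-1234567890"
+ecs_security_group_id = "sg-1234567890"
 }
 }
 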
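--- a/env/cloud/lambdas/terragrunt.hcl
+++ b/env/cloud/lambdas/terragrunt.hcl
@@ -30,8 +30,8 @@ dependency "network" {
 mock_outputs_merge_strategy_with_state = "shallow"
 mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
 mock_outputs = {
-lambda_nagware_security_group_id = "sg-1234"
-private_subnet_ids = ["prv-1", "prv-2"]
+lambda_security_group_id = "sg-1234"
+private_subnet_ids = ["prv-1", "prv-2"]
 }
 }
 
@@ -40,9 +40,10 @@ dependency "rds" {
 mock_outputs_merge_strategy_with_state = "shallow"
 mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
 mock_outputs = {
-rds_cluster_arn = null
-rds_db_name = null
-database_secret_arn = null
+rds_cluster_arn = null
+rds_db_name = null
+database_secret_arn = null
+database_url_secret_arn = null
 }
 }
 
@@ -153,8 +154,8 @@ dependency "ecr" {
 }
 
 inputs = {
-lambda_nagware_security_group_id = dependency.network.outputs.lambda_nagware_security_group_id
-private_subnet_ids = dependency.network.outputs.private_subnet_ids
+lambda_security_group_id = dependency.network.outputs.lambda_security_group_id
+private_subnet_ids = dependency.network.outputs.private_subnet_ids
 
 dynamodb_relability_queue_arn = dependency.dynamodb.outputs.dynamodb_relability_queue_arn
 dynamodb_vault_arn = dependency.dynamodb.outputs.dynamodb_vault_arn
@@ -168,9 +169,10 @@ inputs = {
 kms_key_cloudwatch_arn = dependency.kms.outputs.kms_key_cloudwatch_arn
 kms_key_dynamodb_arn = dependency.kms.outputs.kms_key_dynamodb_arn
 
-rds_cluster_arn = dependency.rds.outputs.rds_cluster_arn
-rds_db_name = dependency.rds.outputs.rds_db_name
-database_secret_arn = dependency.rds.outputs.database_secret_arn
+rds_cluster_arn = dependency.rds.outputs.rds_cluster_arn
+rds_db_name = dependency.rds.outputs.rds_db_name
+database_secret_arn = dependency.rds.outputs.database_secret_arn
+database_url_secret_arn = dependency.rds.outputs.database_url_secret_arn
 
 redis_port = dependency.redis.outputs.redis_port
 redis_url = dependency.redis.outputs.redis_url
@@ -186,6 +188,7 @@ inputs = {
 
 notify_api_key_secret_arn = dependency.secrets.outputs.notify_api_key_secret_arn
 
+
 reliability_file_storage_arn = dependency.s3.outputs.reliability_file_storage_arn
 vault_file_storage_arn = dependency.s3.outputs.vault_file_storage_arn
 vault_file_storage_id = dependency.s3.outputs.vault_file_storage_id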
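Review bot: The last hunk adds nothing but a second blank line after `notify_api_key_secret_arn`, which looks like a leftover from moving lines around; drop it so the commit stays a pure rename/addition. The new `database_url_secret_arn = null` mock follows the existing `null` convention in the `rds` dependency, but this value ends up in the `resources` list of the `lambda_secrets` IAM policy document in aws/lambdas/iam.tf, and the other dependency blocks in this PR (env/cloud/pr_review, env/cloud/redis) were just switched from `null` to placeholder strings; using a constructed placeholder such as `"arn:aws:secretsmanager:ca-central-1:000000000000:secret:mock"` here as well would avoid a null element in that list during `plan`/`validate`, if that is indeed why the others were changed.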
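--- a/env/cloud/pr_review/terragrunt.hcl
+++ b/env/cloud/pr_review/terragrunt.hcl
@@ -40,9 +40,11 @@ dependency "network" {
 mock_outputs_merge_strategy_with_state = "shallow"
 mock_outputs = {
 vpc_id = null
-privatelink_security_group_id = null
-forms_database_security_group_id = null
-forms_redis_security_group_id = null
+privatelink_security_group_id = "sg-1234567890"
+forms_database_security_group_id = "sg-1234567890"
+forms_redis_security_group_id = "sg-1234567890"
+rds_security_group_id = "sg-1234567890"
+redis_security_group_id = "sg-1234567890"
 }
 }
 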
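--- a/env/cloud/redis/terragrunt.hcl
+++ b/env/cloud/redis/terragrunt.hcl
@@ -11,8 +11,8 @@ dependency "network" {
 mock_outputs_merge_strategy_with_state = "shallow"
 mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
 mock_outputs = {
-private_subnet_ids = [""]
-redis_security_group_id = null
+private_subnet_ids = ["prv-1", "prv-2"]
+redis_security_group_id = "sg-1234567890"
 }
 }
 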
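--- a/env/common/local-provider.tf
+++ b/env/common/local-provider.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
-version = "5.70.0"
+version = "5.78.0"
 }
 random = {
 source = "hashicorp/random"
@@ -54,6 +54,13 @@ provider "aws" {
 kms = "http://${var.localstack_host}:4566"
 ecr = "http://${var.localstack_host}:4566"
 }
+
+default_tags {
+tags = {
+(var.billing_tag_key) = var.billing_tag_value
+Terraform = true
+}
+}
 }
 
 provider "aws" {
@@ -92,6 +99,13 @@ provider "aws" {
 kms = "http://${var.localstack_host}:4566"
 ecr = "http://${var.localstack_host}:4566"
 }
+
+default_tags {
+tags = {
+(var.billing_tag_key) = var.billing_tag_value
+Terraform = true
+}
+}
 }
 
 provider "aws" {
@@ -104,6 +118,13 @@ provider "aws" {
 skip_metadata_api_check = true
 skip_requesting_account_id = true
 
+default_tags {
+tags = {
+(var.billing_tag_key) = var.billing_tag_value
+Terraform = true
+}
+}
+
 endpoints {
 apigateway = "http://${var.localstack_host}:4566"
 cloudformation = "http://${var.localstack_host}:4566"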
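Review bot: The same `default_tags` block is pasted verbatim into three provider blocks (hunks two to four), and in the last one it is placed before `endpoints` whereas the other two put it after; the tag map itself can be hoisted into a local so the three blocks stay in sync, e.g. `locals { default_tags = { (var.billing_tag_key) = var.billing_tag_value, Terraform = true } }` and then `default_tags { tags = local.default_tags }` in each provider. The provider bump from `5.70.0` to `5.78.0` also brings this file in line with env/common/provider.tf, which is worth mentioning in the PR description since it changes what LocalStack runs against.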
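--- a/env/common/provider.tf
+++ b/env/common/provider.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
-version = "5.76.0"
+version = "5.78.0"
 }
 random = {
 source = "hashicorp/random"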