lambda support vpc

CHANGELOG.md

@@ -1,6 +1,11 @@
 # Change Log
 
 All notable changes to this project will be documented in this file.
+
+## [4.2.0] - 2024-12-01
+### Added
+- Added VPC support to Lambda function
+
 ## [4.1.0] - 2024-11-13
 ### Added
 - Support for self hosted github

examples/basic-github-integration.tf

@@ -28,4 +28,10 @@ module "spectral_lambda_integration" {
     STRICT_MODE                        = false
     SPECTRAL_TAGS                      = "iac,base,audit"
   }
+
+  # With VPC configuration
+  vpc_config = {
+    subnet_ids         = ["subnet-12345678", "subnet-87654321"]
+    security_group_ids = ["sg-12345678"]
+  }
 }

examples/basic-gitlab-integration.tf

@@ -13,4 +13,10 @@ module "spectral_lambda_integration" {
     # STRICT_MODE   = false / true
     # SPECTRAL_TAGS = "iac,base,audit"
   }
+
+  # With VPC configuration
+  vpc_config = {
+    subnet_ids         = ["subnet-12345678", "subnet-87654321"]
+    security_group_ids = ["sg-12345678"]
+  }
 }

examples/basic-jira-integration.tf

@@ -16,4 +16,10 @@ module "spectral_lambda_integration" {
     # REDACTED_MESSAGE        = "MyRedactedMessage"
     # SPECTRAL_TAGS           = "iac,base,audit"
   }
+
+  # With VPC configuration
+  vpc_config = {
+    subnet_ids         = ["subnet-12345678", "subnet-87654321"]
+    security_group_ids = ["sg-12345678"]
+  }
 }

examples/basic-terraform-integration.tf

@@ -7,4 +7,10 @@ module "spectral_lambda_integration" {
     SPECTRAL_DSN = "MySpectralDSN"
     CHECK_POLICY = "Fail on any issue" # (Fail on any issue / Fail on warnings and above / Fail on errors only / Always Pass)
   }
+
+  # With VPC configuration
+  vpc_config = {
+    subnet_ids         = ["subnet-12345678", "subnet-87654321"]
+    security_group_ids = ["sg-12345678"]
+  }
 }

modules/lambda/lambda.tf

@@ -1,3 +1,5 @@
+data "aws_partition" "current" {}
+
 locals {
   runtime                     = "nodejs20.x"
   lambda_source_code_zip_path = coalesce(var.lambda_source_code_path, "${path.module}/source_code/${var.integration_type}/${var.lambda_source_code_filename}")
@@ -21,6 +23,18 @@ resource "aws_lambda_function" "spectral_scanner_lambda" {
   environment {
     variables = var.env_vars
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      subnet_ids         = vpc_config.value.subnet_ids
+      security_group_ids = vpc_config.value.security_group_ids
+    }
+  }
+
+  depends_on = [
+    aws_iam_role_policy.lambda_vpc_policy,
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "lambda_log_group" {
@@ -32,4 +46,16 @@ resource "aws_cloudwatch_log_group" "lambda_log_group" {
     var.global_tags,
     lookup(var.tags, "lambda", {}),
   )
+}
+
+data "aws_iam_policy" "lambda_vpc_policy" {
+  count = var.vpc_config != null ? 1 : 0
+  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
+}
+
+resource "aws_iam_role_policy" "lambda_vpc_policy" {
+  count  = var.vpc_config != null ? 1 : 0
+  name   = "lambda-vpc-policy"
+  role   = var.lambda_role_id
+  policy = data.aws_iam_policy.lambda_vpc_policy[0].policy
 }

modules/lambda/variables.tf

@@ -86,8 +86,22 @@ variable "role_arn" {
   description = "The lambda source code filename"
 }
 
+variable "lambda_role_id" {
+  type        = string
+  description = "The lambda role id"
+}
+
 variable "lambda_handler" {
   type        = string
   description = "The handler of the handler"
   default     = "handler.app"
+}
+
+variable "vpc_config" {
+  type        = object({
+    subnet_ids         = list(string)
+    security_group_ids = list(string)
+  })
+  description = "The VPC configuration for the lambda"
+  default     = null
 }

modules/role/outputs.tf

@@ -4,4 +4,8 @@ output "lambda_role_name" {
 
 output "lambda_role_arn" {
   value = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_role_id" {
+  value = aws_iam_role.lambda_execution_role.id
 }

multiple-lambdas-integration.tf

@@ -18,6 +18,8 @@ module "frontend_lambda_function" {
   lambda_source_code_filename = "frontend.zip"
   lambda_source_code_path     = var.frontend_lambda_source_code_path
   role_arn                    = module.lambda_role.lambda_role_arn
+  vpc_config                  = var.vpc_config
+  lambda_role_id              = module.lambda_role.lambda_role_id
 }
 
 module "backend_lambda_function" {
@@ -40,6 +42,8 @@ module "backend_lambda_function" {
   lambda_source_code_filename = "backend.zip"
   lambda_source_code_path     = var.backend_lambda_source_code_path
   role_arn                    = module.lambda_role.lambda_role_arn
+  vpc_config                  = var.vpc_config
+  lambda_role_id              = module.lambda_role.lambda_role_id
 }
 
 data "aws_iam_policy_document" "lambda_invoke_policy_document" {

single-lambda-integration.tf

@@ -16,4 +16,6 @@ module "lambda_function" {
   lambda_source_code_filename = "app.zip"
   lambda_source_code_path     = var.lambda_source_code_path
   role_arn                    = module.lambda_role.lambda_role_arn
+  vpc_config                  = var.vpc_config
+  lambda_role_id              = module.lambda_role.lambda_role_id
 }

variables.tf

@@ -116,4 +116,13 @@ variable "gateway_api_integration_timeout_milliseconds" {
   description = "Timeout for the API Gateway to wait for lambda response"
   type        = number
   default     = 29000
+}
+
+variable "vpc_config" {
+  description = "VPC configuration for the Lambda function"
+  type = object({
+    subnet_ids         = list(string)
+    security_group_ids = list(string)
+  })
+  default = null
 }