Support new GitHub bot deployment

.gitignore

@@ -10,4 +10,5 @@ override.tf.json
 *_override.tf
 *_override.tf.json
 .terraformrc
-terraform.rc
+terraform.rc
+.DS_Store

README.md

@@ -14,14 +14,14 @@ Terraform configuration used to create the required AWS resources for integratin
 
 | Name      | Version |
 | ----------- | ----------- |
-| [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)      | >= 4.37.0    |
+| [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)      | >= 5.26.0    |
 
 ## Inputs
 
 | Name      | Description | Type | Default | Required |
 | ----------- | ----------- | ----------- | ----------- | ----------- |
 | `environment` | The target environment name for deployment | `string` | `prod` | No |
-| `integration_type` | Spectral integration type (A unique phrase describing the integration) - Available values: `terraform`, `jira` and `gitlab` | `string` | N/A | Yes |
+| `integration_type` | Spectral integration type (A unique phrase describing the integration) - Available values: `github`, `terraform`, `jira` and `gitlab` | `string` | N/A | Yes |
 | [`env_vars`](#env_vars) | Extendable object contains all required environment variables required for the integration. | `map(string)` | N/A | No |
 | [`global_tags`](#global_tags) | Tags to be applied on every newly created resource. | `map(string)` | ```{ BusinessUnit = "Spectral" }``` | No |
 | [`tags`](#tags) | Tags to be applied on concrete resources  | `map(map(string))` | ```{ iam = { } lambda = { } api_gateway = { } }``` | No |
@@ -30,7 +30,7 @@ Terraform configuration used to create the required AWS resources for integratin
 | `lambda_function_timeout` | Amount of time your Lambda Function has to run in seconds.  | `number` | 300 | No |
 | `lambda_function_memory_size` | Amount of memory in MB your Lambda Function can use at runtime. | `number` | 1024 | No |
 | `lambda_publish` | Whether to publish creation/change as new Lambda Function Version. | `bool` | `false` | No |
-| `store_secret_in_secrets_manager` | Whether to store secrets values on a vault (currently supporting AWS secrets manager on GitLab integration). | `bool` | `false` | No |
+| `store_secret_in_secrets_manager` | Whether to store secrets values on a vault (currently supporting AWS secrets manager on GitHub / GitLab integration). | `bool` | `false` | No |
 
 ### env_vars
 
@@ -152,3 +152,7 @@ module "spectral_lambda_integration" {
 8. `lambda_iam_role_arn` - Amazon Resource Name (ARN) specifying the role.
 9. `lambda_iam_role_name` - Name of the role.
 10. `secrets_arns` - Arns of created secrets in secrets manager.
+
+## Support
+
+For GitHub deployment - only bot version 2.x is supported

examples/basic-github-integration.tf

@@ -0,0 +1,32 @@
+module "spectral_lambda_integration" {
+  source = "github.com/SpectralOps/spectral-terraform-lambda-integration"
+
+  integration_type   = "github"
+  lambda_enable_logs = true
+
+  # Use this attributes to deploy specific version of the bot
+  frontend_lambda_source_code_path = "./source-code/github/github-frontend.zip"
+  backend_lambda_source_code_path  = "./source-code/github/github-backend.zip"
+
+  env_vars = {
+    # Required environment variables    
+    SPECTRAL_DSN          = "MySpectralDSN"
+    CHECK_POLICY          = "Fail on any issue" # (Fail on any issue / Fail on warnings and above / Fail on errors only / Always Pass)
+    GITHUB_APP_ID         = "MyGitHubAppId"
+    GITHUB_WEBHOOK_SECRET = "MyGitHubWebhookSecret"
+    GITHUB_PRIVATE_KEY    = "MyGitHubPrivateKey"
+    # Optional environment variables
+    SECRETS_VAULT                      = "aws_secrets_manager"
+    VAULT_KEY_SPECTRAL_DSN             = "Spectral_Dsn-..."
+    VAULT_KEY_GITHUB_WEBHOOK_SECRET    = "Spectral_GithubBot_WebhookSecret-..."
+    VAULT_KEY_GITHUB_PRIVATE_KEY       = "Spectral_GithubBot_PrivateKey-..."
+    GITHUB_SHOULD_POST_REVIEW_COMMENTS = false
+    GITHUB_SHOULD_SKIP_CHECK           = false
+    S3_BLACK_LIST_OBJECT_KEY           = "The S3 object key of your blacklist flie"
+    S3_BLACK_LIST_BUCKET_NAME          = "The S3 bucket name that holds your blacklist file"
+    SHOULD_SKIP_INGEST                 = false
+    STRICT_MODE                        = false
+    SPECTRAL_TAGS                      = "iac,base,audit"
+    HOME                               = "/tmp"
+  }
+}

locals.tf

@@ -1,6 +1,14 @@
 locals {
-  resource_name_pattern       = "spectral-${var.integration_type}-integration-${var.environment}"
+  resource_name_pattern       = coalesce(var.resource_name_common_part, "spectral-${var.integration_type}-integration-${var.environment}-${random_string.random_resource_name_suffix.id}")
   single_lambda_integration   = contains(["jira", "terraform"], var.integration_type) ? true : false
-  multiple_lambda_integration = contains(["gitlab"], var.integration_type) ? true : false
+  multiple_lambda_integration = contains(["gitlab", "github"], var.integration_type) ? true : false
   api_triggered_function_arn  = local.single_lambda_integration ? module.lambda_function[0].lambda_function_arn : module.frontend_lambda_function[0].lambda_function_arn
+  frontend_lambda_handler     = contains(["github"], var.integration_type) ? "index.handler" : "frontend.app"
+  backend_lambda_handler      = contains(["github"], var.integration_type) ? "index.handler" : "backend.app"
+  default_secrets_names = {
+    "github" = coalesce(var.secrets_names, ["Spectral_GithubBot_PrivateKey", "Spectral_GithubBot_WebhookSecret"]),
+    "gitlab" = coalesce(var.secrets_names, ["Spectral_GitlabBot_GitlabToken", "Spectral_GitlabBot_WebhookSecret"])
+  }
+  # Please do not change or replace the 'frontend' suffix since there a logic in the bot based in it
+  function_name = local.single_lambda_integration ? local.resource_name_pattern : "${local.resource_name_pattern}-frontend"
 }

modules/api_gateway/rest_api.tf

@@ -31,6 +31,7 @@ resource "aws_api_gateway_integration" "api_proxy_integration" {
   integration_http_method = "POST"
   type                    = "AWS_PROXY"
   uri                     = var.lambda_function_arn
+  timeout_milliseconds    = var.gateway_api_integration_timeout_milliseconds
 }
 
 resource "aws_api_gateway_method_response" "response_200" {
@@ -43,7 +44,7 @@ resource "aws_api_gateway_method_response" "response_200" {
 resource "aws_lambda_permission" "lambda_permission" {
   statement_id  = "AllowExecutionFromAPIGateway"
   action        = "lambda:InvokeFunction"
-  function_name = var.resource_name_pattern
+  function_name = var.function_name
   principal     = "apigateway.amazonaws.com"
   source_arn    = local.rest_api_execution_arn
 }

modules/api_gateway/variables.tf

@@ -34,4 +34,15 @@ variable "tags" {
 variable "integration_type" {
   type        = string
   description = "Spectral integration type (A unique phrase describing the integration) - Available values: `terraform`."
+}
+
+variable "function_name" {
+  type        = string
+  description = "The name of the function the API would trigger upon request"
+}
+
+variable "gateway_api_integration_timeout_milliseconds" {
+  description = "Timeout for the API Gateway to wait for lambda response"
+  type        = number
+  default     = 29000
 }

modules/lambda/lambda.tf

@@ -1,6 +1,6 @@
 locals {
-  runtime                     = "nodejs14.x"
-  lambda_source_code_zip_path = "${path.module}/source_code/${var.integration_type}/${var.lambda_source_code_filename}"
+  runtime                     = "nodejs20.x"
+  lambda_source_code_zip_path = coalesce(var.lambda_source_code_path, "${path.module}/source_code/${var.integration_type}/${var.lambda_source_code_filename}")
 }
 
 resource "aws_lambda_function" "spectral_scanner_lambda" {

modules/lambda/variables.tf

@@ -71,16 +71,16 @@ variable "secrets_arns" {
   default     = []
 }
 
-variable "store_secret_in_secrets_manager" {
-  description = "Whether to store your secrets in secrets manager, default is false"
-  type        = bool
-}
-
 variable "lambda_source_code_filename" {
   type        = string
   description = "The lambda source code filename"
 }
 
+variable "lambda_source_code_path" {
+  type        = string
+  description = "The lambda source code path"
+}
+
 variable "role_arn" {
   type        = string
   description = "The lambda source code filename"

modules/role/role.tf

@@ -13,7 +13,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 }
 
 resource "aws_iam_role" "lambda_execution_role" {
-  name               = var.resource_name_pattern
+  name               = var.role_name
   assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
 
   tags = merge(

modules/role/variables.tf

@@ -27,9 +27,9 @@ variable "tags" {
   }
 }
 
-variable "resource_name_pattern" {
+variable "role_name" {
   type        = string
-  description = "A common resource name created by pattern."
+  description = "The name of the role"
 }
 
 variable "multiple_lambda_integration" {

modules/secrets_manager/secrets.tf

@@ -1,6 +1,6 @@
 locals {
   secrets_arns = concat(
-    try(module.gitlab[0].secrets_arns, []),
+    [for secret in aws_secretsmanager_secret.general_secret : secret.arn],
     [aws_secretsmanager_secret.spectral_dsn.arn]
   )
 }
@@ -9,7 +9,7 @@ resource "aws_secretsmanager_secret" "spectral_dsn" {
   name = "Spectral_Dsn"
 }
 
-module "gitlab" {
-  count  = var.integration_type == "gitlab" ? 1 : 0
-  source = "./gitlab"
+resource "aws_secretsmanager_secret" "general_secret" {
+  count = length(var.secrets_names)
+  name  = var.secrets_names[count.index]
 }

modules/secrets_manager/variables.tf

@@ -1,4 +1,9 @@
 variable "integration_type" {
   description = "Integration type to create secrets for"
   type        = string
+}
+
+variable "secrets_names" {
+  description = "Names of secrets to create"
+  type        = list(string)
 }

multiple-lambdas-integration.tf

@@ -1,43 +1,45 @@
 module "frontend_lambda_function" {
-  count                           = local.multiple_lambda_integration ? 1 : 0
-  source                          = "./modules/lambda"
-  global_tags                     = var.global_tags
-  tags                            = var.tags
-  environment                     = var.environment
-  integration_type                = var.integration_type
-  resource_name_pattern           = "${local.resource_name_pattern}-frontend"
-  env_vars                        = var.env_vars
-  logs_retention_in_days          = var.lambda_logs_retention_in_days
-  should_write_logs               = var.lambda_enable_logs
-  lambda_handler                  = "frontend.app"
-  timeout                         = var.lambda_function_timeout
-  memory_size                     = var.lambda_function_memory_size
-  publish                         = var.lambda_publish
-  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
-  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
-  lambda_source_code_filename     = "frontend.zip"
-  role_arn                        = module.lambda_role.lambda_role_arn
+  count            = local.multiple_lambda_integration ? 1 : 0
+  source           = "./modules/lambda"
+  global_tags      = var.global_tags
+  tags             = var.tags
+  environment      = var.environment
+  integration_type = var.integration_type
+  # Please do not change or replace the 'frontend' suffix since there a logic in the bot based in it
+  resource_name_pattern       = "${local.resource_name_pattern}-frontend"
+  env_vars                    = var.env_vars
+  logs_retention_in_days      = var.lambda_logs_retention_in_days
+  should_write_logs           = var.lambda_enable_logs
+  lambda_handler              = local.frontend_lambda_handler
+  timeout                     = var.lambda_function_timeout
+  memory_size                 = var.lambda_function_memory_size
+  publish                     = var.lambda_publish
+  secrets_arns                = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  lambda_source_code_filename = "frontend.zip"
+  lambda_source_code_path     = var.frontend_lambda_source_code_path
+  role_arn                    = module.lambda_role.lambda_role_arn
 }
 
 module "backend_lambda_function" {
-  count                           = local.multiple_lambda_integration ? 1 : 0
-  source                          = "./modules/lambda"
-  global_tags                     = var.global_tags
-  tags                            = var.tags
-  environment                     = var.environment
-  integration_type                = var.integration_type
-  resource_name_pattern           = "${local.resource_name_pattern}-backend"
-  env_vars                        = var.env_vars
-  logs_retention_in_days          = var.lambda_logs_retention_in_days
-  should_write_logs               = var.lambda_enable_logs
-  lambda_handler                  = "backend.app"
-  timeout                         = var.lambda_function_timeout
-  memory_size                     = var.lambda_function_memory_size
-  publish                         = var.lambda_publish
-  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
-  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
-  lambda_source_code_filename     = "backend.zip"
-  role_arn                        = module.lambda_role.lambda_role_arn
+  count            = local.multiple_lambda_integration ? 1 : 0
+  source           = "./modules/lambda"
+  global_tags      = var.global_tags
+  tags             = var.tags
+  environment      = var.environment
+  integration_type = var.integration_type
+  # Please do not change or replace the 'backend' suffix since there a logic in the bot based in it
+  resource_name_pattern       = "${local.resource_name_pattern}-backend"
+  env_vars                    = var.env_vars
+  logs_retention_in_days      = var.lambda_logs_retention_in_days
+  should_write_logs           = var.lambda_enable_logs
+  lambda_handler              = local.backend_lambda_handler
+  timeout                     = var.lambda_function_timeout
+  memory_size                 = var.lambda_function_memory_size
+  publish                     = var.lambda_publish
+  secrets_arns                = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  lambda_source_code_filename = "backend.zip"
+  lambda_source_code_path     = var.backend_lambda_source_code_path
+  role_arn                    = module.lambda_role.lambda_role_arn
 }
 
 data "aws_iam_policy_document" "lambda_invoke_policy_document" {

shared.tf

@@ -1,22 +1,30 @@
+resource "random_string" "random_resource_name_suffix" {
+  length  = 10
+  special = false
+  upper   = false
+}
+
 module "api_gateway" {
   source                = "./modules/api_gateway"
   global_tags           = var.global_tags
   tags                  = var.tags
   environment           = var.environment
   integration_type      = var.integration_type
-  resource_name_pattern = local.single_lambda_integration ? local.resource_name_pattern : "${local.resource_name_pattern}-frontend"
+  resource_name_pattern = local.resource_name_pattern
+  function_name         = local.function_name
   lambda_function_arn   = local.api_triggered_function_arn
 }
 
 module "secrets_manager" {
   count            = var.store_secret_in_secrets_manager ? 1 : 0
   integration_type = var.integration_type
   source           = "./modules/secrets_manager"
+  secrets_names    = local.default_secrets_names[var.integration_type]
 }
 
 module "lambda_role" {
   source                          = "./modules/role"
-  resource_name_pattern           = local.single_lambda_integration ? local.resource_name_pattern : "${local.resource_name_pattern}-frontend"
+  role_name                       = local.function_name
   store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
   secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
   tags                            = var.tags

single-lambda-integration.tf

@@ -1,19 +1,19 @@
 module "lambda_function" {
-  count                           = local.single_lambda_integration ? 1 : 0
-  source                          = "./modules/lambda"
-  global_tags                     = var.global_tags
-  tags                            = var.tags
-  environment                     = var.environment
-  integration_type                = var.integration_type
-  resource_name_pattern           = local.resource_name_pattern
-  env_vars                        = var.env_vars
-  logs_retention_in_days          = var.lambda_logs_retention_in_days
-  should_write_logs               = var.lambda_enable_logs
-  timeout                         = var.lambda_function_timeout
-  memory_size                     = var.lambda_function_memory_size
-  publish                         = var.lambda_publish
-  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
-  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
-  lambda_source_code_filename     = "app.zip"
-  role_arn                        = module.lambda_role.lambda_role_arn
+  count                       = local.single_lambda_integration ? 1 : 0
+  source                      = "./modules/lambda"
+  global_tags                 = var.global_tags
+  tags                        = var.tags
+  environment                 = var.environment
+  integration_type            = var.integration_type
+  resource_name_pattern       = local.resource_name_pattern
+  env_vars                    = var.env_vars
+  logs_retention_in_days      = var.lambda_logs_retention_in_days
+  should_write_logs           = var.lambda_enable_logs
+  timeout                     = var.lambda_function_timeout
+  memory_size                 = var.lambda_function_memory_size
+  publish                     = var.lambda_publish
+  secrets_arns                = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  lambda_source_code_filename = "app.zip"
+  lambda_source_code_path     = var.lambda_source_code_path
+  role_arn                    = module.lambda_role.lambda_role_arn
 }