From cfa1786ab173f5dd2ecdc8aef097475e975215a4 Mon Sep 17 00:00:00 2001
From: Gavriel Hagag
Date: Sun, 1 Dec 2024 17:13:00 +0200
Subject: [PATCH 1/4] lambda support vpc

---
 CHANGELOG.md | 5 +++++
 examples/basic-github-integration.tf | 6 ++++++
 examples/basic-gitlab-integration.tf | 6 ++++++
 examples/basic-jira-integration.tf | 6 ++++++
 examples/basic-terraform-integration.tf | 6 ++++++
 modules/lambda/lambda.tf | 26 +++++++++++++++++++++++++
 modules/lambda/variables.tf | 14 +++++++++++++
 modules/role/outputs.tf | 4 ++++
 multiple-lambdas-integration.tf | 4 ++++
 single-lambda-integration.tf | 2 ++
 variables.tf | 9 +++++++++
 11 files changed, 88 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed728a2..2a080b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+
+## [4.2.0] - 2024-12-01
+### Added
+- Added VPC support to Lambda function
+
 ## [4.1.0] - 2024-11-13
 ### Added
 - Support for self hosted github
diff --git a/examples/basic-github-integration.tf b/examples/basic-github-integration.tf
index c612262..1b196ab 100644
--- a/examples/basic-github-integration.tf
+++ b/examples/basic-github-integration.tf
@@ -28,4 +28,10 @@ module "spectral_lambda_integration" {
 STRICT_MODE = false
 SPECTRAL_TAGS = "iac,base,audit"
 }
+
+ # With VPC configuration
+ vpc_config = {
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+ security_group_ids = ["sg-12345678"]
+ }
 }
\ No newline at end of file
diff --git a/examples/basic-gitlab-integration.tf b/examples/basic-gitlab-integration.tf
index 117e70f..c5fd391 100644
--- a/examples/basic-gitlab-integration.tf
+++ b/examples/basic-gitlab-integration.tf
@@ -13,4 +13,10 @@ module "spectral_lambda_integration" {
 # STRICT_MODE = false / true
 # SPECTRAL_TAGS = "iac,base,audit"
 }
+
+ # With VPC configuration
+ vpc_config = {
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+ security_group_ids = ["sg-12345678"]
+ }
 }
\ No newline at end of file
diff --git a/examples/basic-jira-integration.tf b/examples/basic-jira-integration.tf
index cabb149..b6ba5d7 100644
--- a/examples/basic-jira-integration.tf
+++ b/examples/basic-jira-integration.tf
@@ -16,4 +16,10 @@ module "spectral_lambda_integration" {
 # REDACTED_MESSAGE = "MyRedactedMessage"
 # SPECTRAL_TAGS = "iac,base,audit"
 }
+
+ # With VPC configuration
+ vpc_config = {
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+ security_group_ids = ["sg-12345678"]
+ }
 }
\ No newline at end of file
diff --git a/examples/basic-terraform-integration.tf b/examples/basic-terraform-integration.tf
index da6bee3..b0d4e6d 100644
--- a/examples/basic-terraform-integration.tf
+++ b/examples/basic-terraform-integration.tf
@@ -7,4 +7,10 @@ module "spectral_lambda_integration" {
 SPECTRAL_DSN = "MySpectralDSN"
 CHECK_POLICY = "Fail on any issue" # (Fail on any issue / Fail on warnings and above / Fail on errors only / Always Pass)
 }
+
+ # With VPC configuration
+ vpc_config = {
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+ security_group_ids = ["sg-12345678"]
+ }
 }
\ No newline at end of file
diff --git a/modules/lambda/lambda.tf b/modules/lambda/lambda.tf
index 7e29feb..5e68b9c 100644
--- a/modules/lambda/lambda.tf
+++ b/modules/lambda/lambda.tf
@@ -1,3 +1,5 @@
+data "aws_partition" "current" {}
+
 locals {
 runtime = "nodejs20.x"
 lambda_source_code_zip_path = coalesce(var.lambda_source_code_path, "${path.module}/source_code/${var.integration_type}/${var.lambda_source_code_filename}")
@@ -21,6 +23,18 @@ resource "aws_lambda_function" "spectral_scanner_lambda" {
 environment {
 variables = var.env_vars
 }
+
+ dynamic "vpc_config" {
+ for_each = var.vpc_config != null ? [var.vpc_config] : []
+ content {
+ subnet_ids = vpc_config.value.subnet_ids
+ security_group_ids = vpc_config.value.security_group_ids
+ }
+ }
+
+ depends_on = [
+ aws_iam_role_policy.lambda_vpc_policy,
+ ]
 }
 
 resource "aws_cloudwatch_log_group" "lambda_log_group" {
@@ -32,4 +46,16 @@ resource "aws_cloudwatch_log_group" "lambda_log_group" {
 var.global_tags,
 lookup(var.tags, "lambda", {}),
 )
+}
+
+data "aws_iam_policy" "lambda_vpc_policy" {
+ count = var.vpc_config != null ? 1 : 0
+ arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
+}
+
+resource "aws_iam_role_policy" "lambda_vpc_policy" {
+ count = var.vpc_config != null ? 1 : 0
+ name = "lambda-vpc-policy"
+ role = var.lambda_role_id
+ policy = data.aws_iam_policy.lambda_vpc_policy[0].policy
 }
\ No newline at end of file
diff --git a/modules/lambda/variables.tf b/modules/lambda/variables.tf
index 131ef6b..6c2d9d4 100644
--- a/modules/lambda/variables.tf
+++ b/modules/lambda/variables.tf
@@ -86,8 +86,22 @@ variable "role_arn" {
 description = "The lambda source code filename"
 }
 
+variable "lambda_role_id" {
+ type = string
+ description = "The lambda role id"
+}
+
 variable "lambda_handler" {
 type = string
 description = "The handler of the handler"
 default = "handler.app"
+}
+
+variable "vpc_config" {
+ type = object({
+ subnet_ids = list(string)
+ security_group_ids = list(string)
+ })
+ description = "The VPC configuration for the lambda"
+ default = null
 }
\ No newline at end of file
diff --git a/modules/role/outputs.tf b/modules/role/outputs.tf
index ef474a0..c1a8332 100644
--- a/modules/role/outputs.tf
+++ b/modules/role/outputs.tf
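Review bot: `aws_iam_role_policy.lambda_vpc_policy` in the third hunk uses the fixed inline name `lambda-vpc-policy` on `var.lambda_role_id`, and multiple-lambdas-integration.tf instantiates this module twice (frontend and backend) with the same `module.lambda_role.lambda_role_id`, so two Terraform resources manage one inline policy on one role: PutRolePolicy silently overwrites rather than fails, and destroying or tainting either instance strips the ENI permissions the other still needs. Because the policy body is the unmodified `AWSLambdaENIManagementAccess` document, the single-owner fix is to attach it once where the role is created, via `aws_iam_role_policy_attachment` with `policy_arn = data.aws_iam_policy.lambda_vpc_policy[0].arn`, and point the function's `depends_on` at that attachment; if it must stay per function, derive `name` from the function's name so each instance owns a distinct inline policy. A short comment above the data source would also help the next reader: `# AWS-managed policy granting the ec2 network-interface actions (create/describe/delete) on "*" that a VPC-attached function needs at creation time`. The `depends_on` in the second hunk is fine as written, since referencing a counted resource as a whole is valid even when count is 0.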
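Review bot: `variable "vpc_config"` accepts any object shape the type allows, including empty `subnet_ids` or `security_group_ids`, which would render a `vpc_config` block in the function with empty lists and fail only at apply time with an AWS error rather than at plan time; a `validation` block catches this early. The conditional form is used below because Terraform's `||` does not short-circuit on a null object. The same validation applies to the root `vpc_config` in variables.tf.

```hcl
variable "vpc_config" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.vpc_config == null ? true : (length(var.vpc_config.subnet_ids) > 0 && length(var.vpc_config.security_group_ids) > 0)
    error_message = "vpc_config requires at least one subnet id and at least one security group id."
  }
}
```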
@@ -4,4 +4,8 @@ output "lambda_role_name" {
 
 output "lambda_role_arn" {
 value = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_role_id" {
+ value = aws_iam_role.lambda_execution_role.id
 }
\ No newline at end of file
diff --git a/multiple-lambdas-integration.tf b/multiple-lambdas-integration.tf
index ffec1e7..0ab149d 100644
--- a/multiple-lambdas-integration.tf
+++ b/multiple-lambdas-integration.tf
@@ -18,6 +18,8 @@ module "frontend_lambda_function" {
 lambda_source_code_filename = "frontend.zip"
 lambda_source_code_path = var.frontend_lambda_source_code_path
 role_arn = module.lambda_role.lambda_role_arn
+ vpc_config = var.vpc_config
+ lambda_role_id = module.lambda_role.lambda_role_id
 }
 
 module "backend_lambda_function" {
@@ -40,6 +42,8 @@ module "backend_lambda_function" {
 lambda_source_code_filename = "backend.zip"
 lambda_source_code_path = var.backend_lambda_source_code_path
 role_arn = module.lambda_role.lambda_role_arn
+ vpc_config = var.vpc_config
+ lambda_role_id = module.lambda_role.lambda_role_id
 }
 
 data "aws_iam_policy_document" "lambda_invoke_policy_document" {
diff --git a/single-lambda-integration.tf b/single-lambda-integration.tf
index e162e88..b4f7846 100644
--- a/single-lambda-integration.tf
+++ b/single-lambda-integration.tf
@@ -16,4 +16,6 @@ module "lambda_function" {
 lambda_source_code_filename = "app.zip"
 lambda_source_code_path = var.lambda_source_code_path
 role_arn = module.lambda_role.lambda_role_arn
+ vpc_config = var.vpc_config
+ lambda_role_id = module.lambda_role.lambda_role_id
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 33a761c..0fb8e79 100644
--- a/variables.tf
+++ b/variables.tf
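Review bot: `output "lambda_role_id"` exposes `aws_iam_role.lambda_execution_role.id`, which for this resource type is the role name, so it is presumably the same value as the existing `lambda_role_name` output whose body is outside the hunk; if so, the new `lambda_role_id` input of the lambda module could take `lambda_role_name` and this output is redundant. If it is kept, give it a `description` so the module interface documents why two outputs carry the same value, e.g. `description = "Role id (equals the role name); consumed by the lambda module's lambda_role_id input"`.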
@@ -116,4 +116,13 @@ variable "gateway_api_integration_timeout_milliseconds" {
 description = "Timeout for the API Gateway to wait for lambda response"
 type = number
 default = 29000
+}
+
+variable "vpc_config" {
+ description = "VPC configuration for the Lambda function"
+ type = object({
+ subnet_ids = list(string)
+ security_group_ids = list(string)
+ })
+ default = null
 }
\ No newline at end of file
From 788d54d5ecfd155f804af17835ac4ed5e06c66fa Mon Sep 17 00:00:00 2001
From: Gavriel Hagag
Date: Sun, 1 Dec 2024 17:35:32 +0200
Subject: [PATCH 2/4] fmt

---
 modules/lambda/lambda.tf | 2 +-
 modules/lambda/variables.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/lambda/lambda.tf b/modules/lambda/lambda.tf
index 5e68b9c..b6db838 100644
--- a/modules/lambda/lambda.tf
+++ b/modules/lambda/lambda.tf
@@ -50,7 +50,7 @@ resource "aws_cloudwatch_log_group" "lambda_log_group" {
 
 data "aws_iam_policy" "lambda_vpc_policy" {
 count = var.vpc_config != null ? 1 : 0
- arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
+ arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
 }
 
 resource "aws_iam_role_policy" "lambda_vpc_policy" {
diff --git a/modules/lambda/variables.tf b/modules/lambda/variables.tf
index 6c2d9d4..242ce9e 100644
--- a/modules/lambda/variables.tf
+++ b/modules/lambda/variables.tf
@@ -98,7 +98,7 @@ variable "lambda_handler" {
 }
 
 variable "vpc_config" {
- type = object({
+ type = object({
 subnet_ids = list(string)
 security_group_ids = list(string)
 })
From 7762249912a1e5f17193457ae2c21a668343d354 Mon Sep 17 00:00:00 2001
From: Gavriel Hagag
Date: Mon, 2 Dec 2024 10:40:20 +0200
Subject: [PATCH 3/4] add doc

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 033c7cd..280968d 100644
--- a/README.md
+++ b/README.md
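Review bot: The `description` of the root `vpc_config` variable says only "VPC configuration for the Lambda function" and leaves out the operational consequence a user hits first: once attached to a VPC the function loses its default internet path, and the examples suggest it calls out to external services (SPECTRAL_DSN, a GitLab token), so the chosen subnets need an outbound route and the security groups must permit that egress. Suggested text: `description = "VPC configuration for the Lambda function. Attaching the function to a VPC removes its default internet access, so the subnets must have an outbound route (e.g. NAT gateway or VPC endpoints) and the security groups must allow egress to the services the function calls."`. The same wording would fit the module-level `vpc_config` in modules/lambda/variables.tf and the README table row.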
@@ -52,6 +52,7 @@ Terraform configuration used to create the required AWS resources for integratin
 | [secrets\_names](#input\_secrets\_names) | Names of secrets to create | `list(string)` | `null` | no |
 | [store\_secret\_in\_secrets\_manager](#input\_store\_secret\_in\_secrets\_manager) | Whether to store your secrets in secrets manager, default is false | `bool` | `false` | no |
 | [tags](#input\_tags) | A collection of tags grouped by key representing it's target resource. | `map(map(string))` |
{
"api_gateway": {},
"iam": {},
"lambda": {}
}
| no |
+| [vpc\_config](#input\_vpc\_config) | Configuration block for VPC settings for the Lambda function, including subnet IDs and security group IDs. |
object({
subnet_ids = list(string)
security_group_ids = list(string)
})
| `null` | no | ### env_vars
From 3b52029d45160651e157a344b8cdc991b8fc4958 Mon Sep 17 00:00:00 2001
From: Gavriel Hagag
Date: Tue, 3 Dec 2024 11:58:35 +0200
Subject: [PATCH 4/4] fix rejects

---
 examples/basic-github-integration.tf | 6 ------
 examples/basic-gitlab-integration.tf | 6 ------
 examples/basic-jira-integration.tf | 6 ------
 examples/basic-terraform-integration.tf | 6 ------
 examples/lambda-in-vpc.tf | 19 +++++++++++++++++++
 5 files changed, 19 insertions(+), 24 deletions(-)
 create mode 100644 examples/lambda-in-vpc.tf

diff --git a/examples/basic-github-integration.tf b/examples/basic-github-integration.tf
index 1b196ab..c612262 100644
--- a/examples/basic-github-integration.tf
+++ b/examples/basic-github-integration.tf
@@ -28,10 +28,4 @@ module "spectral_lambda_integration" {
 STRICT_MODE = false
 SPECTRAL_TAGS = "iac,base,audit"
 }
-
- # With VPC configuration
- vpc_config = {
- subnet_ids = ["subnet-12345678", "subnet-87654321"]
- security_group_ids = ["sg-12345678"]
- }
 }
\ No newline at end of file
diff --git a/examples/basic-gitlab-integration.tf b/examples/basic-gitlab-integration.tf
index c5fd391..117e70f 100644
--- a/examples/basic-gitlab-integration.tf
+++ b/examples/basic-gitlab-integration.tf
@@ -13,10 +13,4 @@ module "spectral_lambda_integration" {
 # STRICT_MODE = false / true
 # SPECTRAL_TAGS = "iac,base,audit"
 }
-
- # With VPC configuration
- vpc_config = {
- subnet_ids = ["subnet-12345678", "subnet-87654321"]
- security_group_ids = ["sg-12345678"]
- }
 }
\ No newline at end of file
diff --git a/examples/basic-jira-integration.tf b/examples/basic-jira-integration.tf
index b6ba5d7..cabb149 100644
--- a/examples/basic-jira-integration.tf
+++ b/examples/basic-jira-integration.tf
@@ -16,10 +16,4 @@ module "spectral_lambda_integration" {
 # REDACTED_MESSAGE = "MyRedactedMessage"
 # SPECTRAL_TAGS = "iac,base,audit"
 }
-
- # With VPC configuration
- vpc_config = {
- subnet_ids = ["subnet-12345678", "subnet-87654321"]
- security_group_ids = ["sg-12345678"]
- }
 }
\ No newline at end of file
diff --git a/examples/basic-terraform-integration.tf b/examples/basic-terraform-integration.tf
index b0d4e6d..da6bee3 100644
--- a/examples/basic-terraform-integration.tf
+++ b/examples/basic-terraform-integration.tf
@@ -7,10 +7,4 @@ module "spectral_lambda_integration" {
 SPECTRAL_DSN = "MySpectralDSN"
 CHECK_POLICY = "Fail on any issue" # (Fail on any issue / Fail on warnings and above / Fail on errors only / Always Pass)
 }
-
- # With VPC configuration
- vpc_config = {
- subnet_ids = ["subnet-12345678", "subnet-87654321"]
- security_group_ids = ["sg-12345678"]
- }
 }
\ No newline at end of file
diff --git a/examples/lambda-in-vpc.tf b/examples/lambda-in-vpc.tf
new file mode 100644
index 0000000..f5b30cd
--- /dev/null
+++ b/examples/lambda-in-vpc.tf
@@ -0,0 +1,19 @@
+module "spectral_lambda_integration" {
+ source = "github.com/SpectralOps/spectral-terraform-lambda-integration"
+
+ integration_type = "gitlab"
+
+ env_vars = {
+ # Required environment variables
+ SPECTRAL_DSN = "MySpectralDSN"
+ CHECK_POLICY = "Fail on any issue" # (Fail on any issue / Fail on warnings and above / Fail on errors only / Always Pass)
+ GITLAB_ACCESS_TOKEN = "MyGitlabToken"
+ GITLAB_WEBHOOK_SECRET = "MyGitlabWebhookSecret"
+ }
+
+ # With VPC configuration
+ vpc_config = {
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+ security_group_ids = ["sg-12345678"]
+ }
+}
\ No newline at end of file
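Review bot: The new examples/lambda-in-vpc.tf passes `GITLAB_ACCESS_TOKEN` and `GITLAB_WEBHOOK_SECRET` as plain `env_vars`, so anyone copying it as their VPC template ends up with credentials in Lambda environment configuration and in Terraform state, while the README table in this series documents a `store_secret_in_secrets_manager` input for exactly that case; the example should set it, or at least say in a comment that the token values are placeholders and point at that input. The `# With VPC configuration` comment is also where a reader would expect the one caveat that matters for this file: the listed subnets must have an outbound route and `sg-12345678` must allow egress, since the function presumably has to reach GitLab and Spectral; something like `# Subnets must have an outbound route (NAT gateway / endpoints) and the security group must allow egress; the function has no default internet access once attached to a VPC.` Finally, the file name is generic while `integration_type = "gitlab"` and the token variables are GitLab-specific, which is worth stating in a one-line header comment.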