update TF versions, providers, Lambda sha references, and arm64 support (#40)
radsec authored Nov 29, 2023
1 parent 31f22dd commit 7dad3d6
Showing 21 changed files with 60 additions and 93 deletions.
5 changes: 3 additions & 2 deletions Makefile
@@ -1,9 +1,10 @@
PKG = github.com/airbnb/rudolph
VERSION := $(shell git describe --tags --always)
DOCS_DIR ?= ./docs
DEPLOYMENT_ZIP_PATH = $(PWD)/build/package/deployment.zip
RUDOLPH_API_DEPLOYMENT_ZIP_PATH = $(PWD)/build/package/api_deployment.zip
RUDOLPH_API_AUTHORIZER_DEPLOYMENT_ZIP_PATH = $(PWD)/build/package/api_authorizer_deployment.zip
TERRAFORM_DEPLOYMENTS_DIR = $(PWD)/deployments/environments
TF_DEFAULT_FLAGS = --var zip_file_path="$(DEPLOYMENT_ZIP_PATH)" --var package_version=$(VERSION)
TF_DEFAULT_FLAGS = --var lambda_api_zip="$(RUDOLPH_API_DEPLOYMENT_ZIP_PATH)" --var lambda_authorizer_zip="$(RUDOLPH_API_AUTHORIZER_DEPLOYMENT_ZIP_PATH)"
LDFLAGS=-ldflags="-X main.version=$(VERSION)"

# Check to ensure the prefix is being passed in as an arg like `ENV=<YOUR_ENVIRONMENT>`
2 changes: 2 additions & 0 deletions deployments/environments/example/README.md
Expand Up @@ -58,7 +58,9 @@ terraform {
provider "aws" {
region = "us-east-1"
default_tags {
tags = {
Name = "Rudolph"
}
}
}
```
4 changes: 2 additions & 2 deletions deployments/environments/example/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = ">= 0.14.11"
required_version = ">= 1.3.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.38.0"
version = "~> 3.76.1"
}
}
}
6 changes: 3 additions & 3 deletions deployments/terraform_modules/default_main.tf
Expand Up @@ -18,9 +18,9 @@ module "santa_api" {
route53_zone_name = var.route53_zone_name
use_existing_route53_zone = var.use_existing_route53_zone

lambda_zip = var.zip_file_path
package_version = var.package_version

lambda_api_zip = var.lambda_api_zip
lambda_authorizer_zip = var.lambda_authorizer_zip
enable_s3_logging = var.enable_s3_logging

kms_key_administrators_arns = var.kms_key_administrators_arns
8 changes: 4 additions & 4 deletions deployments/terraform_modules/default_variables.tf
@@ -1,11 +1,11 @@
variable "zip_file_path" {
variable "lambda_api_zip" {
type = string
description = "Path to zip on disk to use for deployment of Lambda functions. This gets passed in from 'make deploy' command"
description = "Full path to zip with go binary for Lambda to be uploaded to S3"
}

variable "package_version" {
variable "lambda_authorizer_zip" {
type = string
description = "Version of golang binary being used. This value comes from git tags and is used when the Lambda package is uploaded to S3. This gets passed in from 'make deploy' command"
description = "Full path to zip with go binary for Lambda to be uploaded to S3"
}

// These variables are provided by config.auto.tfvars.json
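Review bot: The two new descriptions on `lambda_api_zip` and `lambda_authorizer_zip` are word-for-word identical, so a reader of the plan output or the generated docs cannot tell which zip is wired to which function, and the old text's note that the value is supplied by `make deploy` has been dropped. Suggest `description = "Full path to the API Lambda deployment zip (build/package/api_deployment.zip); supplied by 'make deploy' as --var lambda_api_zip"` and the matching sentence for the authorizer naming api_authorizer_deployment.zip. The same duplicated sentence is reused for both variables in deployments/terraform_modules/santa_api/_variables.tf.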
6 changes: 3 additions & 3 deletions deployments/terraform_modules/santa_api/_variables.tf
Expand Up @@ -39,14 +39,14 @@ variable "stage_name" {
description = "Name of stage to use for this deployment"
}

variable "lambda_zip" {
variable "lambda_api_zip" {
type = string
description = "Full path to zip with go binary for Lambda to be uploaded to S3"
}

variable "package_version" {
variable "lambda_authorizer_zip" {
type = string
description = "Version of golang binary being used. This value comes from git tags and is used when the Lambda package is uploaded to S3"
description = "Full path to zip with go binary for Lambda to be uploaded to S3"
}

variable "use_existing_route53_zone" {
6 changes: 3 additions & 3 deletions deployments/terraform_modules/santa_api/authorizer.tf
Expand Up @@ -9,9 +9,9 @@ module "rudolph_api_authorizer" {
alias_name = var.stage_name
api_gateway_id = aws_api_gateway_rest_api.api_gateway.id
api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn
lambda_source_bucket = aws_s3_bucket_object.santa_api_source.bucket
lambda_source_key = aws_s3_bucket_object.santa_api_source.key
lambda_source_hash = local.lambda_source_hash
lambda_source_bucket = aws_s3_bucket_object.santa_api_authorizer_source.bucket
lambda_source_key = aws_s3_bucket_object.santa_api_authorizer_source.key
lambda_source_hash = local.lambda_authorizer_hash

env_vars = {
REGION = var.region
24 changes: 13 additions & 11 deletions deployments/terraform_modules/santa_api/lambda.tf
@@ -1,8 +1,9 @@
locals {
lambda_source_hash = filebase64sha256(var.lambda_zip)
lambda_source_key = "rudolph-source-${var.package_version}.zip"
lambda_source_hash = filebase64sha256(var.lambda_api_zip)
lambda_source_key = "rudolph-source-${filemd5(var.lambda_api_zip)}.zip"
lambda_authorizer_hash = filebase64sha256(var.lambda_authorizer_zip)
lambda_authorizer_source_key = "rudolph-source-authorizer-${filemd5(var.lambda_authorizer_zip)}.zip"
lambda_source_bucket = length(module.lambda_source) > 0 ? module.lambda_source[0].bucket_name : var.lambda_source_s3_bucket_name

dynamodb_table_name = format("%s_rudolph_store", var.prefix)
firehose_name = var.eventupload_firehose_name == "" ? format("%s_rudolph_eventsupload_firehose", var.prefix) : var.eventupload_firehose_name
}
Expand All @@ -23,8 +24,15 @@ module "lambda_source" {
resource "aws_s3_bucket_object" "santa_api_source" {
bucket = local.lambda_source_bucket
key = local.lambda_source_key
source = var.lambda_zip
etag = filemd5(var.lambda_zip)
source = var.lambda_api_zip
etag = filemd5(var.lambda_api_zip)
}

resource "aws_s3_bucket_object" "santa_api_authorizer_source" {
bucket = local.lambda_source_bucket
key = local.lambda_authorizer_source_key
source = var.lambda_authorizer_zip
etag = filemd5(var.lambda_authorizer_zip)
}


Expand All @@ -37,7 +45,6 @@ module "health_function" {
lambda_source_bucket = aws_s3_bucket_object.santa_api_source.bucket
lambda_source_key = aws_s3_bucket_object.santa_api_source.key
lambda_source_hash = local.lambda_source_hash
lambda_handler = "api"
endpoint = "health"
api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn

Expand All @@ -57,7 +64,6 @@ module "xsrf_function" {
lambda_source_bucket = aws_s3_bucket_object.santa_api_source.bucket
lambda_source_key = aws_s3_bucket_object.santa_api_source.key
lambda_source_hash = local.lambda_source_hash
lambda_handler = "api"
endpoint = "xsrf"
api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn

Expand All @@ -74,7 +80,6 @@ module "preflight_function" {
lambda_source_bucket = aws_s3_bucket_object.santa_api_source.bucket
lambda_source_key = aws_s3_bucket_object.santa_api_source.key
lambda_source_hash = local.lambda_source_hash
lambda_handler = "api"
endpoint = "preflight"
api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn

Expand All @@ -94,7 +99,6 @@ module "eventupload_function" {
lambda_source_bucket = aws_s3_bucket_object.santa_api_source.bucket
lambda_source_key = aws_s3_bucket_object.santa_api_source.key
lambda_source_hash = local.lambda_source_hash
lambda_handler = "api"
endpoint = "eventupload"
api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn

Expand All @@ -117,7 +121,6 @@ module "ruledownload_function" {
lambda_source_bucket = aws_s3_bucket_object.santa_api_source.bucket
lambda_source_key = aws_s3_bucket_object.santa_api_source.key
lambda_source_hash = local.lambda_source_hash
lambda_handler = "api"
endpoint = "ruledownload"
api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn

Expand All @@ -137,7 +140,6 @@ module "postflight_function" {
lambda_source_bucket = aws_s3_bucket_object.santa_api_source.bucket
lambda_source_key = aws_s3_bucket_object.santa_api_source.key
lambda_source_hash = local.lambda_source_hash
lambda_handler = "api"
endpoint = "postflight"
api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn

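Review bot: The new `aws_s3_bucket_object.santa_api_authorizer_source` block is a copy of `santa_api_source` that differs only in its three inputs, and both use the `aws_s3_bucket_object` type that the AWS provider deprecated in favour of `aws_s3_object` in its 4.x line, so the `~> 3.76.1` pin in versions.tf is now what keeps this file applying. The key change also replaces `var.package_version` with `filemd5(...)`: the object name no longer ties a deployed artifact to a git tag, only to its content, and nothing on the page shows that mapping being preserved elsewhere, so consider keeping a version or commit identifier in the key or in the object's `metadata` alongside the content hash. The local names are also uneven, `lambda_source_hash`/`lambda_source_key` versus `lambda_authorizer_hash`/`lambda_authorizer_source_key`; `lambda_authorizer_source_hash` would match the existing pattern and the reference in authorizer.tf. The remaining hunks in this file only drop the now-defaulted `lambda_handler = "api"` from each module call.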
4 changes: 0 additions & 4 deletions deployments/terraform_modules/santa_api/main.tf
Expand Up @@ -14,10 +14,6 @@ resource "aws_api_gateway_rest_api" "api_gateway" {

# Use the authorizer's UsageIdentifierKey to uniquely identify an endpoint.
api_key_source = "AUTHORIZER"

# tags = {
# Name = "Rudolph"
# }
}

##########################
Original file line number Diff line number Diff line change
Expand Up @@ -175,8 +175,4 @@ resource "aws_iam_role" "eventsupload_firehose_role" {
name = "${var.prefix}_rudolph_eventsupload_firehose_role"
path = "/rudolph/"
assume_role_policy = data.aws_iam_policy_document.firehose_assume_role_policy.json

tags = {
Name = "Rudolph"
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,6 @@ locals {

resource "aws_cloudwatch_log_group" "eventsupload_firehose" {
name = "/aws/kinesisfirehose/${local.firehose_name}"

tags = {
Name = "Rudolph"
}
}

resource "aws_kinesis_firehose_delivery_stream" "eventsupload_firehose" {
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,6 @@ resource "aws_kms_key" "rudolph_eventsupload_kms_key" {
enable_key_rotation = true
description = "Rudolph EventsUpload S3 Server-Side Encryption"
policy = data.aws_iam_policy_document.rudolph_eventsupload_kms_key_policy.json

tags = {
Name = "Rudolph"
}
}

data "aws_iam_policy_document" "rudolph_eventsupload_kms_key_policy" {
Original file line number Diff line number Diff line change
Expand Up @@ -70,8 +70,4 @@ resource "aws_s3_bucket" "rudolph_eventsupload_firehose" {
}
}
}

tags = {
Name = "Rudolph"
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ variable "endpoint" {
variable "lambda_handler" {
type = string
description = "Lambda function handler path. If left blank, this will default to a formatted handler based on the endpoint variable value"
default = ""
default = "bootstrap"
}

variable "alias_name" {
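Review bot: The description on `lambda_handler` is now wrong: it still says a blank value falls back to a handler derived from `endpoint`, but the new default is `"bootstrap"` and, in the api_handler lambda file further down, `handler = "bootstrap"` in `locals` no longer reads `var.lambda_handler` at all, so the variable is dead whatever a caller passes. Either remove the variable (the module calls in lambda.tf already stopped passing it) or have the local use it again with `handler = var.lambda_handler` and a description such as `"Executable name inside the deployment zip; the provided.al2 runtime expects \"bootstrap\""`. The same point applies to the `locals` hunk of the api_handler lambda file, whose section has no file header on this page.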
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,6 @@ resource "aws_iam_role" "api_handler_role" {
name = "${var.prefix}_rudolph_${var.endpoint}_role"
assume_role_policy = data.aws_iam_policy_document.lambda_execution_policy.json
path = "/rudolph/"

# tags = {
# Name = "Rudolph"
# }
}

data "aws_iam_policy_document" "lambda_execution_policy" {
Original file line number Diff line number Diff line change
Expand Up @@ -3,16 +3,18 @@
#

locals {
handler = var.lambda_handler == "" ? var.endpoint : var.lambda_handler
handler = "bootstrap"
runtime = "provided.al2"
}


resource "aws_lambda_function" "api_handler" {
function_name = "${var.prefix}_rudolph_${var.endpoint}"
role = aws_iam_role.api_handler_role.arn
handler = local.handler
runtime = "go1.x"
runtime = local.runtime
publish = true
architectures = ["arm64"]

s3_bucket = var.lambda_source_bucket
s3_key = var.lambda_source_key
Expand All @@ -34,10 +36,6 @@ resource "aws_lambda_function" "api_handler" {
variables = var.env_vars
}
}

# tags = {
# Name = "Rudolph"
# }
}

resource "aws_lambda_alias" "api_handler" {
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,6 @@ resource "aws_iam_role" "invocation_role" {
name = "${var.prefix}_rudolph_api_gateway_authorizer"
path = "/rudolph/"
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json

# tags = {
# Name = "Rudolph"
# }
}

data "aws_iam_policy_document" "assume_role_policy" {
Original file line number Diff line number Diff line change
Expand Up @@ -39,20 +39,12 @@ resource "aws_s3_bucket" "santa_api_source" {
}
}
}

# tags = {
# Name = "Rudolph"
# }
}

// KMS Key for S3 server-side encryption
resource "aws_kms_key" "santa_api_source" {
enable_key_rotation = true
description = "Rudolph Source S3 Server-Side Encryption"

# tags = {
# Name = "Rudolph"
# }
}

// KMS Alias for S3 server-side encryption
4 changes: 0 additions & 4 deletions deployments/terraform_modules/santa_api/route53.tf
Expand Up @@ -4,10 +4,6 @@
resource "aws_acm_certificate" "api_ssl_certificate" {
domain_name = local.api_domain_name
validation_method = "DNS"

# tags = {
# Name = "Rudolph"
# }
}

resource "aws_acm_certificate_validation" "api_certificate_validation" {
5 changes: 0 additions & 5 deletions deployments/terraform_modules/santa_api/usage_plan.tf
Expand Up @@ -18,11 +18,6 @@
# rate_limit = 1
# }

# tags = {
# Name = "Rudolph"
# }
# }

# resource "aws_api_gateway_usage_plan_key" "main" {
# key_id = aws_api_gateway_api_key.mykey.id
# key_type = "API_KEY"
35 changes: 22 additions & 13 deletions scripts/build.sh
Expand Up @@ -9,11 +9,14 @@ DIR="$( cd -P "$( dirname "$SOURCE" )/.." && pwd )"
# Establish directories
BUILD_DIR=$DIR/build
LINUX_BUILD_DIR=$BUILD_DIR/linux
LINUX_BUILD_DIR_API=$LINUX_BUILD_DIR/api
LINUX_BUILD_DIR_AUTHORIZER=$LINUX_BUILD_DIR/authorizer
MACOS_BUILD_DIR=$BUILD_DIR/macos
APPS_DIR=$DIR/cmd
CLI_NAME=rudolph
PKG_DIR=$BUILD_DIR/package
DEPLOYMENT_ZIP_PATH=$PKG_DIR/deployment.zip
API_DEPLOYMENT_ZIP_PATH=$PKG_DIR/api_deployment.zip
API_AUTHORIZER_DEPLOYMENT_ZIP_PATH=$PKG_DIR/api_authorizer_deployment.zip

cd "$DIR"

Expand All @@ -23,27 +26,33 @@ rm -rf $BUILD_DIR
# Do the build things
echo "*** compiling application binaries... ***"

echo " compiling api..."
GOOS=linux GOARCH=amd64 go build -o $LINUX_BUILD_DIR/api $APPS_DIR/api
echo " compiling api in linux:arm64..."
GOOS=linux GOARCH=arm64 go build -o $LINUX_BUILD_DIR_API/bootstrap $APPS_DIR/api

echo " compiling authorizer..."
GOOS=linux GOARCH=amd64 go build -o $LINUX_BUILD_DIR/authorizer $APPS_DIR/authorizer
echo " compiling authorizer in linux:arm64..."
GOOS=linux GOARCH=arm64 go build -o $LINUX_BUILD_DIR_AUTHORIZER/bootstrap $APPS_DIR/authorizer

echo " compiling cli..."
GOOS=darwin GOARCH=amd64 go build -o $MACOS_BUILD_DIR/cli_amd64 $APPS_DIR/cli
GOOS=darwin GOARCH=arm64 go build -o $MACOS_BUILD_DIR/cli_arm64 $APPS_DIR/cli
lipo -create -output $MACOS_BUILD_DIR/cli $MACOS_BUILD_DIR/cli_amd64 $MACOS_BUILD_DIR/cli_arm64
ln -sf $MACOS_BUILD_DIR/cli $DIR/$CLI_NAME
if [ "$(uname)" == "Darwin" ]; then
echo " compiling cli..."
GOOS=darwin GOARCH=amd64 go build -o $MACOS_BUILD_DIR/cli_amd64 $APPS_DIR/cli
GOOS=darwin GOARCH=arm64 go build -o $MACOS_BUILD_DIR/cli_arm64 $APPS_DIR/cli
lipo -create -output $MACOS_BUILD_DIR/cli $MACOS_BUILD_DIR/cli_amd64 $MACOS_BUILD_DIR/cli_arm64
ln -sf $MACOS_BUILD_DIR/cli $DIR/$CLI_NAME
fi

echo "*** packaging... ***"

mkdir $PKG_DIR
# remember zip 2nd arg zips up all the specified directories. We omit the dir info by cd,
# but you could use the -j option as well.
cd $LINUX_BUILD_DIR; zip -r $DEPLOYMENT_ZIP_PATH *
cd $LINUX_BUILD_DIR_API; zip -r $API_DEPLOYMENT_ZIP_PATH *
cd $LINUX_BUILD_DIR_AUTHORIZER; zip -r $API_AUTHORIZER_DEPLOYMENT_ZIP_PATH *

echo "*** complete ***"

echo " created:"
echo " $DEPLOYMENT_ZIP_PATH"
echo " $DIR/$CLI_NAME"
echo " $API_DEPLOYMENT_ZIP_PATH"
echo " $API_AUTHORIZER_DEPLOYMENT_ZIP_PATH"
if [ "$(uname)" == "Darwin" ]; then
echo " $MACOS_BUILD_DIR/cli"
fi

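Review bot: `cd $LINUX_BUILD_DIR_API; zip -r $API_DEPLOYMENT_ZIP_PATH *` and the authorizer line after it separate the `cd` from the `zip` with `;`, so if the directory is missing (a failed `go build` above leaves it absent) the glob expands in whatever directory the shell is already in, which after the earlier `cd "$DIR"` is the repository root, and that tree is packaged as the deployment zip; unless the script enables `set -e` above the hunk, nothing stops this. Prefer `cd "$LINUX_BUILD_DIR_API" && zip -r "$API_DEPLOYMENT_ZIP_PATH" ./*` and the same shape for the authorizer, quoting the paths as the rest of the new lines leave them unquoted too. The Lambda `go build` lines also do not set `CGO_ENABLED=0`; whether the resulting `bootstrap` is fully static depends on packages the page does not show, so confirm it starts on the provided.al2 image. The script's preamble is outside the hunk.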