lambda support vpc #20

Merged
merged 6 commits into from
Dec 31, 2024
2 changes: 1 addition & 1 deletion .github/workflows/scan.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Install and run Spectral CI
uses: spectralops/spectral-github-action@v3
uses: spectralops/spectral-github-action@v4
with:
spectral-dsn: ${{ env.SPECTRAL_DSN }}
spectral-args: scan --unpack --ok --engines secrets,iac
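Review bot: both actions in this job are referenced by mutable major-version tags (`actions/checkout@v2`, `spectralops/spectral-github-action@v4`), so the workflow will run whatever those tags point at in future rather than the code reviewed here. Pin each to a full commit SHA with the version in a trailing comment, and bump `actions/checkout@v2` while you are in this file, since it is two major versions behind. The `spectral-args` line is unchanged, so the `secrets,iac` engines are still the ones exercised after the action bump.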
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,11 @@
# Change Log

All notable changes to this project will be documented in this file.

## [4.2.0] - 2024-12-01
### Added
- Added VPC support to Lambda function

## [4.1.0] - 2024-11-13
### Added
- Support for self hosted github
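Review bot: the 4.2.0 entry should mention the two side effects a user cannot see from "Added VPC support": setting `vpc_config` writes the document of the AWS-managed `AWSLambdaENIManagementAccess` policy into the execution role as an inline policy, and the `modules/lambda` submodule gains a new required input, `lambda_role_id`. Also check the date: the entry is dated 2024-12-01 while the PR was merged on Dec 31, 2024.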
1 change: 1 addition & 0 deletions README.md
@@ -52,6 +52,7 @@ Terraform configuration used to create the required AWS resources for integratin
| <a name="input_secrets_names"></a> [secrets\_names](#input\_secrets\_names) | Names of secrets to create | `list(string)` | `null` | no |
| <a name="input_store_secret_in_secrets_manager"></a> [store\_secret\_in\_secrets\_manager](#input\_store\_secret\_in\_secrets\_manager) | Whether to store your secrets in secrets manager, default is false | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A collection of tags grouped by key representing it's target resource. | `map(map(string))` | <pre>{<br> "api_gateway": {},<br> "iam": {},<br> "lambda": {}<br>}</pre> | no |
| <a name="input_vpc_config"></a> [vpc\_config](#input\_vpc\_config) | Configuration block for VPC settings for the Lambda function, including subnet IDs and security group IDs. | <pre>object({<br> subnet_ids = list(string)<br> security_group_ids = list(string)<br>})</pre> | `null` | no |

### env_vars

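Review bot: the `vpc_config` row documents the shape of the input but not the prerequisites a reader cannot infer from the type: a Lambda attached to a VPC loses its default internet path, so the subnets need a route through a NAT gateway (or VPC endpoints for every service the function calls), the security groups must allow that egress, and enabling the option adds an inline ENI-management policy to the execution role. Without that note, isolated subnets produce a function that deploys cleanly but cannot reach anything outside the VPC.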
15 changes: 15 additions & 0 deletions examples/vpc-in-lambda.tf
@@ -0,0 +1,15 @@
module "spectral_lambda_integration" {
source = "github.com/SpectralOps/spectral-terraform-lambda-integration"

integration_type = "gitlab"

env_vars = {
# Required environment variables for GitLab integration
}

# With VPC configuration
vpc_config = {
subnet_ids = ["subnet-12345678", "subnet-87654321"]
security_group_ids = ["sg-12345678"]
}
}
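Review bot: the `source` has no `?ref=` pin, so this example tracks the default branch of `github.com/SpectralOps/spectral-terraform-lambda-integration` and a later `terraform init -upgrade` can pull unreviewed changes into the caller's account. Pin it to the release this PR ships, e.g. `source = "github.com/SpectralOps/spectral-terraform-lambda-integration?ref=v4.2.0"`, and add a comment that `subnet-12345678`/`sg-12345678` are placeholders and that the subnets need an egress route for the function to reach anything outside the VPC.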
26 changes: 26 additions & 0 deletions modules/lambda/lambda.tf
@@ -1,3 +1,5 @@
data "aws_partition" "current" {}

locals {
runtime = "nodejs20.x"
lambda_source_code_zip_path = coalesce(var.lambda_source_code_path, "${path.module}/source_code/${var.integration_type}/${var.lambda_source_code_filename}")
@@ -21,6 +23,18 @@ resource "aws_lambda_function" "spectral_scanner_lambda" {
environment {
variables = var.env_vars
}

dynamic "vpc_config" {
for_each = var.vpc_config != null ? [var.vpc_config] : []
content {
subnet_ids = vpc_config.value.subnet_ids
security_group_ids = vpc_config.value.security_group_ids
}
}

depends_on = [
aws_iam_role_policy.lambda_vpc_policy,
]
}

resource "aws_cloudwatch_log_group" "lambda_log_group" {
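Review bot: the `dynamic "vpc_config"` block and `depends_on = [aws_iam_role_policy.lambda_vpc_policy]` are correct, but the ordering is load-bearing in both directions and deserves a comment on the `depends_on`: Lambda creates the ENIs with the execution role's permissions when the function is created or updated, and needs the same permissions to delete them when the function is destroyed, so the policy must exist before the function and outlive it. Note also that `depends_on` only orders the Terraform graph; IAM is eventually consistent, so a freshly written inline policy can briefly not be visible to Lambda, and a `CreateNetworkInterface` permission error on the first apply is usually cured by re-applying.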
@@ -32,4 +46,16 @@ resource "aws_cloudwatch_log_group" "lambda_log_group" {
var.global_tags,
lookup(var.tags, "lambda", {}),
)
}

data "aws_iam_policy" "lambda_vpc_policy" {
count = var.vpc_config != null ? 1 : 0
arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
}

resource "aws_iam_role_policy" "lambda_vpc_policy" {
count = var.vpc_config != null ? 1 : 0
name = "lambda-vpc-policy"
role = var.lambda_role_id
policy = data.aws_iam_policy.lambda_vpc_policy[0].policy
}
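Review bot: `aws_iam_role_policy.lambda_vpc_policy` copies the document of the AWS-managed `AWSLambdaENIManagementAccess` policy into an inline policy; that snapshot will not follow AWS's updates to the managed policy and counts against the role's inline policy size limit. Prefer `aws_iam_role_policy_attachment` with `policy_arn = data.aws_iam_policy.lambda_vpc_policy[0].arn` (at which point the ARN string alone suffices and the data source can go). Separately, the fixed `name = "lambda-vpc-policy"` is scoped per role, so two instances of this module given the same `lambda_role_id` will both manage one inline policy and the first one destroyed removes it from under the other.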
14 changes: 14 additions & 0 deletions modules/lambda/variables.tf
@@ -86,8 +86,22 @@ variable "role_arn" {
description = "The lambda source code filename"
}

variable "lambda_role_id" {
type = string
description = "The lambda role id"
}

variable "lambda_handler" {
type = string
description = "The handler of the handler"
default = "handler.app"
}

variable "vpc_config" {
type = object({
subnet_ids = list(string)
security_group_ids = list(string)
})
description = "The VPC configuration for the lambda"
default = null
}
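Review bot: `lambda_role_id` is a new required input of the submodule (no default), yet it is only consumed when `vpc_config` is set; either give it `default = null` and gate the policy on both, or say in the description that it must be supplied alongside `role_arn` and that it is the role name (the provider uses the name as the ID of `aws_iam_role`). `vpc_config` would also benefit from a `validation` block that rejects an empty `subnet_ids` or `security_group_ids`, so a mistake is caught at plan time instead of surfacing as a Lambda API error during apply.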
4 changes: 4 additions & 0 deletions modules/role/outputs.tf
@@ -4,4 +4,8 @@ output "lambda_role_name" {

output "lambda_role_arn" {
value = aws_iam_role.lambda_execution_role.arn
}

output "lambda_role_id" {
value = aws_iam_role.lambda_execution_role.id
}
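Review bot: `aws_iam_role.lambda_execution_role.id` is the role name (the provider uses the name as the ID of `aws_iam_role`), so this output carries the same value as the existing `lambda_role_name` at the top of this file. Either have the callers pass `module.lambda_role.lambda_role_name` instead, or add a comment explaining why a second output is wanted.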
4 changes: 4 additions & 0 deletions multiple-lambdas-integration.tf
@@ -18,6 +18,8 @@ module "frontend_lambda_function" {
lambda_source_code_filename = "frontend.zip"
lambda_source_code_path = var.frontend_lambda_source_code_path
role_arn = module.lambda_role.lambda_role_arn
vpc_config = var.vpc_config
lambda_role_id = module.lambda_role.lambda_role_id
}

module "backend_lambda_function" {
@@ -40,6 +42,8 @@ module "backend_lambda_function" {
lambda_source_code_filename = "backend.zip"
lambda_source_code_path = var.backend_lambda_source_code_path
role_arn = module.lambda_role.lambda_role_arn
vpc_config = var.vpc_config
lambda_role_id = module.lambda_role.lambda_role_id
}

data "aws_iam_policy_document" "lambda_invoke_policy_document" {
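Review bot: `module.frontend_lambda_function` and `module.backend_lambda_function` now receive the same `lambda_role_id` and the same `vpc_config`, so each instance of `modules/lambda` creates an `aws_iam_role_policy` named `lambda-vpc-policy` on the one shared role. Two Terraform resources then manage a single IAM object: the apply succeeds because the documents are identical, but destroying one module instance, or removing `vpc_config` from one function, deletes the inline policy the other still needs for its ENIs. Attach the ENI policy once, next to the shared role in `modules/role` and gated on `var.vpc_config != null`, and keep the lambda submodule from mutating the role.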
2 changes: 2 additions & 0 deletions single-lambda-integration.tf
@@ -16,4 +16,6 @@ module "lambda_function" {
lambda_source_code_filename = "app.zip"
lambda_source_code_path = var.lambda_source_code_path
role_arn = module.lambda_role.lambda_role_arn
vpc_config = var.vpc_config
lambda_role_id = module.lambda_role.lambda_role_id
}
9 changes: 9 additions & 0 deletions variables.tf
@@ -116,4 +116,13 @@ variable "gateway_api_integration_timeout_milliseconds" {
description = "Timeout for the API Gateway to wait for lambda response"
type = number
default = 29000
}

variable "vpc_config" {
description = "VPC configuration for the Lambda function"
type = object({
subnet_ids = list(string)
security_group_ids = list(string)
})
default = null
}
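Review bot: the description "VPC configuration for the Lambda function" should say what setting it implies for the caller: the function loses its default internet path, so the subnets need a NAT route or VPC endpoints for the scanner to reach anything outside the VPC, and the execution role gets an inline ENI-management policy. It is also applied unchanged to every function in the multiple-lambdas layout, which is worth stating. A `validation` block requiring both lists to be non-empty whenever the object is set would turn a silent misconfiguration into a plan-time error.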