From 317d1c75bc1bfd50084489a0d229fa75ad1db889 Mon Sep 17 00:00:00 2001
From: Tariq Mahmood <tariq.mahmood@digital.justice.gov.uk>
Date: Mon, 16 Oct 2023 16:58:38 +0100
Subject: [PATCH] LAWS-3514: adding lambda funtion as a module - v1.00

---
 terraform/environments/apex/lambda.tf         | 108 ++----------------
 .../environments/apex/module/lambda/main.tf   | 100 ++++++++++++++++
 .../apex/module/lambda/variables.tf           |  40 +++++++
 terraform/environments/apex/variables.tf      |   5 +
 4 files changed, 155 insertions(+), 98 deletions(-)
 create mode 100644 terraform/environments/apex/module/lambda/main.tf
 create mode 100644 terraform/environments/apex/module/lambda/variables.tf
 create mode 100644 terraform/environments/apex/variables.tf

diff --git a/terraform/environments/apex/lambda.tf b/terraform/environments/apex/lambda.tf
index 8b878c1e1a9..ffb213d1095 100644
--- a/terraform/environments/apex/lambda.tf
+++ b/terraform/environments/apex/lambda.tf
@@ -1,103 +1,15 @@
-data "aws_iam_policy_document" "assume_role" {
-  statement {
-    effect = "Allow"
+module "lambda_backup" {
+  source = "./module/lambda"
 
-    principals {
-      type        = "Service"
-      identifiers = ["lambda.amazonaws.com","ssm.amazonaws.com"]
-    }
+backup_policy_name = "${local.application_name}-lambda-instance-policy"
+source_file   = ""
+output_path   = ""
+filename      = ""
+function_name = ""
+handler       = ""
 
-    actions = ["sts:AssumeRole"]
-  }
-}
-
-resource "aws_iam_role" "backuplambdarole" {
-  name               = "backuplambdarole"
-  assume_role_policy = data.aws_iam_policy_document.assume_role.json
-}
-
-resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
-  name = "${local.application_name}-lambda-instance-policy"
-  tags = merge(
+    tags = merge(
     local.tags,
-    {
-      Name = "${local.application_name}-lambda-instance-policy"
-    }
+    { Name = "laa-${local.application_name}-${local.environment}-mp" }
   )
-  policy = <<EOF
-{
-    "Version" : "2012-10-17",
-    "Statement": [
-        {
-            "Action": [
-                "lambda:InvokeFunction",
-                "ec2:CreateNetworkInterface",
-                "ec2:DescribeNetworkInterfaces",
-                "ec2:DeleteNetworkInterface",
-                "ec2:DescribeSecurityGroups",
-                "ec2:CreateSnapshot",
-                "ec2:DeleteSnapshot",
-                "ec2:DescribeSubnets",
-                "ec2:DescribeVpcs",
-                "ec2:DescribeInstances",
-                "ec2:DescribeAddresses",
-                "ec2:DescribeInstanceStatus",
-                "ec2:DescribeVolumes",
-                "ec2:DescribeSnapshots",
-                "ec2:CreateTags",
-                "s3:*",
-                "ssm:*",
-                "ses:*",
-                "logs:*",
-                "cloudwatch:*",
-                "sts:AssumeRole"
-            ],
-            "Resource": "*",
-            "Effect": "Allow"
-        }
-    ]
 }
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "backuppolicyattachment" {
-  role       = aws_iam_role.backuplambdarole.name
-  policy_arn = aws_iam_policy.backuplambdapolicy.arn
-}
-
-data "archive_file" "lambda_dbsnapshot" {
-  type        = "zip"
-  source_file = "dbsnapshot.js"
-  output_path = "snapshotDBFunction.zip"
-}
-
-# data "archive_file" "lambda_dbconnect" {
-#   type        = "zip"
-#   source_file = "dbconnect.js"
-#   output_path = "connectDBFunction.zip"
-# }
-
-# data "archive_file" "lambda_delete_deletesnapshots" {
-#   type        = "zip"
-#   source_file = "deletesnapshots.py"
-#   output_path = "DeleteEBSPendingSnapshots.zip"
-# }
-
-resource "aws_lambda_function" "snapshotDBFunction" {
-  # If the file is not in the current working directory you will need to include a
-  # path.module in the filename.
-  filename      = "snapshotDBFunction.zip"
-  function_name = "snapshotDBFunction"
-  role          = aws_iam_role.backuplambdarole.arn
-  handler       = "snapshot/dbsnapshot.handler"
-
-  source_code_hash = data.archive_file.lambda_dbsnapshot.output_base64sha256
-
-  runtime = "nodejs18.x"
-
-#   environment {
-#     variables = {
-#       foo = "bar"
-#     }
-#   }
-}
\ No newline at end of file
diff --git a/terraform/environments/apex/module/lambda/main.tf b/terraform/environments/apex/module/lambda/main.tf
new file mode 100644
index 00000000000..3b83fa44fa1
--- /dev/null
+++ b/terraform/environments/apex/module/lambda/main.tf
@@ -0,0 +1,100 @@
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com","ssm.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "backuplambdarole" {
+  name               = "backuplambdarole"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
+  name = var.backup_policy_name
+  tags = var.tags
+  policy = <<EOF
+{
+    "Version" : "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "lambda:InvokeFunction",
+                "ec2:CreateNetworkInterface",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DeleteNetworkInterface",
+                "ec2:DescribeSecurityGroups",
+                "ec2:CreateSnapshot",
+                "ec2:DeleteSnapshot",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeVpcs",
+                "ec2:DescribeInstances",
+                "ec2:DescribeAddresses",
+                "ec2:DescribeInstanceStatus",
+                "ec2:DescribeVolumes",
+                "ec2:DescribeSnapshots",
+                "ec2:CreateTags",
+                "s3:*",
+                "ssm:*",
+                "ses:*",
+                "logs:*",
+                "cloudwatch:*",
+                "sts:AssumeRole"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "backuppolicyattachment" {
+  role       = aws_iam_role.backuplambdarole.name
+  policy_arn = aws_iam_policy.backuplambdapolicy.arn
+}
+
+data "archive_file" "lambda_dbsnapshot" {
+  type        = "zip"
+  source_file = var.source_file
+  output_path = var.output_path
+}
+
+# data "archive_file" "lambda_dbconnect" {
+#   type        = "zip"
+#   source_file = "dbconnect.js"
+#   output_path = "connectDBFunction.zip"
+# }
+
+# data "archive_file" "lambda_delete_deletesnapshots" {
+#   type        = "zip"
+#   source_file = "deletesnapshots.py"
+#   output_path = "DeleteEBSPendingSnapshots.zip"
+# }
+
+resource "aws_lambda_function" "snapshotDBFunction" {
+  # If the file is not in the current working directory you will need to include a
+  # path.module in the filename.
+
+  count         =
+  filename      = var.filename
+  function_name = var.function_name
+  role          = aws_iam_role.backuplambdarole.arn
+  handler       = var.handler
+
+  source_code_hash = data.archive_file.lambda_dbsnapshot.output_base64sha256
+
+  runtime = "nodejs18.x"
+
+#   environment {
+#     variables = {
+#       foo = "bar"
+#     }
+#   }
+}
\ No newline at end of file
diff --git a/terraform/environments/apex/module/lambda/variables.tf b/terraform/environments/apex/module/lambda/variables.tf
new file mode 100644
index 00000000000..ce11f22824e
--- /dev/null
+++ b/terraform/environments/apex/module/lambda/variables.tf
@@ -0,0 +1,40 @@
+variable "backup_policy_name" {
+  type        = string
+  description = "backup iam policy name"
+  default     = null
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Tags to apply to resources, where applicable"
+}
+
+variable "source_file" {
+  type        = string
+  description = "source file for Function"
+  default     = ""
+}
+
+variable "output_path" {
+  type        = string
+  description = "output path to zip file Function"
+  default     = ""
+}
+
+variable "filename" {
+  type        = string
+  description = "Function filename"
+  default     = ""
+}
+
+variable "function_name" {
+  type        = string
+  description = "Function function name"
+  default     = ""
+}
+
+variable "handler" {
+  type        = string
+  description = "Function handler"
+  default     = ""
+}
\ No newline at end of file
diff --git a/terraform/environments/apex/variables.tf b/terraform/environments/apex/variables.tf
new file mode 100644
index 00000000000..146e983184c
--- /dev/null
+++ b/terraform/environments/apex/variables.tf
@@ -0,0 +1,5 @@
+variable "sandboxes" {
+  type    = list(string)
+  default = ["sandbox_server_one", "sandbox_server_two", "sandbox_server_three"]
+}
+