# Trust policy for the DB-migrate Lambda's execution role: only the Lambda
# service principal may assume it.
# NOTE(review): the trust statement carries no aws:SourceAccount /
# aws:SourceArn condition, so any Lambda function in any account that AWS
# lets target this role could assume it. Adding such a condition is the
# standard confused-deputy hardening for service principals — confirm the
# intended account/function scope before narrowing it.
data "aws_iam_policy_document" "lambda_ecs_execute_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
# Execution role for aws_lambda_function.db_migrate_lambda. It carries only the
# trust relationship; the actual permissions are attached as inline policies by
# the aws_iam_role_policy resources in this file.
resource "aws_iam_role" "lambda_ecs_execute_role" {
  name = local.lambda_ecs_execute_role_name
  tags = var.standard_tags

  assume_role_policy = data.aws_iam_policy_document.lambda_ecs_execute_role.json
}
# CloudWatch Logs permissions for the DB-migrate Lambda.
#
# CreateLogGroup is granted on the region-wide ARN prefix (presumably because
# the function's log group does not exist until first invocation), while
# stream/event writes are restricted to this function's own
# /aws/lambda/<function> log group, so the role cannot write into other groups.
data "aws_iam_policy_document" "lambda_ecs_task_execute_policy_cloudwatch" {
  statement {
    sid       = "CreateLogGroup"
    effect    = "Allow"
    actions   = ["logs:CreateLogGroup"]
    resources = ["${local.cloudwatch_logs_arn_prefix}:*"]
  }

  statement {
    sid    = "LogEvents"
    effect = "Allow"
    actions = [
      "logs:PutLogEvents",
      "logs:CreateLogStream",
    ]
    # Scoped to the log group Lambda creates for this specific function name.
    resources = [
      "${local.cloudwatch_logs_arn_prefix}:log-group:/aws/lambda/${local.db_migrate_lambda_name}:*",
    ]
  }
}
# ENI permissions the Lambda service needs to place the function inside the VPC
# (see vpc_config on aws_lambda_function.db_migrate_lambda). The network
# interfaces are created and deleted by the Lambda service on the function's
# behalf, which is why these ec2 actions are granted on "*" rather than on a
# specific interface — the same scope AWS's managed Lambda VPC-access policy
# uses. Nothing else in this role touches ec2.
data "aws_iam_policy_document" "lambda_ecs_task_execute_policy_vpc" {
  statement {
    sid    = "NetInts"
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
    ]
    resources = ["*"]
  }
}
# Inline policy attaching the CloudWatch Logs permissions to the execution role.
resource "aws_iam_role_policy" "grant_lambda_ecs_cloudwatch" {
  name   = "cloudwatch"
  role   = aws_iam_role.lambda_ecs_execute_role.name
  policy = data.aws_iam_policy_document.lambda_ecs_task_execute_policy_cloudwatch.json
}
# Inline policy attaching the VPC/ENI permissions to the execution role.
# NOTE(review): the inline policy is named "ecs_task_execute" although the
# document it attaches grants only ec2 ENI actions; the name is the policy's
# identifier, so renaming it to match (e.g. "vpc") would delete and recreate
# the inline policy — harmless for an idle function, but plan it deliberately.
resource "aws_iam_role_policy" "grant_lambda_ecs_vpc" {
  name   = "ecs_task_execute"
  role   = aws_iam_role.lambda_ecs_execute_role.name
  policy = data.aws_iam_policy_document.lambda_ecs_task_execute_policy_vpc.json
}
# Deployment package for the DB-migrate Lambda. Its output_base64sha256 feeds
# source_code_hash on aws_lambda_function.db_migrate_lambda, so any change to
# the listed source files redeploys the function.
data "archive_file" "db_migrate_lambda" {
  type        = "zip"
  output_path = local.db_migrate_lambda_zip_file

  # Fixed file mode so the archive (and therefore its hash) does not vary with
  # the umask of the machine running terraform.
  output_file_mode = "0666"

  # Enumerate each file in the archive to prevent changes to the archive based
  # on the platform:
  # https://github.com/hashicorp/terraform-provider-archive/issues/34#issuecomment-907233664
  dynamic "source" {
    for_each = toset([
      "db-migrate-lambda/index.py",
    ])

    content {
      filename = basename(source.value)
      content  = file("${path.module}/${source.value}")
    }
  }
}
# Lambda that triggers the metadata-service DB migration by calling the
# metadata load balancer. It runs inside the VPC on the module's two subnets
# and reuses the metadata service's security group so the LB is reachable.
#
# NOTE(review): runtime "python3.9" should be checked against the Lambda
# runtime deprecation schedule; once a runtime is deprecated AWS blocks
# updates to functions still using it, so bumping it also means verifying
# db-migrate-lambda/index.py against the newer interpreter.
# NOTE(review): MD_LB_ADDRESS uses plain http:// on port 8082. This is only
# acceptable if aws_lb.this is an internal LB reached over the VPC's private
# network (not visible from this file) — confirm the listener is not exposed
# more widely.
resource "aws_lambda_function" "db_migrate_lambda" {
  function_name = local.db_migrate_lambda_name
  description   = "Trigger DB Migration"
  role          = aws_iam_role.lambda_ecs_execute_role.arn
  tags          = var.standard_tags

  # Code package: path plus hash, so Terraform redeploys when the archive changes.
  filename         = local.db_migrate_lambda_zip_file
  source_code_hash = data.archive_file.db_migrate_lambda.output_base64sha256

  handler     = "index.handler"
  runtime     = "python3.9"
  memory_size = 128
  # 900 s is the Lambda maximum; migrations may run long.
  timeout = 900

  environment {
    variables = {
      MD_LB_ADDRESS = "http://${aws_lb.this.dns_name}:8082"
    }
  }

  # Placing the function in the VPC is what requires the ec2 ENI permissions
  # granted in lambda_ecs_task_execute_policy_vpc.
  vpc_config {
    subnet_ids         = [var.subnet1_id, var.subnet2_id]
    security_group_ids = [aws_security_group.metadata_service_security_group.id]
  }
}