Update lambda permission for private link (#154)

* add permission to lambda when deploying it with private link

* add endpoint

* terraform fmt

* update changelog

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## v1.0.94
+#### **coralogix-aws-shipper**
+### 🧰 Bug fixes 🧰
+- Update permissions for lambda when using private link
 
 ## v1.0.93
 #### **coralogix-aws-shipper**

modules/coralogix-aws-shipper/CloudWatch.tf

@@ -1,4 +1,5 @@
 resource "aws_lambda_permission" "cloudwatch_trigger_premission" {
+  depends_on    = [module.lambda]
   for_each      = local.log_groups
   action        = "lambda:InvokeFunction"
   function_name = local.integration_info.integration.lambda_name == null ? module.locals.integration.function_name : local.integration_info.integration.lambda_name

modules/coralogix-aws-shipper/Ecr.tf

@@ -1,27 +1,27 @@
 resource "aws_cloudwatch_event_rule" "EventBridgeRule" {
-    count = var.integration_type == "EcrScan" ? 1 : 0
-    name        = format("ECR-image-scan-lambda-invoke")
-    description = "Event rule for invoking Lambda on ECR image scan"
-    event_pattern = jsonencode({
+  count       = var.integration_type == "EcrScan" ? 1 : 0
+  name        = format("ECR-image-scan-lambda-invoke")
+  description = "Event rule for invoking Lambda on ECR image scan"
+  event_pattern = jsonencode({
     source      = ["aws.ecr"],
     detail-type = ["ECR Image Scan"],
-    detail      = {
-        scan-status = ["COMPLETE"]
+    detail = {
+      scan-status = ["COMPLETE"]
     }
-    })
+  })
 
-    tags = {
+  tags = {
     Name = "ECR-image-scan-lambda-invoke"
-    }
+  }
 }
 
 resource "aws_cloudwatch_event_target" "EventBridgeRuleTarget" {
-    depends_on = [ aws_cloudwatch_event_rule.EventBridgeRule ]
-    count = var.integration_type == "EcrScan" ? 1 : 0
-    rule      = aws_cloudwatch_event_rule.EventBridgeRule[0].name
-    target_id = "LambdaFunction"
+  depends_on = [aws_cloudwatch_event_rule.EventBridgeRule]
+  count      = var.integration_type == "EcrScan" ? 1 : 0
+  rule       = aws_cloudwatch_event_rule.EventBridgeRule[0].name
+  target_id  = "LambdaFunction"
 
-    arn = element(module.lambda[*].integration.lambda_function_arn, 0)
+  arn = element(module.lambda[*].integration.lambda_function_arn, 0)
 }
 
 

modules/coralogix-aws-shipper/README.md

@@ -42,7 +42,7 @@ If you want to avoid this issue, you can deploy in other ways:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_coralogix_region"></a> [coralogix\_region](#input\_coralogix\_region) | The Coralogix location region, possible options are [`EU1`, `EU2`, `AP1`, `AP2`, `US1`, `US2`, `Custom`] | `string` | n/a | yes |
-| <a name="input_custom_domain"></a> [custom_domain](#input\_custom\_domain) | If you choose a custom domain name for your private cluster, Coralogix will send telemetry from the specified address (e.g. custom.coralogix.com).| `string` | n/a | no |
+| <a name="input_custom_domain"></a> [custom_domain](#input\_custom\_domain) | If you choose a custom domain name for your private cluster, Coralogix will send telemetry from the specified address (e.g. custom.coralogix.com) there is no need to add `ingress.` to the domain .| `string` | n/a | no |
 | <a name="input_integration_type"></a> [integration_type](#input\_data\_type) | Choose the AWS service that you wish to integrate with Coralogix. Can be one of: S3, CloudTrail, VpcFlow, CloudWatch, S3Csv, SNS, SQS, Kinesis, CloudFront, MSK, Kafka, EcrScan. | `string` | n/a | yes |
 | <a name="input_api_key"></a> [api\_key](#input\_api_\_key) | The Coralogix Send Your Data - [API Key](https://coralogix.com/docs/send-your-data-api-key/) validates your authenticity. This value can be a direct Coralogix API Key or an AWS Secret Manager ARN containing the API Key.| `string` | n/a | yes |
 | <a name="input_store_api_key_in_secrets_manager"></a> [store\_api\_key\_in\_secrets\_manager](#input\_store\_api\_key\_in\_secrets\_manager) | Enable this to store your API Key securely. Otherwise, it will remain exposed in plain text as an environment variable in the Lambda function console.| bool | true | no |

modules/coralogix-aws-shipper/data.tf

@@ -2,6 +2,11 @@ data "aws_region" "this" {}
 
 data "aws_caller_identity" "this" {}
 
+data "aws_subnet" "subnet" {
+  count = (var.store_api_key_in_secrets_manager || local.api_key_is_arn) && var.subnet_ids != null ? 1 : 0
+  id    = var.subnet_ids[0]
+}
+
 data "aws_cloudwatch_log_group" "this" {
   for_each = local.log_groups
   name     = each.key

modules/coralogix-aws-shipper/main.tf

@@ -47,7 +47,7 @@ module "lambda" {
   vpc_subnet_ids         = var.subnet_ids
   vpc_security_group_ids = var.security_group_ids
   environment_variables = {
-    CORALOGIX_ENDPOINT = var.custom_domain != "" ? "https://ingress.${var.custom_domain}" : var.subnet_ids == null ? "https://ingress.${lookup(module.locals[each.key].coralogix_domains, var.coralogix_region, "Europe")}" : "https://ingress.private.${lookup(module.locals.coralogix_domains, var.coralogix_region, "Europe")}"
+    CORALOGIX_ENDPOINT = var.custom_domain != "" ? "https://ingress.${var.custom_domain}" : var.subnet_ids == null ? "https://ingress.${lookup(module.locals[each.key].coralogix_domains, var.coralogix_region, "EU1")}" : "https://ingress.private.${lookup(module.locals[each.key].coralogix_domains, var.coralogix_region, "EU1")}"
     INTEGRATION_TYPE   = each.value.integration_type
     RUST_LOG           = var.log_level
     CORALOGIX_API_KEY  = var.store_api_key_in_secrets_manager && !local.api_key_is_arn ? aws_secretsmanager_secret.coralogix_secret[0].arn : var.api_key
@@ -60,7 +60,7 @@ module "lambda" {
   }
   s3_existing_package = {
     bucket = var.custom_s3_bucket == "" ? "coralogix-serverless-repo-${data.aws_region.this.name}" : var.custom_s3_bucket
-    key = var.cpu_arch == "arm64" ? "coralogix-aws-shipper.zip" : "coralogix-aws-shipper-x86-64.zip"
+    key    = var.cpu_arch == "arm64" ? "coralogix-aws-shipper.zip" : "coralogix-aws-shipper-x86-64.zip"
   }
   policy_path                             = "/coralogix/"
   role_path                               = "/coralogix/"
@@ -86,6 +86,15 @@ module "lambda" {
       actions   = ["sns:publish"]
       resources = [aws_sns_topic.this[each.key].arn]
     }
+    private_link_policy = var.subnet_ids != null ? {
+      effect    = "Allow"
+      actions   = ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface"]
+      resources = ["*"]
+      } : {
+      effect    = "Deny"
+      actions   = ["rds:DescribeAccountAttributes"]
+      resources = ["*"]
+    }
     sqs_s3_integration_policy = var.sqs_name != null && var.s3_bucket_name != null ? {
       effect = "Allow"
       actions = [
@@ -96,24 +105,24 @@ module "lambda" {
         "s3:GetLifecycleConfiguration"
       ]
       resources = ["${data.aws_s3_bucket.this[0].arn}/*", data.aws_s3_bucket.this[0].arn]
-    } : {
-        effect = "Deny"
-        actions = ["rds:DescribeAccountAttributes"]
-        resources = ["*"]
-    } 
+      } : {
+      effect    = "Deny"
+      actions   = ["rds:DescribeAccountAttributes"]
+      resources = ["*"]
+    }
     integrations_policy = var.s3_bucket_name != null && var.sqs_name == null ? {
       effect    = "Allow"
       actions   = ["s3:GetObject"]
       resources = ["${data.aws_s3_bucket.this[0].arn}/*"]
-    } : var.sqs_name != null ? {
+      } : var.sqs_name != null ? {
       effect = "Allow"
       actions = [
         "sqs:ReceiveMessage",
         "sqs:DeleteMessage",
         "sqs:GetQueueAttributes"
       ]
       resources = [data.aws_sqs_queue.name[0].arn]
-    }: var.kinesis_stream_name != null ? {
+      } : var.kinesis_stream_name != null ? {
       effect = "Allow"
       actions = [
         "kinesis:GetRecords",
@@ -125,25 +134,25 @@ module "lambda" {
         "kinesis:SubscribeToShard"
       ]
       resources = [data.aws_kinesis_stream.kinesis_stream[0].arn]
-    } : var.kafka_brokers != null ? {
-        effect = "Allow"
-        actions = [
-          "ec2:CreateNetworkInterface",
-          "ec2:DescribeNetworkInterfaces",
-          "ec2:DescribeVpcs",
-          "ec2:DeleteNetworkInterface",
-          "ec2:DescribeSubnets",
-          "ec2:DescribeSecurityGroups"
-        ]
-        resources = ["*"]
-    } : var.integration_type == "EcrScan" ? {
-        effect = "Allow"
-        actions = ["ecr:DescribeImageScanFindings"]
-        resources = ["*"]
-    } :  {
-        effect = "Deny"
-        actions = ["ecr:DescribeImageScanFindings"]
-        resources = ["*"]
+      } : var.kafka_brokers != null ? {
+      effect = "Allow"
+      actions = [
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeVpcs",
+        "ec2:DeleteNetworkInterface",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups"
+      ]
+      resources = ["*"]
+      } : var.integration_type == "EcrScan" ? {
+      effect    = "Allow"
+      actions   = ["ecr:DescribeImageScanFindings"]
+      resources = ["*"]
+      } : {
+      effect    = "Deny"
+      actions   = ["ecr:DescribeImageScanFindings"]
+      resources = ["*"]
     }
   }
 
@@ -157,12 +166,12 @@ module "lambda" {
       principal  = "kafka.amazonaws.com"
       source_arn = var.msk_cluster_arn
     }
-  } : var.integration_type == "EcrScan" ?{
+    } : var.integration_type == "EcrScan" ? {
     AllowExecutionFromECR = {
       principal  = "events.amazonaws.com"
       source_arn = aws_cloudwatch_event_rule.EventBridgeRule[0].arn
     }
-  }  :{}
+  } : {}
 
   tags = merge(var.tags, module.locals[each.key].tags)
 }
@@ -226,3 +235,13 @@ resource "aws_secretsmanager_secret_version" "service_user" {
   secret_id     = aws_secretsmanager_secret.coralogix_secret[0].id
   secret_string = var.api_key
 }
+
+resource "aws_vpc_endpoint" "secretsmanager" {
+  count               = (var.store_api_key_in_secrets_manager || local.api_key_is_arn) && var.subnet_ids != null ? 1 : 0
+  vpc_id              = data.aws_subnet.subnet[0].vpc_id
+  service_name        = "com.amazonaws.${data.aws_region.this.name}.secretsmanager"
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = var.subnet_ids
+  security_group_ids  = var.security_group_ids
+  private_dns_enabled = true
+}

modules/coralogix-aws-shipper/variables.tf

@@ -119,7 +119,7 @@ variable "cpu_arch" {
   validation {
     condition     = contains(["arm64", "x86_64"], var.cpu_arch)
     error_message = "The CPU architecture must be one of these values: [arm64, x86_64]."
-  } 
+  }
 }
 
 # Integration Generic Config (Optional)
@@ -168,7 +168,7 @@ variable "integration_type" {
   description = "the aws service that send the data to the s3"
   type        = string
   validation {
-    condition     = contains(["CloudWatch", "CloudTrail", "VpcFlow", "S3", "S3Csv", "Sns", "Sqs", "Kinesis", "CloudFront", "MSK", "Kafka","EcrScan", ""], var.integration_type)
+    condition     = contains(["CloudWatch", "CloudTrail", "VpcFlow", "S3", "S3Csv", "Sns", "Sqs", "Kinesis", "CloudFront", "MSK", "Kafka", "EcrScan", ""], var.integration_type)
     error_message = "The integration type must be: [CloudWatch, CloudTrail, VpcFlow, S3, S3Csv, Sns, Sqs, Kinesis, CloudFront, MSK, Kafka, EcrScan]."
   }
   default = ""
@@ -230,7 +230,7 @@ variable "msk_cluster_arn" {
 
 variable "msk_topic_name" {
   description = "List of names of the Kafka topic used to store records in your Kafka cluster ( [\"topic1\", \"topic2\",])"
-  type        = list
+  type        = list(any)
   default     = null
 }