Merge pull request #5 from kunduso/add-lambda

Add scaffolding and supporting infrastructure
kunduso · Jun 11, 2024 · 791a5fe · 791a5fe
2 parents d431b89 + dc91a0c
commit 791a5fe
Show file tree

Hide file tree

Showing 8 changed files with 140 additions and 8 deletions.
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -3,14 +3,14 @@ name: checkov-static-analysis-scan
 # Controls when the workflow will run
 on:
   # Triggers the workflow on push or pull request events but only for the "main" branch
-  push:
-    branches: [ '*' ]
-    paths-ignore:
-      - '**/README.md'
-  pull_request:
-    branches: ["main"]
-    paths-ignore:
-      - '**/README.md'
+  # push:
+  #   branches: [ '*' ]
+  #   paths-ignore:
+  #     - '**/README.md'
+  # pull_request:
+  #   branches: ["main"]
+  #   paths-ignore:
+  #     - '**/README.md'
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:

diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,4 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+.terraform.lock.hcl
diff --git a/cloudwatch.tf b/cloudwatch.tf
@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "lambda_log" {
+  name              = var.name
+  retention_in_days = 365
+  kms_key_id        = aws_kms_key.encryption_rest.arn
+}
diff --git a/data.tf b/data.tf
@@ -0,0 +1,6 @@
+data "aws_caller_identity" "current" {}
+locals {
+  principal_root_arn       = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+  principal_logs_arn       = "logs.${var.region}.amazonaws.com"
+  cloudwatch_log_group_arn = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/${var.name}"
+}
diff --git a/iam_role.tf b/iam_role.tf
@@ -0,0 +1,58 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "lambda_role" {
+  name = "${var.name}_lambda_role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
+resource "aws_iam_policy" "lambda_policy" {
+  name        = "${var.name}_lambda_policy"
+  path        = "/"
+  description = "AWS IAM policy for the lambda role."
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ssm:GetParameters",
+          "ssm:GetParameter"
+        ],
+        Resource = [aws_ssm_parameter.parameter.arn]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        Resource = [aws_cloudwatch_log_group.lambda_log.arn]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "kms:Decrypt"
+        ]
+        Resource = [aws_kms_key.encryption_rest.arn]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_policy_attachement" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_policy.arn
+}
diff --git a/kms.tf b/kms.tf
@@ -0,0 +1,50 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
+resource "aws_kms_key" "encryption_rest" {
+  enable_key_rotation     = true
+  description             = "Key to encrypt Amazon CloudWatch logs at rest."
+  deletion_window_in_days = 7
+  #checkov:skip=CKV2_AWS_64: KMS Key policy in a separate resource
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
+resource "aws_kms_alias" "encryption_rest" {
+  name          = "alias/lambda-${var.name}-at-rest"
+  target_key_id = aws_kms_key.encryption_rest.key_id
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy
+resource "aws_kms_key_policy" "encryption_rest_policy" {
+  key_id = aws_kms_key.encryption_rest.id
+  policy = jsonencode({
+    Id = "encryption-rest"
+    Statement = [
+      {
+        Action = "kms:*"
+        Effect = "Allow"
+        Principal = {
+          AWS = "${local.principal_root_arn}"
+        }
+        Resource = "*"
+        Sid      = "Enable IAM User Permissions"
+      },
+      {
+        Effect : "Allow",
+        Principal : {
+          Service : "${local.principal_logs_arn}"
+        },
+        Action : [
+          "kms:Encrypt*",
+          "kms:Decrypt*",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:Describe*"
+        ],
+        Resource : "*",
+        Condition : {
+          ArnEquals : {
+            "kms:EncryptionContext:aws:logs:arn" : [local.cloudwatch_log_group_arn]
+          }
+        }
+      }
+    ]
+    Version = "2012-10-17"
+  })
+}
diff --git a/ssm_parameter.tf b/ssm_parameter.tf
@@ -0,0 +1,7 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
+resource "aws_ssm_parameter" "parameter" {
+  name   = "/${var.name}"
+  type   = "SecureString"
+  key_id = aws_kms_key.encryption_rest.id
+  value  = ""
+}
diff --git a/variables.tf b/variables.tf
@@ -17,4 +17,9 @@ variable "secret_key" {
   type        = string
   sensitive   = true
   default     = ""
+}
+variable "name" {
+  description = "The name of the application."
+  type        = string
+  default     = "app-7"
 }