From 1b8a0694908bb1f5b3e54b4980c8f354232d1cb3 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 12 Jun 2024 07:53:58 -0500
Subject: [PATCH 1/7] #3 add log stream
---
 cloudwatch.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/cloudwatch.tf b/cloudwatch.tf
index 8ad1682..d4f7e73 100644
--- a/cloudwatch.tf
+++ b/cloudwatch.tf
@@ -1,6 +1,13 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group
 resource "aws_cloudwatch_log_group" "lambda_log" {
- name = var.name
+ name = "${var.log_group_prefix}${var.name}" #"/aws/lambda/${var.name}"
 retention_in_days = 365
 kms_key_id = aws_kms_key.encryption_rest.arn
+ # depends_on = [ aws_kms_key.encryption_rest ]
+}
+#
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream
+resource "aws_cloudwatch_log_stream" "log_stream" {
+ name = "${var.name}-lambda-log-stream"
+ log_group_name = aws_cloudwatch_log_group.lambda_log.name
 }
\ No newline at end of file
From 3f1b3b65e3b72fc0e7b203f76823278fb63d7ed4 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 12 Jun 2024 07:55:01 -0500
Subject: [PATCH 2/7] #14 corrected resource arn
---
 data.tf | 2 +-
 variables.tf | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/data.tf b/data.tf
index dd0fab8..4a339a7 100644
--- a/data.tf
+++ b/data.tf
@@ -2,5 +2,5 @@ data "aws_caller_identity" "current" {}
 locals {
 principal_root_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 principal_logs_arn = "logs.${var.region}.amazonaws.com"
- cloudwatch_log_group_arn = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${var.name}*"
+ cloudwatch_log_group_arn = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${var.log_group_prefix}${var.name}*"
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 37d78a9..6dd382e 100644
--- a/variables.tf
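Review bot: The new `name` line carries a commented-out alternative (`#"/aws/lambda/${var.name}"`) and the block gains a commented-out `# depends_on = [ aws_kms_key.encryption_rest ]`; both are dead text now that the prefix is a variable and `kms_key_id` already references the key, which gives Terraform the dependency implicitly. Delete both, or turn the second into a why-note such as `# kms_key_id already orders this after aws_kms_key.encryption_rest; no depends_on needed`. The `aws_cloudwatch_log_stream` added below is the stream the handler writes to explicitly; Lambda's own runtime logging is expected to create its own date-stamped streams in the group, so a one-line comment on `log_stream` saying it exists for the handler's `put_log_events` would help the next reader, if that is indeed the intent.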
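Review bot: The corrected `cloudwatch_log_group_arn` still ends in a bare `*` directly after the group name, so wherever this local is consumed (a KMS key policy or IAM statement, judging by the sibling `principal_logs_arn`, though none is visible here) it also matches any group whose name merely starts with `/aws/lambda/app-7`, for example `/aws/lambda/app-7-staging`. Scope it to the one group and its streams with `cloudwatch_log_group_arn = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${var.log_group_prefix}${var.name}:*"`, or reference `aws_cloudwatch_log_group.lambda_log.arn` if the dependency order allows it. A comment naming the policy that consumes this value would make the intended scope reviewable.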
+++ b/variables.tf @@ -22,4 +22,9 @@ variable "name" { description = "The name of the application." type = string default = "app-7" +} +variable "log_group_prefix" { + description = "The name of the log group." + type = string + default = "/aws/lambda/" } \ No newline at end of file From 5d83bcdc44d00f924ecbf09d678b4542b6908220 Mon Sep 17 00:00:00 2001 From: Sourav Kundu Date: Wed, 12 Jun 2024 07:56:12 -0500 Subject: [PATCH 3/7] #14 added logging capability --- lambda.tf | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/lambda.tf b/lambda.tf index 1e11939..be633db 100644 --- a/lambda.tf +++ b/lambda.tf @@ -5,11 +5,17 @@ data "archive_file" "python_file" { } resource "aws_lambda_function" "lambda_run" { - filename = "${path.module}/lambda_function/lambda_function.zip" - function_name = "write_parameter_to_cloudwatch" - role = aws_iam_role.lambda_role.arn - handler = "handler.lambda_handler" - runtime = "python3.8" + filename = "${path.module}/lambda_function/lambda_function.zip" + source_code_hash = data.archive_file.python_file.output_base64sha256 + function_name = var.name + role = aws_iam_role.lambda_role.arn + handler = "handler.lambda_handler" + runtime = "python3.8" + logging_config { + log_format = "JSON" + log_group = aws_cloudwatch_log_group.lambda_log.name + system_log_level = "INFO" + } } resource "aws_cloudwatch_event_rule" "lambda_trigger" { From d678181873c9bfd2ecd4a4c441367f8fca0d8678 Mon Sep 17 00:00:00 2001 From: Sourav Kundu Date: Wed, 12 Jun 2024 07:57:04 -0500 Subject: [PATCH 4/7] #15 converted to variables --- lambda.tf | 7 +++++++ lambda_function/handler.py | 8 ++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/lambda.tf b/lambda.tf index be633db..b237796 100644 --- a/lambda.tf +++ b/lambda.tf 
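Review bot: The description of `log_group_prefix` says "The name of the log group." but the value is a prefix concatenated with `var.name` in cloudwatch.tf and data.tf, and the default `/aws/lambda/` is the prefix Lambda uses for its own log group names. Suggest `description = "Prefix prepended to var.name to form the CloudWatch log group name; Lambda expects /aws/lambda/."`. Consider a `validation` block requiring a trailing `/` so the concatenation cannot silently produce a name like `/aws/lambdaapp-7`.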
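Review bot: The re-added `runtime = "python3.8"` pins a Python version that reaches end of life in October 2024, with the Lambda runtime deprecated on the same schedule; pick a supported runtime now, e.g. `runtime = "python3.12"`, and check `handler.py` for anything 3.8-specific. The `logging_config` block only redirects the function's runtime logs to the KMS-encrypted group; nothing in this hunk grants `aws_iam_role.lambda_role` `logs:CreateLogStream`/`logs:PutLogEvents` on that group, so confirm the role policy (outside this hunk) covers it. The `aws_lambda_function` block continues past the hunk.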
@@ -16,6 +16,13 @@ resource "aws_lambda_function" "lambda_run" { log_group = aws_cloudwatch_log_group.lambda_log.name system_log_level = "INFO" } + environment { + variables = { + parameter_name = aws_ssm_parameter.parameter.name + log_group_name = aws_cloudwatch_log_group.lambda_log.name + log_stream_name = aws_cloudwatch_log_stream.log_stream.name + } + } } resource "aws_cloudwatch_event_rule" "lambda_trigger" { diff --git a/lambda_function/handler.py b/lambda_function/handler.py index d412b69..ba264c5 100644 --- a/lambda_function/handler.py +++ b/lambda_function/handler.py @@ -1,21 +1,21 @@ import boto3 import logging import time +import os def lambda_handler(event, context): # Initialize the Boto3 clients for SSM and CloudWatch Logs ssm_client = boto3.client('ssm') logs_client = boto3.client('logs') - parameter_name = '/app-7' - log_group_name = 'app-7' - log_stream_name = 'app-7-lambda-log-stream' + parameter_name = os.environ['parameter_name'] + log_group_name = os.environ['log_group_name'] + log_stream_name = os.environ['log_stream_name'] try: # Read the parameter from SSM Parameter Store response = ssm_client.get_parameter(Name=parameter_name, WithDecryption=True) parameter_value = response['Parameter']['Value'] # Write the parameter value to CloudWatch Logs - logs_client.create_log_stream(logGroupName=log_group_name, logStreamName=log_stream_name) logs_client.put_log_events( logGroupName=log_group_name, logStreamName=log_stream_name, From d67cb9ff1bbe3e0dfe125edaf20abcf51aa678f8 Mon Sep 17 00:00:00 2001 From: Sourav Kundu Date: Wed, 12 Jun 2024 08:04:10 -0500 Subject: [PATCH 5/7] #2 enabled scan pipeline --- .github/workflows/code-scan.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml index dced46f..79d3069 100644 --- a/.github/workflows/code-scan.yml +++ b/.github/workflows/code-scan.yml 
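Review bot: The handler reads the parameter with `WithDecryption=True` and, per the comment that follows, writes `parameter_value` into CloudWatch Logs; if `aws_ssm_parameter.parameter` is a SecureString this copies the secret into a log group readable by anyone holding `logs:GetLogEvents`, and KMS encryption of the group at rest does not prevent that. Unless plaintext logging is the point of this function, log only metadata, e.g. `message = f"{parameter_name} version={response['Parameter']['Version']} length={len(parameter_value)}"`. `os.environ['parameter_name']` raises `KeyError` when the variable is missing, which is a reasonable fail-fast but deserves a one-line comment saying it is deliberate. `lambda_handler` continues past the hunk, so the `put_log_events` payload and the `except` branch are not visible here.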
@@ -3,14 +3,14 @@ name: checkov-static-analysis-scan # Controls when the workflow will run on: # Triggers the workflow on push or pull request events but only for the "main" branch - # push: - # branches: [ '*' ] - # paths-ignore: - # - '**/README.md' - # pull_request: - # branches: ["main"] - # paths-ignore: - # - '**/README.md' + push: + branches: [ '*' ] + paths-ignore: + - '**/README.md' + pull_request: + branches: ["main"] + paths-ignore: + - '**/README.md' # Allows you to run this workflow manually from the Actions tab workflow_dispatch: From bdd5ceac696586e6d9c5da89a2ca29bdcf3e1db9 Mon Sep 17 00:00:00 2001 From: Sourav Kundu Date: Wed, 12 Jun 2024 08:54:25 -0500 Subject: [PATCH 6/7] fixed checkov scan findings --- lambda.tf | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/lambda.tf b/lambda.tf index b237796..830eb1d 100644 --- a/lambda.tf +++ b/lambda.tf @@ -5,12 +5,14 @@ data "archive_file" "python_file" { } resource "aws_lambda_function" "lambda_run" { - filename = "${path.module}/lambda_function/lambda_function.zip" - source_code_hash = data.archive_file.python_file.output_base64sha256 - function_name = var.name - role = aws_iam_role.lambda_role.arn - handler = "handler.lambda_handler" - runtime = "python3.8" + filename = "${path.module}/lambda_function/lambda_function.zip" + source_code_hash = data.archive_file.python_file.output_base64sha256 + function_name = var.name + role = aws_iam_role.lambda_role.arn + handler = "handler.lambda_handler" + runtime = "python3.8" + code_signing_config_arn = aws_lambda_code_signing_config.signing_config.arn + kms_key_arn = aws_kms_key.encryption_rest.arn logging_config { log_format = "JSON" log_group = aws_cloudwatch_log_group.lambda_log.name 
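Review bot: `branches: [ '*' ]` under `push` does not match branch names that contain a slash, so pushes to `feature/x` or `fix/x` will not trigger the scan; use `branches: [ '**' ]` if every branch is intended. The comment above the trigger still says the workflow runs "only for the main branch", which is no longer true for `push`; update it, e.g. `# Runs on every push, and on pull requests targeting main`. Both `paths-ignore` entries exclude `**/README.md` only, so a change to any other documentation file still runs checkov, which is fine but worth stating in the same comment.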
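Review bot: Setting `kms_key_arn = aws_kms_key.encryption_rest.arn` means the environment variables added in the previous commit are now decrypted with a customer-managed key at invocation, so `aws_iam_role.lambda_role` (not in this hunk) needs `kms:Decrypt` on that key, via the role policy or the key policy, or invocations fail before the handler runs; confirm it is granted. The `code_signing_config_arn` line above it will reject the unsigned zip produced by `archive_file` because the config's policy is `Enforce`, so either sign the artifact with `aws_signer` before deploy or leave signing out, which the next commit does. A short comment on `kms_key_arn` naming the role/key permission it relies on would help. The `aws_lambda_function` block continues past the hunk.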
@@ -22,9 +24,33 @@ resource "aws_lambda_function" "lambda_run" { log_group_name = aws_cloudwatch_log_group.lambda_log.name log_stream_name = aws_cloudwatch_log_stream.log_stream.name } + } + #checkov:skip=CKV_AWS_50: Not applicable in this use case: X-Ray tracing is enabled for Lambda + #checkov:skip=CKV_AWS_115: Not applicable in this use case: Ensure that AWS Lambda function is configured for function-level concurrent execution limit + #checkov:skip=CKV_AWS_117: This AWS Lambda function does not require access to anything inside a VPC + #checkov:skip=CKV_AWS_116: Not applicable in this use case + #checkov:skip=CKV_AWS_173: Not applicable in this use case } +resource "aws_signer_signing_profile" "prod_sp" { + platform_id = "AWSLambda-SHA384-ECDSA" + name_prefix = "prod_sp_" + signature_validity_period { + value = 5 + type = "YEARS" + } +} +resource "aws_lambda_code_signing_config" "signing_config" { + allowed_publishers { + signing_profile_version_arns = [aws_signer_signing_profile.prod_sp.arn] + } + policies { + untrusted_artifact_on_deployment = "Enforce" + } + + description = "Code signing config for AWS Lambda." +} resource "aws_cloudwatch_event_rule" "lambda_trigger" { name = "lambda_trigger_rule" schedule_expression = "rate(10 minutes)" From bde48998cfc36a3c2ef9b68ac3ac83718c65d721 Mon Sep 17 00:00:00 2001 From: Sourav Kundu Date: Wed, 12 Jun 2024 11:21:06 -0500 Subject: [PATCH 7/7] removed signing logic --- README.md | 4 +++- lambda.tf | 35 ++++++++--------------------------- 2 files changed, 11 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index 0f6e628..6bf9dbe 100644 --- a/README.md +++ b/README.md 
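Review bot: The checkov skip justifications are the check titles rather than reasons: `CKV_AWS_50: Not applicable in this use case: X-Ray tracing is enabled for Lambda` asserts the opposite of the configuration, and `CKV_AWS_173` (environment-variable encryption) is satisfied by the `kms_key_arn` set earlier in this same commit, so that skip is redundant. Replace each with the actual reason, e.g. `#checkov:skip=CKV_AWS_50: X-Ray tracing not needed for a scheduled single-step function`, and drop the 173 skip. For `CKV_AWS_115`, `reserved_concurrent_executions = 1` costs nothing for a `rate(10 minutes)` job and also prevents overlapping runs, which is safer than skipping the check. The `aws_lambda_function` block starts before this hunk.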
@@ -1 +1,3 @@
-# add-aws-lambda
\ No newline at end of file
+[![License: Unlicense](https://img.shields.io/badge/license-Unlicense-white.svg)](https://choosealicense.com/licenses/unlicense/) [![GitHub pull-requests closed](https://img.shields.io/github/issues-pr-closed/kunduso/add-aws-lambda-terraform)](https://github.com/kunduso/add-aws-lambda-terraform/pulls?q=is%3Apr+is%3Aclosed) [![GitHub pull-requests](https://img.shields.io/github/issues-pr/kunduso/add-aws-lambda-terraform)](https://GitHub.com/kunduso/add-aws-lambda-terraform/pull/)
+[![GitHub issues-closed](https://img.shields.io/github/issues-closed/kunduso/add-aws-lambda-terraform)](https://github.com/kunduso/add-aws-lambda-terraform/issues?q=is%3Aissue+is%3Aclosed) [![GitHub issues](https://img.shields.io/github/issues/kunduso/add-aws-lambda-terraform)](https://GitHub.com/kunduso/add-aws-lambda-terraform/issues/)
+[![terraform-infra-provisioning](https://github.com/kunduso/add-aws-lambda-terraform/actions/workflows/terraform.yml/badge.svg?branch=main)](https://github.com/kunduso/add-aws-lambda-terraform/actions/workflows/terraform.yml) [![checkov-static-analysis-scan](https://github.com/kunduso/add-aws-lambda-terraform/actions/workflows/code-scan.yml/badge.svg?branch=main)](https://github.com/kunduso/add-aws-lambda-terraform/actions/workflows/code-scan.yml)
\ No newline at end of file
diff --git a/lambda.tf b/lambda.tf
index 830eb1d..68d0412 100644
--- a/lambda.tf
+++ b/lambda.tf
@@ -5,14 +5,13 @@ data "archive_file" "python_file" { } resource "aws_lambda_function" "lambda_run" { - filename = "${path.module}/lambda_function/lambda_function.zip" - source_code_hash = data.archive_file.python_file.output_base64sha256 - function_name = var.name - role = aws_iam_role.lambda_role.arn - handler = "handler.lambda_handler" - runtime = "python3.8" - code_signing_config_arn = aws_lambda_code_signing_config.signing_config.arn - kms_key_arn = aws_kms_key.encryption_rest.arn + filename = "${path.module}/lambda_function/lambda_function.zip" + source_code_hash = data.archive_file.python_file.output_base64sha256 + function_name = var.name + role = aws_iam_role.lambda_role.arn + handler = "handler.lambda_handler" + runtime = "python3.8" + kms_key_arn = aws_kms_key.encryption_rest.arn logging_config { log_format = "JSON" log_group = aws_cloudwatch_log_group.lambda_log.name @@ -31,25 +30,7 @@ resource "aws_lambda_function" "lambda_run" { #checkov:skip=CKV_AWS_117: This AWS Lambda function does not require access to anything inside a VPC #checkov:skip=CKV_AWS_116: Not applicable in this use case #checkov:skip=CKV_AWS_173: Not applicable in this use case -} -resource "aws_signer_signing_profile" "prod_sp" { - platform_id = "AWSLambda-SHA384-ECDSA" - name_prefix = "prod_sp_" - - signature_validity_period { - value = 5 - type = "YEARS" - } -} -resource "aws_lambda_code_signing_config" "signing_config" { - allowed_publishers { - signing_profile_version_arns = [aws_signer_signing_profile.prod_sp.arn] - } - policies { - untrusted_artifact_on_deployment = "Enforce" - } - - description = "Code signing config for AWS Lambda." + #checkov:skip=CKV_AWS_272: Not applicable in this use case: Ensure AWS Lambda function is configured to validate code-signing } resource "aws_cloudwatch_event_rule" "lambda_trigger" { name = "lambda_trigger_rule"
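Review bot: The new `#checkov:skip=CKV_AWS_272` comment repeats the check title instead of saying why code signing was dropped; presumably the zip built by `archive_file` is unsigned and the `Enforce` policy would block deployment, but the comment should say so, e.g. `#checkov:skip=CKV_AWS_272: artifact is zipped in-module by archive_file and is not signed; integrity relies on source_code_hash`. Without signing, `source_code_hash` only ties the deployed code to whatever Terraform zipped at plan time, so anyone who can run the apply can ship arbitrary code; that trade-off belongs in the commit message or the README alongside the new badges. The `aws_lambda_function` block starts before this hunk.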