kunduso · kunduso · Jun 12, 2024 · Jun 12, 2024 · Jun 12, 2024 · Jun 12, 2024
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -3,14 +3,14 @@ name: checkov-static-analysis-scan
 # Controls when the workflow will run
 on:
   # Triggers the workflow on push or pull request events but only for the "main" branch
-  # push:
-  #   branches: [ '*' ]
-  #   paths-ignore:
-  #     - '**/README.md'
-  # pull_request:
-  #   branches: ["main"]
-  #   paths-ignore:
-  #     - '**/README.md'
+  push:
+    branches: [ '*' ]
+    paths-ignore:
+      - '**/README.md'
+  pull_request:
+    branches: ["main"]
+    paths-ignore:
+      - '**/README.md'
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:

diff --git a/README.md b/README.md
@@ -1 +1,3 @@
-# add-aws-lambda
+[![License: Unlicense](https://img.shields.io/badge/license-Unlicense-white.svg)](https://choosealicense.com/licenses/unlicense/) [![GitHub pull-requests closed](https://img.shields.io/github/issues-pr-closed/kunduso/add-aws-lambda-terraform)](https://github.com/kunduso/add-aws-lambda-terraform/pulls?q=is%3Apr+is%3Aclosed) [![GitHub pull-requests](https://img.shields.io/github/issues-pr/kunduso/add-aws-lambda-terraform)](https://GitHub.com/kunduso/add-aws-lambda-terraform/pull/) 
+[![GitHub issues-closed](https://img.shields.io/github/issues-closed/kunduso/add-aws-lambda-terraform)](https://github.com/kunduso/add-aws-lambda-terraform/issues?q=is%3Aissue+is%3Aclosed) [![GitHub issues](https://img.shields.io/github/issues/kunduso/add-aws-lambda-terraform)](https://GitHub.com/kunduso/add-aws-lambda-terraform/issues/) 
+[![terraform-infra-provisioning](https://github.com/kunduso/add-aws-lambda-terraform/actions/workflows/terraform.yml/badge.svg?branch=main)](https://github.com/kunduso/add-aws-lambda-terraform/actions/workflows/terraform.yml) [![checkov-static-analysis-scan](https://github.com/kunduso/add-aws-lambda-terraform/actions/workflows/code-scan.yml/badge.svg?branch=main)](https://github.com/kunduso/add-aws-lambda-terraform/actions/workflows/code-scan.yml)
diff --git a/cloudwatch.tf b/cloudwatch.tf
@@ -1,6 +1,13 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group
 resource "aws_cloudwatch_log_group" "lambda_log" {
-  name              = var.name
+  name              = "${var.log_group_prefix}${var.name}" #"/aws/lambda/${var.name}"
   retention_in_days = 365
   kms_key_id        = aws_kms_key.encryption_rest.arn
+  # depends_on = [ aws_kms_key.encryption_rest ]
+}
+#
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream
+resource "aws_cloudwatch_log_stream" "log_stream" {
+  name           = "${var.name}-lambda-log-stream"
+  log_group_name = aws_cloudwatch_log_group.lambda_log.name
 }
diff --git a/data.tf b/data.tf
@@ -2,5 +2,5 @@ data "aws_caller_identity" "current" {}
 locals {
   principal_root_arn       = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
   principal_logs_arn       = "logs.${var.region}.amazonaws.com"
-  cloudwatch_log_group_arn = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${var.name}*"
+  cloudwatch_log_group_arn = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${var.log_group_prefix}${var.name}*"
 }
diff --git a/lambda.tf b/lambda.tf
@@ -5,13 +5,33 @@ data "archive_file" "python_file" {
 }
 
 resource "aws_lambda_function" "lambda_run" {
-  filename      = "${path.module}/lambda_function/lambda_function.zip"
-  function_name = "write_parameter_to_cloudwatch"
-  role          = aws_iam_role.lambda_role.arn
-  handler       = "handler.lambda_handler"
-  runtime       = "python3.8"
-}
+  filename         = "${path.module}/lambda_function/lambda_function.zip"
+  source_code_hash = data.archive_file.python_file.output_base64sha256
+  function_name    = var.name
+  role             = aws_iam_role.lambda_role.arn
+  handler          = "handler.lambda_handler"
+  runtime          = "python3.8"
+  kms_key_arn      = aws_kms_key.encryption_rest.arn
+  logging_config {
+    log_format       = "JSON"
+    log_group        = aws_cloudwatch_log_group.lambda_log.name
+    system_log_level = "INFO"
+  }
+  environment {
+    variables = {
+      parameter_name  = aws_ssm_parameter.parameter.name
+      log_group_name  = aws_cloudwatch_log_group.lambda_log.name
+      log_stream_name = aws_cloudwatch_log_stream.log_stream.name
+    }
 
+  }
+  #checkov:skip=CKV_AWS_50: Not applicable in this use case: X-Ray tracing is enabled for Lambda
+  #checkov:skip=CKV_AWS_115: Not applicable in this use case: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
+  #checkov:skip=CKV_AWS_117: This AWS Lambda function does not require access to anything inside a VPC
+  #checkov:skip=CKV_AWS_116: Not applicable in this use case
+  #checkov:skip=CKV_AWS_173: Not applicable in this use case
+  #checkov:skip=CKV_AWS_272: Not applicable in this use case: Ensure AWS Lambda function is configured to validate code-signing
+}
 resource "aws_cloudwatch_event_rule" "lambda_trigger" {
   name                = "lambda_trigger_rule"
   schedule_expression = "rate(10 minutes)"

diff --git a/lambda_function/handler.py b/lambda_function/handler.py
@@ -1,21 +1,21 @@
 import boto3
 import logging
 import time
+import os
 
 def lambda_handler(event, context):
     # Initialize the Boto3 clients for SSM and CloudWatch Logs
     ssm_client = boto3.client('ssm')
     logs_client = boto3.client('logs')
-    parameter_name = '/app-7'
-    log_group_name = 'app-7'
-    log_stream_name = 'app-7-lambda-log-stream'
+    parameter_name = os.environ['parameter_name']
+    log_group_name = os.environ['log_group_name']
+    log_stream_name = os.environ['log_stream_name']
     try:
         # Read the parameter from SSM Parameter Store
         response = ssm_client.get_parameter(Name=parameter_name, WithDecryption=True)
         parameter_value = response['Parameter']['Value']
 
         # Write the parameter value to CloudWatch Logs
-        logs_client.create_log_stream(logGroupName=log_group_name, logStreamName=log_stream_name)
         logs_client.put_log_events(
             logGroupName=log_group_name,
             logStreamName=log_stream_name,

diff --git a/variables.tf b/variables.tf
@@ -22,4 +22,9 @@ variable "name" {
   description = "The name of the application."
   type        = string
   default     = "app-7"
+}
+variable "log_group_prefix" {
+  description = "The name of the log group."
+  type        = string
+  default     = "/aws/lambda/"
 }