Updates lambda implementation to the terraform-aws-lambda module (#10)

- Removes layer references in favor of the automated terraform-aws-lambda requirements management
- Updates lambda python runtime from 3.8 to 3.9
- adds additional_iam_policy_statements input variable

Author: userhas404d

data.tf

@@ -1,27 +1,3 @@
-locals {
-  // https://github.com/phzietsman/aws-lambda-layer-common
-  python_layers = {
-    "ap-northeast-1" = "arn:aws:lambda:ap-northeast-1:306986787463:layer:common-python-libraries:1"
-    "us-east-1"      = "arn:aws:lambda:us-east-1:306986787463:layer:common-python-libraries:1"
-    "ap-southeast-1" = "arn:aws:lambda:ap-southeast-1:306986787463:layer:common-python-libraries:1"
-    "eu-west-1"      = "arn:aws:lambda:eu-west-1:306986787463:layer:common-python-libraries:1"
-    "us-west-1"      = "arn:aws:lambda:us-west-1:306986787463:layer:common-python-libraries:1"
-    "ap-east-1"      = "arn:aws:lambda:ap-east-1:306986787463:layer:common-python-libraries:1"
-    "ap-northeast-2" = "arn:aws:lambda:ap-northeast-2:306986787463:layer:common-python-libraries:1"
-    "ap-northeast-3" = "arn:aws:lambda:ap-northeast-3:306986787463:layer:common-python-libraries:1"
-    "ap-south-1"     = "arn:aws:lambda:ap-south-1:306986787463:layer:common-python-libraries:1"
-    "ap-southeast-2" = "arn:aws:lambda:ap-southeast-2:306986787463:layer:common-python-libraries:1"
-    "ca-central-1"   = "arn:aws:lambda:ca-central-1:306986787463:layer:common-python-libraries:1"
-    "eu-central-1"   = "arn:aws:lambda:eu-central-1:306986787463:layer:common-python-libraries:1"
-    "eu-north-1"     = "arn:aws:lambda:eu-north-1:306986787463:layer:common-python-libraries:1"
-    "eu-west-2"      = "arn:aws:lambda:eu-west-2:306986787463:layer:common-python-libraries:1"
-    "eu-west-3"      = "arn:aws:lambda:eu-west-3:306986787463:layer:common-python-libraries:1"
-    "sa-east-1"      = "arn:aws:lambda:sa-east-1:306986787463:layer:common-python-libraries:1"
-    "us-east-2"      = "arn:aws:lambda:us-east-2:306986787463:layer:common-python-libraries:1"
-    "us-west-2"      = "arn:aws:lambda:us-west-2:306986787463:layer:common-python-libraries:1"
-  }
-}
-
 data "aws_s3_bucket" "cloudtrail_bucket" {
   bucket = var.cloudtrail_bucket_name
 }

iam.tf

@@ -1,57 +1,4 @@
-resource "aws_iam_role" "lambda" {
-  name               = var.naming_prefix
-  assume_role_policy = data.aws_iam_policy_document.lambda_role_trust.json
-
-  tags = var.tags
-}
-
-data "aws_iam_policy_document" "lambda_role_trust" {
-  statement {
-    sid = "LambdaTrust"
-
-    actions = [
-      "sts:AssumeRole"
-    ]
-
-    principals {
-      type        = "Service"
-      identifiers = ["lambda.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role_policy" "lambda_permissions" {
-  name   = var.naming_prefix
-  role   = aws_iam_role.lambda.id
-  policy = data.aws_iam_policy_document.lambda_permissions.json
-}
-
 data "aws_iam_policy_document" "lambda_permissions" {
-  statement {
-    sid = "LoggingCreateGroup"
-
-    actions = [
-      "logs:CreateLogGroup"
-    ]
-
-    resources = [
-      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.func.name}"
-    ]
-  }
-
-  statement {
-    sid = "LoggingStreamPutEvents"
-
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-
-    resources = [
-      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.func.name}:log-stream:*"
-    ]
-  }
-
   statement {
     sid = "S3AccessBucket"
 

lambda.tf

@@ -1,51 +1,48 @@
-resource "aws_lambda_function" "func" {
 
-  function_name = var.naming_prefix
-  role          = aws_iam_role.lambda.arn
+module "clickops_notifier_lambda" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-lambda.git?ref=v3.2.1"
 
-  handler = "main.handler"
-  runtime = "python3.8"
+  function_name = var.naming_prefix
+  description   = "ClickOps Notifier Lambda"
 
-  filename         = data.archive_file.func.output_path
-  source_code_hash = filebase64sha256(data.archive_file.func.output_path)
+  handler     = "main.handler"
+  runtime     = "python3.9"
+  publish     = true
+  source_path = "${path.module}/lambda/app"
 
   timeout     = var.event_processing_timeout
   memory_size = 128
 
-  layers = [local.python_layers[var.region]]
-
-  environment {
-    variables = {
-      WEBHOOK_PARAMETER = aws_ssm_parameter.slack_webhook.name
-      EXCLUDED_ACCOUNTS = jsonencode(var.excluded_accounts)
-      INCLUDED_ACCOUNTS = jsonencode(var.included_accounts)
+  attach_policy_json = true
+  policy_json        = data.aws_iam_policy_document.lambda_permissions.json
 
-      EXCLUDED_USERS = jsonencode(var.excluded_users)
-      INCLUDED_USERS = jsonencode(var.included_users)
+  attach_policy_statements = true
+  policy_statements        = var.additional_iam_policy_statements
 
-      MESSAGE_FORMAT = var.message_format
+  cloudwatch_logs_retention_in_days = var.log_retention_in_days
 
-      LOG_LEVEL = "INFO"
-    }
-  }
+  environment_variables = {
+    WEBHOOK_PARAMETER = aws_ssm_parameter.slack_webhook.name
+    EXCLUDED_ACCOUNTS = jsonencode(var.excluded_accounts)
+    INCLUDED_ACCOUNTS = jsonencode(var.included_accounts)
 
-  tags = var.tags
-}
+    EXCLUDED_USERS = jsonencode(var.excluded_users)
+    INCLUDED_USERS = jsonencode(var.included_users)
 
-data "archive_file" "func" {
-  type             = "zip"
-  source_dir       = "${path.module}/lambda/app"
-  output_file_mode = "0666"
-  output_path      = "${path.module}/lambda.zip"
-}
+    MESSAGE_FORMAT = var.message_format
 
-resource "aws_lambda_event_source_mapping" "bucket_notifications" {
-  event_source_arn = aws_sqs_queue.bucket_notifications.arn
-  function_name    = aws_lambda_function.func.arn
+    LOG_LEVEL = "INFO"
+  }
 
-  batch_size                         = var.event_batch_size
-  maximum_batching_window_in_seconds = var.event_maximum_batching_window
+  event_source_mapping = {
+    sqs = {
+      event_source_arn                   = aws_sqs_queue.bucket_notifications.arn
+      batch_size                         = var.event_batch_size
+      maximum_batching_window_in_seconds = var.event_maximum_batching_window
+    }
+  }
 
+  tags = var.tags
 }
 
 resource "aws_ssm_parameter" "slack_webhook" {

lambda/app/requirements.txt

@@ -0,0 +1 @@
+requests==2.27.1

logging.tf

@@ -0,0 +1,7 @@
+output "clickops_notifier_lambda" {
+  value = module.clickops_notifier_lambda
+}
+
+output "sqs_queue" {
+  value = aws_sqs_queue.bucket_notifications
+}

outputs.tf

@@ -12,14 +12,12 @@ provider "aws" {
 }
 
 module "clickops_notifications" {
-    source = "../"
+  source = "../"
 
-    cloudtrail_bucket_name = var.cloudtrail_bucket_name
-    webhook = var.webhook
-    region = var.region
-    message_format = "slack"
+  cloudtrail_bucket_name = var.cloudtrail_bucket_name
+  webhook                = var.webhook
+  message_format         = "slack"
 }
 
-variable "cloudtrail_bucket_name" { }
-variable "webhook" { }
-variable "region" { }
+variable "cloudtrail_bucket_name" {}
+variable "webhook" {}

sample/sample.tf

@@ -36,4 +36,4 @@ resource "aws_s3_bucket_notification" "bucket_notification" {
   depends_on = [
     aws_sqs_queue_policy.bucket_notifications
   ]
-}
+}

trigger.tf

@@ -10,36 +10,6 @@ variable "webhook" {
   sensitive   = true
 }
 
-variable "region" {
-  type        = string
-  description = "Region where this will be deployed. Used for [getting the correct lambda layer]"
-
-  validation {
-    condition = contains([
-      "ap-northeast-1",
-      "us-east-1",
-      "ap-southeast-1",
-      "eu-west-1",
-      "us-west-1",
-      "ap-east-1",
-      "ap-northeast-2",
-      "ap-northeast-3",
-      "ap-south-1",
-      "ap-southeast-2",
-      "ca-central-1",
-      "eu-central-1",
-      "eu-north-1",
-      "eu-west-2",
-      "eu-west-3",
-      "sa-east-1",
-      "us-east-2",
-      "us-west-2"
-    ], var.region)
-    error_message = "Invalid region provided."
-  }
-}
-
-
 # Application Related Optional Variables
 
 variable "message_format" {
@@ -87,6 +57,12 @@ variable "naming_prefix" {
   default     = "clickops-notifier"
 }
 
+variable "additional_iam_policy_statements" {
+  description = "Map of dynamic policy statements to attach to Lambda Function role"
+  type        = any
+  default     = {}
+}
+
 variable "tags" {
   type        = map(string)
   description = "Tags to add to resources in addition to the default_tags for the provider"