diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..88cb251
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,30 @@
+# EditorConfig is awesome: http://EditorConfig.org
+# Uses editorconfig to maintain consistent coding styles
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+max_line_length = 80
+trim_trailing_whitespace = true
+
+[*.{tf,tfvars}]
+indent_size = 2
+indent_style = space
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+[Makefile]
+tab_width = 2
+indent_style = tab
+
+[COMMIT_EDITMSG]
+max_line_length = 0
diff --git a/README.md b/README.md
index ccef183..f86952e 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ -# aws-letsencrypt-lambda + +[![Github release](https://img.shields.io/github/v/release/kvendingoldo/aws-letsencrypt-lambda?style=for-the-badge)](https://github.com/kvendingoldo/aws-letsencrypt-lambda/releases) [![Contributors](https://img.shields.io/github/contributors/kvendingoldo/aws-letsencrypt-lambda?style=for-the-badge)](https://github.com/kvendingoldo/aws-letsencrypt-lambda/graphs/contributors) ![maintenance status](https://img.shields.io/maintenance/yes/2024.svg?style=for-the-badge) [![Go report](https://img.shields.io/badge/go%20report-A+-brightgreen.svg?style=for-the-badge)](https://goreportcard.com/report/github.com/kvendingoldo/aws-letsencrypt-lambda/) [![OpenTofu support](https://img.shields.io/badge/opentofu-supported-blue.svg?logo=opentofu&style=for-the-badge)](https://opentofu.org/) [![OpenTofu support](https://img.shields.io/badge/terraform-supported-blue.svg?logo=terraform&style=for-the-badge)](https://www.terraform.io/) -[![Github release](https://img.shields.io/github/v/release/kvendingoldo/aws-letsencrypt-lambda?style=for-the-badge)](https://github.com/kvendingoldo/aws-letsencrypt-lambda/releases) [![Contributors](https://img.shields.io/github/contributors/kvendingoldo/aws-letsencrypt-lambda?style=for-the-badge)](https://github.com/kvendingoldo/aws-letsencrypt-lambda/graphs/contributors) ![maintenance status](https://img.shields.io/maintenance/yes/2024.svg?style=for-the-badge) -[![support opentofu](https://img.shields.io/badge/supports-opentofu-green?style=for-the-badge)](https://opentofu.org/) +# aws-letsencrypt-lambda ## Overview It's common for people to desire having valid TLS certificates without wanting to pay for them. 
@@ -14,4 +14,4 @@ You can review the following documents on the Lambda to learn more:
 * [How to use the Lambda inside of AWS](docs/how_to_use_aws.md)
 * [How to use the Lambda locally](docs/how_to_use_locally.md)
 * [How to use Terraform automation](docs/how_to_use_terraform.md)
-* [Lambda's environment variables](docs/environment_variables.md)
+* [Labmda's environment variables](docs/environment_variables.md)
diff --git a/files/terraform/module/README.md b/files/terraform/module/README.md
index e4a58aa..fa450c1 100644
--- a/files/terraform/module/README.md
+++ b/files/terraform/module/README.md
@@ -34,7 +34,10 @@ No modules.
 | [aws_cloudwatch_event_rule.schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.event_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+<<<<<<< HEAD
 | [aws_ecr_pull_through_cache_rule.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_pull_through_cache_rule) | resource |
+=======
+>>>>>>> 0a93985 (feat: add ecr_proxy support, documentation improvements)
 | [aws_iam_policy.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
diff --git a/files/terraform/module/ecr_proxy.tf b/files/terraform/module/ecr_proxy.tf
new file mode 100644
index 0000000..9487cc3
--- /dev/null
+++ b/files/terraform/module/ecr_proxy.tf
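Review bot: The rewritten link text on the last line of the hunk introduces a typo: `Lambda's` became `Labmda's`, so the new side is worse than the line it replaces. Keep `* [Lambda's environment variables](docs/environment_variables.md)`.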
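Review bot: The added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 0a93985 (feat: add ecr_proxy support, documentation improvements)` are unresolved merge-conflict markers committed into the resources table of files/terraform/module/README.md; they break the rendered table and must be resolved before merging. Neither side of the conflict matches the code in this same commit: HEAD lists `aws_ecr_pull_through_cache_rule.lambda`, but ecr_proxy.tf adds `aws_ecr_pull_through_cache_rule.docker_hub` and `aws_ecr_repository.lambda_proxy`, and the other side lists nothing. The table looks like terraform-docs output, so regenerating it from the module rather than hand-editing would settle both the markers and the resource names.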
@@ -0,0 +1,16 @@
+resource "aws_ecr_repository" "lambda_proxy" {
+ count = var.enable_ecr_proxy ? 0 : 1
+ name = var.ecr_repository_prefix
+ image_tag_mutability = "MUTABLE"
+ force_delete = true
+ image_scanning_configuration {
+ scan_on_push = false
+ }
+}
+
+resource "aws_ecr_pull_through_cache_rule" "docker_hub" {
+ count = var.enable_ecr_proxy ? 0 : 1
+ ecr_repository_prefix = var.ecr_repository_prefix
+ upstream_registry_url = "registry-1.docker.io"
+ credential_arn = var.dockerhub_proxy_secret_arn
+}
diff --git a/files/terraform/module/examples/full/main.tf b/files/terraform/module/examples/full/main.tf
new file mode 100644
index 0000000..fa87a7f
--- /dev/null
+++ b/files/terraform/module/examples/full/main.tf
@@ -0,0 +1,13 @@
+module "letsencrypt_lambda" {
+ source = "git@github.com:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=rc/0.9.0"
+
+ blank_name = "test-letsencrypt-lambda"
+ tags = var.tags
+
+ cron_schedule = var.letsencrypt_lambda_cron_schedule
+ image_uri = var.letsencrypt_lambda_image_uri
+ events = var.letsencrypt_lambda_events
+
+ enable_ecr_proxy = false
+ ecr_image_uri = ".dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:"
+}
diff --git a/files/terraform/module/examples/full/variables.tf b/files/terraform/module/examples/full/variables.tf
new file mode 100644
index 0000000..fcd55cb
--- /dev/null
+++ b/files/terraform/module/examples/full/variables.tf
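Review bot: Both `count` expressions in ecr_proxy.tf are inverted: `var.enable_ecr_proxy ? 0 : 1` creates the repository and the pull-through cache rule only when the proxy is disabled, while locals.tf in this same diff builds `lambda_image` from `${local.ecr_domain}/${var.ecr_repository_prefix}/` only when it is enabled, so with the default `enable_ecr_proxy = true` the Lambda is pointed at a cache prefix with no rule behind it. Change both lines to `count = var.enable_ecr_proxy ? 1 : 0`. The repository that fronts an image pulled from a public registry is also created with `scan_on_push = false` and `force_delete = true`; for an image that will run with the module's Route 53 and ACM permissions I would default to `scan_on_push = true` so a compromised upstream at least surfaces in ECR findings, and expose `force_delete` as a variable rather than hard-coding it. It is also not obvious why a repository named exactly `var.ecr_repository_prefix` is needed, since a pull-through cache rule creates the per-image repositories under its prefix on first pull — please confirm that `aws_ecr_repository.lambda_proxy` is used, otherwise drop it.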
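Review bot: `source` in examples/full/main.tf pins the module with `?ref=rc/0.9.0`, which reads like a release-candidate branch rather than an immutable tag or commit, so anyone copying the example deploys whatever that ref points to at apply time; examples/simple/main.tf carries the same source line. Prefer a tagged release or a commit SHA in `ref`. The example also passes `image_uri = var.letsencrypt_lambda_image_uri`, but the module inputs added in this diff are `dockerhub_image` and `ecr_image_uri` and no `image_uri` variable is visible in the module here; if it has been removed, the example fails with an unsupported-argument error. The `ecr_image_uri` value `.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:` is missing both the account id and the tag, so a comment such as `# replace with <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/<REPO>:<TAG>` would make the placeholder self-explaining.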
@@ -0,0 +1,31 @@
+variable "tags" {
+ default = {
+ testTagKey : "testTagValue"
+ }
+}
+variable "letsencrypt_lambda_cron_schedule" {
+ default = "rate(168 hours)"
+}
+variable "letsencrypt_lambda_image_uri" {
+ default = ".dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:"
+}
+variable "letsencrypt_lambda_events" {
+ default = [
+ {
+ "domainName" : "",
+ "acmeUrl" : "stage",
+ "acmeEmail" : "",
+ "reImportThreshold" : 10,
+ "issueType" : "force"
+ },
+ {
+ "acmRegion" : "us-east-2",
+ "route53Region" : "us-east-1",
+ "domainName" : "",
+ "acmeUrl" : "prod",
+ "acmeEmail" : "",
+ "reImportThreshold" : 30,
+ "issueType" : "default"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/files/terraform/module/examples/simple/main.tf b/files/terraform/module/examples/simple/main.tf
new file mode 100644
index 0000000..3ef435b
--- /dev/null
+++ b/files/terraform/module/examples/simple/main.tf
@@ -0,0 +1,10 @@
+module "letsencrypt_lambda" {
+ source = "git@github.com:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=rc/0.9.0"
+
+ blank_name = "test-letsencrypt-lambda"
+ tags = var.tags
+
+ cron_schedule = var.letsencrypt_lambda_cron_schedule
+ image_uri = var.letsencrypt_lambda_image_uri
+ events = var.letsencrypt_lambda_events
+}
\ No newline at end of file
diff --git a/files/terraform/module/examples/simple/variables.tf b/files/terraform/module/examples/simple/variables.tf
new file mode 100644
index 0000000..3b786bd
--- /dev/null
+++ b/files/terraform/module/examples/simple/variables.tf
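Review bot: The `letsencrypt_lambda_events` default in examples/full/variables.tf contains two objects that both carry `"domainName" : ""`, and locals.tf in this diff keys the events map on that field (`{for event in var.events : event["domainName"] => event if var.cron_enabled}`), so whenever `cron_enabled` is on (I cannot see its default here) this example fails with a duplicate object key error before anything is created. Give the two sample events distinct placeholder domains, e.g. `"domainName" : "staging.example.com"` for the `stage` event and `"domainName" : "example.com"` for the `prod` one, and a placeholder `acmeEmail` instead of `""`. The file is also committed without a trailing newline (`\ No newline at end of file`), which the `.editorconfig` added in this same commit asks editors to insert.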
@@ -0,0 +1,24 @@ +variable "tags" { + default = { + testTagKey : "testTagValue" + } +} +variable "letsencrypt_lambda_cron_schedule" { + default = "rate(168 hours)" +} +variable "letsencrypt_lambda_image_uri" { + default = ".dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:" +} +variable "letsencrypt_lambda_events" { + default = [ + { + "acmRegion" : "us-east-2", + "route53Region" : "us-east-1", + "domainName" : "", + "acmeUrl" : "prod", + "acmeEmail" : "", + "reImportThreshold" : 30, + "issueType" : "default" + } + ] +} diff --git a/files/terraform/module/locals.tf b/files/terraform/module/locals.tf index 2ca5bfb..2dbee5f 100644 --- a/files/terraform/module/locals.tf +++ b/files/terraform/module/locals.tf @@ -1,4 +1,7 @@ locals { - events = { for event in var.events : event["domainName"] => event if var.cron_enabled } - image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${var.ecr_proxy_repository_prefix}/${var.image}" + events = {for event in var.events : event["domainName"] => event if var.cron_enabled} + + ecr_domain = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com" + image_prefix = var.enable_ecr_proxy ? "${local.ecr_domain}/${var.ecr_repository_prefix}/" : "" + lambda_image = var.enable_ecr_proxy ? "${local.image_prefix}${var.dockerhub_image}" : var.ecr_image_uri } diff --git a/files/terraform/module/main.tf b/files/terraform/module/main.tf index d70354a..d5336b8 100644 --- a/files/terraform/module/main.tf +++ b/files/terraform/module/main.tf @@ -7,7 +7,7 @@ resource "aws_lambda_function" "main" { tags = var.tags role = var.create_iam_role ? aws_iam_role.main[0].arn : var.iam_role_arn - image_uri = local.image + image_uri = local.lambda_image package_type = "Image" timeout = var.timeout memory_size = var.memory_size diff --git a/files/terraform/module/variables.tf b/files/terraform/module/variables.tf index 1671ec2..a4627ff 100644 
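Review bot: In locals.tf, `lambda_image` falls back to `var.ecr_image_uri` when `enable_ecr_proxy` is false, and that variable's default (added in variables.tf in this diff) is `null`, so a caller who disables the proxy but forgets `ecr_image_uri` ends up with `image_uri = null` on `aws_lambda_function.main` and gets an opaque provider error at plan or apply. Make the dependency explicit with a `lifecycle { precondition { ... } }` on the Lambda resource — `condition = var.enable_ecr_proxy || var.ecr_image_uri != null` with an `error_message` naming both variables (a `validation` block on the variable itself could not see `enable_ecr_proxy` in older Terraform releases). `image_prefix` is only ever read inside the `enable_ecr_proxy` branch of `lambda_image`, so its own `? ... : ""` guard is redundant and can be folded into that one expression. Note also that the two resources in ecr_proxy.tf are created under the opposite sense of `enable_ecr_proxy` from the one this local uses; that is raised on the ecr_proxy.tf hunk.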
--- a/files/terraform/module/variables.tf
+++ b/files/terraform/module/variables.tf
@@ -127,3 +127,29 @@ variable "retention" {
 description = "Number of days to retain log events in the specified log group"
 default = 7
 }
+
+#
+# Lambda image
+#
+variable "dockerhub_image" {
+ default = "kvendingoldo/aws-letsencrypt-lambda:latest"
+}
+variable "ecr_image_uri" {
+ type = string
+ description = "ECR image URI containing the function's deployment package. Required only if enable_ecr_proxy is false"
+ default = null
+}
+
+#
+# ECR proxy for DockerHub
+#
+variable "enable_ecr_proxy" {
+ default = true
+}
+variable "ecr_repository_prefix" {
+ default = "dockerhub-public"
+}
+variable "dockerhub_proxy_secret_arn" {
+ description = "If left empty, image is pulled directly from Docker Hub, which might be throttled."
+ default = ""
+}
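Review bot: `dockerhub_image` defaults to the mutable `kvendingoldo/aws-letsencrypt-lambda:latest`, so each apply through the pull-through cache may deploy a different image than the previous one, which is hard to audit for a function that holds Route 53 and ACM permissions; pin the default to a release tag and say in the description that a `@sha256:` digest is the stronger choice. `dockerhub_proxy_secret_arn` defaults to `""` and is passed straight to `credential_arn` in ecr_proxy.tf; an empty string is not a valid ARN and I would expect the provider or the ECR API to reject it, so `default = null` expresses the documented "if left empty" behaviour far better — and please verify that behaviour against the ECR documentation, since I believe the Docker Hub upstream requires a Secrets Manager credential rather than allowing anonymous pulls. Three of the new variables (`dockerhub_image`, `enable_ecr_proxy`, `ecr_repository_prefix`) have no `type` or `description`, unlike `ecr_image_uri` a few lines above; add `type = string` or `type = bool` and a one-line description to each so the generated README and plan output stay self-explaining.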