From bf98818d11b59e458bdf146113ea7cd406169ece Mon Sep 17 00:00:00 2001 From: "Jon R. Roma" Date: Tue, 21 Oct 2025 15:28:27 -0500 Subject: [PATCH] Refactor to use new terraform-aws-lambda module --- .../lambda/rotate-aes128-key-binary/README.md | 18 +++++++-- .../lambda/rotate-aes128-key-binary/data.tf | 21 ---------- .../lambda/rotate-aes128-key-binary/iam.tf | 39 ++++++++----------- .../lambda/rotate-aes128-key-binary/main.tf | 33 +++++++++------- .../rotate-aes128-key-binary/outputs.tf | 4 +- .../rotate-aes128-key-binary/variables.tf | 21 +++++----- .../rotate-aes128-key-binary/versions.tf | 2 +- 7 files changed, 65 insertions(+), 73 deletions(-) delete mode 100644 modules/lambda/rotate-aes128-key-binary/data.tf diff --git a/modules/lambda/rotate-aes128-key-binary/README.md b/modules/lambda/rotate-aes128-key-binary/README.md index a92edef..f678eba 100644 --- a/modules/lambda/rotate-aes128-key-binary/README.md +++ b/modules/lambda/rotate-aes128-key-binary/README.md @@ -37,11 +37,9 @@ Argument Reference The following arguments are supported: -* `name` - (Optional) Lambda function name (default is "rotate-aes128-key-binary"). - -* `role` - (Optional) Role name (default is the same as `name`). +* `logging_config` - (Optional) A [`logging_config`](#logging_config) block containing advanced logging settings. -* `policy` - (Optional) Policy name (default is the same as `name`). +* `name` - (Optional) Lambda function name (default is "rotate-aes128-key-binary"). * `runtime` - (Required) Lambda runtime (e.g., "python3.12"). Runtime *must* be Python 3.x. 
@@ -51,6 +49,18 @@ The following arguments are supported: * `timeout` - (Optional) Lambda function timeout. +`logging_config` +------- +A `logging_config` block supports the following. + +* `application_log_level` - (Optional) Detail level of application logs. + +* `log_format` - (Required) Log format. + +* `log_group` - (Optional) CloudWatch log group where logs are sent. + +* `system_log_level` - (Optional) Detail level of Lambda platform logs. + Attributes Reference -------------------- diff --git a/modules/lambda/rotate-aes128-key-binary/data.tf b/modules/lambda/rotate-aes128-key-binary/data.tf deleted file mode 100644 index 00826a3..0000000 --- a/modules/lambda/rotate-aes128-key-binary/data.tf +++ /dev/null @@ -1,21 +0,0 @@ -data "aws_region" "current" {} - -data "aws_iam_policy_document" "lambda" { - statement { - actions = ["sts:AssumeRole"] - - principals { - type = "Service" - - identifiers = [ - "lambda.amazonaws.com", - ] - } - } -} - -data "archive_file" "selected" { - type = "zip" - source_file = "${path.module}/lambda.py" - output_path = "${path.module}/lambda.zip" -} diff --git a/modules/lambda/rotate-aes128-key-binary/iam.tf b/modules/lambda/rotate-aes128-key-binary/iam.tf index 4749039..b839766 100644 --- a/modules/lambda/rotate-aes128-key-binary/iam.tf +++ b/modules/lambda/rotate-aes128-key-binary/iam.tf 
@@ -1,31 +1,14 @@ -resource "aws_iam_role" "default" { - name = (var.role != null) ? var.role : var.name - assume_role_policy = data.aws_iam_policy_document.lambda.json -} - -resource "aws_iam_role_policy_attachment" "lambda_basic" { - role = aws_iam_role.default.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" -} - -resource "aws_iam_role_policy_attachment" "default" { - role = aws_iam_role.default.name - policy_arn = aws_iam_policy.default.arn -} - -resource "aws_iam_policy" "default" { - name = (var.policy != null) ? var.policy : var.name - path = "/" - policy = data.aws_iam_policy_document.default.json -} - +# Create and attach policy that grants the lambda function access +# to SecretsManager. +# # https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html + data "aws_iam_policy_document" "default" { statement { condition { test = "StringEquals" variable = "secretsmanager:resource/AllowRotationLambdaArn" - values = [aws_lambda_function.default.arn] + values = [module.rotate.lambda_function.arn] } actions = [ @@ -38,3 +21,15 @@ data "aws_iam_policy_document" "default" { resources = ["*"] } } + +resource "aws_iam_policy" "default" { + name = var.name + path = "/" + policy = data.aws_iam_policy_document.default.json + tags = local.tags +} + +resource "aws_iam_role_policy_attachment" "default" { + role = module.rotate.role.name + policy_arn = aws_iam_policy.default.arn +} diff --git a/modules/lambda/rotate-aes128-key-binary/main.tf b/modules/lambda/rotate-aes128-key-binary/main.tf index 25409ce..8258946 100644 --- a/modules/lambda/rotate-aes128-key-binary/main.tf +++ b/modules/lambda/rotate-aes128-key-binary/main.tf 
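Review bot: The first hunk drops the `AWSLambdaBasicExecutionRole` attachment along with `aws_iam_role.default`, and the second hunk attaches only the Secrets Manager policy to `module.rotate.role.name`; unless the module itself grants CloudWatch Logs permissions (not visible here), the function loses the ability to write its own logs, so either confirm it with a comment such as `# CloudWatch Logs access (AWSLambdaBasicExecutionRole) is granted by module.rotate` or re-add the attachment against `module.rotate.role.name`. The role now lives inside the module, which destroys and recreates it rather than adopting the existing one; a `moved { from = aws_iam_role.default ... }` block can preserve state if the module's internal resource address is stable. Removing the `role` and `policy` variables is a breaking change for callers that set them, and the policy is now always named `var.name`, which will force a replacement of `aws_iam_policy.default` wherever `policy` differed from `name`; the commit message does not mention either. The `data "aws_iam_policy_document" "default"` block in the first hunk continues past the hunk (`actions = [`).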
@@ -1,30 +1,37 @@ -resource "aws_lambda_function" "default" { - function_name = var.name - description = "Generate random AES-128 keys in binary form" - handler = "lambda.lambda_handler" - publish = true +data "aws_region" "current" {} - role = aws_iam_role.default.arn - runtime = var.runtime - tags = merge({ Name = var.name }, var.tags) - timeout = var.timeout +locals { + tags = merge({ Name = var.name }, var.tags) +} - filename = data.archive_file.selected.output_path - source_code_hash = data.archive_file.selected.output_base64sha256 +module "rotate" { + source = "git@github.com:techservicesillinois/terraform-aws-lambda?ref=v3.0.0" - environment { + environment = { variables = { SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.${data.aws_region.current.region}.amazonaws.com" SEALER_KEY_VERSION_COUNT = var.sealer_key_version_count } } + + description = "Generate random AES-128 keys in binary form" + function_name = var.name + handler = "lambda.lambda_handler" + logging_config = var.logging_config + publish = true + quiet = false + runtime = var.runtime + source_file = "${path.module}/lambda.py" + tags = local.tags + timeout = var.timeout } # https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html + resource "aws_lambda_permission" "allow_secrets_manager" { statement_id = "AllowExecutionFromSecretsManager" action = "lambda:InvokeFunction" - function_name = aws_lambda_function.default.function_name + function_name = module.rotate.lambda_function.function_name principal = "secretsmanager.amazonaws.com" } diff --git a/modules/lambda/rotate-aes128-key-binary/outputs.tf b/modules/lambda/rotate-aes128-key-binary/outputs.tf index 314dcaa..88593d4 100644 --- a/modules/lambda/rotate-aes128-key-binary/outputs.tf +++ b/modules/lambda/rotate-aes128-key-binary/outputs.tf 
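Review bot: The `module "rotate"` source pins to the git tag `ref=v3.0.0`, and tags are mutable, so the code fetched at `terraform init` can change with no change in this repository; pin to the tag's full commit SHA (`?ref=<commit-sha placeholder>`) with the tag recorded in a comment, or vendor the module, if an immutable reference is wanted. The `git@github.com:` form also requires SSH credentials wherever `init` runs, which is worth a line in the README if the previous setup needed none. Separately, `aws_lambda_permission.allow_secrets_manager` (only its `function_name` line changes here) grants `lambda:InvokeFunction` to the `secretsmanager.amazonaws.com` principal without an account condition, the confused-deputy pattern AWS documents for service principals; adding `source_account = data.aws_caller_identity.current.account_id` together with `data "aws_caller_identity" "current" {}` next to `data "aws_region" "current" {}` limits invocation to this account's Secrets Manager. `quiet = false` is passed to the module with no explanation; a short comment on what it controls would help readers unfamiliar with the module.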
@@ -1,7 +1,7 @@ output "qualified_arn" { - value = aws_lambda_function.default.qualified_arn + value = module.rotate.lambda_function.qualified_arn } output "version" { - value = aws_lambda_function.default.version + value = module.rotate.lambda_function.version } diff --git a/modules/lambda/rotate-aes128-key-binary/variables.tf b/modules/lambda/rotate-aes128-key-binary/variables.tf index 2a75343..2e5c61f 100644 --- a/modules/lambda/rotate-aes128-key-binary/variables.tf +++ b/modules/lambda/rotate-aes128-key-binary/variables.tf @@ -1,16 +1,17 @@ -variable "name" { - description = "Lambda function name" - default = "rotate-aes128-key-binary" -} - -variable "policy" { - description = "Policy name" +variable "logging_config" { + type = object({ + application_log_level = optional(string) + log_format = string + log_group = optional(string) + system_log_level = optional(string) + }) + description = "Configuration block for advanced logging settings" default = null } -variable "role" { - description = "Role name" - default = null +variable "name" { + description = "Lambda function name" + default = "rotate-aes128-key-binary" } variable "runtime" { diff --git a/modules/lambda/rotate-aes128-key-binary/versions.tf b/modules/lambda/rotate-aes128-key-binary/versions.tf index d9b6f79..581e3c1 100644 --- a/modules/lambda/rotate-aes128-key-binary/versions.tf +++ b/modules/lambda/rotate-aes128-key-binary/versions.tf @@ -1,3 +1,3 @@ terraform { - required_version = ">= 0.12" + required_version = ">= 1.12" }
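Review bot: `variable "logging_config"` in the variables.tf hunk accepts any string for `log_format` and the two log levels, so a typo such as `"json"` is only rejected at apply time by the Lambda API; a `validation` block restricting `log_format` to the values the API accepts (`Text` or `JSON`) fails fast at plan time. Guard the `null` default with a conditional rather than `||`, since `||` may not short-circuit the attribute access on a null object. `application_log_level` and `system_log_level` only take effect with the JSON format, which the `description` should say so callers do not set them with `Text`. The `variable "runtime"` block at the end of the hunk continues outside it.
```hcl
variable "logging_config" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.logging_config == null ? true : contains(["Text", "JSON"], var.logging_config.log_format)
    error_message = "logging_config.log_format must be \"Text\" or \"JSON\"."
  }
}
```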