Refactor to use new terraform-aws-lambda module

modules/lambda/rotate-aes128-key-binary/README.md

@@ -37,11 +37,9 @@ Argument Reference
 
 The following arguments are supported:
 
-* `name` - (Optional) Lambda function name (default is "rotate-aes128-key-binary").
-
-* `role` - (Optional) Role name (default is the same as `name`).
+* `logging_config` - (Optional) A [`logging_config`](#logging_config) block containing advanced logging settings.
 
-* `policy` - (Optional) Policy name (default is the same as `name`).
+* `name` - (Optional) Lambda function name (default is "rotate-aes128-key-binary").
 
 * `runtime` - (Required) Lambda runtime (e.g., "python3.12"). Runtime *must* be Python 3.x.
 
@@ -51,6 +49,18 @@ The following arguments are supported:
 
 * `timeout` - (Optional) Lambda function timeout.
 
+`logging_config`
+-------
+A `logging_config` block supports the following.
+
+* `application_log_level` - (Optional) Detail level of application logs.
+
+* `log_format` - (Required) Log format.
+
+* `log_group` - (Optional) CloudWatch log group where logs are sent.
+
+* `system_log_level` - (Optional) Detail level of Lambda platform logs.
+
 Attributes Reference
 --------------------
 

modules/lambda/rotate-aes128-key-binary/iam.tf

@@ -1,31 +1,14 @@
-resource "aws_iam_role" "default" {
-  name               = (var.role != null) ? var.role : var.name
-  assume_role_policy = data.aws_iam_policy_document.lambda.json
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_basic" {
-  role       = aws_iam_role.default.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-}
-
-resource "aws_iam_role_policy_attachment" "default" {
-  role       = aws_iam_role.default.name
-  policy_arn = aws_iam_policy.default.arn
-}
-
-resource "aws_iam_policy" "default" {
-  name   = (var.policy != null) ? var.policy : var.name
-  path   = "/"
-  policy = data.aws_iam_policy_document.default.json
-}
-
+# Create and attach policy that grants the lambda function access
+# to SecretsManager.
+#
 # https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html
+
 data "aws_iam_policy_document" "default" {
   statement {
     condition {
       test     = "StringEquals"
       variable = "secretsmanager:resource/AllowRotationLambdaArn"
-      values   = [aws_lambda_function.default.arn]
+      values   = [module.rotate.lambda_function.arn]
     }
 
     actions = [
@@ -38,3 +21,15 @@ data "aws_iam_policy_document" "default" {
     resources = ["*"]
   }
 }
+
+resource "aws_iam_policy" "default" {
+  name   = var.name
+  path   = "/"
+  policy = data.aws_iam_policy_document.default.json
+  tags   = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "default" {
+  role       = module.rotate.role.name
+  policy_arn = aws_iam_policy.default.arn
+}

modules/lambda/rotate-aes128-key-binary/main.tf

@@ -1,30 +1,37 @@
-resource "aws_lambda_function" "default" {
-  function_name = var.name
-  description   = "Generate random AES-128 keys in binary form"
-  handler       = "lambda.lambda_handler"
-  publish       = true
+data "aws_region" "current" {}
 
-  role    = aws_iam_role.default.arn
-  runtime = var.runtime
-  tags    = merge({ Name = var.name }, var.tags)
-  timeout = var.timeout
+locals {
+  tags = merge({ Name = var.name }, var.tags)
+}
 
-  filename         = data.archive_file.selected.output_path
-  source_code_hash = data.archive_file.selected.output_base64sha256
+module "rotate" {
+  source = "[email protected]:techservicesillinois/terraform-aws-lambda?ref=v3.0.0"
 
-  environment {
+  environment = {
     variables = {
       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.${data.aws_region.current.region}.amazonaws.com"
       SEALER_KEY_VERSION_COUNT = var.sealer_key_version_count
     }
   }
+
+  description    = "Generate random AES-128 keys in binary form"
+  function_name  = var.name
+  handler        = "lambda.lambda_handler"
+  logging_config = var.logging_config
+  publish        = true
+  quiet          = false
+  runtime        = var.runtime
+  source_file    = "${path.module}/lambda.py"
+  tags           = local.tags
+  timeout        = var.timeout
 }
 
 # https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html
+
 resource "aws_lambda_permission" "allow_secrets_manager" {
   statement_id = "AllowExecutionFromSecretsManager"
 
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.default.function_name
+  function_name = module.rotate.lambda_function.function_name
   principal     = "secretsmanager.amazonaws.com"
 }

modules/lambda/rotate-aes128-key-binary/outputs.tf

@@ -1,7 +1,7 @@
 output "qualified_arn" {
-  value = aws_lambda_function.default.qualified_arn
+  value = module.rotate.lambda_function.qualified_arn
 }
 
 output "version" {
-  value = aws_lambda_function.default.version
+  value = module.rotate.lambda_function.version
 }

modules/lambda/rotate-aes128-key-binary/variables.tf

@@ -1,16 +1,17 @@
-variable "name" {
-  description = "Lambda function name"
-  default     = "rotate-aes128-key-binary"
-}
-
-variable "policy" {
-  description = "Policy name"
+variable "logging_config" {
+  type = object({
+    application_log_level = optional(string)
+    log_format            = string
+    log_group             = optional(string)
+    system_log_level      = optional(string)
+  })
+  description = "Configuration block for advanced logging settings"
   default     = null
 }
 
-variable "role" {
-  description = "Role name"
-  default     = null
+variable "name" {
+  description = "Lambda function name"
+  default     = "rotate-aes128-key-binary"
 }
 
 variable "runtime" {

modules/lambda/rotate-aes128-key-binary/versions.tf

@@ -1,3 +1,3 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 1.12"
 }