CDK for Terraform

* Created a working version of the Lambda function
* Created a zip file of the Lambda code and uploaded to the S3 code
  bucket
* Added a CloudWatch Group and IAM role to be used by the Lambda
  function
* Added an IAM policy for logging to CloudWatch and attached to the IAM
  Role
* Enabled versioning on the S3 code bucket
* Ended up having to switch from using a SourceCodeHash to the S3
  version...
  * Tried to use both the asset and source hash of both the zip file as
    well as the uploaded S3 object and both were causing a continuous
    update of the function
    (hashicorp/terraform-provider-aws#7385)
  * Tried to manually create the base64 encoded hash from the Lambda
    code zip, but CDKTF was trying to access the zip before it was
    actually created
  * Seems like this is a better solution anyway, as the S3 bucket for
    the code should probably be versioned anyway

cdk-terraform/README.md

@@ -6,6 +6,7 @@ Cloud Development Kit for Terraform (CDKTF)
 * [Install CDKTF](https://learn.hashicorp.com/tutorials/terraform/cdktf-install?in=terraform/cdktf)
 
 ## Running Through CDKTF
+* These should all be ran from the `cdk-terraform` directory
 * Deploy the state stack to manage state:
   * `cdktf deploy cdk-terraform-state`
   * **This does have to be deployed before the Lambda stack**
@@ -18,7 +19,7 @@ Cloud Development Kit for Terraform (CDKTF)
   * `cdktf destroy lambda cdk-terraform-state`
 
 ## Running Using Native Terraform
-* Running a Terraform init with migrating the state:
+* Running a Terraform init with migrating the state or reconfiguring:
   * `terraform -chdir=cdktf.out/stacks/lambda init -migrate-state`
   * `terraform -chdir=cdktf.out/stacks/lambda init -reconfigure`
 

cdk-terraform/lib/s3Bucket.ts

@@ -4,7 +4,8 @@ import { s3, kms } from "@cdktf/provider-aws";
 export function createBucket(
   stack: TerraformStack,
   bucketName: string,
-  encrypt: boolean
+  encrypt: boolean,
+  versioning: boolean
 ) {
 
   const bucket = new s3.S3Bucket(stack, bucketName, {
@@ -31,6 +32,15 @@ export function createBucket(
     });
   }
 
+  if (versioning) {
+    new s3.S3BucketVersioningA(stack, 'bucket-versioning', {
+      bucket: bucket.bucket,
+      versioningConfiguration: {
+        status: "Enabled"
+      },
+    });
+  }
+
   new s3.S3BucketPublicAccessBlock(stack, 'statelock-public-access-block', {
     bucket: bucket.bucket,
     blockPublicAcls: true,

cdk-terraform/stacks/lambda.ts

@@ -1,18 +1,111 @@
-import { TerraformStack } from "cdktf";
+import { AssetType, TerraformAsset, TerraformStack } from "cdktf";
 import { Construct } from "constructs";
-import { AwsProvider } from "@cdktf/provider-aws";
+import { AwsProvider, s3, cloudwatch, iam, lambdafunction } from "@cdktf/provider-aws";
 import * as s3Lib from "../lib/s3Bucket";
+import path = require("path");
 
 export interface LambdaProps {
   readonly projectName: string,
 }
 
+const lambdaAssumePolicy = {
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+
+const lambdaCloudWatchPolicy = {
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "arn:aws:logs:*:*:*",
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+
+const lambdaExecutionPolicyArn = 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+
 export class LambdaStack extends TerraformStack {
   constructor(scope: Construct, name: string, props: LambdaProps) {
     super(scope, name);
-
     new AwsProvider(this, 'aws', {});
 
-    s3Lib.createBucket(this, props.projectName + "-code", true);
+    const lambdaName = `${props.projectName}-lambda`
+
+    const codeBucket = s3Lib.createBucket(
+      this,
+      props.projectName + "-code",
+      true,
+      true
+    );
+
+    const lambdaZip = new TerraformAsset(this, "lambdaZip", {
+      path: path.resolve("../lambda"),
+      type: AssetType.ARCHIVE
+    });
+
+    const lambdaZipUpload = new s3.S3Object(this, "lambdaZipUpload", {
+      bucket: codeBucket.bucket,
+      key: "lambda.zip",
+      source: lambdaZip.path,
+      sourceHash: lambdaZip.assetHash
+    });
+
+    const logGroup = new cloudwatch.CloudwatchLogGroup(this, "lambdaCloudWatchGroup", {
+      name: `/aws/lambda/${lambdaName}`,
+      retentionInDays: 7
+    });
+
+    const lambdaRole = new iam.IamRole(this, "lambdaRole", {
+      name: `${props.projectName}-lambda`,
+      assumeRolePolicy: JSON.stringify(lambdaAssumePolicy)
+    });
+
+    const lambdaLoggingPolicy = new iam.IamPolicy(this, "lambdaLoggingPolicy", {
+      name: `${props.projectName}-lambda-logging`,
+      path: "/",
+      description: "Policy to allow the IAM role for Lambda to write to CloudWatch Logs",
+      policy: JSON.stringify(lambdaCloudWatchPolicy)
+    });
+
+    const loggingPolicyAttachment = new iam.IamRolePolicyAttachment(this, "loggingPolicyAttachment", {
+      policyArn: lambdaLoggingPolicy.arn,
+      role: lambdaRole.name
+    });
+
+    new iam.IamRolePolicyAttachment(this, "executionPolicyAttachment", {
+      policyArn: lambdaExecutionPolicyArn,
+      role: lambdaRole.name
+    });
+
+    new lambdafunction.LambdaFunction(this, "lambdaFunction", {
+      functionName: lambdaName,
+      role: lambdaRole.arn,
+      s3Bucket: codeBucket.bucket,
+      s3Key: lambdaZipUpload.key,
+      s3ObjectVersion: lambdaZipUpload.versionId,
+      // TODO Make it dynamic
+      handler: "index.handler",
+      // TODO Make this dynamic as well
+      runtime: "nodejs16.x",
+      dependsOn: [
+        logGroup,
+        loggingPolicyAttachment,
+      ],
+    });
   }
 }

cdk-terraform/stacks/state.ts

@@ -14,7 +14,7 @@ export class State extends TerraformStack {
 
     new AwsProvider(this, 'aws', {});
 
-    const stateBucket = s3Lib.createBucket(this, props.bucketName, true);
+    const stateBucket = s3Lib.createBucket(this, props.bucketName, true, false);
 
     new TerraformOutput(this, "stateBucket",  {
       value: stateBucket.id

lambda/index.js

@@ -1,4 +1,5 @@
 exports.handler = async (event) => {
+  console.log("Test log!!!");
   const response = {
       statusCode: 200,
       body: JSON.stringify('Hello from Lambda!!!'),