A helper module to deploy Lambda functions in a quick and consistent fashion. The module takes care of a lot of boilerplate such as creating IAM roles, setting up the correct permissions for CloudWatch, configuring log retention windows, setting up CloudWatch triggers, correctly assigning AWS API Gateway invoke permissions and more.
This module is used extensively throughout other OpenDevSecOps projects as well as secapps.com.
The module is automatically published to the Terraform Module Registry. More information about the available inputs, outputs, dependencies, and instructions on how to use the module can be found at the official page here.
The following example can be used as a starting point:
```hcl
module "acme_lambda" {
  source  = "opendevsecops/lambda/aws"
  version = "2.0.0"

  runtime    = "nodejs10.x"
  source_dir = "../src/"
  output_dir = "../build/"

  name      = "acme_agent"
  role_name = "acme_agent_role"

  log_retention_in_days = 90
  timeout               = 300

  environment = {
    ACME_KEY_ID = data.aws_secretsmanager_secret.acme.id
  }

  schedule = [
    {
      name                = "RunDaily"
      schedule_expression = "rate(1 day)"
      input               = <<EOF
{
  "op": "runSchedule",
  "params": {
    "schedule": "daily"
  }
}
EOF
    }
  ]

  tags = local.tags

  module_depends_on = [
    aws_secretsmanager_secret.acme
  ]
}
```
You can set up additional permissions for the function's role using a custom role policy like this:
```hcl
resource "aws_iam_role_policy" "acme_agent_role_policy" {
  name = "policy"
  role = module.acme_lambda.role_name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "${data.aws_secretsmanager_secret.acme.arn}"
    }
  ]
}
EOF
}
```
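The same custom policy can be expressed with the `aws_iam_policy_document` data source, which lets Terraform generate and validate the JSON instead of relying on a hand-written heredoc, and which makes it easier to keep the grant scoped to the one secret the function reads. The block below is an added example, not part of the module's own README; it reuses the `acme_lambda` module and `acme` secret from the example above and assumes a customer-managed KMS key named `aws_kms_key.acme` for the optional decrypt statement.

```hcl
# Added example (not from the module's README): least-privilege read access to
# a single secret, built with aws_iam_policy_document instead of a heredoc.
data "aws_region" "current" {}

data "aws_iam_policy_document" "acme_agent" {
  statement {
    sid     = "ReadAcmeSecret"
    effect  = "Allow"
    actions = ["secretsmanager:GetSecretValue"]

    # Scope the grant to this secret's ARN rather than "*".
    resources = [data.aws_secretsmanager_secret.acme.arn]
  }

  # Only needed when the secret is encrypted with a customer-managed KMS key
  # (assumed here as aws_kms_key.acme). Secrets under the AWS-managed
  # aws/secretsmanager key need no extra KMS permission.
  statement {
    sid       = "DecryptAcmeSecretKey"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.acme.arn]

    # Restrict the decrypt grant to calls made on behalf of Secrets Manager.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "acme_agent_role_policy" {
  name   = "policy"
  role   = module.acme_lambda.role_name
  policy = data.aws_iam_policy_document.acme_agent.json
}
```

Run `terraform plan` after adding the policy and check that the rendered statement lists only the intended secret ARN; a `"Resource": "*"` in the plan output is the usual sign that the interpolation did not resolve as expected.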
Refer to the module registry page for additional information on optional inputs and configuration.