
Commit

feat: Allow to specify custom KMS key for S3 object (#505)
Co-authored-by: Anton Babenko <anton@antonbabenko.com>
joschna and antonbabenko authored Nov 3, 2023
1 parent d4bc88a commit eb339d6
Showing 8 changed files with 153 additions and 144 deletions.
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.81.0
rev: v1.83.5
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
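Review bot: the hook bumps in this file (pre-commit-terraform v1.81.0 to v1.83.5 here, pre-commit-hooks v4.4.0 to v4.5.0 in the next hunk) are tooling updates unrelated to the KMS feature and would be easier to review and revert as a separate chore commit. Both `rev` values are tags, which upstream can move; pre-commit also accepts the full commit SHA a tag resolves to, and pinning that gives developers a reference that cannot be changed from their side.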
Expand All @@ -24,7 +24,7 @@ repos:
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
rev: v4.5.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
11 changes: 6 additions & 5 deletions README.md
Expand Up @@ -558,31 +558,31 @@ module "lambda_function_existing_package_from_remote_url" {
```

## <a name="sam_cli_integration"></a> How to use AWS SAM CLI to test Lambda Function?
[AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-command-reference.html) is an open source tool that help the developers to initiate, build, test, and deploy serverless
[AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-command-reference.html) is an open source tool that help the developers to initiate, build, test, and deploy serverless
applications. SAM CLI tool [supports Terraform applications](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-terraform-support.html).

SAM CLI provides two ways of testing: local testing and testing on-cloud (Accelerate).

### Local Testing
Using SAM CLI, you can invoke the lambda functions defined in the terraform application locally using the [sam local invoke](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-local-invoke.html)
command, providing the function terraform address, or function name, and to set the `hook-name` to `terraform` to tell SAM CLI that the underlying project is a terraform application.
command, providing the function terraform address, or function name, and to set the `hook-name` to `terraform` to tell SAM CLI that the underlying project is a terraform application.

You can execute the `sam local invoke` command from your terraform application root directory as following:
```
sam local invoke --hook-name terraform module.hello_world_function.aws_lambda_function.this[0]
sam local invoke --hook-name terraform module.hello_world_function.aws_lambda_function.this[0]
```
You can also pass an event to your lambda function, or overwrite its environment variables. Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-invoke.html) for more information.

You can also invoke your lambda function in debugging mode, and step-through your lambda function source code locally in your preferred editor. Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-debugging.html) for more information.

### Testing on-cloud (Accelerate)
You can use AWS SAM CLI to quickly test your application on your AWS development account. Using SAM Accelerate, you will be able to develop your lambda functions locally,
You can use AWS SAM CLI to quickly test your application on your AWS development account. Using SAM Accelerate, you will be able to develop your lambda functions locally,
and once you save your updates, SAM CLI will update your development account with the updated Lambda functions. So, you can test it on cloud, and if there is any bug,
you can quickly update the code, and SAM CLI will take care of pushing it to the cloud. Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/accelerate.html) for more information about SAM Accelerate.

You can execute the `sam sync` command from your terraform application root directory as following:
```
sam sync --hook-name terraform --watch
sam sync --hook-name terraform --watch
```

## <a name="deployment"></a> How to deploy and manage Lambda Functions?
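Review bot: every changed line in this hunk is re-added with identical visible content, so this is a whitespace-only cleanup (presumably trailing whitespace trimmed by the updated hooks) and there is nothing functional to check. Since these lines are being touched anyway, the documentation in them could be corrected: `is an open source tool that help the developers to initiate` should read `is an open source tool that helps developers initiate`, `as following` should be `as follows`, and `step-through your lambda function source code` should be `step through`.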
Expand Down Expand Up @@ -838,6 +838,7 @@ No modules.
| <a name="input_s3_acl"></a> [s3\_acl](#input\_s3\_acl) | The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private. | `string` | `"private"` | no |
| <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | S3 bucket to store artifacts | `string` | `null` | no |
| <a name="input_s3_existing_package"></a> [s3\_existing\_package](#input\_s3\_existing\_package) | The S3 bucket object with keys bucket, key, version pointing to an existing zip-file to use | `map(string)` | `null` | no |
| <a name="input_s3_kms_key_id"></a> [s3\_kms\_key\_id](#input\_s3\_kms\_key\_id) | Specifies a custom KMS key to use for S3 object encryption. | `string` | `null` | no |
| <a name="input_s3_object_storage_class"></a> [s3\_object\_storage\_class](#input\_s3\_object\_storage\_class) | Specifies the desired Storage Class for the artifact uploaded to S3. Can be either STANDARD, REDUCED\_REDUNDANCY, ONEZONE\_IA, INTELLIGENT\_TIERING, or STANDARD\_IA. | `string` | `"ONEZONE_IA"` | no |
| <a name="input_s3_object_tags"></a> [s3\_object\_tags](#input\_s3\_object\_tags) | A map of tags to assign to S3 bucket object. | `map(string)` | `{}` | no |
| <a name="input_s3_object_tags_only"></a> [s3\_object\_tags\_only](#input\_s3\_object\_tags\_only) | Set to true to not merge tags with s3\_object\_tags. Useful to avoid breaching S3 Object 10 tag limit. | `bool` | `false` | no |
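Review bot: the new `s3_kms_key_id` row does not say what value is expected or what it implies. The `aws_s3_object` argument it feeds is documented by the provider as a key ARN (the `arn` of an `aws_kms_key`, or `target_key_arn` when referencing an alias), and supplying a key means the package object is encrypted with SSE-KMS, which interacts with the existing `s3_server_side_encryption` input two rows up. Suggested wording: `ARN of the KMS key used for SSE-KMS encryption of the package uploaded to S3. Only meaningful together with SSE-KMS; see s3_server_side_encryption.`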
1 change: 1 addition & 0 deletions main.tf
Expand Up @@ -175,6 +175,7 @@ resource "aws_s3_object" "lambda_package" {
storage_class = var.s3_object_storage_class

server_side_encryption = var.s3_server_side_encryption
kms_key_id = var.s3_kms_key_id

tags = var.s3_object_tags_only ? var.s3_object_tags : merge(var.tags, var.s3_object_tags)

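Review bot: nothing ties the new `kms_key_id` to the `server_side_encryption` argument directly above it, although both describe the encryption of the same object and a key is only meaningful for SSE-KMS; a caller who passes a key while leaving `s3_server_side_encryption` at `AES256` ends up with a self-contradicting configuration that is only rejected at apply time. A `precondition` on this resource (or a `validation` block on the variable) refusing `s3_kms_key_id != null` together with `s3_server_side_encryption == "AES256"` would surface that at plan time. It is also worth documenting that the principal running `terraform apply` needs `kms:Decrypt` on that key (and the key policy must allow it), because Lambda fetches the package from S3 on that principal's behalf and function creation fails when the package cannot be decrypted.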
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -684,6 +684,12 @@ variable "s3_server_side_encryption" {
default = null
}

variable "s3_kms_key_id" {
description = "Specifies a custom KMS key to use for S3 object encryption."
type = string
default = null
}

variable "source_path" {
description = "The absolute path to a local file or directory containing your Lambda source code"
type = any # string | list(string | map(any))
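Review bot: the description of `s3_kms_key_id` does not say the value must be a key ARN, and with a plain `type = string` and no `validation` block an alias name or bare key id is only caught at apply time, if at all. Suggest `description = "ARN of the KMS key used for SSE-KMS encryption of the Lambda package in S3."` plus a validation such as `condition = var.s3_kms_key_id == null || can(regex("^arn:aws[a-z-]*:kms:", var.s3_kms_key_id))` with a matching `error_message`, so a wrong format fails at plan time with a clear message.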
20 changes: 10 additions & 10 deletions wrappers/alias/main.tf
Expand Up @@ -3,23 +3,23 @@ module "wrapper" {

for_each = var.items

allowed_triggers = try(each.value.allowed_triggers, var.defaults.allowed_triggers, {})
create = try(each.value.create, var.defaults.create, true)
use_existing_alias = try(each.value.use_existing_alias, var.defaults.use_existing_alias, false)
refresh_alias = try(each.value.refresh_alias, var.defaults.refresh_alias, true)
create_async_event_config = try(each.value.create_async_event_config, var.defaults.create_async_event_config, false)
create_version_async_event_config = try(each.value.create_version_async_event_config, var.defaults.create_version_async_event_config, true)
create_qualified_alias_allowed_triggers = try(each.value.create_qualified_alias_allowed_triggers, var.defaults.create_qualified_alias_allowed_triggers, true)
create_qualified_alias_async_event_config = try(each.value.create_qualified_alias_async_event_config, var.defaults.create_qualified_alias_async_event_config, true)
create_version_allowed_triggers = try(each.value.create_version_allowed_triggers, var.defaults.create_version_allowed_triggers, true)
create_qualified_alias_allowed_triggers = try(each.value.create_qualified_alias_allowed_triggers, var.defaults.create_qualified_alias_allowed_triggers, true)
name = try(each.value.name, var.defaults.name, "")
create_version_async_event_config = try(each.value.create_version_async_event_config, var.defaults.create_version_async_event_config, true)
description = try(each.value.description, var.defaults.description, "")
destination_on_failure = try(each.value.destination_on_failure, var.defaults.destination_on_failure, null)
destination_on_success = try(each.value.destination_on_success, var.defaults.destination_on_success, null)
event_source_mapping = try(each.value.event_source_mapping, var.defaults.event_source_mapping, {})
function_name = try(each.value.function_name, var.defaults.function_name, "")
function_version = try(each.value.function_version, var.defaults.function_version, "")
routing_additional_version_weights = try(each.value.routing_additional_version_weights, var.defaults.routing_additional_version_weights, {})
maximum_event_age_in_seconds = try(each.value.maximum_event_age_in_seconds, var.defaults.maximum_event_age_in_seconds, null)
maximum_retry_attempts = try(each.value.maximum_retry_attempts, var.defaults.maximum_retry_attempts, null)
destination_on_failure = try(each.value.destination_on_failure, var.defaults.destination_on_failure, null)
destination_on_success = try(each.value.destination_on_success, var.defaults.destination_on_success, null)
allowed_triggers = try(each.value.allowed_triggers, var.defaults.allowed_triggers, {})
event_source_mapping = try(each.value.event_source_mapping, var.defaults.event_source_mapping, {})
name = try(each.value.name, var.defaults.name, "")
refresh_alias = try(each.value.refresh_alias, var.defaults.refresh_alias, true)
routing_additional_version_weights = try(each.value.routing_additional_version_weights, var.defaults.routing_additional_version_weights, {})
use_existing_alias = try(each.value.use_existing_alias, var.defaults.use_existing_alias, false)
}
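Review bot: this hunk is a pure alphabetical reorder of the wrapper arguments: the ten removed lines reappear unchanged in sorted position and no argument is added or dropped, so there is no functional change (the alias wrapper has no S3 inputs, so nothing is missing for the new variable). The same holds for the `wrappers/deploy` and `wrappers/docker-build` hunks that follow. Reorders like these are generated by the `terraform_wrapper_module_for_each` hook and would be less noisy as a separate chore commit.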
54 changes: 27 additions & 27 deletions wrappers/deploy/main.tf
Expand Up @@ -3,39 +3,39 @@ module "wrapper" {

for_each = var.items

create = try(each.value.create, var.defaults.create, true)
tags = try(each.value.tags, var.defaults.tags, {})
alias_name = try(each.value.alias_name, var.defaults.alias_name, "")
function_name = try(each.value.function_name, var.defaults.function_name, "")
current_version = try(each.value.current_version, var.defaults.current_version, "")
target_version = try(each.value.target_version, var.defaults.target_version, "")
before_allow_traffic_hook_arn = try(each.value.before_allow_traffic_hook_arn, var.defaults.before_allow_traffic_hook_arn, "")
after_allow_traffic_hook_arn = try(each.value.after_allow_traffic_hook_arn, var.defaults.after_allow_traffic_hook_arn, "")
interpreter = try(each.value.interpreter, var.defaults.interpreter, ["/bin/bash", "-c"])
description = try(each.value.description, var.defaults.description, "")
create_app = try(each.value.create_app, var.defaults.create_app, false)
use_existing_app = try(each.value.use_existing_app, var.defaults.use_existing_app, false)
alarm_enabled = try(each.value.alarm_enabled, var.defaults.alarm_enabled, false)
alarm_ignore_poll_alarm_failure = try(each.value.alarm_ignore_poll_alarm_failure, var.defaults.alarm_ignore_poll_alarm_failure, false)
alarms = try(each.value.alarms, var.defaults.alarms, [])
alias_name = try(each.value.alias_name, var.defaults.alias_name, "")
app_name = try(each.value.app_name, var.defaults.app_name, "")
create_deployment_group = try(each.value.create_deployment_group, var.defaults.create_deployment_group, false)
use_existing_deployment_group = try(each.value.use_existing_deployment_group, var.defaults.use_existing_deployment_group, false)
deployment_group_name = try(each.value.deployment_group_name, var.defaults.deployment_group_name, "")
deployment_config_name = try(each.value.deployment_config_name, var.defaults.deployment_config_name, "CodeDeployDefault.LambdaAllAtOnce")
attach_hooks_policy = try(each.value.attach_hooks_policy, var.defaults.attach_hooks_policy, true)
attach_triggers_policy = try(each.value.attach_triggers_policy, var.defaults.attach_triggers_policy, false)
auto_rollback_enabled = try(each.value.auto_rollback_enabled, var.defaults.auto_rollback_enabled, true)
auto_rollback_events = try(each.value.auto_rollback_events, var.defaults.auto_rollback_events, ["DEPLOYMENT_STOP_ON_ALARM"])
alarm_enabled = try(each.value.alarm_enabled, var.defaults.alarm_enabled, false)
alarms = try(each.value.alarms, var.defaults.alarms, [])
alarm_ignore_poll_alarm_failure = try(each.value.alarm_ignore_poll_alarm_failure, var.defaults.alarm_ignore_poll_alarm_failure, false)
triggers = try(each.value.triggers, var.defaults.triggers, {})
aws_cli_command = try(each.value.aws_cli_command, var.defaults.aws_cli_command, "aws")
save_deploy_script = try(each.value.save_deploy_script, var.defaults.save_deploy_script, false)
before_allow_traffic_hook_arn = try(each.value.before_allow_traffic_hook_arn, var.defaults.before_allow_traffic_hook_arn, "")
codedeploy_principals = try(each.value.codedeploy_principals, var.defaults.codedeploy_principals, ["codedeploy.amazonaws.com"])
codedeploy_role_name = try(each.value.codedeploy_role_name, var.defaults.codedeploy_role_name, "")
create = try(each.value.create, var.defaults.create, true)
create_app = try(each.value.create_app, var.defaults.create_app, false)
create_codedeploy_role = try(each.value.create_codedeploy_role, var.defaults.create_codedeploy_role, true)
create_deployment = try(each.value.create_deployment, var.defaults.create_deployment, false)
run_deployment = try(each.value.run_deployment, var.defaults.run_deployment, false)
create_deployment_group = try(each.value.create_deployment_group, var.defaults.create_deployment_group, false)
current_version = try(each.value.current_version, var.defaults.current_version, "")
deployment_config_name = try(each.value.deployment_config_name, var.defaults.deployment_config_name, "CodeDeployDefault.LambdaAllAtOnce")
deployment_group_name = try(each.value.deployment_group_name, var.defaults.deployment_group_name, "")
description = try(each.value.description, var.defaults.description, "")
force_deploy = try(each.value.force_deploy, var.defaults.force_deploy, false)
wait_deployment_completion = try(each.value.wait_deployment_completion, var.defaults.wait_deployment_completion, false)
create_codedeploy_role = try(each.value.create_codedeploy_role, var.defaults.create_codedeploy_role, true)
codedeploy_role_name = try(each.value.codedeploy_role_name, var.defaults.codedeploy_role_name, "")
codedeploy_principals = try(each.value.codedeploy_principals, var.defaults.codedeploy_principals, ["codedeploy.amazonaws.com"])
attach_hooks_policy = try(each.value.attach_hooks_policy, var.defaults.attach_hooks_policy, true)
attach_triggers_policy = try(each.value.attach_triggers_policy, var.defaults.attach_triggers_policy, false)
function_name = try(each.value.function_name, var.defaults.function_name, "")
get_deployment_sleep_timer = try(each.value.get_deployment_sleep_timer, var.defaults.get_deployment_sleep_timer, 5)
interpreter = try(each.value.interpreter, var.defaults.interpreter, ["/bin/bash", "-c"])
run_deployment = try(each.value.run_deployment, var.defaults.run_deployment, false)
save_deploy_script = try(each.value.save_deploy_script, var.defaults.save_deploy_script, false)
tags = try(each.value.tags, var.defaults.tags, {})
target_version = try(each.value.target_version, var.defaults.target_version, "")
triggers = try(each.value.triggers, var.defaults.triggers, {})
use_existing_app = try(each.value.use_existing_app, var.defaults.use_existing_app, false)
use_existing_deployment_group = try(each.value.use_existing_deployment_group, var.defaults.use_existing_deployment_group, false)
wait_deployment_completion = try(each.value.wait_deployment_completion, var.defaults.wait_deployment_completion, false)
}
14 changes: 7 additions & 7 deletions wrappers/docker-build/main.tf
Expand Up @@ -3,19 +3,19 @@ module "wrapper" {

for_each = var.items

build_args = try(each.value.build_args, var.defaults.build_args, {})
create_ecr_repo = try(each.value.create_ecr_repo, var.defaults.create_ecr_repo, false)
create_sam_metadata = try(each.value.create_sam_metadata, var.defaults.create_sam_metadata, false)
docker_file_path = try(each.value.docker_file_path, var.defaults.docker_file_path, "Dockerfile")
ecr_address = try(each.value.ecr_address, var.defaults.ecr_address, null)
ecr_force_delete = try(each.value.ecr_force_delete, var.defaults.ecr_force_delete, true)
ecr_repo = try(each.value.ecr_repo, var.defaults.ecr_repo, null)
ecr_repo_lifecycle_policy = try(each.value.ecr_repo_lifecycle_policy, var.defaults.ecr_repo_lifecycle_policy, null)
ecr_repo_tags = try(each.value.ecr_repo_tags, var.defaults.ecr_repo_tags, {})
image_tag = try(each.value.image_tag, var.defaults.image_tag, null)
source_path = try(each.value.source_path, var.defaults.source_path, null)
docker_file_path = try(each.value.docker_file_path, var.defaults.docker_file_path, "Dockerfile")
image_tag_mutability = try(each.value.image_tag_mutability, var.defaults.image_tag_mutability, "MUTABLE")
scan_on_push = try(each.value.scan_on_push, var.defaults.scan_on_push, false)
ecr_force_delete = try(each.value.ecr_force_delete, var.defaults.ecr_force_delete, true)
ecr_repo_tags = try(each.value.ecr_repo_tags, var.defaults.ecr_repo_tags, {})
build_args = try(each.value.build_args, var.defaults.build_args, {})
ecr_repo_lifecycle_policy = try(each.value.ecr_repo_lifecycle_policy, var.defaults.ecr_repo_lifecycle_policy, null)
keep_remotely = try(each.value.keep_remotely, var.defaults.keep_remotely, false)
platform = try(each.value.platform, var.defaults.platform, null)
scan_on_push = try(each.value.scan_on_push, var.defaults.scan_on_push, false)
source_path = try(each.value.source_path, var.defaults.source_path, null)
}
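Review bot: the header says eight files changed but only seven are rendered here; the missing one is presumably the root wrapper (`wrappers/main.tf`), which is the only wrapper that exposes the module's S3 inputs and therefore needs a line such as `s3_kms_key_id = try(each.value.s3_kms_key_id, var.defaults.s3_kms_key_id, null)`. Without it, users of the wrapper cannot set the new key at all and get no error. Please confirm that file was regenerated by the hook in this commit.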