feat: Allow to specify custom KMS key for S3 object #505

Merged: 4 commits, Nov 3, 2023
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.81.0
rev: v1.83.5
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
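Review bot: both `rev:` bumps in this file (`v1.83.5` here, `v4.5.0` in the next hunk) pin a git tag, and tags are mutable, so a hook that fetches and runs code from the upstream repository on every commit is only as trustworthy as whoever controls that tag. `rev` accepts a commit SHA as well, so pinning the SHA (and letting `pre-commit autoupdate` move it) gives a reproducible, reviewable upgrade; at minimum, treat these two lines as a dependency upgrade to be checked against the upstream changelog rather than as housekeeping folded into a feature PR.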
@@ -24,7 +24,7 @@ repos:
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
rev: v4.5.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
11 changes: 6 additions & 5 deletions README.md
@@ -558,31 +558,31 @@ module "lambda_function_existing_package_from_remote_url" {
```

## <a name="sam_cli_integration"></a> How to use AWS SAM CLI to test Lambda Function?
[AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-command-reference.html) is an open source tool that help the developers to initiate, build, test, and deploy serverless
[AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-command-reference.html) is an open source tool that help the developers to initiate, build, test, and deploy serverless
applications. SAM CLI tool [supports Terraform applications](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-terraform-support.html).

SAM CLI provides two ways of testing: local testing and testing on-cloud (Accelerate).

### Local Testing
Using SAM CLI, you can invoke the lambda functions defined in the terraform application locally using the [sam local invoke](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-local-invoke.html)
command, providing the function terraform address, or function name, and to set the `hook-name` to `terraform` to tell SAM CLI that the underlying project is a terraform application.
command, providing the function terraform address, or function name, and to set the `hook-name` to `terraform` to tell SAM CLI that the underlying project is a terraform application.

You can execute the `sam local invoke` command from your terraform application root directory as following:
```
sam local invoke --hook-name terraform module.hello_world_function.aws_lambda_function.this[0]
sam local invoke --hook-name terraform module.hello_world_function.aws_lambda_function.this[0]
```
You can also pass an event to your lambda function, or overwrite its environment variables. Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-invoke.html) for more information.

You can also invoke your lambda function in debugging mode, and step-through your lambda function source code locally in your preferred editor. Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-debugging.html) for more information.

### Testing on-cloud (Accelerate)
You can use AWS SAM CLI to quickly test your application on your AWS development account. Using SAM Accelerate, you will be able to develop your lambda functions locally,
You can use AWS SAM CLI to quickly test your application on your AWS development account. Using SAM Accelerate, you will be able to develop your lambda functions locally,
and once you save your updates, SAM CLI will update your development account with the updated Lambda functions. So, you can test it on cloud, and if there is any bug,
you can quickly update the code, and SAM CLI will take care of pushing it to the cloud. Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/accelerate.html) for more information about SAM Accelerate.

You can execute the `sam sync` command from your terraform application root directory as following:
```
sam sync --hook-name terraform --watch
sam sync --hook-name terraform --watch
```

## <a name="deployment"></a> How to deploy and manage Lambda Functions?
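Review bot: every changed line in this hunk is a whitespace-only edit (each removed line comes back with identical visible text, so trailing whitespace is the only plausible difference), which is consistent with the pre-commit hook bump in this PR but has nothing to do with the KMS feature; it is fine to land, though keeping formatter noise in its own commit keeps `git blame` on the README useful. Since these lines are being rewritten anyway, two wording fixes would be cheap: `is an open source tool that help the developers to initiate` reads better as `is an open source tool that helps developers initialize`, and `as following:` (used twice) should be `as follows:`.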
@@ -838,6 +838,7 @@ No modules.
| <a name="input_s3_acl"></a> [s3\_acl](#input\_s3\_acl) | The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private. | `string` | `"private"` | no |
| <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | S3 bucket to store artifacts | `string` | `null` | no |
| <a name="input_s3_existing_package"></a> [s3\_existing\_package](#input\_s3\_existing\_package) | The S3 bucket object with keys bucket, key, version pointing to an existing zip-file to use | `map(string)` | `null` | no |
| <a name="input_s3_kms_key_id"></a> [s3\_kms\_key\_id](#input\_s3\_kms\_key\_id) | Specifies a custom KMS key to use for S3 object encryption. | `string` | `null` | no |
| <a name="input_s3_object_storage_class"></a> [s3\_object\_storage\_class](#input\_s3\_object\_storage\_class) | Specifies the desired Storage Class for the artifact uploaded to S3. Can be either STANDARD, REDUCED\_REDUNDANCY, ONEZONE\_IA, INTELLIGENT\_TIERING, or STANDARD\_IA. | `string` | `"ONEZONE_IA"` | no |
| <a name="input_s3_object_tags"></a> [s3\_object\_tags](#input\_s3\_object\_tags) | A map of tags to assign to S3 bucket object. | `map(string)` | `{}` | no |
| <a name="input_s3_object_tags_only"></a> [s3\_object\_tags\_only](#input\_s3\_object\_tags\_only) | Set to true to not merge tags with s3\_object\_tags. Useful to avoid breaching S3 Object 10 tag limit. | `bool` | `false` | no |
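Review bot: the new row's description, "Specifies a custom KMS key to use for S3 object encryption.", leaves out the two things a module user will trip over: the value is handed straight to `aws_s3_object.kms_key_id`, which the AWS provider documents as the key ARN (use `arn` from `aws_kms_key`, or `target_key_arn` from `aws_kms_alias`), and it is only meaningful together with `s3_server_side_encryption = "aws:kms"`, which sits a few rows further down in this same table. It is also worth a sentence that the principal running Terraform needs `kms:GenerateDataKey` on that key for the upload and `kms:Decrypt` so that Lambda can fetch the package when the function is created or updated. This row mirrors the `description` in `variables.tf`, so fix the wording there and regenerate the table if it is generated.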
1 change: 1 addition & 0 deletions main.tf
@@ -175,6 +175,7 @@ resource "aws_s3_object" "lambda_package" {
storage_class = var.s3_object_storage_class

server_side_encryption = var.s3_server_side_encryption
kms_key_id = var.s3_kms_key_id

tags = var.s3_object_tags_only ? var.s3_object_tags : merge(var.tags, var.s3_object_tags)

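Review bot: `kms_key_id` and `server_side_encryption` are now driven by two independent variables, so nothing stops a caller from combining `s3_kms_key_id` with `s3_server_side_encryption = "AES256"`, or from passing a key while leaving `s3_server_side_encryption` at its `null` default; the two settings only make sense as `"aws:kms"` plus a key. Either derive one from the other, for example `server_side_encryption = var.s3_kms_key_id != null ? "aws:kms" : var.s3_server_side_encryption`, or reject the mismatch with a `lifecycle { precondition { ... } }` on this resource so the inconsistency fails at plan time with a clear message instead of producing an object encrypted differently from what the caller believed.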
6 changes: 6 additions & 0 deletions variables.tf
@@ -684,6 +684,12 @@ variable "s3_server_side_encryption" {
default = null
}

variable "s3_kms_key_id" {
description = "Specifies a custom KMS key to use for S3 object encryption."
type = string
default = null
}

variable "source_path" {
description = "The absolute path to a local file or directory containing your Lambda source code"
type = any # string | list(string | map(any))
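Review bot: the `description` undersells both what the variable accepts and how it relates to `s3_server_side_encryption`, declared directly above it. The value lands on `aws_s3_object.kms_key_id`, which the provider documents as the key ARN and reads back from S3 as an ARN, so a bare key ID or alias name would show up as a perpetual diff; and it only does anything useful with `s3_server_side_encryption = "aws:kms"`. Spell both out in the description, and consider a `validation` block such as `condition = var.s3_kms_key_id == null || can(regex("^arn:aws[a-z-]*:kms:", var.s3_kms_key_id))` so a typo or an alias fails at plan time rather than at apply time. Given the ARN requirement the name `s3_kms_key_id` is slightly misleading, but renaming is a bigger change than the docs fix and can wait.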
20 changes: 10 additions & 10 deletions wrappers/alias/main.tf
@@ -3,23 +3,23 @@ module "wrapper" {

for_each = var.items

allowed_triggers = try(each.value.allowed_triggers, var.defaults.allowed_triggers, {})
create = try(each.value.create, var.defaults.create, true)
use_existing_alias = try(each.value.use_existing_alias, var.defaults.use_existing_alias, false)
refresh_alias = try(each.value.refresh_alias, var.defaults.refresh_alias, true)
create_async_event_config = try(each.value.create_async_event_config, var.defaults.create_async_event_config, false)
create_version_async_event_config = try(each.value.create_version_async_event_config, var.defaults.create_version_async_event_config, true)
create_qualified_alias_allowed_triggers = try(each.value.create_qualified_alias_allowed_triggers, var.defaults.create_qualified_alias_allowed_triggers, true)
create_qualified_alias_async_event_config = try(each.value.create_qualified_alias_async_event_config, var.defaults.create_qualified_alias_async_event_config, true)
create_version_allowed_triggers = try(each.value.create_version_allowed_triggers, var.defaults.create_version_allowed_triggers, true)
create_qualified_alias_allowed_triggers = try(each.value.create_qualified_alias_allowed_triggers, var.defaults.create_qualified_alias_allowed_triggers, true)
name = try(each.value.name, var.defaults.name, "")
create_version_async_event_config = try(each.value.create_version_async_event_config, var.defaults.create_version_async_event_config, true)
description = try(each.value.description, var.defaults.description, "")
destination_on_failure = try(each.value.destination_on_failure, var.defaults.destination_on_failure, null)
destination_on_success = try(each.value.destination_on_success, var.defaults.destination_on_success, null)
event_source_mapping = try(each.value.event_source_mapping, var.defaults.event_source_mapping, {})
function_name = try(each.value.function_name, var.defaults.function_name, "")
function_version = try(each.value.function_version, var.defaults.function_version, "")
routing_additional_version_weights = try(each.value.routing_additional_version_weights, var.defaults.routing_additional_version_weights, {})
maximum_event_age_in_seconds = try(each.value.maximum_event_age_in_seconds, var.defaults.maximum_event_age_in_seconds, null)
maximum_retry_attempts = try(each.value.maximum_retry_attempts, var.defaults.maximum_retry_attempts, null)
destination_on_failure = try(each.value.destination_on_failure, var.defaults.destination_on_failure, null)
destination_on_success = try(each.value.destination_on_success, var.defaults.destination_on_success, null)
allowed_triggers = try(each.value.allowed_triggers, var.defaults.allowed_triggers, {})
event_source_mapping = try(each.value.event_source_mapping, var.defaults.event_source_mapping, {})
name = try(each.value.name, var.defaults.name, "")
refresh_alias = try(each.value.refresh_alias, var.defaults.refresh_alias, true)
routing_additional_version_weights = try(each.value.routing_additional_version_weights, var.defaults.routing_additional_version_weights, {})
use_existing_alias = try(each.value.use_existing_alias, var.defaults.use_existing_alias, false)
}
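Review bot: reorder only, with no argument added or removed, and the alphabetical ordering is what the `terraform_wrapper_module_for_each` hook listed in `.pre-commit-config.yaml` produces, so nothing to fix here. The wrapper that matters for this feature is the root-module one, which is not shown on this page: every new input in `variables.tf` needs a matching pass-through there, along the lines of `s3_kms_key_id = try(each.value.s3_kms_key_id, var.defaults.s3_kms_key_id, null)`, or the new variable is silently unreachable for anyone consuming the module through the wrapper. Please confirm that file is part of the PR.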
54 changes: 27 additions & 27 deletions wrappers/deploy/main.tf
@@ -3,39 +3,39 @@ module "wrapper" {

for_each = var.items

create = try(each.value.create, var.defaults.create, true)
tags = try(each.value.tags, var.defaults.tags, {})
alias_name = try(each.value.alias_name, var.defaults.alias_name, "")
function_name = try(each.value.function_name, var.defaults.function_name, "")
current_version = try(each.value.current_version, var.defaults.current_version, "")
target_version = try(each.value.target_version, var.defaults.target_version, "")
before_allow_traffic_hook_arn = try(each.value.before_allow_traffic_hook_arn, var.defaults.before_allow_traffic_hook_arn, "")
after_allow_traffic_hook_arn = try(each.value.after_allow_traffic_hook_arn, var.defaults.after_allow_traffic_hook_arn, "")
interpreter = try(each.value.interpreter, var.defaults.interpreter, ["/bin/bash", "-c"])
description = try(each.value.description, var.defaults.description, "")
create_app = try(each.value.create_app, var.defaults.create_app, false)
use_existing_app = try(each.value.use_existing_app, var.defaults.use_existing_app, false)
alarm_enabled = try(each.value.alarm_enabled, var.defaults.alarm_enabled, false)
alarm_ignore_poll_alarm_failure = try(each.value.alarm_ignore_poll_alarm_failure, var.defaults.alarm_ignore_poll_alarm_failure, false)
alarms = try(each.value.alarms, var.defaults.alarms, [])
alias_name = try(each.value.alias_name, var.defaults.alias_name, "")
app_name = try(each.value.app_name, var.defaults.app_name, "")
create_deployment_group = try(each.value.create_deployment_group, var.defaults.create_deployment_group, false)
use_existing_deployment_group = try(each.value.use_existing_deployment_group, var.defaults.use_existing_deployment_group, false)
deployment_group_name = try(each.value.deployment_group_name, var.defaults.deployment_group_name, "")
deployment_config_name = try(each.value.deployment_config_name, var.defaults.deployment_config_name, "CodeDeployDefault.LambdaAllAtOnce")
attach_hooks_policy = try(each.value.attach_hooks_policy, var.defaults.attach_hooks_policy, true)
attach_triggers_policy = try(each.value.attach_triggers_policy, var.defaults.attach_triggers_policy, false)
auto_rollback_enabled = try(each.value.auto_rollback_enabled, var.defaults.auto_rollback_enabled, true)
auto_rollback_events = try(each.value.auto_rollback_events, var.defaults.auto_rollback_events, ["DEPLOYMENT_STOP_ON_ALARM"])
alarm_enabled = try(each.value.alarm_enabled, var.defaults.alarm_enabled, false)
alarms = try(each.value.alarms, var.defaults.alarms, [])
alarm_ignore_poll_alarm_failure = try(each.value.alarm_ignore_poll_alarm_failure, var.defaults.alarm_ignore_poll_alarm_failure, false)
triggers = try(each.value.triggers, var.defaults.triggers, {})
aws_cli_command = try(each.value.aws_cli_command, var.defaults.aws_cli_command, "aws")
save_deploy_script = try(each.value.save_deploy_script, var.defaults.save_deploy_script, false)
before_allow_traffic_hook_arn = try(each.value.before_allow_traffic_hook_arn, var.defaults.before_allow_traffic_hook_arn, "")
codedeploy_principals = try(each.value.codedeploy_principals, var.defaults.codedeploy_principals, ["codedeploy.amazonaws.com"])
codedeploy_role_name = try(each.value.codedeploy_role_name, var.defaults.codedeploy_role_name, "")
create = try(each.value.create, var.defaults.create, true)
create_app = try(each.value.create_app, var.defaults.create_app, false)
create_codedeploy_role = try(each.value.create_codedeploy_role, var.defaults.create_codedeploy_role, true)
create_deployment = try(each.value.create_deployment, var.defaults.create_deployment, false)
run_deployment = try(each.value.run_deployment, var.defaults.run_deployment, false)
create_deployment_group = try(each.value.create_deployment_group, var.defaults.create_deployment_group, false)
current_version = try(each.value.current_version, var.defaults.current_version, "")
deployment_config_name = try(each.value.deployment_config_name, var.defaults.deployment_config_name, "CodeDeployDefault.LambdaAllAtOnce")
deployment_group_name = try(each.value.deployment_group_name, var.defaults.deployment_group_name, "")
description = try(each.value.description, var.defaults.description, "")
force_deploy = try(each.value.force_deploy, var.defaults.force_deploy, false)
wait_deployment_completion = try(each.value.wait_deployment_completion, var.defaults.wait_deployment_completion, false)
create_codedeploy_role = try(each.value.create_codedeploy_role, var.defaults.create_codedeploy_role, true)
codedeploy_role_name = try(each.value.codedeploy_role_name, var.defaults.codedeploy_role_name, "")
codedeploy_principals = try(each.value.codedeploy_principals, var.defaults.codedeploy_principals, ["codedeploy.amazonaws.com"])
attach_hooks_policy = try(each.value.attach_hooks_policy, var.defaults.attach_hooks_policy, true)
attach_triggers_policy = try(each.value.attach_triggers_policy, var.defaults.attach_triggers_policy, false)
function_name = try(each.value.function_name, var.defaults.function_name, "")
get_deployment_sleep_timer = try(each.value.get_deployment_sleep_timer, var.defaults.get_deployment_sleep_timer, 5)
interpreter = try(each.value.interpreter, var.defaults.interpreter, ["/bin/bash", "-c"])
run_deployment = try(each.value.run_deployment, var.defaults.run_deployment, false)
save_deploy_script = try(each.value.save_deploy_script, var.defaults.save_deploy_script, false)
tags = try(each.value.tags, var.defaults.tags, {})
target_version = try(each.value.target_version, var.defaults.target_version, "")
triggers = try(each.value.triggers, var.defaults.triggers, {})
use_existing_app = try(each.value.use_existing_app, var.defaults.use_existing_app, false)
use_existing_deployment_group = try(each.value.use_existing_deployment_group, var.defaults.use_existing_deployment_group, false)
wait_deployment_completion = try(each.value.wait_deployment_completion, var.defaults.wait_deployment_completion, false)
}
14 changes: 7 additions & 7 deletions wrappers/docker-build/main.tf
@@ -3,19 +3,19 @@ module "wrapper" {

for_each = var.items

build_args = try(each.value.build_args, var.defaults.build_args, {})
create_ecr_repo = try(each.value.create_ecr_repo, var.defaults.create_ecr_repo, false)
create_sam_metadata = try(each.value.create_sam_metadata, var.defaults.create_sam_metadata, false)
docker_file_path = try(each.value.docker_file_path, var.defaults.docker_file_path, "Dockerfile")
ecr_address = try(each.value.ecr_address, var.defaults.ecr_address, null)
ecr_force_delete = try(each.value.ecr_force_delete, var.defaults.ecr_force_delete, true)
ecr_repo = try(each.value.ecr_repo, var.defaults.ecr_repo, null)
ecr_repo_lifecycle_policy = try(each.value.ecr_repo_lifecycle_policy, var.defaults.ecr_repo_lifecycle_policy, null)
ecr_repo_tags = try(each.value.ecr_repo_tags, var.defaults.ecr_repo_tags, {})
image_tag = try(each.value.image_tag, var.defaults.image_tag, null)
source_path = try(each.value.source_path, var.defaults.source_path, null)
docker_file_path = try(each.value.docker_file_path, var.defaults.docker_file_path, "Dockerfile")
image_tag_mutability = try(each.value.image_tag_mutability, var.defaults.image_tag_mutability, "MUTABLE")
scan_on_push = try(each.value.scan_on_push, var.defaults.scan_on_push, false)
ecr_force_delete = try(each.value.ecr_force_delete, var.defaults.ecr_force_delete, true)
ecr_repo_tags = try(each.value.ecr_repo_tags, var.defaults.ecr_repo_tags, {})
build_args = try(each.value.build_args, var.defaults.build_args, {})
ecr_repo_lifecycle_policy = try(each.value.ecr_repo_lifecycle_policy, var.defaults.ecr_repo_lifecycle_policy, null)
keep_remotely = try(each.value.keep_remotely, var.defaults.keep_remotely, false)
platform = try(each.value.platform, var.defaults.platform, null)
scan_on_push = try(each.value.scan_on_push, var.defaults.scan_on_push, false)
source_path = try(each.value.source_path, var.defaults.source_path, null)
}
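Review bot: also a pure reorder, but it now places three carried-over defaults side by side that deserve a second look in a follow-up rather than in this PR: `ecr_force_delete` defaults to `true` (a destroy removes the repository together with every image in it), `image_tag_mutability` defaults to `"MUTABLE"` (a tag a function is deployed from can be repointed at a different image), and `scan_on_push` defaults to `false`. None of those values change here, so no action is needed for the merge.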