rds export policies and lambda roles (#1475)
* clarify variables

* export role policy update

* update export bucket var

* kms permissions for copier

* update env variables

* workflow permissions

* add policy params for rds snapshot

* update lambda handler

* add lambda timeouts

* update s3 prefix

* policy attachments

* lambda name formatting

* add lambda roles var

* fix lambda role condition

* fix naming

* fix attachment issues

* add s3 actions

* rename method
timburke-hackit authored Oct 31, 2023
1 parent 0d21a2a commit 76b4776
Showing 6 changed files with 66 additions and 27 deletions.
2 changes: 1 addition & 1 deletion lambdas/export_rds_snapshot_to_s3/main.py
Expand Up @@ -16,7 +16,7 @@ def lambda_handler(event, context):
kms_key_id = os.environ["KMS_KEY_ID"]

try:
rds.export_snapshot_to_s3(
rds.start_export_task(
ExportTaskIdentifier=snapshot_identifier,
SourceArn=source_arn,
S3BucketName=bucket_name,
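Review bot: `ExportTaskIdentifier=snapshot_identifier` reuses the snapshot name as the export task id, and start_export_task requires that identifier to be unique in the account/region, so a second export of the same snapshot (a retry after a partial failure, or a deliberate re-run) is rejected instead of started. Consider deriving the id from the snapshot plus a timestamp, e.g. `ExportTaskIdentifier=f"{snapshot_identifier}-{int(time.time())}"` with `time` imported, and keep the snapshot name in `SourceArn` as now. lambda_handler starts and ends outside the hunk, so the except branch is not visible here; it is worth confirming a rejected call is logged rather than swallowed, since a silently missing export is the failure mode nobody notices.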
6 changes: 6 additions & 0 deletions terraform/modules/aws-lambda/02-inputs-optional.tf
Expand Up @@ -80,3 +80,9 @@ variable "install_requirements" {
description = "Whether to create and install requirements.txt for the Lambda Function"
default = false
}

variable "lambda_role_arn" {
type = string
description = "ARN of the IAM Role to use for the Lambda Function"
default = null
}
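Review bot: The description of `lambda_role_arn` does not say what happens when it is left at the `null` default; from 30-lambda.tf in this commit the module then falls back to the role it creates itself, and that fallback is the contract callers need to know. Suggest `description = "ARN of an existing IAM Role for the Lambda Function; when null the module creates and uses its own role"`. Because the value becomes the function's execution role, a short note that the supplied role must trust lambda.amazonaws.com would also save a confusing failure at apply time.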
4 changes: 2 additions & 2 deletions terraform/modules/aws-lambda/20-iam.tf
@@ -1,5 +1,5 @@
resource "aws_iam_role" "lambda_role" {
name = "${var.identifier_prefix}${var.lambda_name}-role"
name = "${var.identifier_prefix}-${var.lambda_name}-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
Expand Down Expand Up @@ -27,7 +27,7 @@ data "aws_iam_policy_document" "lambda_role" {
}

resource "aws_iam_policy" "lambda_role" {
name = lower("${var.identifier_prefix}${var.lambda_name}")
name = lower("${var.identifier_prefix}-${var.lambda_name}")
policy = data.aws_iam_policy_document.lambda_role.json
tags = var.tags
}
4 changes: 2 additions & 2 deletions terraform/modules/aws-lambda/30-lambda.tf
Expand Up @@ -5,8 +5,8 @@ locals {
}

resource "aws_lambda_function" "lambda" {
function_name = lower("${var.identifier_prefix}${var.lambda_name}")
role = aws_iam_role.lambda_role.arn
function_name = lower("${var.identifier_prefix}-${var.lambda_name}")
role = var.lambda_role_arn == null ? aws_iam_role.lambda_role.arn : var.lambda_role_arn
handler = var.handler
runtime = var.runtime
source_code_hash = data.archive_file.lambda.output_base64sha256
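Review bot: When `var.lambda_role_arn` is supplied, `aws_iam_role.lambda_role` and `aws_iam_policy.lambda_role` in 20-iam.tf are still created unconditionally, so every caller that brings its own role also leaves behind an unused role trusting lambda.amazonaws.com, presumably with the module's default policy attached — an extra principal to audit for no benefit. Consider guarding those resources with `count = var.lambda_role_arn == null ? 1 : 0` and referencing `aws_iam_role.lambda_role[0].arn` here, or at least documenting that the built-in role is always created. The conditional also reads more naturally with the override first, `role = var.lambda_role_arn != null ? var.lambda_role_arn : aws_iam_role.lambda_role.arn`.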
75 changes: 53 additions & 22 deletions terraform/modules/rds-snapshot-to-s3/iam.tf
Expand Up @@ -52,10 +52,24 @@ resource "aws_iam_role_policy" "cloudwatch_events_policy" {
})
}

data "aws_iam_policy_document" "lambda_assume_role" {
statement {
actions = [
"sts:AssumeRole"
]
principals {
identifiers = [
"lambda.amazonaws.com"
]
type = "Service"
}
}
}

# RDS Snapshot to S3 lambda IAM
resource "aws_iam_role" "rds_snapshot_to_s3_lambda_role" {
name = "rds-snapshot-to-s3-lambda-role"
name = "${var.identifier_prefix}-rds-snapshot-to-s3-lambda-role"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json

}

data "aws_iam_policy_document" "rds_snapshot_to_s3_lambda" {
Expand Down Expand Up @@ -99,12 +113,40 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_lambda" {
var.rds_export_storage_kms_key_arn
]
}

statement {
actions = [
"s3:PutObject*",
"s3:GetObject*",
"s3:ListBucket",
"s3:DeleteObject*",
"s3:GetBucketLocation"
]
effect = "Allow"
resources = [
var.rds_export_bucket_arn,
"${var.rds_export_bucket_arn}/*"
]
}
}

resource "aws_iam_policy" "rds_snapshot_to_s3_lambda_role_policy" {
name = lower("${var.identifier_prefix}-rds-snapshot-to-s3-lambda-policy")
policy = data.aws_iam_policy_document.rds_snapshot_to_s3_lambda.json
tags = var.tags
}

resource "aws_iam_policy_attachment" "rds_snapshot_copier_attachment" {
name = "${var.identifier_prefix}-rds-snapshot-s3-to-s3-lambda-policy-attachment"
policy_arn = aws_iam_policy.rds_snapshot_to_s3_lambda_role_policy.arn
roles = [
aws_iam_role.rds_snapshot_to_s3_lambda_role.name
]
}

# S3 to S3 copier lambda IAM
resource "aws_iam_role" "rds_snapshot_s3_to_s3_copier_lambda_role" {
name = "rds-snapshot-s3-to-s3-copier-lambda-role"
name = "${var.identifier_prefix}-rds-snapshot-s3-to-s3-copier-lambda-role"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

Expand All @@ -123,10 +165,11 @@ data "aws_iam_policy_document" "rds_snapshot_s3_to_s3_copier_role_policy" {

statement {
actions = [
"s3:GetObject",
"s3:PutObject",
"s3:PutObject*",
"s3:GetObject*",
"s3:ListBucket",
"s3:DeleteObject"
"s3:DeleteObject*",
"s3:GetBucketLocation"
]
effect = "Allow"
resources = [
Expand Down Expand Up @@ -168,24 +211,12 @@ resource "aws_iam_policy" "rds_snapshot_s3_to_s3_copier_role_policy" {
tags = var.tags
}

resource "aws_iam_policy_attachment" "rds_snapshot_copier_attachment" {
name = "${var.identifier_prefix}-rds-snapshot-s3-to-s3-lambda-policy-attachment"
resource "aws_iam_policy_attachment" "rds_snapshot_s3_to_s3_copier_attachment" {
name = "${var.identifier_prefix}-rds-snapshot-s3-to-s3-copier-lambda-policy-attachment"
policy_arn = aws_iam_policy.rds_snapshot_s3_to_s3_copier_role_policy.arn
roles = [
aws_iam_role.rds_snapshot_to_s3_lambda_role.name
aws_iam_role.rds_snapshot_s3_to_s3_copier_lambda_role.name
]
}

data "aws_iam_policy_document" "lambda_assume_role" {
statement {
actions = [
"sts:AssumeRole"
]
principals {
identifiers = [
"lambda.amazonaws.com"
]
type = "Service"
}
}
}
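Review bot: The new S3 statement near the top of this section grants the export-trigger role `s3:PutObject*`, `s3:GetObject*` and `s3:DeleteObject*` over the whole export bucket, yet the only call visible in that Lambda (main.py in this commit) is `start_export_task`, and for RDS exports the object writes are made by the role passed to the export task rather than by the caller — please confirm the function really reads or deletes objects, and if not drop the statement or trim it to `s3:ListBucket` and `s3:GetBucketLocation`. The `*` suffixes also pull in `s3:PutObjectAcl` and `s3:DeleteObjectVersion`, which is worth spelling out explicitly on both this role and the copier role, where the same list is repeated further down. Separately, both attachments use `aws_iam_policy_attachment`, which is exclusive: Terraform detaches the policy from any role, user or group not listed in `roles`, so a policy attached elsewhere by hand is silently removed on the next apply; `aws_iam_role_policy_attachment` with `role` and `policy_arn` avoids that. The blank line inside `rds_snapshot_to_s3_lambda_role` looks like a leftover.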

2 changes: 2 additions & 0 deletions terraform/modules/rds-snapshot-to-s3/lambda.tf
Expand Up @@ -3,6 +3,7 @@ module "trigger_rds_snapshot_export" {
lambda_name = "export-rds-snapshot-to-s3"
runtime = "python3.9"
handler = "main.lambda_handler"
lambda_role_arn = aws_iam_role.rds_snapshot_to_s3_lambda_role.arn
lambda_timeout = 60
lambda_artefact_storage_bucket = var.lambda_artefact_storage_bucket
lambda_source_dir = "../../lambdas/export_rds_snapshot_to_s3"
Expand All @@ -22,6 +23,7 @@ module "rds_snapshot_s3_to_s3_copier" {
lambda_name = "rds-export-s3-to-s3-copier"
runtime = "python3.9"
handler = "main.lambda_handler"
lambda_role_arn = aws_iam_role.rds_snapshot_s3_to_s3_copier_lambda_role.arn
lambda_timeout = 900
lambda_artefact_storage_bucket = var.lambda_artefact_storage_bucket
lambda_source_dir = "../../lambdas/rds_snapshot_export_s3_to_s3_copier"
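Review bot: Passing `lambda_role_arn` in both module blocks replaces the module-managed execution role, so the functions now run with only what `rds_snapshot_to_s3_lambda` and `rds_snapshot_s3_to_s3_copier_role_policy` grant; neither policy document is fully visible in this commit, so it is worth checking they still include the CloudWatch Logs permissions (`logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`) the module role presumably carried — without them the functions run with no logs, which is exactly what you would need to investigate a failed or unexpected export. The module calls also depend only on the role ARN, not on the `aws_iam_policy_attachment` resources in iam.tf, so on a fresh apply a function can exist before its policy is attached; a `depends_on` naming the attachment in each module block makes that ordering explicit.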
