From 29fdbe8f366b6174dc5f5492fa38189e447d0127 Mon Sep 17 00:00:00 2001
From: Ryan Diers
Date: Tue, 26 Mar 2024 17:41:31 -0700
Subject: [PATCH 1/5] update lambda aliases
---
 deployments/terraform_modules/santa_api/_providers.tf | 8 ++++++++
 .../santa_api/modules/lambda/api-handler/lambda.tf | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 deployments/terraform_modules/santa_api/_providers.tf
diff --git a/deployments/terraform_modules/santa_api/_providers.tf b/deployments/terraform_modules/santa_api/_providers.tf
new file mode 100644
index 0000000..ce128ba
--- /dev/null
+++ b/deployments/terraform_modules/santa_api/_providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.15.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf b/deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf
index 04b7c4d..4061fbc 100644
--- a/deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf
+++ b/deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf
@@ -43,7 +43,7 @@ resource "aws_lambda_alias" "api_handler" {
 name = var.alias_name
 description = "${var.alias_name} alias for ${aws_lambda_function.api_handler.function_name}"
 function_name = aws_lambda_function.api_handler.function_name
- function_version = aws_lambda_function.api_handler.version
+ function_version = "$LATEST"
 }
From 8acb43db033fd2f0d9504123048be5e92a36eaec Mon Sep 17 00:00:00 2001
From: Ryan Diers
Date: Tue, 26 Mar 2024 18:12:23 -0700
Subject: [PATCH 2/5] tune lambda memory
---
 deployments/terraform_modules/santa_api/lambda.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/deployments/terraform_modules/santa_api/lambda.tf b/deployments/terraform_modules/santa_api/lambda.tf
index 6ff7b31..36b91f0 100644
--- a/deployments/terraform_modules/santa_api/lambda.tf
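Review bot: The exact constraint `version = "5.15.0"` in a child module's `required_providers` forces every root configuration that uses santa_api onto that single release, and `terraform init` fails outright if the root or any sibling module pins a different exact version. A module normally states a lower bound or a pessimistic range and leaves the exact selection to the root's lock file, e.g. `version = "~> 5.15"`. The new file is also missing its trailing newline (`\ No newline at end of file`), which `terraform fmt` would add.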
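Review bot: Pointing the alias at `function_version = "$LATEST"` removes the guarantee an alias exists to give: whatever code is next uploaded to the function goes live immediately, there is no published, immutable version to roll back to, and alias features such as weighted routing and provisioned concurrency do not apply to `$LATEST`. If the motivation was that `aws_lambda_function.api_handler.version` kept resolving to `$LATEST`, the likely cause is the function resource not setting `publish = true` (its definition is outside this hunk, so I cannot confirm); the fix would then be on the function, keeping `function_version = aws_lambda_function.api_handler.version` here. Either way the commit message should record why the alias no longer tracks a published version. The `aws_lambda_alias` block's opening line is outside the hunk.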
+++ b/deployments/terraform_modules/santa_api/lambda.tf
@@ -144,6 +144,7 @@ module "postflight_function" {
 lambda_source_key = aws_s3_bucket_object.santa_api_source.key
 lambda_source_hash = local.lambda_source_hash
 endpoint = "postflight"
+ lambda_memory_size = 512
 api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn
 env_vars = {
From d1153426bc77bb5cfd1cf4374f368bd7707d065e Mon Sep 17 00:00:00 2001
From: Ryan Diers
Date: Wed, 27 Mar 2024 13:39:25 -0700
Subject: [PATCH 3/5] remove this broken symbolic link during builds
---
 scripts/build.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/scripts/build.sh b/scripts/build.sh
index dbf76a7..a8b1de2 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -42,7 +42,6 @@ if [ "$(uname)" == "Darwin" ]; then
 else
 echo " compiling cli..."
 go build -o $CLI_BUILD_DIR/cli $APPS_DIR/cli
- ln -sf $CLI_BUILD_DIR/cli $DIR/$CLI_NAME
 fi
 echo "*** packaging... ***"
From 0567bcdc43541243cbea244719708a75bf99f98f Mon Sep 17 00:00:00 2001
From: Ryan Diers
Date: Wed, 27 Mar 2024 20:06:23 -0700
Subject: [PATCH 4/5] reduce warnings and migrate the firehose S3 TF resources
---
 .../santa_api/modules/firehose/s3.tf | 111 +++++++++++++-----
 1 file changed, 84 insertions(+), 27 deletions(-)
diff --git a/deployments/terraform_modules/santa_api/modules/firehose/s3.tf b/deployments/terraform_modules/santa_api/modules/firehose/s3.tf
index 02f818d..b19ca2c 100644
--- a/deployments/terraform_modules/santa_api/modules/firehose/s3.tf
+++ b/deployments/terraform_modules/santa_api/modules/firehose/s3.tf
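Review bot: `lambda_memory_size = 512` is an unexplained constant applied to the postflight module only; a reader cannot tell why 512 rather than the module default, or whether the sibling function modules in this file should have moved too. A one-line comment with the evidence would settle it, e.g. `# raised from the module default after observing <MEASURED_MAX_MEMORY_MB> on postflight; re-tune if payload sizes change`. The context line `aws_s3_bucket_object.santa_api_source.key` also references a resource type that the 5.x provider pinned earlier in this series reports as deprecated in favour of `aws_s3_object`, which seems relevant to the "reduce warnings" aim of patch 4. The `module "postflight_function"` block starts and ends outside the hunk.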
@@ -12,62 +12,119 @@ resource "aws_s3_bucket" "s3_logging" { count = local.create_s3_logging_bucket ? 1 : 0 bucket = local.s3_logging_bucket_name - acl = "log-delivery-write" + + force_destroy = true + +} + +resource "aws_s3_bucket_policy" "s3_logging" { + count = local.create_s3_logging_bucket ? 1 : 0 + + bucket = aws_s3_bucket.s3_logging[0].id policy = format( data.aws_iam_policy_document.firehose_bucket_policy_template.json, local.s3_logging_bucket_name, local.s3_logging_bucket_name ) +} - force_destroy = true +resource "aws_s3_bucket_versioning" "s3_logging" { + count = local.create_s3_logging_bucket ? 1 : 0 - versioning { - enabled = true + bucket = aws_s3_bucket.s3_logging[0].id + versioning_configuration { + status = "Enabled" } +} - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" - kms_master_key_id = aws_kms_key.s3_logging[0].key_id - } +resource "aws_s3_bucket_server_side_encryption_configuration" "s3_logging" { + count = local.create_s3_logging_bucket ? 1 : 0 + + bucket = aws_s3_bucket.s3_logging[0].id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + kms_master_key_id = aws_kms_key.s3_logging[0].key_id } } } +resource "aws_s3_bucket_ownership_controls" "s3_logging" { + count = local.create_s3_logging_bucket ? 
1 : 0 + + bucket = aws_s3_bucket.s3_logging[0].id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "s3_logging" { + depends_on = [aws_s3_bucket_ownership_controls.s3_logging] + + bucket = aws_s3_bucket.s3_logging[0].id + acl = "log-delivery-write" +} + # # S3 Bucket for firehose # resource "aws_s3_bucket" "rudolph_eventsupload_firehose" { bucket = local.source_bucket_name + + force_destroy = true + + +} + +resource "aws_s3_bucket_ownership_controls" "rudolph_eventsupload_firehose" { + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "rudolph_eventsupload_firehose" { + depends_on = [aws_s3_bucket_ownership_controls.rudolph_eventsupload_firehose] + + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id acl = "private" +} + + +resource "aws_s3_bucket_policy" "rudolph_eventsupload_firehose" { + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id policy = format( data.aws_iam_policy_document.firehose_bucket_policy_template.json, local.source_bucket_name, local.source_bucket_name ) +} - force_destroy = true - - versioning { - enabled = true +resource "aws_s3_bucket_versioning" "rudolph_eventsupload_firehose" { + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id + versioning_configuration { + status = "Enabled" } +} - dynamic "logging" { - for_each = var.enable_logging ? 
[1] : [] - content { - target_bucket = local.s3_logging_bucket_name - target_prefix = "${local.source_bucket_name}/" - } - } +resource "aws_s3_bucket_server_side_encryption_configuration" "rudolph_eventsupload_firehose" { + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" - kms_master_key_id = aws_kms_key.rudolph_eventsupload_kms_key.key_id - } + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + kms_master_key_id = aws_kms_key.rudolph_eventsupload_kms_key.key_id } } } + +resource "aws_s3_bucket_logging" "rudolph_eventsupload_firehose" { + count = var.enable_logging ? 1 : 0 + + bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id + + target_bucket = local.s3_logging_bucket_name + target_prefix = "${local.source_bucket_name}/" +} From 2e249a9270a682e4a57c01bb2b5d1563508f1e48 Mon Sep 17 00:00:00 2001 From: Ryan Diers Date: Wed, 27 Mar 2024 20:13:23 -0700 Subject: [PATCH 5/5] count --- deployments/terraform_modules/santa_api/modules/firehose/s3.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deployments/terraform_modules/santa_api/modules/firehose/s3.tf b/deployments/terraform_modules/santa_api/modules/firehose/s3.tf index b19ca2c..02dd519 100644 --- a/deployments/terraform_modules/santa_api/modules/firehose/s3.tf +++ b/deployments/terraform_modules/santa_api/modules/firehose/s3.tf @@ -60,6 +60,8 @@ resource "aws_s3_bucket_ownership_controls" "s3_logging" { } resource "aws_s3_bucket_acl" "s3_logging" { + count = local.create_s3_logging_bucket ? 1 : 0 + depends_on = [aws_s3_bucket_ownership_controls.s3_logging] bucket = aws_s3_bucket.s3_logging[0].id
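Review bot: `aws_s3_bucket_logging.rudolph_eventsupload_firehose` carries no dependency on `aws_s3_bucket_acl.s3_logging`, but S3 rejects PutBucketLogging until the target bucket already grants the log-delivery group write access; now that the grant is a separate resource (the ACL, itself behind the ownership-controls resource) instead of an attribute of the bucket, and `target_bucket` is a plain name from `local.s3_logging_bucket_name` rather than a resource reference, a fresh apply can try to enable logging before the grant exists and fail with an InvalidTargetBucketForLogging error until re-run. Adding `depends_on = [aws_s3_bucket_acl.s3_logging]` to the logging resource makes the order explicit and is harmless when `create_s3_logging_bucket` is false and that resource has zero instances. Related: both buckets switch on `BucketOwnerPreferred` only so the `log-delivery-write` canned ACL can be applied; granting the `logging.s3.amazonaws.com` service principal `s3:PutObject` in the logging bucket's policy instead would let both buckets stay at `BucketOwnerEnforced` (ACLs disabled, the current AWS default), which is worth weighing given the source bucket holds Santa event telemetry. The `resource "aws_s3_bucket" "s3_logging"` block opens outside the hunk.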