[TF] Update Lambda versioning/aliases logic and tune Lambdas

deployments/terraform_modules/santa_api/_providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "5.15.0"
+    }
+  }
+}

deployments/terraform_modules/santa_api/lambda.tf

@@ -144,6 +144,7 @@ module "postflight_function" {
   lambda_source_key         = aws_s3_bucket_object.santa_api_source.key
   lambda_source_hash        = local.lambda_source_hash
   endpoint                  = "postflight"
+  lambda_memory_size        = 512
   api_gateway_execution_arn = aws_api_gateway_rest_api.api_gateway.execution_arn
 
   env_vars = {

deployments/terraform_modules/santa_api/modules/firehose/s3.tf

@@ -12,62 +12,121 @@ resource "aws_s3_bucket" "s3_logging" {
   count = local.create_s3_logging_bucket ? 1 : 0
 
   bucket = local.s3_logging_bucket_name
-  acl    = "log-delivery-write"
+
+  force_destroy = true
+
+}
+
+resource "aws_s3_bucket_policy" "s3_logging" {
+  count = local.create_s3_logging_bucket ? 1 : 0
+
+  bucket = aws_s3_bucket.s3_logging[0].id
   policy = format(
     data.aws_iam_policy_document.firehose_bucket_policy_template.json,
     local.s3_logging_bucket_name,
     local.s3_logging_bucket_name
   )
+}
 
-  force_destroy = true
+resource "aws_s3_bucket_versioning" "s3_logging" {
+  count = local.create_s3_logging_bucket ? 1 : 0
 
-  versioning {
-    enabled = true
+  bucket = aws_s3_bucket.s3_logging[0].id
+  versioning_configuration {
+    status = "Enabled"
   }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm     = "aws:kms"
-        kms_master_key_id = aws_kms_key.s3_logging[0].key_id
-      }
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_logging" {
+  count = local.create_s3_logging_bucket ? 1 : 0
+
+  bucket = aws_s3_bucket.s3_logging[0].id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "aws:kms"
+      kms_master_key_id = aws_kms_key.s3_logging[0].key_id
     }
   }
 }
 
+resource "aws_s3_bucket_ownership_controls" "s3_logging" {
+  count = local.create_s3_logging_bucket ? 1 : 0
+
+  bucket = aws_s3_bucket.s3_logging[0].id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "s3_logging" {
+  count = local.create_s3_logging_bucket ? 1 : 0
+
+  depends_on = [aws_s3_bucket_ownership_controls.s3_logging]
+
+  bucket = aws_s3_bucket.s3_logging[0].id
+  acl    = "log-delivery-write"
+}
+
 #
 # S3 Bucket for firehose
 #
 
 resource "aws_s3_bucket" "rudolph_eventsupload_firehose" {
   bucket = local.source_bucket_name
+
+  force_destroy = true
+
+
+}
+
+resource "aws_s3_bucket_ownership_controls" "rudolph_eventsupload_firehose" {
+  bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "rudolph_eventsupload_firehose" {
+  depends_on = [aws_s3_bucket_ownership_controls.rudolph_eventsupload_firehose]
+
+  bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
   acl    = "private"
+}
+
+
+resource "aws_s3_bucket_policy" "rudolph_eventsupload_firehose" {
+  bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
   policy = format(
     data.aws_iam_policy_document.firehose_bucket_policy_template.json,
     local.source_bucket_name,
     local.source_bucket_name
   )
+}
 
-  force_destroy = true
-
-  versioning {
-    enabled = true
+resource "aws_s3_bucket_versioning" "rudolph_eventsupload_firehose" {
+  bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
+  versioning_configuration {
+    status = "Enabled"
   }
+}
 
-  dynamic "logging" {
-    for_each = var.enable_logging ? [1] : []
-    content {
-      target_bucket = local.s3_logging_bucket_name
-      target_prefix = "${local.source_bucket_name}/"
-    }
-  }
+resource "aws_s3_bucket_server_side_encryption_configuration" "rudolph_eventsupload_firehose" {
+  bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm     = "aws:kms"
-        kms_master_key_id = aws_kms_key.rudolph_eventsupload_kms_key.key_id
-      }
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "aws:kms"
+      kms_master_key_id = aws_kms_key.rudolph_eventsupload_kms_key.key_id
     }
   }
 }
+
+resource "aws_s3_bucket_logging" "rudolph_eventsupload_firehose" {
+  count = var.enable_logging ? 1 : 0
+
+  bucket = aws_s3_bucket.rudolph_eventsupload_firehose.id
+
+  target_bucket = local.s3_logging_bucket_name
+  target_prefix = "${local.source_bucket_name}/"
+}

deployments/terraform_modules/santa_api/modules/lambda/api-handler/lambda.tf

@@ -43,7 +43,7 @@ resource "aws_lambda_alias" "api_handler" {
   name             = var.alias_name
   description      = "${var.alias_name} alias for ${aws_lambda_function.api_handler.function_name}"
   function_name    = aws_lambda_function.api_handler.function_name
-  function_version = aws_lambda_function.api_handler.version
+  function_version = "$LATEST"
 }
 
 

scripts/build.sh

@@ -42,7 +42,6 @@ if [ "$(uname)" == "Darwin" ]; then
 else
     echo "  compiling cli..."
     go build -o $CLI_BUILD_DIR/cli $APPS_DIR/cli
-    ln -sf $CLI_BUILD_DIR/cli $DIR/$CLI_NAME
 fi
 
 echo "*** packaging... ***"