From 12d1a6595e83cc31a99e73b363d61dcf994066bf Mon Sep 17 00:00:00 2001 From: bondezbond Date: Sat, 14 Aug 2021 08:31:49 -0400 Subject: [PATCH 1/8] feat: Expose ecr tag & scan variables in docker-build module (#189) --- modules/docker-build/README.md | 3 +++ modules/docker-build/main.tf | 9 ++++++++- modules/docker-build/variables.tf | 19 +++++++++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/modules/docker-build/README.md b/modules/docker-build/README.md index b2c33207..0c82cea2 100644 --- a/modules/docker-build/README.md +++ b/modules/docker-build/README.md @@ -71,7 +71,10 @@ No modules. | [create\_ecr\_repo](#input\_create\_ecr\_repo) | Controls whether ECR repository for Lambda image should be created | `bool` | `false` | no | | [docker\_file\_path](#input\_docker\_file\_path) | Path to Dockerfile in source package | `string` | `"Dockerfile"` | no | | [ecr\_repo](#input\_ecr\_repo) | Name of ECR repository to use or to create | `string` | `null` | no | +| [ecr\_repo\_tags](#input\_ecr\_repo\_tags) | A map of tags to assign to ECR repository | `map(string)` | `{}` | no | | [image\_tag](#input\_image\_tag) | Image tag to use. If not specified current timestamp in format 'YYYYMMDDhhmmss' will be used. This can lead to unnecessary rebuilds. | `string` | `null` | no | +| [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE` | `string` | `"MUTABLE"` | no | +| [scan\_on\_push](#input\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository | `bool` | `false` | no | | [source\_path](#input\_source\_path) | Path to folder containing application code | `string` | `null` | no | ## Outputs diff --git a/modules/docker-build/main.tf b/modules/docker-build/main.tf index c2aad58c..f33ca1ae 100644 --- a/modules/docker-build/main.tf +++ b/modules/docker-build/main.tf 
@@ -31,5 +31,12 @@ resource "docker_registry_image" "this" { resource "aws_ecr_repository" "this" { count = var.create_ecr_repo ? 1 : 0 - name = var.ecr_repo + name = var.ecr_repo + image_tag_mutability = var.image_tag_mutability + + image_scanning_configuration { + scan_on_push = var.scan_on_push + } + + tags = var.ecr_repo_tags } diff --git a/modules/docker-build/variables.tf b/modules/docker-build/variables.tf index 5e3f4677..e1321279 100644 --- a/modules/docker-build/variables.tf +++ b/modules/docker-build/variables.tf @@ -27,3 +27,22 @@ variable "docker_file_path" { type = string default = "Dockerfile" } + + +variable "image_tag_mutability" { + description = "The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`" + type = string + default = "MUTABLE" +} + +variable "scan_on_push" { + description = "Indicates whether images are scanned after being pushed to the repository" + type = bool + default = false +} + +variable "ecr_repo_tags" { + description = "A map of tags to assign to ECR repository" + type = map(string) + default = {} +} From 8575fd329c1f9f8d409ce0a2beb5928216425523 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sat, 14 Aug 2021 14:32:06 +0200 Subject: [PATCH 2/8] Updated CHANGELOG --- CHANGELOG.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 757f46b3..3859758d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,12 @@ All notable changes to this project will be documented in this file. + +## [v2.8.0] - 2021-08-14 + +- feat: Expose ecr tag & scan variables in docker-build module ([#189](https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/189)) + + ## [v2.7.0] - 2021-07-08 
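Review bot: The three new arguments on `aws_ecr_repository.this` take effect only when `create_ecr_repo` is true, because the resource keeps `count = var.create_ecr_repo ? 1 : 0`. When an existing repository is passed in `ecr_repo`, setting `scan_on_push = true` or `image_tag_mutability = "IMMUTABLE"` is accepted and does nothing, so a caller can believe scanning or tag immutability is enforced when it is not. I would say so in a comment above the resource, e.g. `# image_tag_mutability, scan_on_push and ecr_repo_tags apply only when this module creates the repository`, and repeat it in the three variable descriptions.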
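Review bot: The defaults `"MUTABLE"` and `scan_on_push = false` mean a repository created by this module still allows a pushed tag to be overwritten and is not scanned unless the caller opts in. This appears to match the resource's behaviour before the patch, so it is backward compatible, but the descriptions should name the hardened choice (`IMMUTABLE`, `true`) so that keeping the default is a deliberate decision. Separately, the description of `image_tag_mutability` says it must be one of two values, yet nothing in the variable enforces that; a `validation` block would reject a typo with a clear message, assuming the module's minimum Terraform version supports variable validation (not visible in this hunk).

```hcl
variable "image_tag_mutability" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["MUTABLE", "IMMUTABLE"], var.image_tag_mutability)
    error_message = "The image_tag_mutability value must be MUTABLE or IMMUTABLE."
  }
}
```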
@@ -446,7 +452,8 @@ All notable changes to this project will be documented in this file. - first commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.7.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.8.0...HEAD +[v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.7.0...v2.8.0 [v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.6.0...v2.7.0 [v2.6.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.5.0...v2.6.0 [v2.5.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.4.0...v2.5.0 From 376d5e75fd62791cfb333e5f6f14411dc52df763 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Muszy=C5=84ski?= <63265460+pawelmuszynski@users.noreply.github.com> Date: Fri, 20 Aug 2021 12:29:47 +0200 Subject: [PATCH 3/8] feat: Add topics parameter support for lambda event source (#166) --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index bcaef9c4..a400077f 100644 --- a/main.tf +++ b/main.tf @@ -228,6 +228,7 @@ resource "aws_lambda_event_source_mapping" "this" { maximum_retry_attempts = lookup(each.value, "maximum_retry_attempts", null) maximum_record_age_in_seconds = lookup(each.value, "maximum_record_age_in_seconds", null) bisect_batch_on_function_error = lookup(each.value, "bisect_batch_on_function_error", null) + topics = lookup(each.value, "topics", null) dynamic "destination_config" { for_each = lookup(each.value, "destination_arn_on_failure", null) != null ? [true] : [] From afbf7bd3cbe4a476bafe07327793fc9dd7b99cf4 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 20 Aug 2021 12:30:19 +0200 Subject: [PATCH 4/8] Updated CHANGELOG --- CHANGELOG.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3859758d..4a86dfff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
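Review bot: The new `topics` key is read with `lookup(each.value, "topics", null)` but the patch documents it nowhere (the diffstat lists only `main.tf`), so callers cannot tell what shape it takes or which event sources it applies to. In the AWS provider this argument is a set of Kafka topic names and is meaningful only for Kafka event sources. A short comment on the line, e.g. `# Kafka sources only: set of topic names`, and a matching README entry would cover it. The enclosing `aws_lambda_event_source_mapping` resource starts and ends outside the hunk.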
@@ -7,6 +7,12 @@ All notable changes to this project will be documented in this file. + +## [v2.9.0] - 2021-08-20 + +- feat: Add topics parameter support for lambda event source ([#166](https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/166)) + + ## [v2.8.0] - 2021-08-14 @@ -452,7 +458,8 @@ All notable changes to this project will be documented in this file. - first commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.8.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.9.0...HEAD +[v2.9.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.8.0...v2.9.0 [v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.7.0...v2.8.0 [v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.6.0...v2.7.0 [v2.6.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.5.0...v2.6.0 From 508f0d5be43a8262da82bc2733bfb0999b799908 Mon Sep 17 00:00:00 2001 From: anoshi Date: Sat, 21 Aug 2021 01:20:49 +1000 Subject: [PATCH 5/8] feat: Add support for separate deployments of infra and code (#175) --- CHANGELOG.md | 2 +- README.md | 27 ++++++++++++++++++++++++++ examples/complete/README.md | 2 ++ examples/complete/main.tf | 38 +++++++++++++++++++++++++++++++++++++ main.tf | 4 ++-- variables.tf | 6 ++++++ 6 files changed, 76 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a86dfff..0e3dc20f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file. ## [Unreleased] - +- feat: Add `ignore_source_code_hash` variable to allow the lambda function resource to be managed by terraform but have the function code managed externally ## [v2.9.0] - 2021-08-20 diff --git a/README.md b/README.md index 1715f143..b657f60f 100644 --- a/README.md +++ b/README.md 
@@ -106,6 +106,32 @@ module "lambda_function_existing_package_local" { } ``` +### Lambda Function or Lambda Layer with the deployable artifact maintained separately from the infrastructure + +If you want to manage function code and infrastructure resources (such as IAM permissions, policies, events, etc) in separate flows (e.g., different repositories, teams, CI/CD pipelines). + +Disable source code tracking to turn off deployments (and rollbacks) using the module by setting `ignore_source_code_hash = true` and deploy a _dummy function_. + +When the infrastructure and the dummy function is deployed, you can use external tool to update the source code of the function (eg, using [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-code.html)) and keep using this module via Terraform to manage the infrastructure. + +Be aware that changes in `local_existing_package` value may trigger deployment via Terraform. + +```hcl +module "lambda_function_externally_managed_package" { + source = "terraform-aws-modules/lambda/aws" + + function_name = "my-lambda-externally-managed-package" + description = "My lambda function code is deployed separately" + handler = "index.lambda_handler" + runtime = "python3.8" + + create_package = false + local_existing_package = "./lambda_functions/code.zip" + + ignore_source_code_hash = true +} +``` + ### Lambda Function with existing package (prebuilt) stored in S3 bucket Note that this module does not copy prebuilt packages into S3 bucket. This module can only store packages it builds locally and in S3 bucket. 
@@ -664,6 +690,7 @@ No modules. | [function\_name](#input\_function\_name) | A unique name for your Lambda Function | `string` | `""` | no | | [handler](#input\_handler) | Lambda Function entrypoint in your code | `string` | `""` | no | | [hash\_extra](#input\_hash\_extra) | The string to add into hashing function. Useful when building same source path for different functions. | `string` | `""` | no | +| [ignore\_source\_code\_hash](#input\_ignore\_source\_code\_hash) | Whether to ignore changes to the function's source code hash. Set to true if you manage infrastructure and code deployments separately. | `bool` | `false` | no | | [image\_config\_command](#input\_image\_config\_command) | The CMD for the docker image | `list(string)` | `[]` | no | | [image\_config\_entry\_point](#input\_image\_config\_entry\_point) | The ENTRYPOINT for the docker image | `list(string)` | `[]` | no | | [image\_config\_working\_directory](#input\_image\_config\_working\_directory) | The working directory for the docker image | `string` | `null` | no | diff --git a/examples/complete/README.md b/examples/complete/README.md index 5cbdce79..94d81913 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -40,8 +40,10 @@ Note that this example may create resources which cost money. Run `terraform des | [lambda\_function](#module\_lambda\_function) | ../../ | | | [lambda\_function\_existing\_package\_local](#module\_lambda\_function\_existing\_package\_local) | ../../ | | | [lambda\_function\_for\_each](#module\_lambda\_function\_for\_each) | ../../ | | +| [lambda\_function\_with\_package\_deploying\_externally](#module\_lambda\_function\_with\_package\_deploying\_externally) | ../../ | | | [lambda\_layer\_local](#module\_lambda\_layer\_local) | ../../ | | | [lambda\_layer\_s3](#module\_lambda\_layer\_s3) | ../../ | | +| [lambda\_layer\_with\_package\_deploying\_externally](#module\_lambda\_layer\_with\_package\_deploying\_externally) | ../../ | | | [lambda\_with\_mixed\_trusted\_entities](#module\_lambda\_with\_mixed\_trusted\_entities) | ../../ | | | [lambda\_with\_provisioned\_concurrency](#module\_lambda\_with\_provisioned\_concurrency) | ../../ | | | [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 7a189597..348aab8c 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -167,6 +167,26 @@ module "lambda_layer_local" { source_path = "${path.module}/../fixtures/python3.8-app1" } +#################################################### +# Lambda Layer with package deploying externally +# (e.g., using separate CI/CD pipeline) +#################################################### + +module "lambda_layer_with_package_deploying_externally" { + source = "../../" + + create_layer = true + + layer_name = "${random_pet.this.id}-layer-local" + description = "My amazing lambda layer (deployed from local)" + compatible_runtimes = ["python3.8"] + + create_package = false + local_existing_package = "../fixtures/python3.8-zip/existing_package.zip" + + ignore_source_code_hash = true +} + ############################### # Lambda Layer (storing on S3) ############################### @@ -277,6 +297,24 @@ module "lambda_function_for_each" { local_existing_package = "${path.module}/../fixtures/python3.8-zip/existing_package.zip" } +#################################################### +# Lambda Function with package deploying externally +# (e.g., using separate CI/CD pipeline) +#################################################### + +module "lambda_function_with_package_deploying_externally" { + source = "../../" + + function_name = "${random_pet.this.id}-lambda-with-package-deploying-externally" + handler = "index.lambda_handler" + runtime = "python3.8" + + create_package = false + local_existing_package = "../fixtures/python3.8-zip/existing_package.zip" + + ignore_source_code_hash = true +} + ########### # Disabled ########### diff --git a/main.tf b/main.tf index a400077f..5608b816 100644 --- a/main.tf +++ b/main.tf 
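Review bot: `local_existing_package = "../fixtures/python3.8-zip/existing_package.zip"` is resolved against the directory Terraform is run from, whereas the neighbouring `lambda_function_for_each` module (context of the second hunk) anchors the same file with `${path.module}`. The same bare relative path appears in `lambda_function_with_package_deploying_externally` in the second hunk; both should read `local_existing_package = "${path.module}/../fixtures/python3.8-zip/existing_package.zip"`. The layer example also keeps `layer_name = "${random_pet.this.id}-layer-local"` and the description "deployed from local", which look copied from `lambda_layer_local` and may collide with that module's layer name (its name is not visible in the hunk). A distinct suffix such as `-layer-deployed-externally` would avoid that.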
@@ -29,7 +29,7 @@ resource "aws_lambda_function" "this" { package_type = var.package_type filename = local.filename - source_code_hash = (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null + source_code_hash = var.ignore_source_code_hash ? null : (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null s3_bucket = local.s3_bucket s3_key = local.s3_key @@ -100,7 +100,7 @@ resource "aws_lambda_layer_version" "this" { compatible_runtimes = length(var.compatible_runtimes) > 0 ? var.compatible_runtimes : [var.runtime] filename = local.filename - source_code_hash = (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null + source_code_hash = var.ignore_source_code_hash ? null : (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null s3_bucket = local.s3_bucket s3_key = local.s3_key diff --git a/variables.tf b/variables.tf index 6a683ed0..56af85ca 100644 --- a/variables.tf +++ b/variables.tf @@ -493,6 +493,12 @@ variable "artifacts_dir" { default = "builds" } +variable "ignore_source_code_hash" { + description = "Whether to ignore changes to the function's source code hash. Set to true if you manage infrastructure and code deployments separately." + type = bool + default = false +} + variable "local_existing_package" { description = "The absolute path to an existing zip-file to use" type = string From 93dfd1485b68d6ddb86427431d6c04e10796875f Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 20 Aug 2021 17:21:13 +0200 Subject: [PATCH 6/8] Updated CHANGELOG --- CHANGELOG.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e3dc20f..62cefafa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
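Review bot: The new `source_code_hash` expression chains two conditionals without parentheses, `var.ignore_source_code_hash ? null : (…) && !local.was_missing ? filebase64sha256(local.filename) : null`, and the identical line is repeated for `aws_lambda_layer_version.this` in the next hunk. It parses as intended, but the reader has to work out the precedence; computing the hash once in a local (for example `package_hash`) and writing `source_code_hash = var.ignore_source_code_hash ? null : local.package_hash` in both resources would make it explicit. Note also that `filename` is still set when the flag is true, so a plan that creates or replaces the function will presumably upload the local placeholder package over externally deployed code; that deserves a comment next to the argument. Both resource blocks start and end outside their hunks.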
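Review bot: The description of `ignore_source_code_hash` speaks only of "the function's source code hash", but `main.tf` in this patch applies the variable to `aws_lambda_layer_version.this` as well. It also omits the consequence an operator needs to know: with the flag set, Terraform no longer compares the deployed code with the local package, so code changed outside Terraform is neither detected nor reverted by a plan. I would reword it along the lines of `description = "Whether to ignore changes to the function's or layer's source code hash. When true, Terraform does not detect or revert code deployed outside of it."`.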
@@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file. ## [Unreleased] -- feat: Add `ignore_source_code_hash` variable to allow the lambda function resource to be managed by terraform but have the function code managed externally + + + +## [v2.10.0] - 2021-08-20 + +- feat: Add support for separate deployments of infra and code ([#175](https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/175)) + ## [v2.9.0] - 2021-08-20 @@ -458,7 +464,8 @@ All notable changes to this project will be documented in this file. - first commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.9.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.10.0...HEAD +[v2.10.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.9.0...v2.10.0 [v2.9.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.8.0...v2.9.0 [v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.7.0...v2.8.0 [v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.6.0...v2.7.0 From fd86a892fc205c40eb569676b080c86369251dec Mon Sep 17 00:00:00 2001 From: Patrick Decat Date: Fri, 20 Aug 2021 21:05:16 +0200 Subject: [PATCH 7/8] fix: No need to set `aws_s3_bucket_object` `etag` as filename is already a hash of the content (#180) --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index 5608b816..e0da0cbc 100644 --- a/main.tf +++ b/main.tf @@ -116,7 +116,6 @@ resource "aws_s3_bucket_object" "lambda_package" { acl = var.s3_acl key = data.external.archive_prepare[0].result.filename source = data.external.archive_prepare[0].result.filename - etag = fileexists(data.external.archive_prepare[0].result.filename) ? filemd5(data.external.archive_prepare[0].result.filename) : null storage_class = var.s3_object_storage_class server_side_encryption = var.s3_server_side_encryption 
From 87d8a58d636dd220f71aed1435086621ddd3ad70 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 20 Aug 2021 21:05:34 +0200 Subject: [PATCH 8/8] Updated CHANGELOG --- CHANGELOG.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62cefafa..67ac5546 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,12 @@ All notable changes to this project will be documented in this file. + +## [v2.11.0] - 2021-08-20 + +- fix: No need to set `aws_s3_bucket_object` `etag` as filename is already a hash of the content ([#180](https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/180)) + + ## [v2.10.0] - 2021-08-20 @@ -464,7 +470,8 @@ All notable changes to this project will be documented in this file. - first commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.10.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.11.0...HEAD +[v2.11.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.10.0...v2.11.0 [v2.10.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.9.0...v2.10.0 [v2.9.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.8.0...v2.9.0 [v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v2.7.0...v2.8.0