
D9878.id33448.diff

diff --git a/services/terraform/modules/shared/outputs.tf b/services/terraform/modules/shared/outputs.tf
--- a/services/terraform/modules/shared/outputs.tf
+++ b/services/terraform/modules/shared/outputs.tf
@@ -4,6 +4,7 @@
aws_dynamodb_table.backup-service-backup,
aws_dynamodb_table.reports-service-reports,
aws_dynamodb_table.tunnelbroker-undelivered-messages,
+ aws_dynamodb_table.identity-users,
]
}
@@ -13,4 +14,4 @@
for table in local.exported_dynamodb_tables :
table.name => table
}
-}
+}
\ No newline at end of file
diff --git a/services/terraform/modules/shared/search_index_lambda.tf b/services/terraform/modules/shared/search_index_lambda.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/modules/shared/search_index_lambda.tf
@@ -0,0 +1,115 @@
+variable iam_role_arn {
+ default = "arn:aws:iam::000000000000:role/lambda-role"
+}
+
+variable lambda_zip_dir {
+ type = string
+ # default = "${path.module}/../../../search-index-lambda/target/lambda/search-index-lambda"
+ default = "../../search-index-lambda/target/lambda/search-index-lambda"
+}
+
+# data "archive_file" "lambda_zip" {
+# type = "zip"
+# source_dir = var.lambda_zip_dir
+# output_path = "${var.lambda_zip_dir}/bootstrap.zip"
+# }
+
+resource "aws_lambda_function" "search_index_lambda" {
+ function_name = "search-index-lambda-function"
+ # filename = data.archive_file.lambda_zip_file.output_path
+ # filename = var.lambda_zip_path
+ # filename = "${path.module}/../../../search-index-lambda/target/lambda/search-index-lambda/bootstrap.zip"
+ filename = "${var.lambda_zip_dir}/bootstrap.zip"
+ # source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
+ source_code_hash = filebase64sha256("${var.lambda_zip_dir}/bootstrap.zip")
+ handler = "bootstrap"
+ # role = aws_iam_role.lambda_assume_role.arn
+ # role = "arn:aws:iam::000000000000:role/lambda-role"
+ role = var.iam_role_arn
+ # runtime = "provided.al2"
+ runtime = "provided.al2"
+ architectures = ["arm64"]
+ memory_size = 5120
+ timeout = 300
+
+ environment {
+ variables = {
+ RUST_BACKTRACE = "1"
+ }
+ }
+
+ tracing_config {
+ mode = "Active"
+ }
+}
+
+resource "aws_lambda_event_source_mapping" "trigger" {
+ count = var.is_dev ? 0 : 1
+ event_source_arn = aws_dynamodb_table.identity-users.stream_arn
+ function_name = aws_lambda_function.search_index_lambda.arn
+ starting_position = "LATEST"
+}
+
+# data "archive_file" "lambda_zip_file" {
+# output_path = "${path.module}/lambda_zip/lambda.zip"
+# source_dir = "${path.module}/../../../search-index-lambda/target/lambda/bootstrap.zip"
+# excludes = ["__init__.py", "*.pyc"]
+# type = "zip"
+# }
+
+# resource "aws_lambda_event_source_mapping" "example" {
+# event_source_arn = aws_dynamodb_table.dynamodb_table.stream_arn
+# function_name = aws_lambda_function.lambda_function.arn
+# starting_position = "LATEST"
+# }
+
+# resource "aws_iam_role" "lambda_assume_role" {
+# name = "lambda-dynamodb-role"
+# assume_role_policy = <<EOF
+# {
+# "Version": "2012-10-17",
+# "Statement": [
+# {
+# "Action": "sts:AssumeRole",
+# "Principal": {
+# "Service": "lambda.amazonaws.com"
+# },
+# "Effect": "Allow",
+# "Sid": "LambdaAssumeRole"
+# }
+# ]
+# }
+# EOF
+# }
+
+# resource "aws_iam_role_policy" "dynamodb_read_log_policy" {
+# name = "lambda-dynamodb-log-policy"
+# role = aws_iam_role.lambda_assume_role.id
+# policy = <<EOF
+# {
+# "Version": "2012-10-17",
+# "Statement": [
+# {
+# "Action": [ "logs:*" ],
+# "Effect": "Allow",
+# "Resource": [ "arn:aws:logs:*:*:*" ]
+# },
+# {
+# "Action": [ "dynamodb:BatchGetItem",
+# "dynamodb:GetItem",
+# "dynamodb:GetRecords",
+# "dynamodb:Scan", We will have the recores inside of the lambda function in event `object`. We can also configure the stream to capture additional data such as "before" and "after" images of modified items.
+# "dynamodb:Query",
+# "dynamodb:GetShardIterator",
+# "dynamodb:DescribeStream",
+# "dynamodb:ListStreams" ],
+# "Effect": "Allow",
+# "Resource": [
+# "${aws_dynamodb_table.dynamodb_table.arn}",
+# "${aws_dynamodb_table.dynamodb_table.arn}/*"
+# ]
+# }
+# ]
+# }
+# EOF
+# }
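Review bot: `variable iam_role_arn` at the top of the new file defaults to a placeholder ARN in account 000000000000, so any caller that forgets to set it gets a Lambda bound to a role that does not exist in the target account, and the real role added in aws_iam.tf (`search_index_lambda_role`) is not visibly wired to this variable anywhere in the diff. Declare it as a required input instead, `variable "iam_role_arn" { type = string }` with no default, and pass `aws_iam_role.search_index_lambda_role.arn` at the module call site (that call is outside this diff, so I cannot confirm it is done). The large commented-out blocks (the two `archive_file` data sources, the example event-source mapping, and the role/policy granting `logs:*`) are dead code a reader may mistake for live configuration; drop them, along with the stray prose on the `"dynamodb:Scan"` line. `aws_lambda_event_source_mapping.trigger` reads `aws_dynamodb_table.identity-users.stream_arn`, which is only populated when that table sets `stream_enabled = true` (and a `stream_view_type`); the table definition is not in this diff, so confirm the stream is enabled or the mapping fails at apply. `var.is_dev` is likewise declared elsewhere in the module; presumably the function itself is still created in dev while only the trigger is skipped, which is worth a one-line comment on the `count` line.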
diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -194,3 +194,78 @@
aws_iam_policy.manage_reports_ddb.arn
]
}
+
+
+data "aws_iam_policy_document" "assume_role_lambda" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "search_index_lambda_role" {
+ name = "search_index_lambda_role"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_lambda.json
+}
+
+data "aws_iam_policy_document" "manage_dynamodb_stream" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "dynamodb:GetRecords",
+ "dynamodb:GetShardIterator",
+ "dynamodb:DescribeStream",
+ "dynamodb:ListStreams"
+ ]
+ resources = [
+ module.shared.dynamodb_tables["identity-users"].arn,
+ module.shared.dynamodb_tables["identity-users"].stream_arn,
+ "${module.shared.dynamodb_tables["identity-users"].arn}/stream/*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "manage_dynamodb_stream" {
+ name = "manage_dynamodb_stream"
+ path = "/"
+ description = "IAM policy for managing dynamodb streams"
+ policy = data.aws_iam_policy_document.manage_dynamodb_stream.json
+}
+
+data "aws_iam_policy_document" "lambda_logging" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ]
+
+ resources = ["arn:aws:logs:*:*:*"]
+ }
+}
+
+resource "aws_iam_policy" "lambda_logging" {
+ name = "lambda_logging"
+ path = "/"
+ description = "IAM policy for logging from a lambda"
+ policy = data.aws_iam_policy_document.lambda_logging.json
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_logs" {
+ role = "${aws_iam_role.search_index_lambda_role.name}"
+ policy_arn = aws_iam_policy.lambda_logging.arn
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_stream_attach" {
+ role = "${aws_iam_role.search_index_lambda_role.name}"
+ policy_arn = aws_iam_policy.manage_dynamodb_stream.arn
+}
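Review bot: The `lambda_logging` policy document grants `logs:CreateLogGroup`/`logs:CreateLogStream`/`logs:PutLogEvents` on `arn:aws:logs:*:*:*`, i.e. every log group in every region and account, while the function it serves has a fixed name (`search-index-lambda-function` in search_index_lambda.tf), so the grant can be scoped to that function's log group: `resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/search-index-lambda-function:*"]` (declare the two data sources if this file does not already have them). In `manage_dynamodb_stream`, the bare table ARN (`module.shared.dynamodb_tables["identity-users"].arn`) should not be needed for the four stream actions listed; the `stream_arn` and `arn/stream/*` entries cover them, so the table entry can be dropped to keep the grant minimal — verify with a plan/apply before removing. The `role = "${aws_iam_role.search_index_lambda_role.name}"` lines in both attachments use legacy interpolation-only strings; write `role = aws_iam_role.search_index_lambda_role.name`.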
\ No newline at end of file
diff --git a/services/terraform/remote/aws_vpc.tf b/services/terraform/remote/aws_vpc.tf
--- a/services/terraform/remote/aws_vpc.tf
+++ b/services/terraform/remote/aws_vpc.tf
@@ -42,6 +42,30 @@
map_public_ip_on_launch = true
}
+resource "aws_vpc_endpoint" "dynamodb_endpoint" {
+ vpc_id = aws_vpc.default.id
+ service_name = "com.amazonaws.us-east-2.dynamodb"
+ vpc_endpoint_type = "Gateway"
+
+ policy = <<POLICY
+ {
+ "Statement": [
+ {
+ "Action": "*",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Principal": "*"
+ }
+ ]
+ }
+ POLICY
+}
+
+resource "aws_vpc_endpoint_route_table_association" "dynamodb_endpoint" {
+ vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb_endpoint.id}"
+ route_table_id = "${aws_vpc.default.main_route_table_id}"
+}
+
# These are described in AWS console as:
# > The following subnets have not been explicitly associated
# > with any route tables and are therefore associated with the main route table:
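Review bot: The endpoint policy on `aws_vpc_endpoint.dynamodb_endpoint` allows `"Action": "*"` on `"Resource": "*"` for `"Principal": "*"`, which is the same as the implicit default when `policy` is omitted, so the explicit document adds no restriction; for a gateway endpoint this policy is the control that stops workloads in the VPC from reaching DynamoDB tables outside this account. Scope it, for example `"Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT_ID>:table/*"` (placeholders) or add `"Condition": {"StringEquals": {"aws:PrincipalAccount": "<ACCOUNT_ID>"}}`, and include `"Version": "2012-10-17"`, which the document currently lacks. The region is hard-coded in `service_name = "com.amazonaws.us-east-2.dynamodb"`; `service_name = "com.amazonaws.${data.aws_region.current.name}.dynamodb"` keeps it in step with the provider configuration. The interpolation-only strings on `aws_vpc_endpoint_route_table_association.dynamodb_endpoint` (`"${aws_vpc_endpoint.dynamodb_endpoint.id}"`, `"${aws_vpc.default.main_route_table_id}"`) are legacy syntax; use the bare references.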
