Add monitoring and switch to a single security group

.circleci/config.yml

@@ -65,7 +65,7 @@ jobs:
 commands:
   bundle-install:
     steps:
-      - run: gem update --system
+      - run: gem update --system --no-document
       - run: gem install bundler
       - run: bundle install --path vendor/bundle
 
@@ -159,3 +159,5 @@ commands:
       - run:
           name: Run rubocop
           command: bundle exec rubocop
+
+

.gitignore

@@ -6,11 +6,13 @@
 /pkg/
 /spec/reports/
 /tmp/
+/vendor/
+/Gemfile.lock/
+/source/template.yml
+/source/template.yaml
 
 # rspec failure tracking
 .rspec_status
 
 /Gemfile.lock
 .aws-sam
-
-source/template.yaml # generated from bin/generate-template

lib/identity-idp-functions.rb

@@ -13,7 +13,7 @@ def function_path(function_name)
   end
 
   def helper_path(helper_name)
-    File.expand_path(File.join(root_path, 'source', 'aws-ruby-sdk', "#{helper_name}.rb"))
+    File.expand_path(File.join(root_path, 'source', 'doc_auth_layer', "#{helper_name}.rb"))
   end
 
   def root_path

lib/identity-idp-functions/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module IdentityIdpFunctions
-  VERSION = '0.8.2'
+  VERSION = '0.9.0'
 end

source/buildspec.yml

@@ -30,7 +30,11 @@ phases:
       - |
         for i in $(echo $APPLICATION_FUNCTIONS | tr ',' '\n')
         do
-          version=$(aws lambda get-function --function-name $i:$ENVIRONMENT --query 'Configuration.Version' --output text)
-          echo $version
-          aws lambda create-alias --function-name $i --name $gitsha_segment --function-version $version
+          if aws lambda get-alias --function-name $i --name $gitsha_segment --output text --query 'FunctionVersion'; then
+            version=$(aws lambda get-function --function-name $i:$ENVIRONMENT --query 'Configuration.Version' --output text)
+            aws lambda update-alias --function-name $i --name $gitsha_segment --function-version $version
+          else
+            version=$(aws lambda get-function --function-name $i:$ENVIRONMENT --query 'Configuration.Version' --output text)
+            aws lambda create-alias --function-name $i --name $gitsha_segment --function-version $version
+          fi
         done

source/template.yaml.erb

@@ -38,6 +38,7 @@ Globals:
     Timeout: 60
     MemorySize: 128
     Runtime: ruby2.7
+    Tracing: Active
     Environment:
       Variables:
         http_proxy: !Sub
@@ -93,7 +94,8 @@ Resources:
         Type: AllAtOnce
       VersionDescription: !Ref gitsha
       Layers:
-        - !Ref AWSRubySDKLayer
+        - !Ref DocAuthLayer
+        - "arn:aws:lambda:us-west-2:580247275435:layer:LambdaInsightsExtension:14"
       Environment:
         Variables:
           S3_BUCKET_NAME: !Sub
@@ -105,6 +107,7 @@ Resources:
             - ${Environment}-idp-doc-capture
             - Environment: !Ref environment
       Policies:
+        - CloudWatchLambdaInsightsExecutionRolePolicy
         - Statement:
           - Sid: S3ObjectAccess
             Effect: Allow
@@ -163,7 +166,7 @@ Resources:
               - "*"
       VpcConfig:
         SecurityGroupIds:
-          - !GetAtt <%= function.camelize %>SecurityGroup.GroupId
+          - !GetAtt DocAuthSecurityGroup.GroupId
         SubnetIds:
           - !Sub
               - '{{resolve:ssm:/${Environment}/network/subnet/private1/id:1}}'
@@ -186,22 +189,6 @@ Resources:
         - Environment: !Ref environment
       Value: !GetAtt <%= function.camelize %>Function.Arn
 
-  <%= function.camelize %>SecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      VpcId: !Sub
-        - '{{resolve:ssm:/${Environment}/network/vpc/id:1}}'
-        - Environment: !Ref environment
-      GroupDescription: <%= function.titleize %> Lambda Function
-      SecurityGroupEgress:
-        - IpProtocol: tcp
-          FromPort: 443
-          ToPort: 443
-          CidrIp: 0.0.0.0/0
-        - IpProtocol: tcp
-          FromPort: 3128
-          ToPort: 3128
-          CidrIp: 172.16.32.0/22
   <%= function.camelize %>Alarm:
     Type: AWS::CloudWatch::Alarm
     Properties:
@@ -221,14 +208,28 @@ Resources:
       Statistic: Sum
       Threshold: 1
 <% end %>
-  AWSRubySDKLayer:
+
+  DocAuthSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      VpcId: !Sub
+        - '{{resolve:ssm:/${Environment}/network/vpc/id:1}}'
+        - Environment: !Ref environment
+      GroupDescription: Idp Doc Auth Security Group
+      SecurityGroupEgress:
+        - IpProtocol: tcp
+          FromPort: 3128
+          ToPort: 3128
+          CidrIp: 172.16.32.0/22
+
+  DocAuthLayer:
     Type: "AWS::Serverless::LayerVersion"
     Properties:
       LayerName: !Sub
-        - ${Environment}-idp-ruby-sdk
+        - ${Environment}-idp-doc-auth
         - Environment: !Ref environment
-      Description: AWS Ruby SDK
-      ContentUri: aws-ruby-sdk
+      Description: Doc Auth Layer
+      ContentUri: doc_auth_layer
       CompatibleRuntimes:
         - ruby2.7
       RetentionPolicy: Retain