wip

README.md

@@ -103,22 +103,10 @@ Once Localstack is ready to use you should be able to interact with local AWS se
 
 Now that we have localstack up and running it's time to deploy our local AWS services to mimic our cloud environments.
 
-#### Deploy on fresh Localstack instance
-
-```shell
-$ ./localstack_services.sh clean
-```
-
-The `clean` argument will make sure all existing Terraform state files are being deleted first.
-
-#### Deploy on existing Localstack instance
-
 ```shell
 $ ./localstack_services.sh
 ```
 
-This is something you may have to do if you want to deploy an infrastructure update to your current Localstack instance.
-
 **Please note that if you stop Localstack you don't need to run this script again.**
 **Localstack Pro offers automatic persistence for all deployed services. This is enabled by default and can be tweaked through your `.env` file.**
 

aws/alarms/inputs.tf

@@ -155,12 +155,7 @@ variable "sns_topic_alert_ok_us_east_arn" {
   type        = string
 }
 
-variable "lambda_code_id" {
-  description = "S3 bucket id for lambda code"
-  type        = string
-}
-
-variable "lambda_code_arn" {
-  description = "S3 bucket arn for lambda code"
+variable "ecr_repository_url_notify_slack_lambda" {
+  description = "URL of the Notify Slack Lambda ECR"
   type        = string
 }

aws/alarms/lambda.tf

@@ -1,30 +1,14 @@
 #
 # Lambda - Notify Slack and OpsGenie
 #
-data "archive_file" "notify_slack_code" {
-  type        = "zip"
-  source_dir  = "lambda/notify_slack/dist"
-  output_path = "/tmp/notify_slack_code.zip"
-}
-resource "aws_s3_object" "notify_slack_code" {
-  bucket      = var.lambda_code_id
-  key         = "notify_slack_code"
-  source      = data.archive_file.notify_slack_code.output_path
-  source_hash = data.archive_file.notify_slack_code.output_base64sha256
-}
 
 #tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "notify_slack" {
-  s3_bucket         = aws_s3_object.notify_slack_code.bucket
-  s3_key            = aws_s3_object.notify_slack_code.key
-  s3_object_version = aws_s3_object.notify_slack_code.version_id
-  function_name     = "NotifySlack"
-  role              = aws_iam_role.notify_slack_lambda.arn
-  handler           = "notify_slack.handler"
-
-  source_code_hash = data.archive_file.notify_slack_code.output_base64sha256
-  runtime          = "nodejs18.x"
-  timeout          = 300
+  function_name = "notify-slack"
+  image_uri     = "${var.ecr_repository_url_notify_slack_lambda}:latest"
+  package_type  = "Image"
+  role          = aws_iam_role.notify_slack_lambda.arn
+  timeout       = 300
 
   environment {
     variables = {
@@ -90,24 +74,6 @@ resource "aws_iam_role" "notify_slack_lambda" {
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_policy.json
 }
 
-data "aws_iam_policy_document" "lambda_s3" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "s3:DeleteObject",
-      "s3:GetObject",
-      "s3:PutObject",
-      "s3:ListBucket"
-    ]
-
-    resources = [
-      var.lambda_code_arn,
-      "${var.lambda_code_arn}/*"
-    ]
-  }
-}
-
 data "aws_iam_policy_document" "lambda_assume_policy" {
   statement {
     effect = "Allow"

aws/cognito/inputs.tf

@@ -14,12 +14,12 @@ variable "notify_api_key_secret_arn" {
   sensitive   = true
 }
 
-variable "lambda_code_arn" {
-  description = "S3 bucket arn for lambda code"
+variable "ecr_repository_url_cognito_email_sender_lambda" {
+  description = "URL of the Cognito Email Sender Lambda ECR"
   type        = string
 }
 
-variable "lambda_code_id" {
-  description = "S3 bucket id for lambda code"
+variable "ecr_repository_url_cognito_pre_sign_up_lambda" {
+  description = "URL of the Cognito Pre Sign Up Lambda ECR"
   type        = string
 }

aws/cognito/lambda.tf

@@ -2,32 +2,13 @@
 # COGNITO EMAIL SENDER
 ########################
 
-data "archive_file" "cognito_email_sender_code" {
-  type        = "zip"
-  source_dir  = "lambda/cognito_email_sender/dist"
-  output_path = "/tmp/cognito_email_sender.zip"
-}
-
-resource "aws_s3_object" "cognito_email_sender_code" {
-  bucket      = var.lambda_code_id
-  key         = "cognito_email_sender_code"
-  source      = data.archive_file.cognito_email_sender_code.output_path
-  source_hash = data.archive_file.cognito_email_sender_code.output_base64sha256
-}
-
 resource "aws_lambda_function" "cognito_email_sender" {
-  s3_bucket         = aws_s3_object.cognito_email_sender_code.bucket
-  s3_key            = aws_s3_object.cognito_email_sender_code.key
-  s3_object_version = aws_s3_object.cognito_email_sender_code.version_id
-  function_name     = "Cognito_Email_Sender"
-  role              = aws_iam_role.cognito_lambda.arn
-  handler           = "cognito_email_sender.handler"
-  timeout           = 300
-
-  source_code_hash = data.archive_file.cognito_email_sender_code.output_base64sha256
-
-  runtime = "nodejs18.x"
-
+  function_name = "cognito-email-sender"
+  image_uri     = "${var.ecr_repository_url_cognito_email_sender_lambda}:latest"
+  package_type  = "Image"
+  role          = aws_iam_role.cognito_lambda.arn
+  timeout       = 300
+
   environment {
     variables = {
       NOTIFY_API_KEY = var.notify_api_key_secret_arn
@@ -40,8 +21,6 @@ resource "aws_lambda_function" "cognito_email_sender" {
   tracing_config {
     mode = "PassThrough"
   }
-
-
 }
 
 resource "aws_cloudwatch_log_group" "cognito_email_sender" {
@@ -54,30 +33,18 @@ resource "aws_cloudwatch_log_group" "cognito_email_sender" {
 # PRE SIGN UP
 ########################
 
-data "archive_file" "cognito_pre_sign_up_main" {
-  type        = "zip"
-  source_file = "lambda/pre_sign_up/pre_sign_up.js"
-  output_path = "/tmp/pre_sign_up_main.zip"
-}
-
 resource "aws_lambda_function" "cognito_pre_sign_up" {
-  filename      = "/tmp/pre_sign_up_main.zip"
-  function_name = "Cognito_Pre_Sign_Up"
+  function_name = "cognito-pre-sign-up"
+  image_uri     = "${var.ecr_repository_url_cognito_pre_sign_up_lambda}:latest"
+  package_type  = "Image"
   role          = aws_iam_role.cognito_lambda.arn
-  handler       = "pre_sign_up.handler"
   timeout       = 300
 
-  source_code_hash = data.archive_file.cognito_pre_sign_up_main.output_base64sha256
-
-  runtime = "nodejs18.x"
-
   tracing_config {
     mode = "PassThrough"
   }
-
-
-
 }
+
 resource "aws_cloudwatch_log_group" "cognito_pre_sign_up" {
   name              = "/aws/lambda/${aws_lambda_function.cognito_pre_sign_up.function_name}"
   kms_key_id        = var.kms_key_cloudwatch_arn

aws/cognito/lambda_iam.tf

@@ -1,8 +1,6 @@
 resource "aws_iam_role" "cognito_lambda" {
   name               = "iam_for_cognito_lambda"
   assume_role_policy = data.aws_iam_policy_document.cognito_lambda_assume.json
-
-
 }
 
 data "aws_iam_policy_document" "cognito_lambda_assume" {
@@ -22,8 +20,6 @@ resource "aws_iam_policy" "cognito_lambda_logging" {
   path        = "/"
   description = "IAM policy for logging from a cognito lambda"
   policy      = data.aws_iam_policy_document.cognito_lambda_logging.json
-
-
 }
 
 data "aws_iam_policy_document" "cognito_lambda_logging" {
@@ -48,8 +44,6 @@ resource "aws_iam_policy" "cognito_lambda_kms" {
   path        = "/"
   description = "IAM policy for storing encrypting and decrypting data"
   policy      = data.aws_iam_policy_document.cognito_lambda_kms.json
-
-
 }
 
 data "aws_iam_policy_document" "cognito_lambda_kms" {
@@ -74,8 +68,6 @@ resource "aws_iam_policy" "cognito_lambda_secrets" {
   path        = "/"
   description = "IAM policy for accessing secret manager"
   policy      = data.aws_iam_policy_document.cognito_lambda_secrets.json
-
-
 }
 
 data "aws_iam_policy_document" "cognito_lambda_secrets" {
@@ -91,34 +83,6 @@ data "aws_iam_policy_document" "cognito_lambda_secrets" {
     ]
   }
 }
-# Allow lambda to access S3 buckets
-
-resource "aws_iam_policy" "lambda_s3" {
-  name        = "cognito_lambda_s3"
-  path        = "/"
-  description = "IAM policy for storing files in S3"
-  policy      = data.aws_iam_policy_document.lambda_s3.json
-
-
-}
-
-data "aws_iam_policy_document" "lambda_s3" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "s3:DeleteObject",
-      "s3:GetObject",
-      "s3:PutObject",
-      "s3:ListBucket"
-    ]
-
-    resources = [
-      var.lambda_code_arn,
-      "${var.lambda_code_arn}/*"
-    ]
-  }
-}
 
 resource "aws_iam_role_policy_attachment" "cognito_lambda_logs" {
   role       = aws_iam_role.cognito_lambda.name