Merge pull request #362 from lorengordon/lambda-new

Author: lorengordon

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.4.2
+current_version = 1.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

.github/dependabot.yml

@@ -5,16 +5,6 @@ updates:
   schedule:
     interval: weekly
   open-pull-requests-limit: 10
-- package-ecosystem: pip
-  directory: "lambda/tests/"
-  schedule:
-    interval: weekly
-  open-pull-requests-limit: 10
-- package-ecosystem: pip
-  directory: "tests/"
-  schedule:
-    interval: weekly
-  open-pull-requests-limit: 10
 - package-ecosystem: pip
   directory: "/"
   schedule:

.gitignore

@@ -22,3 +22,7 @@ tests/go.*
 # python cache
 __pycache__
 .python-version
+.pytest_cache
+
+# lambda builds
+builds/

.travis.yml

@@ -46,8 +46,7 @@ jobs:
           (set -x; git tag -a $RELEASE_VERSION -m $RELEASE_VERSION)
       deploy:
         provider: releases
-        api_key:
-          secure: ZAqybnZivV40iVEAU5qYsQD2fFoDdwkbHpQwxya6IPyCkt6dUlY46xio4gjl18a2PQ+gUV/uZB72f2OOHSnwIkzPQkSXOc+DMSkYzDuBfmvTChZZ9lTVt4gyh6NoAkIIJquHP36JotacvO/dkVNaORc5zMxm+UCc28fB8QjCIc9cMuI9kpHGtza4qvGLCKs7EGMbSTvrffiUSiY2Vwm/HBK2VwU9C48TxC100PDo09JjXvIYEzfICuhR+3u7igmIWrHtMoNJ/r540tEsJD8XUrXSdO18DpqEIFd7J2qEMifN7kmP+Y8zxW2U4jx1bYHCy14uhNWBHE2mgjrcMbgS7TLcMi6UUlekDIYxWq7NHmf9n1YFGMfBhDXGiI/LgglGM9RzgXXk6jC1ptQAb1tUIWHc2294j53fEkecoIifq/zD4aqZ0/O9jj74vCF2NhcOKiZchsXuUDRPg3Vc/PJAC4taehgPr2ift4R7jOSSAMRQV4Gznc7FkwAWs9PCyCQQ3IJ0+qPxawcqz7iSXENb1ZZLaNf0hcD1CtyRQ/7oDKGwfNcn0Q6TQeCSBy85QTtclTwCurHrJ7Ct7egIzU3dHWuwOdx4URghJzothC+r8cQj0nvZuH4gkD8TUpHU82CKpdx9sh0ArRkKaFf41xHvKJFBoQ6HyxTHw3SzpuhFAbI=
+        api_key: $GH_RELEASES_TOKEN
         name: $RELEASE_VERSION
         body: $RELEASE_BODY
         tag_name: $RELEASE_VERSION

CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 1.0.0
+
+**Commit Delta**: [Change from 0.4.2 release](https://github.com/plus3it/terraform-aws-org-new-account-trust-policy/compare/0.4.2...1.0.0)
+
+**Released**: 2022.10.14
+
+**Summary**:
+
+*   Changed lambda module to one published by terraform-aws-modules, for better long-term support
+
+*   Exposed new `lambda` variable that wraps arguments for the upstream lambda module
+
+*   Added support for creating multiple instances of this module. This achieved by either:
+    *   Tailoring the artifact location, by setting `lambda.artifacts_dir` to a different location for each instance
+    *   Creating the package separately from the lambda functions, see `tests/test_create_package_separately` for an example
+
 ### 0.4.2
 
 **Commit Delta**: [Change from 0.4.1 release](https://github.com/plus3it/terraform-aws-org-new-account-trust-policy/compare/0.4.1...0.4.2)

Dockerfile

@@ -1,11 +1,11 @@
 FROM plus3it/tardigrade-ci:0.23.2
 
-COPY ./lambda/src/requirements.txt /lambda/src/requirements.txt
-COPY ./lambda/tests/requirements_dev.txt /lambda/tests/requirements_dev.txt
-COPY ./tests/requirements_test.txt /tests/requirements_test.txt
-COPY ./requirements_common.txt /requirements_common.txt
+COPY ./lambda/src/requirements.txt /app/requirements.txt
+COPY ./requirements/requirements_dev.txt /app/requirements_dev.txt
+COPY ./requirements/requirements_test.txt /app/requirements_test.txt
+COPY ./requirements/requirements_common.txt /app/requirements_common.txt
 
 RUN python -m pip install --no-cache-dir \
-    -r /lambda/src/requirements.txt \
-    -r /lambda/tests/requirements_dev.txt \
-    -r /tests/requirements_test.txt
+    -r /app/requirements.txt \
+    -r /app/requirements_dev.txt \
+    -r /app/requirements_test.txt

Dockerfile_test

@@ -1,6 +1,26 @@
 FROM plus3it/tardigrade-ci:0.23.2
 
-COPY ./tests/requirements_test.txt /tests/requirements_test.txt
-COPY ./requirements_common.txt /requirements_common.txt
+USER root
 
-RUN python -m pip install --no-cache-dir -r /tests/requirements_test.txt
+#Set of all dependencies needed for pyenv to work on Ubuntu
+RUN apt-get update \
+        && apt-get install -y --no-install-recommends make build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev wget ca-certificates curl llvm libncurses5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev mecab-ipadic-utf8 git
+
+USER tardigrade-ci
+
+# Set-up necessary Env vars for PyEnv
+ENV PYTHON_VERSION 3.8.10
+ENV PYENV_ROOT /home/tardigrade-ci/.pyenv
+ENV PATH $PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH
+
+# Install pyenv
+RUN curl https://pyenv.run | bash \
+    && pyenv update \
+    && pyenv install $PYTHON_VERSION \
+    && pyenv rehash \
+    && pyenv global system ${PYTHON_VERSION}
+
+COPY ./requirements/requirements_test.txt /app/requirements_test.txt
+COPY ./requirements/requirements_common.txt /app/requirements_common.txt
+
+RUN python -m pip install --no-cache-dir -r /app/requirements_test.txt

README.md

@@ -37,14 +37,19 @@ make mockstack/clean
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
+| <a name="requirement_external"></a> [external](#requirement\_external) | >= 1.0 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Resources
 
@@ -61,6 +66,7 @@ make mockstack/clean
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Name of the IAM role to create in the target account (case sensitive) | `string` | n/a | yes |
 | <a name="input_role_permission_policy"></a> [role\_permission\_policy](#input\_role\_permission\_policy) | AWS-managed permission policy name to attach to the role (case sensitive) | `string` | n/a | yes |
 | <a name="input_trust_policy_json"></a> [trust\_policy\_json](#input\_trust\_policy\_json) | JSON-formatted string containing the role trust policy | `string` | n/a | yes |
+| <a name="input_lambda"></a> [lambda](#input\_lambda) | Map of any additional arguments for the upstream lambda module. See <https://github.com/terraform-aws-modules/terraform-aws-lambda> | `any` | `{}` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Log level of the lambda output, one of: debug, info, warning, error, critical | `string` | `"info"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags that are passed to resources | `map(string)` | `{}` | no |
 

lambda/tests/requirements_dev.txt

@@ -1,8 +1,3 @@
-
-terraform {
-  required_version = ">= 0.12"
-}
-
 locals {
   name = "new_account_iam_role_${random_string.id.result}"
 }
@@ -32,25 +27,32 @@ data "aws_iam_policy_document" "lambda" {
 }
 
 module "lambda" {
-  source = "git::https://github.com/plus3it/terraform-aws-lambda.git?ref=v1.3.0"
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-lambda.git?ref=v4.1.1"
 
   function_name = local.name
-  description   = "Create new IAM Account Role"
-  handler       = "new_account_iam_role.lambda_handler"
-  policy        = data.aws_iam_policy_document.lambda
-  runtime       = "python3.8"
-  source_path   = "${path.module}/lambda/src"
-  tags          = var.tags
-  timeout       = 300
-
-  environment = {
-    variables = {
-      ASSUME_ROLE_NAME  = var.assume_role_name
-      ROLE_NAME         = var.role_name
-      PERMISSION_POLICY = var.role_permission_policy
-      TRUST_POLICY_JSON = var.trust_policy_json
-      LOG_LEVEL         = var.log_level
-    }
+
+  description = "Create new IAM Account Role"
+  handler     = "new_account_iam_role.lambda_handler"
+  runtime     = "python3.8"
+  timeout     = 300
+  tags        = var.tags
+
+  attach_policy_json = true
+  policy_json        = data.aws_iam_policy_document.lambda.json
+
+  source_path = "${path.module}/lambda/src"
+
+  artifacts_dir            = try(var.lambda.artifacts_dir, "builds")
+  create_package           = try(var.lambda.create_package, true)
+  local_existing_package   = try(var.lambda.local_existing_package, null)
+  recreate_missing_package = try(var.lambda.recreate_missing_package, false)
+
+  environment_variables = {
+    ASSUME_ROLE_NAME  = var.assume_role_name
+    ROLE_NAME         = var.role_name
+    PERMISSION_POLICY = var.role_permission_policy
+    TRUST_POLICY_JSON = var.trust_policy_json
+    LOG_LEVEL         = var.log_level
   }
 }
 
@@ -81,12 +83,12 @@ resource "aws_cloudwatch_event_rule" "this" {
 
 resource "aws_cloudwatch_event_target" "this" {
   rule = aws_cloudwatch_event_rule.this.name
-  arn  = module.lambda.function_arn
+  arn  = module.lambda.lambda_function_arn
 }
 
 resource "aws_lambda_permission" "events" {
   action        = "lambda:InvokeFunction"
-  function_name = module.lambda.function_name
+  function_name = module.lambda.lambda_function_name
   principal     = "events.amazonaws.com"
   source_arn    = aws_cloudwatch_event_rule.this.arn
 }

main.tf

@@ -0,0 +1,2 @@
+moto==3.1.18
+-r ./requirements_common.txt

requirements_common.txt renamed to requirements/requirements_common.txt

@@ -1,3 +1,3 @@
 tftest==1.7.4
 localstack-client==1.39
--r ../requirements_common.txt
+-r ./requirements_common.txt

requirements/requirements_dev.txt

@@ -5,7 +5,7 @@ provider "aws" {
   skip_credentials_validation = true
   skip_metadata_api_check     = true
   skip_requesting_account_id  = true
-  s3_force_path_style         = true
+  s3_use_path_style           = true
 
   endpoints {
     cloudwatch       = "http://${var.localstack_host}:4566"

tests/requirements_test.txt renamed to requirements/requirements_test.txt

@@ -0,0 +1,9 @@
+module "test_create_all" {
+  source = "../.."
+
+  assume_role_name       = "FOO"
+  trust_policy_json      = jsonencode({})
+  role_name              = "BAR"
+  role_permission_policy = "ReadOnlyAccess"
+  log_level              = "Info"
+}

tests/localstack.tf

@@ -0,0 +1,26 @@
+module "test_create_package" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-lambda.git?ref=v4.1.1"
+
+  create_function = false
+  create_package  = true
+
+  recreate_missing_package = false
+
+  runtime     = "python3.8"
+  source_path = "${path.module}/../../lambda/src"
+}
+
+module "test_create_function" {
+  source = "../.."
+
+  assume_role_name       = "FOO"
+  trust_policy_json      = jsonencode({})
+  role_name              = "BAR"
+  role_permission_policy = "ReadOnlyAccess"
+  log_level              = "Info"
+
+  lambda = {
+    local_existing_package = "${path.module}/${module.test_create_package.local_filename}"
+    create_package         = false
+  }
+}

tests/test_create_all/main.tf

@@ -140,7 +140,7 @@ def test_outputs(tf_output):
     prefix = "new_account_iam_role"
 
     lambda_module = tf_output["lambda"]
-    assert lambda_module["function_name"].startswith(prefix)
+    assert lambda_module["lambda_function_name"].startswith(prefix)
 
     event_rule_output = tf_output["aws_cloudwatch_event_rule"]
     assert event_rule_output["name"].startswith(prefix)
@@ -157,7 +157,7 @@ def test_lambda_dry_run(tf_output, localstack_session):
     lambda_client = localstack_session.client("lambda", region_name=AWS_DEFAULT_REGION)
     lambda_module = tf_output["lambda"]
     response = lambda_client.invoke(
-        FunctionName=lambda_module["function_name"],
+        FunctionName=lambda_module["lambda_function_name"],
         InvocationType="DryRun",
     )
     assert response["StatusCode"] == 204
@@ -174,7 +174,7 @@ def test_lambda_invocation(tf_output, localstack_session, mock_event):
     lambda_client = localstack_session.client("lambda", region_name=AWS_DEFAULT_REGION)
     lambda_module = tf_output["lambda"]
     response = lambda_client.invoke(
-        FunctionName=lambda_module["function_name"],
+        FunctionName=lambda_module["lambda_function_name"],
         InvocationType="RequestResponse",
         Payload=json.dumps(mock_event),
     )

tests/test_create_package_separately/main.tf

@@ -2,18 +2,28 @@ variable "assume_role_name" {
   description = "Name of IAM role to assume the target account (case sensitive)"
   type        = string
 }
+
 variable "role_name" {
   description = "Name of the IAM role to create in the target account (case sensitive)"
   type        = string
 }
+
 variable "role_permission_policy" {
   description = "AWS-managed permission policy name to attach to the role (case sensitive)"
   type        = string
 }
+
 variable "trust_policy_json" {
   description = "JSON-formatted string containing the role trust policy"
   type        = string
 }
+
+variable "lambda" {
+  description = "Map of any additional arguments for the upstream lambda module. See <https://github.com/terraform-aws-modules/terraform-aws-lambda>"
+  type        = any
+  default     = {}
+}
+
 variable "log_level" {
   default     = "info"
   description = "Log level of the lambda output, one of: debug, info, warning, error, critical"

tests/test_terraform_install.py

@@ -0,0 +1,26 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.9"
+    }
+    external = {
+      source  = "hashicorp/external"
+      version = ">= 1.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = ">= 1.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 2.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
+  }
+}