
Provide initial functionality #6

Merged
merged 50 commits into from
May 31, 2024

Conversation

dav3r
Member

@dav3r dav3r commented Jul 22, 2022

🗣 Description

This PR implements the initial functionality for this repository, namely Terraform to do the following:

  • Deploy a Lambda function, specifically cisagov/publish-egress-ip-lambda, and its execution role/policy
  • Create the CloudWatch log group used by the Lambda
  • Schedule the Lambda to run every X minutes using a CloudWatch event
  • Create an S3 bucket to host the published files (objects) containing egress IP information
  • Deploy a CloudFront distribution to enable HTTPS access to the egress IP info in the S3 bucket
  • Create DNS records that point to the CloudFront distribution

💭 Motivation and context

We need a mechanism to publish egress IP info from a subset of our AWS accounts and this Terraform will allow us to deploy the infrastructure to do that.

This is part of the work for:

This PR is related to the following:

This PR resolves #5 (via f22ab6d).

🧪 Testing

I successfully applied all of this Terraform and confirmed that the Lambda was deployed, scheduled, and worked as expected. I also confirmed that I could cleanly destroy all of this Terraform.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • All new and existing tests pass.

✅ Pre-merge checklist

✅ Post-merge checklist

  • Confirm that all internal stakeholders are ready for this deployment
  • Deploy to Production

@dav3r dav3r added documentation This issue or pull request improves or adds to documentation improvement This issue or pull request will add or improve functionality, maintainability, or ease of use labels Jul 22, 2022
@dav3r dav3r requested review from felddy, jsf9k and mcdonnnj as code owners July 22, 2022 17:25
@dav3r dav3r self-assigned this Jul 22, 2022
Member

@jsf9k jsf9k left a comment

Nice work! I have one question before approving.

Member

@jsf9k jsf9k left a comment

Powerful work!

Member

@mcdonnnj mcdonnnj left a comment

Some suggestions/thoughts on my first pass. I think I have suggestions in variables.tf corresponding to all suggestions in README.md.

@dav3r dav3r requested a review from mcdonnnj July 26, 2022 19:47
Member

@mcdonnnj mcdonnnj left a comment

Thanks for your continued work on this. I have for your consideration some suggestions around the validation you added for the lambda_schedule_interval variable, correctly defining the rate provided to the schedule_expression argument, and then some miscellaneous capitalization/language suggestions.

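The review above refers to validation of the lambda_schedule_interval variable and to getting the rate passed to schedule_expression right, which is the "every X minutes" schedule from the PR description. As an added example (not the module's own code), this is one way to wire that up: the variable only accepts whole minutes, the rate expression switches between the singular and plural unit that EventBridge requires, and the Lambda grants invoke rights only to this one rule. The default value, resource names and the Lambda resource aws_lambda_function.publish_egress_ip (assumed to be defined elsewhere) are assumptions.

```hcl
variable "lambda_schedule_interval" {
  description = "Minutes between scheduled invocations of the Lambda"
  type        = number
  default     = 15 # illustrative default, not the module's

  validation {
    # Rate expressions take a positive integer; reject fractions and zero early.
    condition     = var.lambda_schedule_interval >= 1 && floor(var.lambda_schedule_interval) == var.lambda_schedule_interval
    error_message = "lambda_schedule_interval must be a whole number of minutes, 1 or greater."
  }
}

locals {
  # EventBridge accepts "rate(1 minute)" but not "rate(1 minutes)", and
  # "rate(15 minutes)" but not "rate(15 minute)"; pick the unit to match.
  schedule_expression = format(
    "rate(%d %s)",
    var.lambda_schedule_interval,
    var.lambda_schedule_interval == 1 ? "minute" : "minutes"
  )
}

resource "aws_cloudwatch_event_rule" "lambda_schedule" {
  name                = "publish-egress-ip-schedule" # hypothetical name
  description         = "Invoke the egress IP publishing Lambda on a fixed interval"
  schedule_expression = local.schedule_expression
}

resource "aws_cloudwatch_event_target" "lambda" {
  rule = aws_cloudwatch_event_rule.lambda_schedule.name
  arn  = aws_lambda_function.publish_egress_ip.arn # assumed to exist elsewhere
}

# Without this resource policy the rule fires but Lambda refuses the call.
# source_arn limits the grant to this specific rule rather than all of EventBridge.
resource "aws_lambda_permission" "allow_eventbridge" {
  statement_id  = "AllowExecutionFromEventBridge"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.publish_egress_ip.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.lambda_schedule.arn
}
```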
@dav3r dav3r added the blocked This issue or pull request is awaiting the outcome of another issue or pull request label Aug 1, 2022
@dav3r
Member Author

dav3r commented Aug 1, 2022

I just added the blocked label on this PR so that I don't merge it until after cisagov/publish-egress-ip-lambda#4 has been approved and merged. I also added a Pre-merge checklist checkbox to the PR description above.

Member

@mcdonnnj mcdonnnj left a comment

Quick reminder to enable these ignore directives:

  - package-ecosystem: "terraform"
    directory: "/"
    schedule:
      interval: "weekly"
    # ignore:
    #   - dependency-name: "hashicorp/aws"
  - package-ecosystem: "terraform"
    directory: "/examples/basic_usage"
    schedule:
      interval: "weekly"
    # ignore:
    #   - dependency-name: "hashicorp/aws"

@dav3r
Member Author

dav3r commented Sep 19, 2022

Quick reminder to enable these ignore directives

Thanks @mcdonnnj for the reminder! Done in 3d83004.

@dav3r dav3r added the hacktoberfest-accepted Pull request that should count toward Hacktoberfest participation label Oct 5, 2022
dav3r added 3 commits May 6, 2024 15:34
These are no longer needed now that we have moved to version 4.x of the Terraform AWS provider.
dav3r added 3 commits May 17, 2024 15:19
Using the current default runtime (nodejs14.x) of this module results in this error: "The runtime parameter of nodejs14.x is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (nodejs20.x) while creating or updating functions."

Using the AWS-recommended runtime of nodejs20.x results in this error: "expected runtime to be one of [nodejs nodejs4.3 nodejs6.10 nodejs8.10 nodejs10.x nodejs12.x nodejs14.x nodejs16.x java8 java8.al2 java11 python2.7 python3.6 python3.7 python3.8 python3.9 dotnetcore1.0 dotnetcore2.0 dotnetcore2.1 dotnetcore3.1 dotnet6 nodejs4.3-edge go1.x ruby2.5 ruby2.7 provided provided.al2 nodejs18.x python3.10 java17], got nodejs20.x"

As best I can tell, this is because the Terraform AWS provider that we are currently pinned to (~> 4.9) does not support nodejs20.x.

Given all of the info above, I chose to set the runtime to nodejs18.x and everything is working.

…ss bucket

Things have changed a bit with how AWS does public bucket access since this code was initially created, so we must change with the times.

10 minutes was not long enough to iterate through all of our AWS accounts.
@dav3r dav3r requested review from jsf9k and mcdonnnj May 20, 2024 15:03
Member

@jsf9k jsf9k left a comment

I have one suggested language tweak, but nothing that should hold up this PR.

Co-authored-by: Shane Frasier <[email protected]>
…Front to read the bucket contents

This is a more secure bucket configuration, since there is no direct public access to the bucket.

Co-authored-by: Nick <[email protected]>
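The commit above moves to a bucket with no direct public access that CloudFront is still allowed to read. As an added example (not the module's own code), here is that pattern with an origin access control: the bucket blocks every form of public access, and its policy grants s3:GetObject only to requests CloudFront signs on behalf of one specific distribution, so neither anonymous clients nor other distributions in the account can read it. The bucket name, resource names and the distribution aws_cloudfront_distribution.egress_ip (assumed to be defined elsewhere with the OAC attached through origin_access_control_id in its origin block) are assumptions.

```hcl
resource "aws_s3_bucket" "egress_ip" { bucket = "example-egress-ip-bucket" } # placeholder name

# Refuse public ACLs and public bucket policies outright; the policy below
# is not "public" in the S3 sense because it names a service principal and
# pins the source ARN, so it is still accepted.
resource "aws_s3_bucket_public_access_block" "egress_ip" {
  bucket                  = aws_s3_bucket.egress_ip.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CloudFront SigV4-signs its origin requests so S3 can identify the caller.
# Attach it to the distribution's origin block via origin_access_control_id
# (distribution assumed to be defined elsewhere as aws_cloudfront_distribution.egress_ip).
resource "aws_cloudfront_origin_access_control" "egress_ip" {
  name                              = "egress-ip-oac" # hypothetical name
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# Read access for exactly one distribution: the Service principal alone would
# admit any CloudFront distribution in any account, so the SourceArn condition
# is what actually scopes the grant.
data "aws_iam_policy_document" "egress_ip_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.egress_ip.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.egress_ip.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "egress_ip" {
  bucket = aws_s3_bucket.egress_ip.id
  policy = data.aws_iam_policy_document.egress_ip_read.json
}
```

A quick check after apply is an unauthenticated GET of an object URL directly on the bucket, which should return 403, while the same path through the distribution's hostname returns the object.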
Member

@mcdonnnj mcdonnnj left a comment

This looks pretty solid. Some minor items for your consideration. I didn't want to go wild with the formatting changes until we codify it in the development guide but left the two suggestions I'd already done.

@dav3r dav3r removed the blocked This issue or pull request is awaiting the outcome of another issue or pull request label May 31, 2024
@dav3r dav3r merged commit 0ba1733 into develop May 31, 2024
4 checks passed
@dav3r dav3r deleted the first-commits branch May 31, 2024 18:50
dav3r added a commit that referenced this pull request Jun 3, 2024
Note that some of these changes were overlooked at the end of PR #6.
Successfully merging this pull request may close these issues.

Remove S3 lifecycle blocks after we move to version 4.x of Terraform AWS provider