Feature Lambda buckets & ECS tags

ecs_api.tf

@@ -93,9 +93,10 @@ data "template_file" "api_service_container_definitions" {
   template = file("templates/api_service_task_definition.tpl")
 
   vars = {
-    api_image_uri        = "${aws_ecr_repository.api.repository_url}:latest"
+    api_image_uri        = "${aws_ecr_repository.api.repository_url}:${var.api_image_tag}"
+    api_image_uri        = "${var.api_container_repo_url != "" ? var.api_container_repo_url : aws_ecr_repository.api.repository_url}:${var.api_image_tag}"
     config_var_prefix    = local.config_var_prefix
-    migrations_image_uri = "${aws_ecr_repository.migrations.repository_url}:latest"
+    migrations_image_uri = "${var.migrations_container_repo_url != "" ? var.migrations_container_repo_url : aws_ecr_repository.migrations.repository_url}:${var.api_image_tag}"
     listening_port       = var.api_listening_port
     logs_service_name    = aws_cloudwatch_log_group.api.name
     log_group_region     = var.aws_region

ecs_push.tf

@@ -81,7 +81,8 @@ data "template_file" "push_service_container_definitions" {
 
   vars = {
     config_var_prefix = local.config_var_prefix
-    image_uri         = "${aws_ecr_repository.push.repository_url}:latest"
+
+    image_uri         = "${var.push_container_repo_url != "" ? var.push_container_repo_url : aws_ecr_repository.push.repository_url}:${var.push_image_tag}"
     listening_port    = var.push_listening_port
     logs_service_name = aws_cloudwatch_log_group.push.name
     log_group_region  = var.aws_region

env-vars/deployables.tfvars

@@ -0,0 +1,22 @@
+
+authorizer_lambda_s3_bucket   = ""
+authorizer_lambda_s3_key      = ""
+callback_lambda_s3_bucket     = ""
+callback_lambda_s3_key        = ""
+cso_lambda_s3_bucket          = ""
+cso_lambda_s3_key             = ""
+exposures_lambda_s3_bucket    = ""
+exposures_lambda_s3_key       = ""
+settings_lambda_s3_bucket     = ""
+settings_lambda_s3_key        = ""
+stats_lambda_s3_bucket        = ""
+stats_lambda_s3_key           = ""
+token_lambda_s3_bucket        = ""
+token_lambda_s3_key           = ""
+
+push_container_repo_url       = ""
+api_container_repo_url        = ""
+migrations_container_repo_url = ""
+
+push_container_tag            = "latest"
+api_container_tag             = "latest"

lambda-authorizer.tf

@@ -65,10 +65,17 @@ data "aws_secretsmanager_secret_version" "jwt_secret" {
   secret_id = "${data.aws_secretsmanager_secret.jwt_secret.id}"
 }
 
+resource "aws_s3_bucket_object" "authorizer_s3_file" {
+  bucket = aws_s3_bucket.lambdas.id
+  key    = "lambdas/${module.labels.id}_authorizer.zip"
+  source = "${path.module}/.zip/${module.labels.id}_authorizer.zip"
+}
+
 resource "aws_lambda_function" "authorizer" {
-  filename         = "${path.module}/.zip/${module.labels.id}_authorizer.zip"
+  s3_bucket        = (var.lambda_authorizer_s3_bucket != "" ? var.lambda_authorizer_s3_bucket : aws_s3_bucket_object.authorizer_s3_file.bucket)
+  s3_key           = (var.lambda_authorizer_s3_key != "" ? var.lambda_authorizer_s3_key : aws_s3_bucket_object.authorizer_s3_file.key)
   function_name    = "${module.labels.id}-authorizer"
-  source_code_hash = data.archive_file.authorizer.output_base64sha256
+  source_code_hash = (var.lambda_authorizer_s3_key != "" ? "" : data.archive_file.authorizer.output_base64sha256)
   role             = aws_iam_role.authorizer.arn
   runtime          = "nodejs10.x"
   handler          = "authorizer.handler"

lambda-callback.tf

@@ -69,10 +69,17 @@ resource "aws_iam_role_policy_attachment" "callback_logs" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+resource "aws_s3_bucket_object" "callback_s3_file" {
+  bucket = aws_s3_bucket.lambdas.id
+  key    = "lambdas/${module.labels.id}_callback.zip"
+  source = "${path.module}/.zip/${module.labels.id}_callback.zip"
+}
+
 resource "aws_lambda_function" "callback" {
-  filename         = "${path.module}/.zip/${module.labels.id}_callback.zip"
+  s3_bucket        = (var.lambda_callback_s3_bucket != "" ? var.lambda_callback_s3_bucket : aws_s3_bucket_object.callback_s3_file.bucket)
+  s3_key           = (var.lambda_callback_s3_key != "" ? var.lambda_callback_s3_key : aws_s3_bucket_object.callback_s3_file.key)
   function_name    = "${module.labels.id}-callback"
-  source_code_hash = data.archive_file.callback.output_base64sha256
+  source_code_hash = (var.lambda_callback_s3_key != "" ? "" : data.archive_file.callback.output_base64sha256)
   role             = aws_iam_role.callback.arn
   runtime          = "nodejs10.x"
   handler          = "callback.handler"

lambda-cso.tf

@@ -66,11 +66,18 @@ resource "aws_iam_role_policy_attachment" "cso_logs" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+resource "aws_s3_bucket_object" "cso_s3_file" {
+  bucket = aws_s3_bucket.lambdas.id
+  key    = "lambdas/${module.labels.id}_cso.zip"
+  source = "${path.module}/.zip/${module.labels.id}_cso.zip"
+}
+
 resource "aws_lambda_function" "cso" {
   count            = local.lambda_cso_count
-  filename         = "${path.module}/.zip/${module.labels.id}_cso.zip"
+  s3_bucket        = (var.lambda_cso_s3_bucket != "" ? var.lambda_cso_s3_bucket : aws_s3_bucket_object.cso_s3_file.bucket)
+  s3_key           = (var.lambda_cso_s3_key != "" ? var.lambda_cso_s3_key : aws_s3_bucket_object.cso_s3_file.key)
   function_name    = "${module.labels.id}-cso"
-  source_code_hash = data.archive_file.cso.output_base64sha256
+  source_code_hash = (var.lambda_cso_s3_key != "" ? "" : data.archive_file.cso.output_base64sha256)
   role             = aws_iam_role.cso[0].arn
   runtime          = "nodejs10.x"
   handler          = "cso.handler"

lambda-exposures.tf

@@ -61,10 +61,17 @@ resource "aws_iam_role_policy_attachment" "exposures_logs" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+resource "aws_s3_bucket_object" "exposures_s3_file" {
+  bucket = aws_s3_bucket.lambdas.id
+  key    = "lambdas/${module.labels.id}_exposures.zip"
+  source = "${path.module}/.zip/${module.labels.id}_exposures.zip"
+}
+
 resource "aws_lambda_function" "exposures" {
-  filename         = "${path.module}/.zip/${module.labels.id}_exposures.zip"
+  s3_bucket        = (var.lambda_exposures_s3_bucket != "" ? var.lambda_exposures_s3_bucket : aws_s3_bucket_object.exposures_s3_file.bucket)
+  s3_key           = (var.lambda_exposures_s3_key != "" ? var.lambda_exposures_s3_key : aws_s3_bucket_object.exposures_s3_file.key)
   function_name    = "${module.labels.id}-exposures"
-  source_code_hash = data.archive_file.exposures.output_base64sha256
+  source_code_hash = (var.lambda_exposures_s3_key != "" ? "" : data.archive_file.exposures.output_base64sha256)
   role             = aws_iam_role.exposures.arn
   runtime          = "nodejs10.x"
   handler          = "exposures.handler"

lambda-settings.tf

@@ -61,10 +61,17 @@ resource "aws_iam_role_policy_attachment" "settings_logs" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+resource "aws_s3_bucket_object" "settings_s3_file" {
+  bucket = aws_s3_bucket.lambdas.id
+  key    = "lambdas/${module.labels.id}_settings.zip"
+  source = "${path.module}/.zip/${module.labels.id}_settings.zip"
+}
+
 resource "aws_lambda_function" "settings" {
-  filename         = "${path.module}/.zip/${module.labels.id}_settings.zip"
+  s3_bucket        = (var.lambda_settings_s3_bucket != "" ? var.lambda_settings_s3_bucket : aws_s3_bucket_object.settings_s3_file.bucket)
+  s3_key           = (var.lambda_settings_s3_key != "" ? var.lambda_settings_s3_key : aws_s3_bucket_object.settings_s3_file.key)
   function_name    = "${module.labels.id}-settings"
-  source_code_hash = data.archive_file.settings.output_base64sha256
+  source_code_hash = (var.lambda_settings_s3_key != "" ? "" : data.archive_file.settings.output_base64sha256)
   role             = aws_iam_role.settings.arn
   runtime          = "nodejs10.x"
   handler          = "settings.handler"

lambda-stats.tf

@@ -61,10 +61,17 @@ resource "aws_iam_role_policy_attachment" "stats_logs" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+resource "aws_s3_bucket_object" "stats_s3_file" {
+  bucket = aws_s3_bucket.lambdas.id
+  key    = "lambdas/${module.labels.id}_stats.zip"
+  source = "${path.module}/.zip/${module.labels.id}_stats.zip"
+}
+
 resource "aws_lambda_function" "stats" {
-  filename         = "${path.module}/.zip/${module.labels.id}_stats.zip"
+  s3_bucket        = (var.lambda_stats_s3_bucket != "" ? var.lambda_stats_s3_bucket : aws_s3_bucket_object.stats_s3_file.bucket)
+  s3_key           = (var.lambda_stats_s3_key != "" ? var.lambda_stats_s3_key : aws_s3_bucket_object.stats_s3_file.key)
   function_name    = "${module.labels.id}-stats"
-  source_code_hash = data.archive_file.stats.output_base64sha256
+  source_code_hash = (var.lambda_stats_s3_key != "" ? "" : data.archive_file.stats.output_base64sha256)
   role             = aws_iam_role.stats.arn
   runtime          = "nodejs10.x"
   handler          = "stats.handler"

lambda-token.tf

@@ -61,10 +61,17 @@ resource "aws_iam_role_policy_attachment" "token_logs" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+resource "aws_s3_bucket_object" "token_s3_file" {
+  bucket = aws_s3_bucket.lambdas.id
+  key    = "lambdas/${module.labels.id}_token.zip"
+  source = "${path.module}/.zip/${module.labels.id}_token.zip"
+}
+
 resource "aws_lambda_function" "token" {
-  filename         = "${path.module}/.zip/${module.labels.id}_token.zip"
+  s3_bucket        = (var.lambda_token_s3_bucket != "" ? var.lambda_token_s3_bucket : aws_s3_bucket_object.token_s3_file.bucket)
+  s3_key           = (var.lambda_token_s3_key != "" ? var.lambda_token_s3_key : aws_s3_bucket_object.token_s3_file.key)
   function_name    = "${module.labels.id}-token"
-  source_code_hash = data.archive_file.token.output_base64sha256
+  source_code_hash = (var.lambda_token_s3_key != "" ? "" : data.archive_file.token.output_base64sha256)
   role             = aws_iam_role.token.arn
   runtime          = "nodejs10.x"
   handler          = "token.handler"

s3-lambdas.tf

@@ -0,0 +1,18 @@
+resource "aws_s3_bucket" "lambdas" {
+  bucket = module.labels.id
+  acl    = "private"
+  tags   = module.labels.tags
+
+  versioning {
+    enabled = true
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "lambdas" {
+  bucket = aws_s3_bucket.assets.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}

variables.tf

@@ -315,3 +315,116 @@ variable "sms_sender" {
 variable "sms_region" {
   default = ""
 }
+variable "lambda_authorizer_s3_bucket" {
+  description = "S3 bucket name where the lambda content will be found"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_authorizer_s3_key" {
+  description = "S3 key where the lambda archive will be found. This should be a path relative to the bucket root."
+  type        = string
+  default     = ""
+}
+
+variable "lambda_callback_s3_bucket" {
+  description = "S3 bucket name where the lambda content will be found"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_callback_s3_key" {
+  description = "S3 key where the lambda archive will be found. This should be a path relative to the bucket root."
+  type        = string
+  default     = ""
+}
+
+variable "lambda_cso_s3_bucket" {
+  description = "S3 bucket name where the lambda content will be found"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_cso_s3_key" {
+  description = "S3 key where the lambda archive will be found. This should be a path relative to the bucket root."
+  type        = string
+  default     = ""
+}
+
+variable "lambda_token_s3_bucket" {
+  description = "S3 bucket name where the lambda content will be found"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_token_s3_key" {
+  description = "S3 key where the lambda archive will be found. This should be a path relative to the bucket root."
+  type        = string
+  default     = ""
+}
+
+variable "lambda_settings_s3_bucket" {
+  description = "S3 bucket name where the lambda content will be found"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_settings_s3_key" {
+  description = "S3 key where the lambda archive will be found. This should be a path relative to the bucket root."
+  type        = string
+  default     = ""
+}
+
+variable "lambda_exposures_s3_key" {
+  description = "S3 key where the lambda archive will be found. This should be a path relative to the bucket root."
+  type        = string
+  default     = ""
+}
+
+variable "lambda_exposures_s3_bucket" {
+  description = "S3 bucket name where the lambda content will be found"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_stats_s3_key" {
+  description = "S3 key where the lambda archive will be found. This should be a path relative to the bucket root."
+  type        = string
+  default     = ""
+}
+
+variable "lambda_stats_s3_bucket" {
+  description = "S3 bucket name where the lambda content will be found"
+  type        = string
+  default     = ""
+}
+
+variable "api_container_repo_url" {
+  description = "ECR repo to be deployed into ECS for the API container"
+  type        = string
+  default     = ""
+}
+
+variable "migrations_container_repo_url" {
+  description = "ECR repo to be deployed into ECS for the Migration container"
+  type        = string
+  default     = ""
+}
+
+variable "api_image_tag" {
+  description = "ECR image tag to be deployed into ECS for the API & Migration containers"
+  type        = string
+  default     = "latest"
+}
+
+variable "push_container_repo_url" {
+  description = "ECR repo to be deployed into ECS for the Push API container"
+  type        = string
+  default     = ""
+}
+
+variable "push_image_tag" {
+  description = "ECR image tag to be deployed into ECS for the Push API container"
+  type        = string
+  default     = "latest"
+}