Merge pull request #3824 from ministryofjustice/LAWS-3514-add-ingress…

…-for-lambda inbound port 22 ssh access for lambda to connect to ec2 instance
ministryofjustice · Nov 8, 2023 · 2c234f2 · 2c234f2
2 parents 489392f + 8f6808d
commit 2c234f2
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 9 deletions.
diff --git a/terraform/environments/apex/dbconnect.js b/terraform/environments/apex/dbconnect.js
@@ -8,7 +8,7 @@
 /////////////////////////////////////////////////////////////////////
 
 const SSH = require("simple-ssh");
-const AWS = require("aws-sdk");
+const AWS = require("@aws-sdk/client-ec2");
 
 //SSM object with temp parms
 const ssm = new AWS.SSM({ apiVersion: "2014-11-06" });
@@ -170,4 +170,4 @@ exports.handler = async (event, context) => {
     console.error(error);
     context.fail();
   }
-};
+};
diff --git a/terraform/environments/apex/dbsnapshot.js b/terraform/environments/apex/dbsnapshot.js
@@ -7,7 +7,7 @@
 //   auth: phil h
 /////////////////////////////////////////////////////////////////////
 
-const AWS = require("aws-sdk");
+const AWS = require("@aws-sdk/client-ec2");
 
 //Set date format
 var date_ob = new Date();

diff --git a/terraform/environments/apex/ec2.tf b/terraform/environments/apex/ec2.tf
@@ -94,6 +94,13 @@ resource "aws_security_group" "ec2" {
     protocol    = "tcp"
     cidr_blocks = [local.application_data.accounts[local.environment].mp_vpc_cidr]
   }
+  ingress {
+    description = "inbound ssh access for Lambda"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = [local.application_data.accounts[local.environment].mp_vpc_cidr]
+  }
 
   egress {
     description = "Allow AWS SSM Session Manager"

diff --git a/terraform/environments/apex/event_triggers.tf b/terraform/environments/apex/event_triggers.tf
@@ -1,7 +1,7 @@
 resource "aws_cloudwatch_event_rule" "snapshotDBFunctionmon_sun" {
     name = "laa-createSnapshotRule-${local.application_name}-${local.environment}-mp"
     description = "Daily snapshots of Oracle volumes"
-    schedule_expression = "cron(00 04 ? * MON-SUN *)"
+    schedule_expression = "cron(51 14 ? * MON-SUN *)"
 }
 resource "aws_lambda_permission" "allow_cloudwatch_to_call_check_mon_sun" {
     statement_id = "AllowExecutionFromCloudWatch"

diff --git a/terraform/environments/apex/lambda.tf b/terraform/environments/apex/lambda.tf
@@ -10,7 +10,7 @@ module "iambackup" {
 module "s3_bucket_lambda" {
   source = "./modules/s3"
 
-  bucket_name = "laa-${local.application_name}-${local.environment}-mp" 
+  bucket_name = "laa-${local.application_name}-${local.environment}-mp"
   tags = merge(
     local.tags,
     { Name = "laa-${local.application_name}-${local.environment}-mp" }
@@ -72,6 +72,9 @@ resource "aws_lambda_function" "snapshotDBFunction" {
   layers = [aws_lambda_layer_version.lambda_layer.arn]
   s3_bucket = module.s3_bucket_lambda.lambdabucketname
   s3_key = local.snapshotDBFunctionfilename
+  memory_size = 350
+  timeout = 300
+
 
   environment {
     variables = {
@@ -124,6 +127,8 @@ resource "aws_lambda_function" "connectDBFunction" {
   layers = [aws_lambda_layer_version.lambda_layer.arn]
   s3_bucket = module.s3_bucket_lambda.lambdabucketname
   s3_key = local.connectDBFunctionfilename
+  memory_size = 350
+  timeout = 300
 
   environment {
     variables = {

diff --git a/terraform/environments/apex/locals.tf b/terraform/environments/apex/locals.tf
@@ -5,15 +5,15 @@ locals {
   dbsnapshot_source_file = "dbsnapshot.js"
   deletesnapshot_source_file = "deletesnapshots.py"
   dbconnect_source_file = "dbconnect.js"
-  
+
   dbsnapshot_output_path = "dbsnapshot.zip"
   deletesnapshot_output_path = "deletesnapshots.zip"
   dbconnect_output_path = "dbconnect.zip"
 
   #Lambda Function creation
   snapshotDBFunctionname = "snapshotDBFunction"
   snapshotDBFunctionhandler = "snapshot/dbsnapshot.handler"
-  snapshotDBFunctionruntime = "nodejs14.x"
+  snapshotDBFunctionruntime = "nodejs18.x"
   snapshotDBFunctionfilename = "dbsnapshot.zip"
 
   deletesnapshotFunctionname = "deletesnapshotFunction"
@@ -23,12 +23,12 @@ locals {
 
   connectDBFunctionname = "connectDBFunction"
   connectDBFunctionhandler = "ssh/dbconnect.handler"
-  connectDBFunctionruntime = "nodejs14.x"
+  connectDBFunctionruntime = "nodejs18.x"
   connectDBFunctionfilename = "dbconnect.zip"
 
   #layer config
   s3layerkey = "nodejs.zip"
-  compatible_runtimes = "nodejs14.x"
+  compatible_runtimes = "nodejs18.x"
 
   application_test_url = "https://apex.laa-development.modernisation-platform.service.justice.gov.uk/apex/"
 }
diff --git a/terraform/environments/apex/modules/s3/main.tf b/terraform/environments/apex/modules/s3/main.tf
@@ -26,3 +26,9 @@ resource "aws_s3_bucket_public_access_block" "default" {
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_versioning" "laa-lambda-backup-versioning" {
+  bucket = aws_s3_bucket.laa-lambda-backup.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}