Merge pull request #13 from highwingio/ianbender/remove-old-deployment-buckets

Clear out unneeded S3 resource

Author: ianbender

README.md

@@ -41,23 +41,23 @@ No modules.
 | [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_metric_alarm.lambda_errors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_iam_role_policy_attachment.lambda_basic_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lambda_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lambda_networking](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
-| [aws_s3_bucket.lambda_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_object.lambda_deploy_object](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
-| [aws_s3_bucket_policy.lambda_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_public_access_block.lambda_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.lambda_deploy_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_ssm_parameter.deployment_bucket_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_deployment_bucket_id"></a> [deployment\_bucket\_id](#input\_deployment\_bucket\_id) | ID of S3 bucket that should store our deployment artifacts. Will use the /account/DEPLOYMENT\_BUCKET\_ID value from SSM unless specified otherwise. | `string` | `null` | no |
 | <a name="input_description"></a> [description](#input\_description) | Description of the Lambda Function | `string` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment variables to be passed to the function | `map(string)` | `{}` | no |
 | <a name="input_error_rate_alarm_threshold"></a> [error\_rate\_alarm\_threshold](#input\_error\_rate\_alarm\_threshold) | Error rate (in percent, 1-100) at which to trigger an alarm notification | `number` | `25` | no |
+| <a name="input_git_sha"></a> [git\_sha](#input\_git\_sha) | Hash generated by `git hash-object` in source repo and used to determine whether a lambda needs to be updated | `string` | `null` | no |
 | <a name="input_handler"></a> [handler](#input\_handler) | Name of the handler function inside the artifact (https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html) | `string` | n/a | yes |
 | <a name="input_layer_arns"></a> [layer\_arns](#input\_layer\_arns) | List of ARNs for layers to use with the function | `list(string)` | `[]` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days to keep function logs in Cloudwatch | `number` | `365` | no |

main.tf

@@ -23,9 +23,10 @@
  */
 
 locals {
-  deploy_artifact_key = "deploy.zip"
-  source_hash         = coalesce(var.git_sha, filebase64sha256(var.path))
-  role_arn            = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.role_name}"
+  deploy_artifact_key  = "deploy.zip"
+  deployment_bucket_id = coalesce(var.deployment_bucket_id, data.aws_ssm_parameter.deployment_bucket_id.value)
+  source_hash          = coalesce(var.git_sha, filebase64sha256(var.path))
+  role_arn             = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.role_name}"
 }
 
 # Configure default role permissions
@@ -49,75 +50,9 @@ resource "aws_iam_role_policy_attachment" "lambda_insights" {
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
 }
 
-# S3 bucket for deploying Lambda artifacts
-# Not always required but it's more consistent for deploying larger files
-resource "aws_s3_bucket" "lambda_deploy" {
-  acl           = "private"
-  bucket_prefix = "lambda-deploy"
-  force_destroy = true
-
-  versioning {
-    enabled = true
-  }
-
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
-
-  tags = var.tags
-}
-
-# Block public access to the deploy artifacts
-resource "aws_s3_bucket_public_access_block" "lambda_deploy" {
-  bucket = aws_s3_bucket.lambda_deploy.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# Deny insecure requests for deploy artifacts
-data "aws_iam_policy_document" "lambda_deploy_bucket_policy" {
-  statement {
-    sid = "OnlyAllowSSLRequests"
-
-    actions = [
-      "s3:*",
-    ]
-
-    effect = "Deny"
-
-    resources = [
-      aws_s3_bucket.lambda_deploy.arn,
-      "${aws_s3_bucket.lambda_deploy.arn}/*",
-    ]
-
-    condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-      values   = ["false"]
-    }
-
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "lambda_deploy" {
-  bucket = aws_s3_bucket.lambda_deploy.id
-  policy = data.aws_iam_policy_document.lambda_deploy_bucket_policy.json
-}
-
 # S3 object to hold the deployed artifact
 resource "aws_s3_bucket_object" "lambda_deploy_object" {
-  bucket      = data.aws_ssm_parameter.deployment_bucket_id.value
+  bucket      = local.deployment_bucket_id
   key         = "${var.name}/${local.deploy_artifact_key}"
   source      = var.path
   source_hash = md5(local.source_hash)
@@ -140,7 +75,7 @@ resource "aws_lambda_function" "lambda" {
   reserved_concurrent_executions = var.reserved_concurrent_executions
   role                           = local.role_arn
   runtime                        = var.runtime
-  s3_bucket                      = data.aws_ssm_parameter.deployment_bucket_id.value
+  s3_bucket                      = local.deployment_bucket_id
   s3_key                         = aws_s3_bucket_object.lambda_deploy_object.key
   s3_object_version              = aws_s3_bucket_object.lambda_deploy_object.version_id
   tags                           = var.tags

vars.tf

@@ -4,6 +4,12 @@ variable "description" {
   type        = string
 }
 
+variable "deployment_bucket_id" {
+  default     = null
+  description = "ID of S3 bucket that should store our deployment artifacts. Will use the /account/DEPLOYMENT_BUCKET_ID value from SSM unless specified otherwise."
+  type        = string
+}
+
 variable "environment" {
   default     = {}
   description = "Environment variables to be passed to the function"
@@ -17,9 +23,9 @@ variable "error_rate_alarm_threshold" {
 }
 
 variable "git_sha" {
-  type        = string
-  description = "Git SHA hash for lambda source code"
   default     = null
+  description = "Hash generated by `git hash-object` in source repo and used to determine whether a lambda needs to be updated"
+  type        = string
 }
 
 variable "handler" {