cds-snc / forms-terraform

Infrastructure as Code for the GC Forms environment
MIT License

feat: Nagware Lambda connect to Redis #807

Closed patheard closed 2 months ago

patheard commented 2 months ago

Summary

Update the Nagware Lambda function so that it can connect to Redis. This requires moving the function into the private subnets of the VPC and providing it a new security group.

Related

github-actions[bot] commented 2 months ago

⚠ Terraform update available

Terraform: 1.9.5 (using 1.9.2)
Terragrunt: 0.67.3 (using 0.63.2)
github-actions[bot] commented 2 months ago

Staging: network

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 5 to add, 0 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| add | `aws_security_group.lambda_nagware` |
| | `aws_security_group_rule.lambda_nagware_egress_internet` |
| | `aws_security_group_rule.lambda_nagware_egress_redis` |
| | `aws_security_group_rule.privatelink_lambda_nagware_ingress` |
| | `aws_security_group_rule.redis_ingress_lambda_nagware` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_security_group.lambda_nagware will be created
  + resource "aws_security_group" "lambda_nagware" {
      + arn                    = (known after apply)
      + description            = "Lambda Nagware"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "lambda_nagware"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + vpc_id                 = "vpc-0ad5b3739860129d0"
    }

  # aws_security_group_rule.lambda_nagware_egress_internet will be created
  + resource "aws_security_group_rule" "lambda_nagware_egress_internet" {
      + cidr_blocks              = [
          + "0.0.0.0/0",
        ]
      + description              = "Egress to the internet from Nagware Lambda function"
      + from_port                = 443
      + id                       = (known after apply)
      + protocol                 = "tcp"
      + security_group_id        = (known after apply)
      + security_group_rule_id   = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 443
      + type                     = "egress"
    }

  # aws_security_group_rule.lambda_nagware_egress_redis will be created
  + resource "aws_security_group_rule" "lambda_nagware_egress_redis" {
      + description              = "Egress from Nagware Lambda function to Redis"
      + from_port                = 6379
      + id                       = (known after apply)
      + protocol                 = "tcp"
      + security_group_id        = (known after apply)
      + security_group_rule_id   = (known after apply)
      + self                     = false
      + source_security_group_id = "sg-092fddfbbac0e15aa"
      + to_port                  = 6379
      + type                     = "egress"
    }

  # aws_security_group_rule.privatelink_lambda_nagware_ingress will be created
  + resource "aws_security_group_rule" "privatelink_lambda_nagware_ingress" {
      + description              = "Security group rule for Nagware Lambda function ingress"
      + from_port                = 443
      + id                       = (known after apply)
      + protocol                 = "tcp"
      + security_group_id        = "sg-089a83b7d81dff031"
      + security_group_rule_id   = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 443
      + type                     = "ingress"
    }

  # aws_security_group_rule.redis_ingress_lambda_nagware will be created
  + resource "aws_security_group_rule" "redis_ingress_lambda_nagware" {
      + description              = "Ingress to Redis from Nagware Lambda function"
      + from_port                = 6379
      + id                       = (known after apply)
      + protocol                 = "tcp"
      + security_group_id        = "sg-092fddfbbac0e15aa"
      + security_group_rule_id   = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 6379
      + type                     = "ingress"
    }

Plan: 5 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + lambda_nagware_security_group_id = (known after apply)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_default_network_acl.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_default_security_group.default"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_flow_log.vpc_flow_logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_internet_gateway.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_public_subnet"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.api_ecs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.connector_db"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_database"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_egress"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_load_balancer"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_redis"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.idp_db[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.idp_ecs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.idp_lb[0]"]
WARN - plan.json - main - Missing Common...
```
github-actions[bot] commented 2 months ago

Staging: lambdas

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `aws_lambda_function.nagware` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_lambda_function.nagware will be updated in-place
  ~ resource "aws_lambda_function" "nagware" {
        id                             = "nagware"
        tags                           = {}
        # (28 unchanged attributes hidden)

      + vpc_config {
          + ipv6_allowed_for_dual_stack = false
          + security_group_ids          = [
              + "sg-1234",
            ]
          + subnet_ids                  = [
              + "subnet-07e38df0760d389d1",
              + "subnet-07f9debd31e48ce64",
              + "subnet-0af8e6e3cf80f582d",
            ]
        }

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN -...
```
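The Terraform that would produce the security group pair and the Lambda `vpc_config` shown in the two plans above, written here as an added example rather than taken from the repository. `var.vpc_id`, `var.private_subnet_ids` and the reference target `aws_security_group.forms_redis` are assumed names, and the PrivateLink ingress rule from the network plan is left out.

```terraform
# Added example, not the repository's code: the wiring the two plans above describe.
# var.vpc_id, var.private_subnet_ids and aws_security_group.forms_redis are assumed names.
resource "aws_security_group" "lambda_nagware" {
  name        = "lambda_nagware"
  description = "Lambda Nagware"
  vpc_id      = var.vpc_id
}

# Lambda side: egress to Redis is scoped to the Redis security group, not a CIDR.
resource "aws_security_group_rule" "lambda_nagware_egress_redis" {
  description              = "Egress from Nagware Lambda function to Redis"
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 6379
  to_port                  = 6379
  security_group_id        = aws_security_group.lambda_nagware.id
  source_security_group_id = aws_security_group.forms_redis.id
}

# Redis side: the matching ingress admits only the Lambda security group.
resource "aws_security_group_rule" "redis_ingress_lambda_nagware" {
  description              = "Ingress to Redis from Nagware Lambda function"
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 6379
  to_port                  = 6379
  security_group_id        = aws_security_group.forms_redis.id
  source_security_group_id = aws_security_group.lambda_nagware.id
}

# HTTPS out via the NAT gateways; the plan's 0.0.0.0/0 is the rule to tighten if targets are known.
resource "aws_security_group_rule" "lambda_nagware_egress_internet" {
  description       = "Egress to the internet from Nagware Lambda function"
  type              = "egress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.lambda_nagware.id
}

# Attach the function to the private subnets with the new group (role, runtime, code omitted).
resource "aws_lambda_function" "nagware" {
  function_name = "nagware"
  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.lambda_nagware.id]
  }
}
```

Because both 6379 rules reference security groups rather than address ranges, Redis stays closed to every other workload in the private subnets even though they share the same route tables and NAT gateways.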