cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License
4 stars, 1 fork

Include lambda-dead-queue in lambda function as is required by AWS config #271

Closed sylviamclaughlin closed 1 year ago

sylviamclaughlin commented 1 year ago

Summary | Résumé

Changes required to meet lambda-dlq-check-conformance-pack-rfm1tg7he of AWS config. I am also subscribing the topic to a slack module so that we get slack alerts of failures or errors associated with the lambda function. More information can be found here as to the specific requirements requested.
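For reference, the shape of configuration the plan below corresponds to, written as an added illustration rather than the PR's own code: an SNS topic used as the Lambda dead-letter target, the `sns:Publish` grant the function's execution role needs for that target to work, the `dead_letter_config` block on the function, and the subscription that forwards dead-lettered events to a notifier function. The role reference `aws_iam_role.url_shortener`, the handler and package file names, the policy name, and the `lambda_arn`/`lambda_name` outputs of the Slack module are assumptions for the example.

```terraform
# Added illustration, not code from the cds-snc/url-shortener repository.
# Resource names other than the topic and function name, the execution role
# reference and the Slack module outputs are assumptions.

resource "aws_sns_topic" "lambda_dead_letter" {
  name = "cloudwatch-alarms-lambda-dead-letter"
}

# Lambda publishes to the DLQ using the function's execution role. Without this
# grant the failed event is discarded (and the DeadLetterErrors metric climbs)
# instead of being queued, so the alerting path silently does nothing.
data "aws_iam_policy_document" "publish_dead_letter" {
  statement {
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.lambda_dead_letter.arn]
  }
}

resource "aws_iam_role_policy" "publish_dead_letter" {
  name   = "publish-to-dead-letter"          # assumed name
  role   = aws_iam_role.url_shortener.id     # assumed: the API function's execution role
  policy = data.aws_iam_policy_document.publish_dead_letter.json
}

resource "aws_lambda_function" "url_shortener" {
  function_name = "url-shortener-api"
  role          = aws_iam_role.url_shortener.arn
  handler       = "main.handler"   # assumed
  runtime       = "python3.8"
  filename      = "api.zip"        # assumed

  # A dead-letter target only receives events from asynchronous invocations
  # (SNS, S3, EventBridge and the like) after Lambda's retries are exhausted.
  # Synchronous callers such as API Gateway get the error in their response and
  # nothing is ever sent here, which is why the config rule is moot for an API.
  dead_letter_config {
    target_arn = aws_sns_topic.lambda_dead_letter.arn
  }
}

# Forward every dead-lettered event to the notifier so failures surface in Slack.
resource "aws_sns_topic_subscription" "alert_lambda_dead_letter" {
  topic_arn = aws_sns_topic.lambda_dead_letter.arn
  protocol  = "lambda"
  endpoint  = module.cloudwatch_dead_letter_slack.lambda_arn   # assumed output name
}

# SNS needs an explicit resource-based permission to invoke the notifier;
# scoping source_arn to the topic keeps other topics from triggering it.
resource "aws_lambda_permission" "notify_slack_from_sns" {
  statement_id  = "AllowExecutionFromSNS"
  action        = "lambda:InvokeFunction"
  function_name = module.cloudwatch_dead_letter_slack.lambda_name   # assumed output name
  principal     = "sns.amazonaws.com"
  source_arn    = aws_sns_topic.lambda_dead_letter.arn
}
```

The plan in this PR adds the topic, the subscription and the `dead_letter_config` block but shows no change to the API function's role, so a reviewer would check that the `sns:Publish` grant already exists before relying on the alert path; and, as the closing comment notes, a function that is only invoked synchronously never produces dead-letter events in the first place.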

github-actions[bot] commented 1 year ago

Staging: api

- ✅ Terraform Init: success
- ✅ Terraform Validate: success
- ✅ Terraform Format: success
- ✅ Terraform Plan: success
- ✅ Conftest: success

Plan: 8 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| add | `aws_sns_topic.lambda_dead_letter` |
| | `aws_sns_topic_subscription.alert_lambda_dead_letter` |
| | `module.cloudwatch_dead_letter_slack.aws_cloudwatch_log_group.notify_slack_lambda` |
| | `module.cloudwatch_dead_letter_slack.aws_iam_policy.notify_slack_lambda` |
| | `module.cloudwatch_dead_letter_slack.aws_iam_role.notify_slack_lambda` |
| | `module.cloudwatch_dead_letter_slack.aws_iam_role_policy_attachment.notify_slack_lambda` |
| | `module.cloudwatch_dead_letter_slack.aws_lambda_function.notify_slack` |
| | `module.cloudwatch_dead_letter_slack.aws_lambda_permission.notify_slack[0]` |
| update | `module.url_shortener_lambda.aws_lambda_function.this` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # aws_sns_topic.lambda_dead_letter will be created
  + resource "aws_sns_topic" "lambda_dead_letter" {
      + arn                         = (known after apply)
      + content_based_deduplication = false
      + fifo_topic                  = false
      + id                          = (known after apply)
      + name                        = "cloudwatch-alarms-lambda-dead-letter"
      + name_prefix                 = (known after apply)
      + owner                       = (known after apply)
      + policy                      = (known after apply)
      + tags_all                    = (known after apply)
    }

  # aws_sns_topic_subscription.alert_lambda_dead_letter will be created
  + resource "aws_sns_topic_subscription" "alert_lambda_dead_letter" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = (known after apply)
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "lambda"
      + raw_message_delivery            = false
      + topic_arn                       = (known after apply)
    }

  # module.cloudwatch_dead_letter_slack.data.aws_iam_policy_document.notify_slack_lambda will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "notify_slack_lambda" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "logs:CreateLogStream",
              + "logs:PutLogEvents",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
    }

  # module.cloudwatch_dead_letter_slack.aws_cloudwatch_log_group.notify_slack_lambda will be created
  + resource "aws_cloudwatch_log_group" "notify_slack_lambda" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + name              = "/aws/lambda/url-shortener-cloudwatch-alarms-slack"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "url-shortener-staging"
        }
      + tags_all          = {
          + "CostCentre" = "url-shortener-staging"
        }
    }

  # module.cloudwatch_dead_letter_slack.aws_iam_policy.notify_slack_lambda will be created
  + resource "aws_iam_policy" "notify_slack_lambda" {
      + arn       = (known after apply)
      + id        = (known after apply)
      + name      = "NotifySlackLambda-url-shortener-cloudwatch-alarms-slack"
      + path      = "/"
      + policy    = (known after apply)
      + policy_id = (known after apply)
      + tags_all  = (known after apply)
    }

  # module.cloudwatch_dead_letter_slack.aws_iam_role.notify_slack_lambda will be created
  + resource "aws_iam_role" "notify_slack_lambda" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "lambda.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "NotifySlackLambda-url-shortener-cloudwatch-alarms-slack"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # module.cloudwatch_dead_letter_slack.aws_iam_role_policy_attachment.notify_slack_lambda will be created
  + resource "aws_iam_role_policy_attachment" "notify_slack_lambda" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "NotifySlackLambda-url-shortener-cloudwatch-alarms-slack"
    }

  # module.cloudwatch_dead_letter_slack.aws_lambda_function.notify_slack will be created
  + resource "aws_lambda_function" "notify_slack" {
      + architectures                  = (known after apply)
      + arn                            = (known after apply)
      + description                    = "Lambda function to post CloudWatch alarm notifications to a Slack channel."
      + filename                       = "/tmp/notify_slack.py.zip"
      + function_name                  = "url-shortener-cloudwatch-alarms-slack"
      + handler                        = "notify_slack.lambda_handler"
      + id                             = (known after apply)
      + invoke_arn                     = (known after apply)
      + last_modified                  = (known after apply)
      + memory_size                    = 128
      + package_type                   = "Zip"
      + publish                        = false
      + qualified_arn                  = (known after apply)
      + qualified_invoke_arn           = (known after apply)
      + reserved_concurrent_executions = -1
      + role                           = (known after apply)
      + runtime                        = "python3.8"
      + signing_job_arn                = (known after apply)
      + signing_profile_version_arn    = (known after apply)
      + source_code_hash               = "iC0Ta5b8fs9u6i/c3LA3/Tk8BUHfS6Jgq4NF8At0CBo="
      + source_code_size               = (known after apply)
      + tags                           = {
          + "CostCentre" = "url-shortener-staging"
        }
      + tags_all                       = {
          + "CostCentre" = "url-shortener-staging"
        }
      + timeout                        = 30
      + version                        = (known after apply)

      + environment {
          + variables = {
              + "LOG_EVENTS"        = "True"
              + "PROJECT_NAME"      = "url-shortener"
              + "SLACK_WEBHOOK_URL" = (sensitive value)
            }
        }

      + ephemeral_storage {
          + size = (known after apply)
        }

      + tracing_config {
          + mode = (known after apply)
        }
    }

  # module.cloudwatch_dead_letter_slack.aws_lambda_permission.notify_slack[0] will be created
  + resource "aws_lambda_permission" "notify_slack" {
      + action              = "lambda:InvokeFunction"
      + function_name       = "url-shortener-cloudwatch-alarms-slack"
      + id                  = (known after apply)
      + principal           = "sns.amazonaws.com"
      + source_arn          = (known after apply)
      + statement_id        = "AllowExecutionFromSNS-url-shortener-cloudwatch-alarms-slack-0"
      + statement_id_prefix = (known after apply)
    }

  # module.url_shortener_lambda.aws_lambda_function.this will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "url-shortener-api"
        tags                           = {
            "CostCentre" = "url-shortener-staging"
            "Terraform"  = "true"
        }
        # (19 unchanged attributes hidden)

      + dead_letter_config {
          + target_arn = (known after apply)
        }

        # (4 unchanged blocks hidden)
    }

Plan: 8 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.lambda_dead_letter"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_dead_letter_slack.aws_cloudwatch_log_group.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_dead_letter_slack.aws_iam_policy.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_dead_letter_slack.aws_iam_role.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_dead_letter_slack.aws_lambda_function.notify_slack"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_cloudwatch_log_group.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_policy.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_role.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder"]

26 tests, 17 passed, 9 warnings, 0 failures, 0 exceptions
```

sylviamclaughlin commented 1 year ago

Closing this PR since we are not invoking lambda functions asynchronously.