kunduso · kunduso · Nov 25, 2024 · Nov 22, 2024 · Nov 22, 2024 · Nov 22, 2024
diff --git a/cloudwatch.tf b/cloudwatch.tf
@@ -1,6 +1,6 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group
 resource "aws_cloudwatch_log_group" "lambda_log" {
-  name              = "${var.log_group_prefix}${var.name}" #"/aws/lambda/${var.name}"
+  name              = "${var.log_group_prefix}${var.name}"
   retention_in_days = 365
   kms_key_id        = aws_kms_key.encryption.arn
 }

diff --git a/iam_role.tf b/iam_role.tf
@@ -63,4 +63,11 @@ resource "aws_iam_policy" "lambda_policy" {
 resource "aws_iam_role_policy_attachment" "lambda_policy_attachement" {
   role       = aws_iam_role.lambda_role.name
   policy_arn = aws_iam_policy.lambda_policy.arn
+}
+#https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#configuration-vpc-permissions
+#https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaVPCAccessExecutionRole.html
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
+resource "aws_iam_role_policy_attachment" "managed_vpc_policy_attachement" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
diff --git a/lambda.tf b/lambda.tf
@@ -18,6 +18,10 @@ resource "aws_lambda_function" "lambda_run" {
     log_group        = aws_cloudwatch_log_group.lambda_log.name
     system_log_level = "INFO"
   }
+  vpc_config {
+    subnet_ids         = [for subnet in module.vpc.private_subnets : subnet.id]
+    security_group_ids = [aws_security_group.lambda.id]
+  }
   environment {
     variables = {
       parameter_name  = aws_ssm_parameter.parameter.name
@@ -31,7 +35,6 @@ resource "aws_lambda_function" "lambda_run" {
   }
   reserved_concurrent_executions = 5
   #checkov:skip=CKV_AWS_50: Not applicable in this use case: X-Ray tracing is enabled for Lambda
-  #checkov:skip=CKV_AWS_117: This AWS Lambda function does not require access to anything inside a VPC
   #checkov:skip=CKV_AWS_272: Not applicable in this use case: Ensure AWS Lambda function is configured to validate code-signing
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule

diff --git a/security_group.tf b/security_group.tf
@@ -0,0 +1,19 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+resource "aws_security_group" "lambda" {
+  name        = "${var.name}-lambda-sg"
+  description = "Security group for Lambda in ${var.name}"
+  vpc_id      = module.vpc.vpc.id
+  tags = {
+    "Name" = "${var.name}-lambda-sg"
+  }
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+resource "aws_security_group_rule" "egress_vpc_endpoint_lambda" {
+  description              = "allow traffic from vpc-endpoint to reach lambda"
+  type                     = "egress"
+  from_port                = 443
+  to_port                  = 443
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.endpoint_sg.id
+  security_group_id        = aws_security_group.lambda.id
+}
diff --git a/variables.tf b/variables.tf
@@ -27,4 +27,14 @@ variable "log_group_prefix" {
   description = "The name of the log group."
   type        = string
   default     = "/aws/lambda/"
+}
+variable "vpc_cidr" {
+  description = "The CIDR of the VPC."
+  type        = string
+  default     = "12.25.15.0/25"
+}
+variable "subnet_cidr_private" {
+  description = "The CIDR blocks for the private subnets."
+  type        = list(any)
+  default     = ["12.25.15.0/27", "12.25.15.32/27", "12.25.15.64/27"]
 }
diff --git a/vpc.tf b/vpc.tf
@@ -0,0 +1,12 @@
+module "vpc" {
+  #CKV_TF_1: Ensure Terraform module sources use a commit hash
+  #checkov:skip=CKV_TF_1: This is a self hosted module where the version number is tagged rather than the commit hash.
+  source               = "github.com/kunduso/terraform-aws-vpc?ref=v1.0.2"
+  region               = var.region
+  vpc_cidr             = var.vpc_cidr
+  enable_dns_support   = "true"
+  enable_dns_hostnames = "true"
+  vpc_name             = var.name
+  subnet_cidr_private  = var.subnet_cidr_private
+  enable_flow_log      = "true"
+}
diff --git a/vpc_endpoint.tf b/vpc_endpoint.tf
@@ -0,0 +1,43 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+resource "aws_security_group" "endpoint_sg" {
+  name        = "endpoint_access"
+  description = "allow inbound traffic"
+  vpc_id      = module.vpc.vpc.id
+  tags = {
+    "Name" = "${var.name}-endpoint-sg"
+  }
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+resource "aws_security_group_rule" "ingress_vpc_endpoint" {
+  description       = "Enable access for the endpoints."
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = [module.vpc.vpc.cidr_block]
+  security_group_id = aws_security_group.endpoint_sg.id
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint
+resource "aws_vpc_endpoint" "logs" {
+  vpc_id              = module.vpc.vpc.id
+  service_name        = "com.amazonaws.${var.region}.logs"
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = [for subnet in module.vpc.private_subnets : subnet.id]
+  security_group_ids  = [aws_security_group.endpoint_sg.id]
+  private_dns_enabled = true
+  tags = {
+    "Name" = "${var.name}-logs"
+  }
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint
+resource "aws_vpc_endpoint" "ssm" {
+  vpc_id              = module.vpc.vpc.id
+  service_name        = "com.amazonaws.${var.region}.ssm"
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = [for subnet in module.vpc.private_subnets : subnet.id]
+  security_group_ids  = [aws_security_group.endpoint_sg.id]
+  private_dns_enabled = true
+  tags = {
+    "Name" = "${var.name}-ssm"
+  }
+}