diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 09180238cdf5216f656a4e0c94ca5ee81db861e5..9873f784b92a06d48beaaca254b04d157fd37686 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,5 @@
image:
- name: hashicorp/terraform:0.14.8
+ name: hashicorp/terraform:0.14.9
entrypoint:
- '/usr/bin/env'
- 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@@ -9,26 +9,17 @@ stages:
- Staging Plan
- Staging Apply
- Integration Test
- - Production Plan
- - Production Apply
- Destroy
-Test and Lint:
- stage: Test and Lint
- script:
- - echo "test to do"
- rules:
- - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^(master|production)$/ || $CI_COMMIT_BRANCH =~ /^(master|production)$/'
-
Validate Terraform:
stage: Test and Lint
script:
- cd deploy/
+ - terraform fmt -check -recursive
- terraform init -backend=false
- terraform validate
- - terraform fmt -check
rules:
- - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^(master|production)$/ || $CI_COMMIT_BRANCH =~ /^(master|production)$/'
+ - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^(master)$/ || $CI_COMMIT_BRANCH =~ /^(master)$/'
Staging Plan:
stage: Staging Plan
@@ -36,9 +27,9 @@ Staging Plan:
- cd deploy/
- terraform init
- terraform workspace select staging || terraform workspace new staging
- - terraform plan
+ - terraform plan -var-file=vars/staging.tfvars
rules:
- - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
+ - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^(master)$/ || $CI_COMMIT_BRANCH =~ /^(master)$/'
Staging Apply:
stage: Staging Apply
@@ -50,28 +41,28 @@ Staging Apply:
- cd -
- terraform init
- terraform workspace select staging
- - terraform apply -auto-approve
+ - terraform apply -var-file=vars/staging.tfvars -auto-approve
- echo "API_ENDPOINT=$(terraform output -raw api_endpoint)" >> ../deploy.env
artifacts:
reports:
dotenv: deploy.env
rules:
- - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
+ - if: '$CI_COMMIT_BRANCH =~ /^(master)$/'
Integration Tests:
stage: Integration Test
image:
- name: postman/newman
+ name: postman/newman:5
entrypoint: [""]
script:
- newman run Lambda_CRUD.postman_collection.json --env-var "endpoint=$API_ENDPOINT"
rules:
- - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
+ - if: '$CI_COMMIT_BRANCH =~ /^(master)$/'
Load Tests:
stage: Integration Test
image:
- name: peterevans/vegeta
+ name: peterevans/vegeta:6.9
entrypoint: [""]
script:
- echo "GET $API_ENDPOINT/crud" | vegeta attack -duration=3s -rate=100/s | vegeta report
@@ -79,47 +70,16 @@ Load Tests:
- echo "PATCH $API_ENDPOINT/crud" | vegeta attack -duration=3s -rate=100/s | vegeta report
- echo "DELETE $API_ENDPOINT/crud" | vegeta attack -duration=3s -rate=100/s | vegeta report
rules:
- - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
+ - if: '$CI_COMMIT_BRANCH =~ /^(master)$/'
when: manual
-Production Plan:
- stage: Production Plan
- script:
- - cd deploy/
- - terraform init
- - terraform workspace select production || terraform workspace new production
- - terraform plan
- rules:
- - if: '$CI_COMMIT_BRANCH == "production"'
-
-Production Apply:
- stage: Production Apply
- script:
- - cd deploy/
- - terraform init
- - terraform workspace select production
- - terraform apply -auto-approve
- rules:
- - if: '$CI_COMMIT_BRANCH == "production"'
-
Staging Destroy:
stage: Destroy
script:
- cd deploy/
- terraform init
- terraform workspace select staging
- - terraform destroy -auto-approve
- rules:
- - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
- when: manual
-
-Production Destroy:
- stage: Destroy
- script:
- - cd deploy/
- - terraform init
- - terraform workspace select production
- - terraform destroy -auto-approve
+ - terraform destroy -var-file=vars/staging.tfvars -auto-approve
rules:
- - if: '$CI_COMMIT_BRANCH == "production"'
+ - if: '$CI_COMMIT_BRANCH =~ /^(master)$/'
when: manual
diff --git a/deploy/.terraform.lock.hcl b/deploy/.terraform.lock.hcl
index 5faf07bdb2dce9e789687584079d24a62e4e24ed..e1ec1ea8b12df7a000c4c1d4f7a069b802d284df 100644
--- a/deploy/.terraform.lock.hcl
+++ b/deploy/.terraform.lock.hcl
@@ -3,7 +3,7 @@
provider "registry.terraform.io/hashicorp/archive" {
version = "2.1.0"
- constraints = ">= 2.1.0"
+ constraints = "~> 2.1"
hashes = [
"h1:K4Q9hmTnCrGbXZBq2hf6CbekHx5oXFwPBmWOwAPNqtM=",
"h1:Rjd4bHMA69V+16tiriAUTW8vvqoljzNLmEaRBCgzpUs=",
@@ -23,39 +23,22 @@ provider "registry.terraform.io/hashicorp/archive" {
}
provider "registry.terraform.io/hashicorp/aws" {
- version = "3.30.0"
- constraints = ">= 3.30.0"
+ version = "3.33.0"
+ constraints = "~> 3.30"
hashes = [
- "h1:H1Vg0BX4XMIQAE6NEOR95wst+ETcrv/tSwz+m04rszE=",
- "h1:PmKa3uxO2mDA5FJfGmpX+4e0x70vFLV5Ka9NxkuMpUo=",
- "h1:z9kdXY2A/+dIZrPy9hNlg/B5I/AuETQsp0jz9EgprIQ=",
- "zh:01f562a6a31fe46a8ca74804f360e3452b26f71abc549ce1f0ab5a8af2484cdf",
- "zh:25bacc5ed725051f0ab1f7d575e45c901e5b8e1d50da4156a31dda92b2b7e481",
- "zh:349b79979d9169db614d8ebd1bc2e0caeb7a38dc816e261b8b2b4b5204615519",
- "zh:5e41446acc54c6fc15e82c3fa14b72174b30eba81e0711ede297e5620c55a628",
- "zh:68ad98f6d612bdc35a65d48950abc8e75c69decb49db28258ce8eeb5458586b7",
- "zh:704603d65e8bac17d203b57c2db142c3134a91076e1b4a31c40f75eb3257dde8",
- "zh:a362c700032b2db047d16007d52f28b3f216d32671b6b355d23bdaa082c66a4b",
- "zh:bd197797b41268de3c93cad02b7c655dc0c4d8661abb37544ca049e6b1eccae6",
- "zh:deb12ef0e3396a71d485977ddc14b695775f7937097ebf2b2f53ed348a4365e7",
- "zh:ec8a7d0f02738f290107d39bf401d68ddce82a95cd9d998003f7e04b3a196411",
- "zh:ffcc43b6c5e7f26c55e2a8c539d7370fca8042722400a3e06bdce4240bd7088a",
- ]
-}
-
-provider "registry.terraform.io/hashicorp/template" {
- version = "2.2.0"
- hashes = [
- "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
- "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
- "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
- "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
- "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
- "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
- "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
- "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
- "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
- "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
- "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+ "h1:4+2CO4Pb3BKwI0MD+DBmnX5GFsYTs47y6w4/kQbPJIQ=",
+ "h1:UJcZV5+xJmHHDCsm+s8+xMonccZvVD0jdGwHAoi7nJg=",
+ "h1:dfszrcpjXjaZN3XsCz7TWhucZkNxZ6AVyoL890K+RdI=",
+ "zh:0e89b10323a59de9dd6f286423cc172cb1733683d654c886493c3bd4e43e6290",
+ "zh:288df55f0f4fac1e920cfa61616ac42a4e4414bd7a637902db03d0c7101f14ca",
+ "zh:303c9136c5bf97e6c1deda6e27f0d0931fe0eaaab547bf219b996623fb0ad522",
+ "zh:457a5da9f323e2781942df534153d000ea81727798ee0771177009d84b04aad7",
+ "zh:857fa3e29cc25ace76556a5edfded41628a3380cebf457e627576a83084852f8",
+ "zh:85e1eb383372f834630fac7b02ec9ae1e33d24d61cf5a7d832583a16e6b5add4",
+ "zh:9dd01eb05ac73146ac5f25421b7683fe4bffec23e408162887e1265f9bfe8462",
+ "zh:b1561e1335754ec93a54f45c18dc1cab70f38bc08adf244d793791134f5641ef",
+ "zh:bb96f57b80e3d94ee4bc05a5450fdd796424272b46cfc67ff9d094d5316c5fac",
+ "zh:e4ce241d8b5dd1124dc0f1da6c0840ab777de8717dac6e76afbbad9883f5ce34",
+ "zh:f2b292e813844d6d611db89017fc420ac05f2e3b25324e3c893481d375e23396",
]
}
diff --git a/deploy/api-gateway.tf b/deploy/api_gateway.tf
similarity index 96%
rename from deploy/api-gateway.tf
rename to deploy/api_gateway.tf
index f8443d9eb855838b89dd259185a47b6812ba3ba4..7b31edb8c70cebd700d1a002dd897e0e23365bf6 100644
--- a/deploy/api-gateway.tf
+++ b/deploy/api_gateway.tf
@@ -1,6 +1,7 @@
resource "aws_api_gateway_rest_api" "main" {
name = "${local.prefix}-main"
description = "Internet facing API in order to access Lambda for DynamoDB CRUD operations"
+ tags = local.common_tags
}
resource "aws_api_gateway_resource" "access" {
@@ -56,6 +57,7 @@ resource "aws_lambda_permission" "crud" {
# within the API Gateway REST API.
source_arn = "${aws_api_gateway_rest_api.main.execution_arn}/*/*"
}
+
resource "aws_lambda_permission" "index" {
statement_id = "AllowAPIGatewayInvoke"
action = "lambda:InvokeFunction"
@@ -76,6 +78,7 @@ resource "aws_api_gateway_deployment" "main" {
}
rest_api_id = aws_api_gateway_rest_api.main.id
+
lifecycle {
create_before_destroy = true
}
@@ -89,6 +92,10 @@ resource "aws_api_gateway_stage" "main" {
tags = local.common_tags
}
+output "api_endpoint" {
+ value = aws_api_gateway_stage.main.invoke_url
+}
+
resource "aws_api_gateway_method_settings" "general_settings" {
rest_api_id = aws_api_gateway_rest_api.main.id
stage_name = aws_api_gateway_stage.main.stage_name
diff --git a/deploy/cloudwatch_alarms.tf b/deploy/cloudwatch_alarms.tf
index 2aaadeb63c2f4e32eb39bf0f8182204e87467ea1..f3d2ce7a85b47ae63dad4f82b697be94e46b0553 100644
--- a/deploy/cloudwatch_alarms.tf
+++ b/deploy/cloudwatch_alarms.tf
@@ -83,4 +83,4 @@ resource "aws_lambda_permission" "with_sns" {
function_name = aws_lambda_function.slack.arn
principal = "sns.amazonaws.com"
source_arn = data.aws_sns_topic.cloudmon.arn
-}
\ No newline at end of file
+}
diff --git a/deploy/cloudwatch_api_logs.tf b/deploy/cloudwatch_api_logs.tf
index 2120e552377bca8055bd1762d3715e0865187b29..a93dc1e985fd65ce41f63fc330dd013358de8d9b 100644
--- a/deploy/cloudwatch_api_logs.tf
+++ b/deploy/cloudwatch_api_logs.tf
@@ -1,9 +1,11 @@
locals {
API_GATEWAY_LOG_GROUP = "API-Gateway-Execution-Logs_${split("-", aws_api_gateway_stage.main.id)[1]}/${aws_api_gateway_stage.main.stage_name}"
}
+
output "log_groupe_name" {
value = local.API_GATEWAY_LOG_GROUP
}
+
resource "aws_lambda_function" "logs" {
filename = data.archive_file.lambda_logs_file.output_path
function_name = "${local.prefix}-logs-apigw"
@@ -59,8 +61,7 @@ data "archive_file" "lambda_logs_event_file" {
}
resource "aws_iam_role" "iam_for_lambda_logs" {
- name = "${local.prefix}-lambda-admin-cloudwatch-logs"
-
+ name = "${local.prefix}-lambda-admin-cloudwatch-logs"
assume_role_policy = file("./templates/lambda/assume-role-policy.json")
}
@@ -72,4 +73,4 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_FA" {
resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_FA" {
role = aws_iam_role.iam_for_lambda_logs.name
policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
-}
\ No newline at end of file
+}
diff --git a/deploy/dashboard.tf b/deploy/dashboard.tf
index 38486f608acc4324533d9f224ed5a36b665dcff8..2b100c5c6197dcb641a08e5657711e5248695089 100644
--- a/deploy/dashboard.tf
+++ b/deploy/dashboard.tf
@@ -11,7 +11,3 @@ resource "aws_cloudwatch_dashboard" "main" {
})
}
-
-output "dashboard_json" {
- value = aws_cloudwatch_dashboard.main.dashboard_body
-}
\ No newline at end of file
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index beb2ec4c8005312eeac94024a5e2e9b410cca052..e40688ebb268ffec3d21d3e5ddae0e648d2c226f 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3.7'
services:
terraform:
- image: hashicorp/terraform:0.14.8
+ image: hashicorp/terraform:0.14.9
volumes:
- .:/infra
working_dir: /infra
diff --git a/deploy/dynamodb.tf b/deploy/dynamodb.tf
index 5c7f89fef3145bbd653e9c9e1212d83a613b80c9..66d4d049e66d14c35239cbc693ee5fcff90de329 100644
--- a/deploy/dynamodb.tf
+++ b/deploy/dynamodb.tf
@@ -2,13 +2,21 @@ resource "aws_dynamodb_table" "main" {
name = "${local.prefix}-main-db"
hash_key = "ID"
billing_mode = "PROVISIONED"
- write_capacity = 5
- read_capacity = 5
+ read_capacity = var.dynamodb_read_capacity
+ write_capacity = var.dynamodb_write_capacity
attribute {
name = "ID"
type = "S"
}
+ point_in_time_recovery {
+ enabled = var.dynamodb_enable_pitr
+ }
+
tags = local.common_tags
+
+ lifecycle {
+ prevent_destroy = true
+ }
}
diff --git a/deploy/lambda.tf b/deploy/lambda.tf
index 46eb720343150557c3927bef2e348d25c214f479..ee4146e26ac7a657bbca6603736ad0d9d7aaa855 100644
--- a/deploy/lambda.tf
+++ b/deploy/lambda.tf
@@ -46,11 +46,10 @@ resource "aws_lambda_function" "index" {
tags = local.common_tags
}
-
resource "aws_iam_role" "iam_for_lambda" {
- name = "${local.prefix}-lambda"
-
+ name = "${local.prefix}-lambda"
assume_role_policy = file("./templates/lambda/assume-role-policy.json")
+ tags = local.common_tags
}
# See also the following AWS managed policy: AWSLambdaBasicExecutionRole
@@ -58,8 +57,7 @@ resource "aws_iam_policy" "lambda_logging" {
name = "${local.prefix}-lambda_logging"
path = "/"
description = "IAM policy for logging from a lambda"
-
- policy = file("./templates/lambda/lambda-policy.json")
+ policy = file("./templates/lambda/lambda-policy.json")
}
resource "aws_iam_role_policy_attachment" "lambda_logs" {
diff --git a/deploy/main.tf b/deploy/main.tf
index 7f940c066e1a41640ee04fcb71494ecc3d03e646..fe1b750d8c5f37b573dd6594a17f6b0df1e8aed2 100644
--- a/deploy/main.tf
+++ b/deploy/main.tf
@@ -1,21 +1,22 @@
terraform {
backend "s3" {
- bucket = "edebrye-cloud-monitor-tfstate"
- key = "cloud-monitor-app.tfstate"
- region = "eu-west-1"
- encrypt = true
- dynamodb_table = "edebrye-cloud-monitor-tfstate-lock"
+ bucket = "edebrye-cloud-monitor-tfstate"
+ key = "cloud-monitor-app.tfstate"
+ region = "eu-west-1"
+ encrypt = true
+ dynamodb_table = "edebrye-cloud-monitor-tfstate-lock"
+ workspace_key_prefix = ""
}
required_providers {
aws = {
- version = ">= 3.30.0"
+ version = "~> 3.30"
source = "hashicorp/aws"
}
archive = {
- version = ">=2.1.0"
+ version = "~> 2.1"
source = "hashicorp/archive"
}
}
@@ -49,4 +50,4 @@ locals {
}
}
-data "aws_region" "current" {}
\ No newline at end of file
+data "aws_region" "current" {}
diff --git a/deploy/outputs.tf b/deploy/outputs.tf
deleted file mode 100644
index 2fae12f26feb0bc189626f902557918b2b3bd98c..0000000000000000000000000000000000000000
--- a/deploy/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "api_endpoint" {
- value = aws_api_gateway_stage.main.invoke_url
-}
\ No newline at end of file
diff --git a/deploy/variables.tf b/deploy/variables.tf
index 2cb2f1aa25838b3b3157512e380b2b5a17cf9d83..13fa0d6466eb8c60bcfc1b3074029ccd9c9128b9 100644
--- a/deploy/variables.tf
+++ b/deploy/variables.tf
@@ -19,11 +19,23 @@ variable "aws_region" {
}
variable "slack_webhook_url" {
- sensitive = true
type = string
+ sensitive = true
}
variable "sns_topic_name" {
- default = "edebrye-cloudmon"
type = string
+ default = "edebrye-cloudmon"
+}
+
+variable "dynamodb_read_capacity" {
+ type = number
+}
+
+variable "dynamodb_write_capacity" {
+ type = number
+}
+
+variable "dynamodb_enable_pitr" {
+ type = bool
}
diff --git a/deploy/vars/staging.tfvars b/deploy/vars/staging.tfvars
new file mode 100644
index 0000000000000000000000000000000000000000..6980b79e8433ad023e3dabb12b3863ab49be3100
--- /dev/null
+++ b/deploy/vars/staging.tfvars
@@ -0,0 +1,3 @@
+dynamodb_read_capacity = 5
+dynamodb_write_capacity = 5
+dynamodb_enable_pitr = true
diff --git a/deploy/xray.tf b/deploy/xray.tf
index 0316034dab4213a86cb0df4683eeb654621b5c6d..b336b8615501d9eb00349bf4752fd62a42ee122e 100644
--- a/deploy/xray.tf
+++ b/deploy/xray.tf
@@ -2,4 +2,4 @@ resource "aws_xray_group" "main" {
group_name = "${local.prefix}-group"
filter_expression = "http.url CONTAINS \"${aws_api_gateway_stage.main.invoke_url}\""
tags = local.common_tags
-}
\ No newline at end of file
+}