Merge branch '11-code-review-of-poc' into 'master'

Resolve "Code review of POC"

Closes #11

See merge request edebrye/cloud-monitor!14

.gitlab-ci.yml

 image: 
-  name: hashicorp/terraform:0.14.8
+  name: hashicorp/terraform:0.14.9
   entrypoint:
     - '/usr/bin/env'
     - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@@ -9,26 +9,17 @@ stages:
   - Staging Plan
   - Staging Apply
   - Integration Test
-  - Production Plan
-  - Production Apply
   - Destroy
 
-Test and Lint:
-  stage: Test and Lint
-  script:
-    - echo "test to do"
-  rules:
-    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^(master|production)$/ || $CI_COMMIT_BRANCH =~ /^(master|production)$/'
-
 Validate Terraform:
   stage: Test and Lint
   script:
     - cd deploy/
+    - terraform fmt -check -recursive
     - terraform init -backend=false
     - terraform validate
-    - terraform fmt -check
   rules:
-    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^(master|production)$/ || $CI_COMMIT_BRANCH =~ /^(master|production)$/'
+    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^(master)$/ || $CI_COMMIT_BRANCH =~ /^(master)$/'
 
 Staging Plan:
   stage: Staging Plan
@@ -36,9 +27,9 @@ Staging Plan:
     - cd deploy/
     - terraform init
     - terraform workspace select staging || terraform workspace new staging
-    - terraform plan
+    - terraform plan -var-file=vars/staging.tfvars
   rules:
-    - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
+    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^(master)$/ || $CI_COMMIT_BRANCH =~ /^(master)$/'
 
 Staging Apply:
   stage: Staging Apply
@@ -50,28 +41,28 @@ Staging Apply:
     - cd -
     - terraform init
     - terraform workspace select staging
-    - terraform apply -auto-approve
+    - terraform apply -var-file=vars/staging.tfvars -auto-approve
     - echo "API_ENDPOINT=$(terraform output -raw api_endpoint)" >> ../deploy.env
   artifacts:
     reports:
       dotenv: deploy.env
   rules:
-    - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
+    - if: '$CI_COMMIT_BRANCH =~ /^(master)$/'
 
 Integration Tests:
   stage: Integration Test
   image: 
-    name: postman/newman
+    name: postman/newman:5
     entrypoint: [""]
   script:
     - newman run Lambda_CRUD.postman_collection.json --env-var "endpoint=$API_ENDPOINT"
   rules:
-    - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
+    - if: '$CI_COMMIT_BRANCH =~ /^(master)$/'
 
 Load Tests:
   stage: Integration Test
   image: 
-    name: peterevans/vegeta
+    name: peterevans/vegeta:6.9
     entrypoint: [""]
   script:
     - echo "GET $API_ENDPOINT/crud" | vegeta attack -duration=3s -rate=100/s | vegeta report
@@ -79,47 +70,16 @@ Load Tests:
     - echo "PATCH $API_ENDPOINT/crud" | vegeta attack -duration=3s -rate=100/s | vegeta report
     - echo "DELETE $API_ENDPOINT/crud" | vegeta attack -duration=3s -rate=100/s | vegeta report
   rules:
-    - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
+    - if: '$CI_COMMIT_BRANCH =~ /^(master)$/'
       when: manual
 
-Production Plan:
-  stage: Production Plan
-  script:
-    - cd deploy/
-    - terraform init
-    - terraform workspace select production || terraform workspace new production
-    - terraform plan
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "production"'
-
-Production Apply:
-  stage: Production Apply
-  script:
-    - cd deploy/
-    - terraform init
-    - terraform workspace select production
-    - terraform apply -auto-approve
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "production"'
-
 Staging Destroy:
   stage: Destroy
   script:
     - cd deploy/
     - terraform init
     - terraform workspace select staging
-    - terraform destroy -auto-approve
-  rules: 
-    - if: '$CI_COMMIT_BRANCH =~ /^(master|production)$/'
-      when: manual
-
-Production Destroy:
-  stage: Destroy
-  script:
-    - cd deploy/
-    - terraform init
-    - terraform workspace select production
-    - terraform destroy -auto-approve
+    - terraform destroy -var-file=vars/staging.tfvars -auto-approve
   rules: 
-    - if: '$CI_COMMIT_BRANCH == "production"'
+    - if: '$CI_COMMIT_BRANCH =~ /^(master)$/'
       when: manual

deploy/.terraform.lock.hcl

@@ -3,7 +3,7 @@
 
 provider "registry.terraform.io/hashicorp/archive" {
   version     = "2.1.0"
-  constraints = ">= 2.1.0"
+  constraints = "~> 2.1"
   hashes = [
     "h1:K4Q9hmTnCrGbXZBq2hf6CbekHx5oXFwPBmWOwAPNqtM=",
     "h1:Rjd4bHMA69V+16tiriAUTW8vvqoljzNLmEaRBCgzpUs=",
@@ -23,39 +23,22 @@ provider "registry.terraform.io/hashicorp/archive" {
 }
 
 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "3.30.0"
-  constraints = ">= 3.30.0"
+  version     = "3.33.0"
+  constraints = "~> 3.30"
   hashes = [
-    "h1:H1Vg0BX4XMIQAE6NEOR95wst+ETcrv/tSwz+m04rszE=",
-    "h1:PmKa3uxO2mDA5FJfGmpX+4e0x70vFLV5Ka9NxkuMpUo=",
-    "h1:z9kdXY2A/+dIZrPy9hNlg/B5I/AuETQsp0jz9EgprIQ=",
-    "zh:01f562a6a31fe46a8ca74804f360e3452b26f71abc549ce1f0ab5a8af2484cdf",
-    "zh:25bacc5ed725051f0ab1f7d575e45c901e5b8e1d50da4156a31dda92b2b7e481",
-    "zh:349b79979d9169db614d8ebd1bc2e0caeb7a38dc816e261b8b2b4b5204615519",
-    "zh:5e41446acc54c6fc15e82c3fa14b72174b30eba81e0711ede297e5620c55a628",
-    "zh:68ad98f6d612bdc35a65d48950abc8e75c69decb49db28258ce8eeb5458586b7",
-    "zh:704603d65e8bac17d203b57c2db142c3134a91076e1b4a31c40f75eb3257dde8",
-    "zh:a362c700032b2db047d16007d52f28b3f216d32671b6b355d23bdaa082c66a4b",
-    "zh:bd197797b41268de3c93cad02b7c655dc0c4d8661abb37544ca049e6b1eccae6",
-    "zh:deb12ef0e3396a71d485977ddc14b695775f7937097ebf2b2f53ed348a4365e7",
-    "zh:ec8a7d0f02738f290107d39bf401d68ddce82a95cd9d998003f7e04b3a196411",
-    "zh:ffcc43b6c5e7f26c55e2a8c539d7370fca8042722400a3e06bdce4240bd7088a",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/template" {
-  version = "2.2.0"
-  hashes = [
-    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
-    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
-    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
-    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
-    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
-    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
-    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
-    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
-    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
-    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
-    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+    "h1:4+2CO4Pb3BKwI0MD+DBmnX5GFsYTs47y6w4/kQbPJIQ=",
+    "h1:UJcZV5+xJmHHDCsm+s8+xMonccZvVD0jdGwHAoi7nJg=",
+    "h1:dfszrcpjXjaZN3XsCz7TWhucZkNxZ6AVyoL890K+RdI=",
+    "zh:0e89b10323a59de9dd6f286423cc172cb1733683d654c886493c3bd4e43e6290",
+    "zh:288df55f0f4fac1e920cfa61616ac42a4e4414bd7a637902db03d0c7101f14ca",
+    "zh:303c9136c5bf97e6c1deda6e27f0d0931fe0eaaab547bf219b996623fb0ad522",
+    "zh:457a5da9f323e2781942df534153d000ea81727798ee0771177009d84b04aad7",
+    "zh:857fa3e29cc25ace76556a5edfded41628a3380cebf457e627576a83084852f8",
+    "zh:85e1eb383372f834630fac7b02ec9ae1e33d24d61cf5a7d832583a16e6b5add4",
+    "zh:9dd01eb05ac73146ac5f25421b7683fe4bffec23e408162887e1265f9bfe8462",
+    "zh:b1561e1335754ec93a54f45c18dc1cab70f38bc08adf244d793791134f5641ef",
+    "zh:bb96f57b80e3d94ee4bc05a5450fdd796424272b46cfc67ff9d094d5316c5fac",
+    "zh:e4ce241d8b5dd1124dc0f1da6c0840ab777de8717dac6e76afbbad9883f5ce34",
+    "zh:f2b292e813844d6d611db89017fc420ac05f2e3b25324e3c893481d375e23396",
   ]
 }

deploy/api-gateway.tf → deploy/api_gateway.tf

 resource "aws_api_gateway_rest_api" "main" {
   name        = "${local.prefix}-main"
   description = "Internet facing API in order to access Lambda for DynamoDB CRUD operations"
+  tags        = local.common_tags
 }
 
 resource "aws_api_gateway_resource" "access" {
@@ -56,6 +57,7 @@ resource "aws_lambda_permission" "crud" {
   # within the API Gateway REST API.
   source_arn = "${aws_api_gateway_rest_api.main.execution_arn}/*/*"
 }
+
 resource "aws_lambda_permission" "index" {
   statement_id  = "AllowAPIGatewayInvoke"
   action        = "lambda:InvokeFunction"
@@ -76,6 +78,7 @@ resource "aws_api_gateway_deployment" "main" {
   }
 
   rest_api_id = aws_api_gateway_rest_api.main.id
+
   lifecycle {
     create_before_destroy = true
   }
@@ -89,6 +92,10 @@ resource "aws_api_gateway_stage" "main" {
   tags                 = local.common_tags
 }
 
+output "api_endpoint" {
+  value = aws_api_gateway_stage.main.invoke_url
+}
+
 resource "aws_api_gateway_method_settings" "general_settings" {
   rest_api_id = aws_api_gateway_rest_api.main.id
   stage_name  = aws_api_gateway_stage.main.stage_name

deploy/cloudwatch_alarms.tf

@@ -83,4 +83,4 @@ resource "aws_lambda_permission" "with_sns" {
   function_name = aws_lambda_function.slack.arn
   principal     = "sns.amazonaws.com"
   source_arn    = data.aws_sns_topic.cloudmon.arn
-}
+}
\ No newline at end of file

deploy/cloudwatch_api_logs.tf

 locals {
   API_GATEWAY_LOG_GROUP = "API-Gateway-Execution-Logs_${split("-", aws_api_gateway_stage.main.id)[1]}/${aws_api_gateway_stage.main.stage_name}"
 }
+
 output "log_groupe_name" {
   value = local.API_GATEWAY_LOG_GROUP
 }
+
 resource "aws_lambda_function" "logs" {
   filename                       = data.archive_file.lambda_logs_file.output_path
   function_name                  = "${local.prefix}-logs-apigw"
@@ -59,8 +61,7 @@ data "archive_file" "lambda_logs_event_file" {
 }
 
 resource "aws_iam_role" "iam_for_lambda_logs" {
-  name = "${local.prefix}-lambda-admin-cloudwatch-logs"
-
+  name               = "${local.prefix}-lambda-admin-cloudwatch-logs"
   assume_role_policy = file("./templates/lambda/assume-role-policy.json")
 }
 
@@ -72,4 +73,4 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_FA" {
 resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_FA" {
   role       = aws_iam_role.iam_for_lambda_logs.name
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
-}
+}
\ No newline at end of file

deploy/dashboard.tf

@@ -11,7 +11,3 @@ resource "aws_cloudwatch_dashboard" "main" {
 
   })
 }
-
-output "dashboard_json" {
-  value = aws_cloudwatch_dashboard.main.dashboard_body
-}
\ No newline at end of file

deploy/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.7'
 
 services:
   terraform:
-    image: hashicorp/terraform:0.14.8
+    image: hashicorp/terraform:0.14.9
     volumes:
       - .:/infra
     working_dir: /infra

deploy/dynamodb.tf

@@ -2,13 +2,21 @@ resource "aws_dynamodb_table" "main" {
   name           = "${local.prefix}-main-db"
   hash_key       = "ID"
   billing_mode   = "PROVISIONED"
-  write_capacity = 5
-  read_capacity  = 5
+  read_capacity  = var.dynamodb_read_capacity
+  write_capacity = var.dynamodb_write_capacity
 
   attribute {
     name = "ID"
     type = "S"
   }
 
+  point_in_time_recovery {
+    enabled = var.dynamodb_enable_pitr
+  }
+
   tags = local.common_tags
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }

deploy/lambda.tf

@@ -46,11 +46,10 @@ resource "aws_lambda_function" "index" {
   tags = local.common_tags
 }
 
-
 resource "aws_iam_role" "iam_for_lambda" {
-  name = "${local.prefix}-lambda"
-
+  name               = "${local.prefix}-lambda"
   assume_role_policy = file("./templates/lambda/assume-role-policy.json")
+  tags               = local.common_tags
 }
 
 # See also the following AWS managed policy: AWSLambdaBasicExecutionRole
@@ -58,8 +57,7 @@ resource "aws_iam_policy" "lambda_logging" {
   name        = "${local.prefix}-lambda_logging"
   path        = "/"
   description = "IAM policy for logging from a lambda"
-
-  policy = file("./templates/lambda/lambda-policy.json")
+  policy      = file("./templates/lambda/lambda-policy.json")
 }
 
 resource "aws_iam_role_policy_attachment" "lambda_logs" {

deploy/main.tf

 terraform {
 
   backend "s3" {
-    bucket         = "edebrye-cloud-monitor-tfstate"
-    key            = "cloud-monitor-app.tfstate"
-    region         = "eu-west-1"
-    encrypt        = true
-    dynamodb_table = "edebrye-cloud-monitor-tfstate-lock"
+    bucket               = "edebrye-cloud-monitor-tfstate"
+    key                  = "cloud-monitor-app.tfstate"
+    region               = "eu-west-1"
+    encrypt              = true
+    dynamodb_table       = "edebrye-cloud-monitor-tfstate-lock"
+    workspace_key_prefix = ""
   }
 
   required_providers {
     aws = {
-      version = ">= 3.30.0"
+      version = "~> 3.30"
       source  = "hashicorp/aws"
     }
 
     archive = {
-      version = ">=2.1.0"
+      version = "~> 2.1"
       source  = "hashicorp/archive"
     }
   }
@@ -49,4 +50,4 @@ locals {
   }
 }
 
-data "aws_region" "current" {}
+data "aws_region" "current" {}
\ No newline at end of file

deploy/outputs.tf

-output "api_endpoint" {
-  value = aws_api_gateway_stage.main.invoke_url
-}
\ No newline at end of file

deploy/variables.tf

@@ -19,11 +19,23 @@ variable "aws_region" {
 }
 
 variable "slack_webhook_url" {
-  sensitive = true
   type      = string
+  sensitive = true
 }
 
 variable "sns_topic_name" {
-  default = "edebrye-cloudmon"
   type    = string
+  default = "edebrye-cloudmon"
+}
+
+variable "dynamodb_read_capacity" {
+  type = number
+}
+
+variable "dynamodb_write_capacity" {
+  type = number
+}
+
+variable "dynamodb_enable_pitr" {
+  type = bool
 }

deploy/vars/staging.tfvars

+dynamodb_read_capacity  = 5
+dynamodb_write_capacity = 5
+dynamodb_enable_pitr    = true

deploy/xray.tf

@@ -2,4 +2,4 @@ resource "aws_xray_group" "main" {
   group_name        = "${local.prefix}-group"
   filter_expression = "http.url CONTAINS \"${aws_api_gateway_stage.main.invoke_url}\""
   tags              = local.common_tags
-}
+}
\ No newline at end of file