From 773eda309c6bd2f929bf77c67c9e7e2ccd1611de Mon Sep 17 00:00:00 2001 From: Moritz Zimmer Date: Mon, 16 Sep 2024 09:23:48 +0200 Subject: [PATCH] feat(vpc): added dual-stack support in ipv6 enabled VPCs (#146) --- Makefile | 9 ++ README.md | 9 +- examples/complete/README.md | 6 +- examples/complete/versions.tf | 4 +- examples/container-image/README.md | 6 +- examples/container-image/versions.tf | 4 +- examples/deployment/complete/README.md | 2 +- examples/deployment/complete/versions.tf | 2 +- examples/deployment/container-image/README.md | 6 +- .../deployment/container-image/versions.tf | 4 +- examples/deployment/s3/README.md | 6 +- examples/deployment/s3/versions.tf | 4 +- examples/fixtures/versions.tf | 2 +- .../with-cloudwatch-event-rules/README.md | 6 +- .../with-cloudwatch-event-rules/versions.tf | 4 +- .../README.md | 4 +- .../versions.tf | 4 +- .../dynamodb-with-alias/README.md | 6 +- .../dynamodb-with-alias/versions.tf | 4 +- .../kinesis/README.md | 6 +- .../kinesis/versions.tf | 4 +- .../with-event-source-mappings/sqs/README.md | 6 +- .../sqs/versions.tf | 4 +- examples/with-sns-subscriptions/README.md | 6 +- examples/with-sns-subscriptions/versions.tf | 4 +- examples/with-vpc/README.md | 54 +++++++++++ examples/with-vpc/main.tf | 50 ++++++++++ examples/with-vpc/provider.tf | 8 ++ examples/with-vpc/variables.tf | 4 + examples/with-vpc/versions.tf | 14 +++ main.tf | 94 ++++++++++--------- modules/deployment/README.md | 6 +- modules/deployment/versions.tf | 4 +- variables.tf | 21 ++++- versions.tf | 2 +- 35 files changed, 271 insertions(+), 108 deletions(-) create mode 100644 examples/with-vpc/README.md create mode 100644 examples/with-vpc/main.tf create mode 100644 examples/with-vpc/provider.tf create mode 100644 examples/with-vpc/variables.tf create mode 100644 examples/with-vpc/versions.tf diff --git a/Makefile b/Makefile index fd7dc39..e9d3b71 100644 --- a/Makefile +++ b/Makefile 
@@ -103,6 +103,15 @@ release: check-git-branch bump-version ## Releases a new module version -d "{\"tag_name\":\"$(NEXT_TAG)\",\"generate_release_notes\":true}"; \ fi; +.PHONY: update +update: ## Upgrades Terraform core and providers constraints recursively using https://github.com/minamijoyo/tfupdate + @echo "+ $@" + @command -v tfupdate >/dev/null 2>&1 || { echo >&2 "Please install tfupdate: 'brew install minamijoyo/tfupdate/tfupdate'"; exit 1; } + @tfupdate terraform -v ">= 1.3" -r . + @tfupdate provider aws -v ">= 5.32" -r . + @tfupdate provider archive -v ">= 2.2" -r . + @tfupdate provider null -v ">= 3.2" -r . + .PHONY: help help: ## Display this help screen @grep -E '^[0-9a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' diff --git a/README.md b/README.md index 78cd532..e21c081 100644 --- a/README.md +++ b/README.md @@ -315,6 +315,7 @@ see [examples](examples/deployment) for details. - [with-cloudwatch-logs-subscription](examples/with-cloudwatch-logs-subscription) - [with-event-source-mappings](examples/with-event-source-mappings) - [with-sns-subscriptions](examples/with-sns-subscriptions) +- [with-vpc](examples/with-vpc) ## Bootstrap new projects @@ -344,13 +345,13 @@ should migrate to this module as a drop-in replacement to benefit from new featu | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | ## Modules 
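Review bot: The constraint strings in the new `update` target (`>= 1.3`, `>= 5.32`, `>= 2.2`, `>= 3.2`) are a second copy of what the versions.tf files declare, so the next bump has to be made in both places or the two silently drift. Hoisting them into overridable Makefile variables, e.g. `TF_VERSION ?= ">= 1.3"` and `AWS_PROVIDER_VERSION ?= ">= 5.32"`, and referencing them in the `tfupdate` lines keeps one place to edit and lets a release pass the new constraint on the command line. The `-r .` flag rewrites every module and example recursively, which looks intended here but is worth stating in the `##` help text so a reader of `make help` expects the wide diff.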
@@ -417,6 +418,8 @@ No modules. | [memory\_size](#input\_memory\_size) | Amount of memory in MB your Lambda Function can use at runtime. | `number` | `128` | no | | [package\_type](#input\_package\_type) | The Lambda deployment package type. Valid values are Zip and Image. | `string` | `"Zip"` | no | | [publish](#input\_publish) | Whether to publish creation/change as new Lambda Function Version. | `bool` | `false` | no | +| [replace\_security\_groups\_on\_destroy](#input\_replace\_security\_groups\_on\_destroy) | (Optional) Whether to replace the security groups on the function's VPC configuration prior to destruction. Removing these security group associations prior to function destruction can speed up security group deletion times of AWS's internal cleanup operations. By default, the security groups will be replaced with the default security group in the function's configured VPC. Set the `replacement_security_group_ids` attribute to use a custom list of security groups for replacement. | `bool` | `null` | no | +| [replacement\_security\_group\_ids](#input\_replacement\_security\_group\_ids) | (Optional) List of security group IDs to assign to the function's VPC configuration prior to destruction. `replace_security_groups_on_destroy` must be set to `true` to use this attribute. | `list(string)` | `null` | no | | [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | The amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `-1` | no | | [runtime](#input\_runtime) | The runtime environment for the Lambda function you are uploading. | `string` | `""` | no | | [s3\_bucket](#input\_s3\_bucket) | The S3 bucket location containing the function's deployment package. Conflicts with filename and image\_uri. This bucket must reside in the same AWS region where you are creating the Lambda function. | `string` | `null` | no | 
@@ -429,7 +432,7 @@ No modules. | [tags](#input\_tags) | A mapping of tags to assign to the Lambda function and all resources supporting tags. | `map(string)` | `{}` | no | | [timeout](#input\_timeout) | The amount of time your Lambda Function has to run in seconds. | `number` | `3` | no | | [tracing\_config\_mode](#input\_tracing\_config\_mode) | Tracing config mode of the Lambda function. Can be either PassThrough or Active. | `string` | `null` | no | -| [vpc\_config](#input\_vpc\_config) | Provide this to allow your function to access your VPC (if both 'subnet\_ids' and 'security\_group\_ids' are empty then vpc\_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details). |
object({
security_group_ids = list(string)
subnet_ids = list(string)
})
| `null` | no | +| [vpc\_config](#input\_vpc\_config) | Provide this to allow your function to access your VPC (if both `subnet_ids` and `security_group_ids` are empty then vpc\_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details). |
object({
ipv6_allowed_for_dual_stack = optional(bool, false)
security_group_ids = list(string)
subnet_ids = list(string)
})
| `null` | no | ## Outputs diff --git a/examples/complete/README.md b/examples/complete/README.md index 2b1bfa9..348ba78 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -17,15 +17,15 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.32 | | [random](#requirement\_random) | >= 3.5 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | | [random](#provider\_random) | >= 3.5 | ## Modules diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index 3a07cce..88c6e64 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } random = { source = "hashicorp/random" diff --git a/examples/container-image/README.md b/examples/container-image/README.md index ad0e3ea..0b99e85 100644 --- a/examples/container-image/README.md +++ b/examples/container-image/README.md @@ -17,15 +17,15 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.32 | | [null](#requirement\_null) | >= 3.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | | [null](#provider\_null) | >= 3.2 | ## Modules diff --git a/examples/container-image/versions.tf b/examples/container-image/versions.tf index 82de95e..7dcf91a 100644 
--- a/examples/container-image/versions.tf +++ b/examples/container-image/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } null = { source = "hashicorp/null" diff --git a/examples/deployment/complete/README.md b/examples/deployment/complete/README.md index 0285c0a..f051874 100644 --- a/examples/deployment/complete/README.md +++ b/examples/deployment/complete/README.md @@ -30,7 +30,7 @@ aws s3api put-object --bucket example-ci-{account_id}-{region} --key deployment- | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | | [archive](#requirement\_archive) | >= 2.2 | | [aws](#requirement\_aws) | >= 5.32 | diff --git a/examples/deployment/complete/versions.tf b/examples/deployment/complete/versions.tf index c695c63..228a3fb 100644 --- a/examples/deployment/complete/versions.tf +++ b/examples/deployment/complete/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { diff --git a/examples/deployment/container-image/README.md b/examples/deployment/container-image/README.md index 0b8301a..0ce717f 100644 --- a/examples/deployment/container-image/README.md +++ b/examples/deployment/container-image/README.md @@ -26,15 +26,15 @@ docker push {account_id}.dkr.ecr.{region}.amazonaws.com/with-ecr-deployment:prod | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.32 | | [null](#requirement\_null) | >= 3.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | | [null](#provider\_null) | >= 3.2 | ## Modules 
diff --git a/examples/deployment/container-image/versions.tf b/examples/deployment/container-image/versions.tf index 82de95e..7dcf91a 100644 --- a/examples/deployment/container-image/versions.tf +++ b/examples/deployment/container-image/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } null = { source = "hashicorp/null" diff --git a/examples/deployment/s3/README.md b/examples/deployment/s3/README.md index 49bb960..024503b 100644 --- a/examples/deployment/s3/README.md +++ b/examples/deployment/s3/README.md @@ -24,14 +24,14 @@ aws s3api put-object --bucket example-ci-{account_id}-{region} --key s3-deployme | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | ## Modules diff --git a/examples/deployment/s3/versions.tf b/examples/deployment/s3/versions.tf index ddfcb0e..2731a61 100644 --- a/examples/deployment/s3/versions.tf +++ b/examples/deployment/s3/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } } } diff --git a/examples/fixtures/versions.tf b/examples/fixtures/versions.tf index a579392..2cf639f 100644 --- a/examples/fixtures/versions.tf +++ b/examples/fixtures/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { archive = { diff --git a/examples/with-cloudwatch-event-rules/README.md b/examples/with-cloudwatch-event-rules/README.md index b4bed14..acad0e3 100644 --- a/examples/with-cloudwatch-event-rules/README.md 
+++ b/examples/with-cloudwatch-event-rules/README.md @@ -18,14 +18,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | ## Modules diff --git a/examples/with-cloudwatch-event-rules/versions.tf b/examples/with-cloudwatch-event-rules/versions.tf index ddfcb0e..2731a61 100644 --- a/examples/with-cloudwatch-event-rules/versions.tf +++ b/examples/with-cloudwatch-event-rules/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } } } diff --git a/examples/with-cloudwatch-logs-subscription/README.md b/examples/with-cloudwatch-logs-subscription/README.md index d5a618b..780389d 100644 --- a/examples/with-cloudwatch-logs-subscription/README.md +++ b/examples/with-cloudwatch-logs-subscription/README.md @@ -17,8 +17,8 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers diff --git a/examples/with-cloudwatch-logs-subscription/versions.tf b/examples/with-cloudwatch-logs-subscription/versions.tf index ddfcb0e..2731a61 100644 --- a/examples/with-cloudwatch-logs-subscription/versions.tf +++ b/examples/with-cloudwatch-logs-subscription/versions.tf 
@@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } } } diff --git a/examples/with-event-source-mappings/dynamodb-with-alias/README.md b/examples/with-event-source-mappings/dynamodb-with-alias/README.md index 86860d8..a3c9a27 100644 --- a/examples/with-event-source-mappings/dynamodb-with-alias/README.md +++ b/examples/with-event-source-mappings/dynamodb-with-alias/README.md @@ -18,16 +18,16 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | | [archive](#requirement\_archive) | >= 2.2 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers | Name | Version | |------|---------| | [archive](#provider\_archive) | >= 2.2 | -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | ## Modules diff --git a/examples/with-event-source-mappings/dynamodb-with-alias/versions.tf b/examples/with-event-source-mappings/dynamodb-with-alias/versions.tf index 79354d6..228a3fb 100644 --- a/examples/with-event-source-mappings/dynamodb-with-alias/versions.tf +++ b/examples/with-event-source-mappings/dynamodb-with-alias/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } archive = { source = "hashicorp/archive" diff --git a/examples/with-event-source-mappings/kinesis/README.md b/examples/with-event-source-mappings/kinesis/README.md index 41aab0f..0d097a7 100644 --- a/examples/with-event-source-mappings/kinesis/README.md +++ b/examples/with-event-source-mappings/kinesis/README.md 
@@ -18,16 +18,16 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | | [archive](#requirement\_archive) | >= 2.2 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers | Name | Version | |------|---------| | [archive](#provider\_archive) | >= 2.2 | -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | ## Modules diff --git a/examples/with-event-source-mappings/kinesis/versions.tf b/examples/with-event-source-mappings/kinesis/versions.tf index 79354d6..228a3fb 100644 --- a/examples/with-event-source-mappings/kinesis/versions.tf +++ b/examples/with-event-source-mappings/kinesis/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } archive = { source = "hashicorp/archive" diff --git a/examples/with-event-source-mappings/sqs/README.md b/examples/with-event-source-mappings/sqs/README.md index a2eb23a..5da5c14 100644 --- a/examples/with-event-source-mappings/sqs/README.md +++ b/examples/with-event-source-mappings/sqs/README.md @@ -18,16 +18,16 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | | [archive](#requirement\_archive) | >= 2.2 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers | Name | Version | |------|---------| | [archive](#provider\_archive) | >= 2.2 | -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | ## Modules 
diff --git a/examples/with-event-source-mappings/sqs/versions.tf b/examples/with-event-source-mappings/sqs/versions.tf index 79354d6..228a3fb 100644 --- a/examples/with-event-source-mappings/sqs/versions.tf +++ b/examples/with-event-source-mappings/sqs/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } archive = { source = "hashicorp/archive" diff --git a/examples/with-sns-subscriptions/README.md b/examples/with-sns-subscriptions/README.md index 94683e1..3612917 100644 --- a/examples/with-sns-subscriptions/README.md +++ b/examples/with-sns-subscriptions/README.md @@ -25,16 +25,16 @@ $ cd example-with-sns && make init package plan | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | | [archive](#requirement\_archive) | >= 2.2 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers | Name | Version | |------|---------| | [archive](#provider\_archive) | >= 2.2 | -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.32 | ## Modules diff --git a/examples/with-sns-subscriptions/versions.tf b/examples/with-sns-subscriptions/versions.tf index 79354d6..228a3fb 100644 --- a/examples/with-sns-subscriptions/versions.tf +++ b/examples/with-sns-subscriptions/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.32" } archive = { source = "hashicorp/archive" diff --git a/examples/with-vpc/README.md b/examples/with-vpc/README.md new file mode 100644 index 0000000..a44875d --- /dev/null +++ b/examples/with-vpc/README.md 
@@ -0,0 +1,54 @@ +# Example inside a VPC + +Creates an AWS Lambda function inside a VPC. + +## usage + +``` +terraform init +terraform plan +``` + +Note that this example may create resources which cost money. Run `terraform destroy` to destroy those resources. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.32 | +| [random](#requirement\_random) | >= 3.5 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.32 | +| [random](#provider\_random) | >= 3.5 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [lambda](#module\_lambda) | ../../ | n/a | +| [source](#module\_source) | ../fixtures | n/a | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | + +## Resources + +| Name | Type | +|------|------| +| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [region](#input\_region) | n/a | `string` | `"eu-west-1"` | no | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/with-vpc/main.tf b/examples/with-vpc/main.tf new file mode 100644 index 0000000..7b5a815 --- /dev/null +++ b/examples/with-vpc/main.tf 
@@ -0,0 +1,50 @@ +data "aws_availability_zones" "available" {} + +locals { + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) +} + +module "source" { + source = "../fixtures" +} + +resource "random_pet" "this" { + length = 2 +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.0" + + azs = local.azs + cidr = local.vpc_cidr + enable_ipv6 = true + name = random_pet.this.id + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + private_subnet_ipv6_prefixes = [3, 4, 5] +} + +module "lambda" { + source = "../../" + + architectures = ["arm64"] + description = "Example AWS Lambda function inside a VPC." + ephemeral_storage_size = 512 + filename = module.source.output_path + function_name = random_pet.this.id + handler = "index.handler" + memory_size = 128 + replace_security_groups_on_destroy = true + runtime = "nodejs20.x" + publish = false + snap_start = false + source_code_hash = module.source.output_base64sha256 + timeout = 3 + + vpc_config = { + ipv6_allowed_for_dual_stack = true + security_group_ids = [module.vpc.default_security_group_id] + subnet_ids = module.vpc.private_subnets + } +} \ No newline at end of file diff --git a/examples/with-vpc/provider.tf b/examples/with-vpc/provider.tf new file mode 100644 index 0000000..aab71dc --- /dev/null +++ b/examples/with-vpc/provider.tf @@ -0,0 +1,8 @@ +provider "aws" { + region = var.region + + skip_credentials_validation = true + skip_metadata_api_check = true + skip_region_validation = true + +} diff --git a/examples/with-vpc/variables.tf b/examples/with-vpc/variables.tf new file mode 100644 index 0000000..9e475ae --- /dev/null +++ b/examples/with-vpc/variables.tf @@ -0,0 +1,4 @@ +variable "region" { + default = "eu-west-1" + type = string +} \ No newline at end of file diff --git a/examples/with-vpc/versions.tf b/examples/with-vpc/versions.tf new file mode 100644 index 0000000..88c6e64 --- /dev/null 
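Review bot: In `module "lambda"`, `replace_security_groups_on_destroy = true` is combined with `security_group_ids = [module.vpc.default_security_group_id]`, so by the description this commit gives the new variable the function's security group is replaced at destroy time by the VPC default group — the group it already has — and the example does not exercise the option it appears to demonstrate. A dedicated `aws_security_group` for the function, carrying only the egress the function needs, would both show the replacement happening and keep the function off the VPC default group, whose rules are managed by the vpc module and are not visible in this hunk. Whether that default group currently permits any egress at all cannot be told from here.

```hcl
resource "aws_security_group" "lambda" {
  name_prefix = "${random_pet.this.id}-lambda-"
  vpc_id      = module.vpc.vpc_id
  # add only the egress rules the function actually needs
}

# … unchanged: module "lambda" arguments …
  vpc_config = {
    ipv6_allowed_for_dual_stack = true
    security_group_ids          = [aws_security_group.lambda.id]
    subnet_ids                  = module.vpc.private_subnets
  }
```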
+++ b/examples/with-vpc/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.32"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.5"
+ }
+ }
+}
diff --git a/main.tf b/main.tf
index b21ddbd..d726f38 100644
--- a/main.tf
+++ b/main.tf
@@ -14,26 +14,28 @@ resource "aws_lambda_function" "lambda" {
 count = var.ignore_external_function_updates ? 0 : 1
 depends_on = [aws_cloudwatch_log_group.lambda]
 
- architectures = var.architectures
- description = var.description
- filename = var.filename
- function_name = var.function_name
- handler = local.handler
- image_uri = var.image_uri
- kms_key_arn = var.kms_key_arn
- layers = var.layers
- memory_size = var.memory_size
- package_type = var.package_type
- publish = local.publish
- reserved_concurrent_executions = var.reserved_concurrent_executions
- role = aws_iam_role.lambda.arn
- runtime = local.runtime
- s3_bucket = var.s3_bucket
- s3_key = var.s3_key
- s3_object_version = var.s3_object_version
- source_code_hash = var.source_code_hash
- tags = var.tags
- timeout = local.timeout
+ architectures = var.architectures
+ description = var.description
+ filename = var.filename
+ function_name = var.function_name
+ handler = local.handler
+ image_uri = var.image_uri
+ kms_key_arn = var.kms_key_arn
+ layers = var.layers
+ memory_size = var.memory_size
+ package_type = var.package_type
+ publish = local.publish
+ replace_security_groups_on_destroy = var.replace_security_groups_on_destroy
+ replacement_security_group_ids = var.replacement_security_group_ids
+ reserved_concurrent_executions = var.reserved_concurrent_executions
+ role = aws_iam_role.lambda.arn
+ runtime = local.runtime
+ s3_bucket = var.s3_bucket
+ s3_key = var.s3_key
+ s3_object_version = var.s3_object_version
+ source_code_hash = var.source_code_hash
+ tags = var.tags
+ timeout = local.timeout
 
 ephemeral_storage {
 size = var.ephemeral_storage_size
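Review bot: `replacement_security_group_ids` is passed straight through with no check that `replace_security_groups_on_destroy` is true, although the variable description added in this commit says the list is only used in that case; a caller who sets the IDs alone gets a silent no-op at destroy time instead of an error. A `lifecycle.precondition` on the resource reports that at plan time, and Terraform >= 1.3 is already required by this commit. The same applies to the `lambda_external_lifecycle` hunk below; its existing lifecycle block, like any lifecycle block `lambda` may already have, is outside the hunks and would take the precondition.

```hcl
  # … unchanged: resource arguments …

  lifecycle {
    precondition {
      condition     = var.replacement_security_group_ids == null || var.replace_security_groups_on_destroy == true
      error_message = "replacement_security_group_ids is only honoured when replace_security_groups_on_destroy is true."
    }
  }
```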
@@ -65,8 +67,9 @@ resource "aws_lambda_function" "lambda" {
 dynamic "vpc_config" {
 for_each = var.vpc_config == null ? [] : [var.vpc_config]
 content {
- security_group_ids = vpc_config.value.security_group_ids
- subnet_ids = vpc_config.value.subnet_ids
+ ipv6_allowed_for_dual_stack = vpc_config.value.ipv6_allowed_for_dual_stack
+ security_group_ids = vpc_config.value.security_group_ids
+ subnet_ids = vpc_config.value.subnet_ids
 }
 }
 
@@ -87,26 +90,28 @@ resource "aws_lambda_function" "lambda_external_lifecycle" {
 count = var.ignore_external_function_updates ? 1 : 0
 depends_on = [aws_cloudwatch_log_group.lambda]
 
- architectures = var.architectures
- description = var.description
- filename = var.filename
- function_name = var.function_name
- handler = local.handler
- image_uri = var.image_uri
- kms_key_arn = var.kms_key_arn
- layers = var.layers
- memory_size = var.memory_size
- package_type = var.package_type
- publish = local.publish
- reserved_concurrent_executions = var.reserved_concurrent_executions
- role = aws_iam_role.lambda.arn
- runtime = local.runtime
- s3_bucket = var.s3_bucket
- s3_key = var.s3_key
- s3_object_version = var.s3_object_version
- source_code_hash = var.source_code_hash
- tags = var.tags
- timeout = local.timeout
+ architectures = var.architectures
+ description = var.description
+ filename = var.filename
+ function_name = var.function_name
+ handler = local.handler
+ image_uri = var.image_uri
+ kms_key_arn = var.kms_key_arn
+ layers = var.layers
+ memory_size = var.memory_size
+ package_type = var.package_type
+ publish = local.publish
+ replace_security_groups_on_destroy = var.replace_security_groups_on_destroy
+ replacement_security_group_ids = var.replacement_security_group_ids
+ reserved_concurrent_executions = var.reserved_concurrent_executions
+ role = aws_iam_role.lambda.arn
+ runtime = local.runtime
+ s3_bucket = var.s3_bucket
+ s3_key = var.s3_key
+ s3_object_version = var.s3_object_version
+ source_code_hash = var.source_code_hash
+ tags = var.tags
+ timeout = local.timeout
 
 ephemeral_storage {
 size = var.ephemeral_storage_size
@@ -138,8 +143,9 @@ resource "aws_lambda_function" "lambda_external_lifecycle" { dynamic "vpc_config" { for_each = var.vpc_config == null ? [] : [var.vpc_config] content { - security_group_ids = vpc_config.value.security_group_ids - subnet_ids = vpc_config.value.subnet_ids + ipv6_allowed_for_dual_stack = vpc_config.value.ipv6_allowed_for_dual_stack + security_group_ids = vpc_config.value.security_group_ids + subnet_ids = vpc_config.value.subnet_ids } } diff --git a/modules/deployment/README.md b/modules/deployment/README.md index aa8bceb..f4288ba 100644 --- a/modules/deployment/README.md +++ b/modules/deployment/README.md @@ -359,14 +359,14 @@ module "deployment" { | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.32.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.32 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.32.0 | +| [aws](#provider\_aws) | >= 5.32 | ## Modules diff --git a/modules/deployment/versions.tf b/modules/deployment/versions.tf index 869f362..2731a61 100644 --- a/modules/deployment/versions.tf +++ b/modules/deployment/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.32.0" + version = ">= 5.32" } } } diff --git a/variables.tf b/variables.tf index 48691c2..2051006 100644 --- a/variables.tf +++ b/variables.tf 
@@ -153,6 +153,18 @@ variable "publish" {
 type = bool
 }
 
+variable "replace_security_groups_on_destroy" {
+ default = null
+ description = "(Optional) Whether to replace the security groups on the function's VPC configuration prior to destruction. Removing these security group associations prior to function destruction can speed up security group deletion times of AWS's internal cleanup operations. By default, the security groups will be replaced with the default security group in the function's configured VPC. Set the `replacement_security_group_ids` attribute to use a custom list of security groups for replacement."
+ type = bool
+}
+
+variable "replacement_security_group_ids" {
+ description = "(Optional) List of security group IDs to assign to the function's VPC configuration prior to destruction. `replace_security_groups_on_destroy` must be set to `true` to use this attribute."
+ type = list(string)
+ default = null
+}
+
 variable "reserved_concurrent_executions" {
 description = "The amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."
 default = -1
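Review bot: The two new variable blocks order their attributes differently: `replace_security_groups_on_destroy` lists `default`, `description`, `type`, while `replacement_security_group_ids` lists `description`, `type`, `default`, and the neighbouring `reserved_concurrent_executions` uses `description`, `default`, `type`. Pick one order for both new blocks — the neighbour's `description`, `default`, `type` keeps the file uniform — so a reader scanning variables.tf finds the default in the same place every time.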
@@ -222,12 +234,15 @@ variable "tracing_config_mode" {
 }
 
 variable "vpc_config" {
- description = "Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details)."
+ description = "Provide this to allow your function to access your VPC (if both `subnet_ids` and `security_group_ids` are empty then vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details)."
 default = null
 type = object({
- security_group_ids = list(string)
- subnet_ids = list(string)
+ ipv6_allowed_for_dual_stack = optional(bool, false)
+ security_group_ids = list(string)
+ subnet_ids = list(string)
 })
+
+
 }
 
 variable "iam_role_name" {
diff --git a/versions.tf b/versions.tf
index 29ec41d..2731a61 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.32"
 }
 }
 }
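Review bot: The two added empty lines between `})` and the closing `}` of `variable "vpc_config"` look accidental — no other block in the hunk has a blank run inside it — and should be dropped. The `optional(bool, false)` on `ipv6_allowed_for_dual_stack` is what makes Terraform >= 1.3 necessary, and this commit bumps that constraint in every versions.tf, so the requirement is consistent; the description could still say so in one clause, e.g. `ipv6_allowed_for_dual_stack (requires Terraform >= 1.3) enables dual-stack networking for the function`, so a reader of the README input table learns the default and the version floor together.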