@stavxyz
Last active October 4, 2018 17:00
terraform & lambda - source code in s3. support for apigateway integration, xray and logging
#! /usr/bin/env bash
# Strict mode for the whole script:
#   nounset  - expanding an unset variable aborts the script
#   errexit  - a command that returns non-zero aborts the script
#   pipefail - a pipeline fails when any stage fails (it reports the status
#              of the last stage that failed), not just when the final
#              stage does
set -o nounset -o errexit -o pipefail
# Echo every argument to stderr, keeping diagnostics out of stdout.
errcho() {
  echo "$@" >&2
}
# usage: errxit <error message> [exit code]
# Sends the message to stderr through errcho, then terminates the shell.
# The exit status is the second argument, or 1 when none is given.
errxit() {
  local -r message=$1
  local -r status=${2:-1}
  errcho "${message}"
  exit "${status}"
}
# Wrapper around zip carrying the flags every packaging step shares:
# fastest compression (-1), quiet output, recursion into directories,
# update of an existing archive, and an archive test once it is written.
# Caller-supplied options and paths are appended unchanged.
_zip() {
  local -a shared_flags=(-1 --quiet --recurse-paths --update --test)
  # Verbose variant kept for debugging:
  # zip --show-files -1 --recurse-paths --update --test $@
  zip "${shared_flags[@]}" "$@"
}
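# usage: build_lambda_package <name>
# Builds <name>.zip in the current directory from the files directly under
# ../lambda/<name>/ plus build.json (all stored without their directory
# paths), then adds the node_modules tree to the same archive.
# Exits through errxit when the arguments are wrong, the name is not a plain
# directory name, or node_modules / the lambda source directory is missing.
build_lambda_package() {
  if [ -z "${1:-}" ] || [ "${2:-}" ]; then
    errxit 'Usage: build_lambda_package <name>'
  fi
  # Kept local so the package name does not leak into the caller's globals.
  local -r name=$1

  # The name is used as a path component and as a zip argument. Reject
  # values that would escape ../lambda/ or be parsed by zip as an option.
  case "${name}" in
    -* | */* | . | ..)
      errxit "Invalid lambda package name: '${name}'"
      ;;
  esac

  if [ ! -d "node_modules" ]; then
    errxit "Can't find node_modules dir"
  fi

  # Fail with a clear message instead of handing zip an unmatched glob.
  local -r source_dir="../lambda/${name}"
  if [ ! -d "${source_dir}" ]; then
    errxit "Can't find lambda source dir '${source_dir}'"
  fi

  echo "Building '${name}' lambda."
  _zip --junk-paths "${name}.zip" "${source_dir}"/* build.json
  _zip --grow "${name}.zip" node_modules
}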
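# Resolve the commit being built; it is stamped into build.json below.
# The length check expects a full 40-character SHA-1 object name.
GITSHA=$(git rev-parse HEAD)
if [ -z "$GITSHA" ] || [ ${#GITSHA} -ne 40 ]; then
  errxit 'Could not determine current git sha.'
fi

# Start from an empty build/ directory so stale artifacts are never packaged.
# Both paths are relative: the script must run from the project root.
rm -rf build
mkdir -p build

# Seed build/build.json. build/ was just recreated, so an existing non-empty
# build.json has to be copied in; without the copy the jq call below fails
# on a missing file whenever build.json is present.
if [ -f build.json ] && [ -s build.json ]; then
  cp build.json build/build.json
else
  echo "build.json not found, writing."
  echo '{}' > build/build.json
fi

echo "Build for version: ${GITSHA}"
# jq receives the sha through --arg, so it is never spliced into the filter.
CONTENT=$(jq -r --arg GITSHA "${GITSHA}" '.version=$GITSHA' build/build.json)
printf '%s\n' "${CONTENT}" > build/build.json

# --frozen-lockfile makes the install fail instead of updating yarn.lock, so
# the package holds exactly the dependency versions the lockfile pins.
yarn install --frozen-lockfile
cp -R node_modules build/node_modules

# Perform the following inside the build/ dir
pushd build
# modclean prunes the copied node_modules before it is zipped.
# NOTE(review): `npm bin` was removed in npm 9 - confirm the npm version
# this script runs under, or call node_modules/.bin/modclean directly.
"$(npm bin)"/modclean --run --modules-dir node_modules
# This writes build/hello.zip, build/version.zip, etc.
build_lambda_package hello
# back to where we were
popd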
# Bucket holding the lambda deployment packages. Versioning is enabled so
# every uploaded package gets a version_id the function can be pinned to.
# NOTE(review): no encryption or public-access settings are declared on this
# bucket - confirm they are enforced elsewhere (account level or bucket policy).
resource "aws_s3_bucket" "lambdas" {
  bucket = "lambda-lambda-lambda-xyz"

  versioning {
    enabled = true
  }
}
# Trust policy for the lambda role: lists the AWS services allowed to call
# sts:AssumeRole on it.
# NOTE(review): Lambda and API Gateway share this one role, so each service
# receives every permission attached to it. Separate roles would let each
# service hold only what it needs.
data "aws_iam_policy_document" "lambda_exec" {
  statement {
    effect  = "Allow"
    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type        = "Service"
      identifiers = [
        "lambda.amazonaws.com",
        "apigateway.amazonaws.com",
      ]
    }
  }
}
# Permissions for the lambda role: CloudWatch Logs, function invocation and
# X-Ray trace/telemetry upload. No effect is given, so the statement uses the
# data source's default of Allow.
# NOTE(review): "logs:*" on resources ["*"] covers every CloudWatch Logs
# action on every log group in the account, including deleting log groups
# and streams. lambda:InvokeFunction on "*" allows invoking any function.
# If the role only has to write its own logs and invoke this function,
# narrow the actions (e.g. logs:CreateLogGroup, logs:CreateLogStream,
# logs:PutLogEvents) and scope the resources to the specific ARNs.
data "aws_iam_policy_document" "base_lambda_policy" {
  statement {
    resources = ["*"]

    actions = [
      "logs:*",
      "lambda:InvokeFunction",
      "xray:PutTraceSegments",
      "xray:PutTelemetryRecords",
    ]
  }
}
# Role named "lambda"; who may assume it is defined by the lambda_exec
# trust policy document.
resource "aws_iam_role" "lambda_exec" {
  name               = "lambda"
  assume_role_policy = "${data.aws_iam_policy_document.lambda_exec.json}"
}
# Inline policy that attaches the base_lambda_policy document to the
# lambda_exec role.
resource "aws_iam_role_policy" "base_lambda_policy" {
  name   = "lambda_policy"
  role   = "${aws_iam_role.lambda_exec.id}"
  policy = "${data.aws_iam_policy_document.base_lambda_policy.json}"
}
# Path to the lambda package zip. The helloworld lambda package is built
# into ../build/hello.zip, which is the default.
variable "package" {
  default = "../build/hello.zip"
}
# Name given to the lambda function.
variable "name" {
  default = "hello"
}
# Uploads the package zip to the lambdas bucket under its base file name.
# etag is the MD5 of the local file, so a changed zip is re-uploaded on the
# next apply.
# NOTE(review): file() is applied to a binary zip here; on Terraform
# versions where file() only accepts UTF-8 text, the binary-safe hash
# functions are needed instead - confirm against the version in use.
resource "aws_s3_bucket_object" "lambda_package_object" {
  bucket = "${aws_s3_bucket.lambdas.id}"
  key    = "${basename(var.package)}"
  source = "${pathexpand(var.package)}"
  etag   = "${md5(file(pathexpand(var.package)))}"
}
# The lambda function. Its code is read from the exact S3 object version
# uploaded by lambda_package_object, and it runs under the lambda_exec role.
# NOTE(review): the role policy grants X-Ray write actions, but no
# tracing_config block is set here - confirm whether active tracing is meant
# to be enabled.
# NOTE(review): nodejs8.10 is an end-of-life Lambda runtime; a supported
# runtime is needed for new deployments.
resource "aws_lambda_function" "lambda_function" {
  function_name = "${var.name}"
  handler       = "index.handler"
  runtime       = "nodejs8.10"
  role          = "${aws_iam_role.lambda_exec.arn}"

  s3_bucket         = "${aws_s3_bucket.lambdas.id}"
  s3_key            = "${basename(var.package)}"
  s3_object_version = "${aws_s3_bucket_object.lambda_package_object.version_id}"

  # used to trigger updates
  source_code_hash = "${base64sha256(file(pathexpand(var.package)))}"
}
# "live" alias pointing at the function's current version attribute.
# NOTE(review): the function does not set publish, so its version attribute
# presumably resolves to $LATEST - confirm the alias is meant to track that
# rather than a published, immutable version.
resource "aws_lambda_alias" "lambda_alias" {
  name             = "live"
  function_name    = "${aws_lambda_function.lambda_function.arn}"
  function_version = "${aws_lambda_function.lambda_function.version}"

  # Explicit ordering; the references above already imply this dependency.
  depends_on = ["aws_lambda_function.lambda_function"]
}