feat: deploy lambda via docker image stagenet

axelarnetwork · Apr 25, 2024 · dc28714 · dc28714
1 parent bc1817e
commit dc28714
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 42 deletions.
diff --git a/terraform/stagenet/main.tf b/terraform/stagenet/main.tf
@@ -24,8 +24,6 @@ provider "aws" {
   }
 }
 
-provider "archive" {}
-
 locals {
   url_subpath_api_mapping = "api" # map apigw to url subpath /api from aws_api_gateway_domain_name
 }
@@ -34,55 +32,92 @@ data "aws_api_gateway_domain_name" "stagenet" {
   domain_name = "stagenet.api.axelarscan.io"
 }
 
-data "archive_file" "zip" {
-  type        = "zip"
-  source_dir  = "../../"
-  excludes    = ["terraform", ".gitignore", "README.md", "LICENSE", "yarn.lock", ".env.example", ".env", "test"]
-  output_path = "${var.package_name}.zip"
-}
-
-data "aws_iam_policy_document" "policy" {
-  statement {
-    sid     = ""
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-    principals {
-      identifiers = ["lambda.amazonaws.com"]
-      type        = "Service"
+resource "aws_iam_role" "lambda_role" {
+  name = "${var.package_name}-${var.environment}-role"
+  assume_role_policy = jsonencode(
+    {
+      Statement = [
+        {
+          Action = "sts:AssumeRole"
+          Effect = "Allow"
+          Principal = {
+            Service = "lambda.amazonaws.com"
+          }
+        },
+      ]
+      Version = "2012-10-17"
     }
+  )
+
+  inline_policy {
+    name = "secret_manager_policy"
+    policy = jsonencode(
+      {
+        Statement = [
+          {
+            Action = [
+              "secretsmanager:GetSecretValue",
+            ]
+            Effect   = "Allow"
+            Resource = "*"
+          },
+        ]
+        Version = "2012-10-17"
+      }
+    )
   }
-}
 
-data "aws_iam_role" "role" {
-  name = var.iam_role
-}
-
-resource "aws_iam_policy_attachment" "attachment" {
-  name       = "${var.project_name}-attachment"
-  roles      = [data.aws_iam_role.role.name]
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  inline_policy {
+    name = "lambda_execution_policy"
+    policy = jsonencode(
+      {
+        Statement = [
+          {
+            Action = [
+              "logs:CreateLogGroup",
+              "logs:CreateLogStream",
+              "logs:PutLogEvents"
+            ]
+            Effect   = "Deny"
+            Resource = "*"
+          },
+        ]
+        Version = "2012-10-17"
+      }
+    )
+  }
 }
 
 resource "aws_lambda_function" "function" {
-  function_name    = "${var.package_name}-${var.environment}"
-  filename         = data.archive_file.zip.output_path
-  source_code_hash = data.archive_file.zip.output_base64sha256
-  role             = data.aws_iam_role.role.arn
-  handler          = "index.handler"
-  runtime          = "nodejs20.x"
-  timeout          = 30
-  memory_size      = 512
-  publish          = true
+  function_name = "${var.package_name}-${var.environment}"
+  package_type  = "Image"
+  image_uri     = "499786161782.dkr.ecr.us-east-2.amazonaws.com/axelarscan-api:v${var.app_version}"
+  role          = aws_iam_role.lambda_role.arn
+  timeout       = 30
+  memory_size   = 512
+  publish       = true
   environment {
     variables = {
-      NODE_NO_WARNINGS = 1
-      ENVIRONMENT      = var.environment
-      INDEXER_URL      = var.indexer_url
-      INDEXER_USERNAME = var.indexer_username
-      INDEXER_PASSWORD = var.indexer_password
-      LOG_LEVEL        = var.log_level
+      NODE_NO_WARNINGS      = 1
+      ENVIRONMENT           = var.environment
+      INDEXER_URL           = var.indexer_url
+      INDEXER_USERNAME      = var.indexer_username
+      INDEXER_PASSWORD      = var.indexer_password
+      LOG_LEVEL             = var.log_level
+      DD_LAMBDA_HANDLER     = "index.handler"
+      DD_SITE               = "datadoghq.com"
+      DD_API_KEY_SECRET_ARN = "arn:aws:secretsmanager:us-east-2:499786161782:secret:DdApiKeySecret-gJ9EIYVknJGu-HYZ3nM"
+      DD_TRACE_ENABLED      = true
+      DD_ENV                = var.environment
+      DD_SERVICE            = "${var.package_name}-${var.environment}"
+      DD_VERSION            = "${var.app_version}"
     }
   }
+  image_config {
+    command = [
+      "node_modules/datadog-lambda-js/dist/handler.handler",
+    ]
+  }
   kms_key_arn = ""
 }
 

diff --git a/terraform/stagenet/variables.tf.example b/terraform/stagenet/variables.tf.example
@@ -41,4 +41,13 @@ variable "indexer_password" {
 variable "log_level" {
   description = "Log level"
   default     = "debug"
-}
+}
+
+variable "app_version" {
+  description = "App version, same as docker image version"
+  default     = "0.0.1"
+  validation {
+    error_message = "Must be valid semantic version. $Major.$Minor.$Patch"
+    condition     = can(regex("^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", var.app_version))
+  }
+}