Merge pull request #9 from gchamon/feature/pass-precompiled-lambda-code

possibility to pass precompiled lambda zip and skip compilation
gchamon · Oct 22, 2019 · ad6259f · ad6259f
2 parents 0f8dc9b + 64407ce
commit ad6259f
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ Developed using version `0.12.9`. Should work on `0.12.x`
 | buckets-to-scan | List of bucket names to be scanned by the antivirus | list(string) | - | yes |
 | scanner-environment-variables | Custom environment variables for the scanner function | map(string) | {} | no |
 | updater-environment-variables | Custom environment variables for the definitions update function | map(string) | {} | no |
+| antivirus-lambda-code | Optional argument to provide precompiled zip file containing the lambda code, skipping the built in compilation process | string | null | no |
 | allow-public-access | If true, contents of the bucket in which the antivirus definitions are saved will be public. Good for sharing the same definitions across multiple accounts | bool | false | no |
 | antivirus-update-rate | Configures the antivirus update rate. Syntax is the same of cloudwatch rate schedule expression for rules | string | "3 hours" | no |
 

diff --git a/build-antivirus-from-source.tf b/build-antivirus-from-source.tf
@@ -1,4 +1,10 @@
 resource "null_resource" "build-antivirus-from-source" {
+  count = (
+    var.antivirus-lambda-code == null
+    ? 1
+    : 0
+  )
+
   provisioner "local-exec" {
     command = "bash ${path.module}/scripts/build-antivirus-from-source.sh"
   }
@@ -14,5 +20,9 @@ resource "aws_s3_bucket_object" "antivirus-code" {
   bucket = aws_s3_bucket.antivirus-code.bucket
   key    = "lambda.zip"
 
-  source = "/tmp/bucket-antivirus-function/build/lambda.zip"
+  source = (
+    var.antivirus-lambda-code == null
+    ? "/tmp/bucket-antivirus-function/build/lambda.zip"
+    : pathexpand(var.antivirus-lambda-code)
+  )
 }
diff --git a/policies/bucket-antivirus-update.json.tmpl b/policies/bucket-antivirus-update.json.tmpl
@@ -16,10 +16,14 @@
            "s3:GetObjectTagging",
            "s3:PutObject",
            "s3:PutObjectTagging",
-           "s3:PutObjectVersionTagging"
+           "s3:PutObjectVersionTagging",
+           "s3:ListBucket"
         ],
         "Effect":"Allow",
-        "Resource":"arn:aws:s3:::${bucket-name}/*"
+        "Resource":[
+            "arn:aws:s3:::${bucket-name}/*",
+            "arn:aws:s3:::${bucket-name}"
+        ]
      }
   ]
 }
diff --git a/update-function.tf b/update-function.tf
@@ -23,6 +23,6 @@ module "trigger-antivirus-update-periodically" {
   source = "./modules/periodic-lambda-trigger"
 
   lambda-function     = aws_lambda_function.antivirus-update
-  schedule-expression = "rate(${var.antivirus-update-rate}})"
+  schedule-expression = "rate(${var.antivirus-update-rate})"
   description         = "Update antivirus definitions every ${var.antivirus-update-rate}"
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -15,6 +15,12 @@ variable "updater-environment-variables" {
   default     = {}
 }
 
+variable "antivirus-lambda-code" {
+  description = "Optional argument to provide precompiled zip file containing the lambda code, skipping the built in compilation process"
+  type        = string
+  default     = null
+}
+
 variable "allow-public-access" {
   description = "If true, contents of the bucket in which the antivirus definitions are saved will be public. Good for sharing the same definitions across multiple accounts."
   type        = bool
@@ -25,4 +31,4 @@ variable "antivirus-update-rate" {
   description = "Configures the antivirus update rate. Syntax is the same of cloudwatch rate schedule expression for rules"
   type        = string
   default     = "3 hours"
-}
+}