feat: 🎸 Initial commit

lyonsden · lyonsden · commit 2d5333ba3a2a · 2024-03-13T14:10:42.000-04:00
Inintial population of repository
diff --git a/README.md b/README.md
@@ -1,2 +1,104 @@
-# .github
-This repo is used for default community health files, such as CONTRIBUTING and CODE_OF_CONDUCT, for this organization. Default files will be used for any public repository in this organization that does not contain its own of that type. 
+# terraform-aws-ip-address-release
+
+Sometimes AWS fails to release an allocated IP address when tearing down the associated resources. This lambda will release/delete all network interfaces that are in `Status: Available` as they are not associated with a current AWS resource but can't be used by a new AWS resource.
+
+An exception is made for ENIs attached to DataSync tasks since DataSync only establishes ENIs at task creation time.
+
+This includes a 24 hour cloudwatch alarm to trigger the lambda regularly in an effort to keep the account clean and make the resources available for another consumer.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name                                                                      | Version  |
+| ------------------------------------------------------------------------- | -------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14  |
+| <a name="requirement_archive"></a> [archive](#requirement\_archive)       | ~> 2.2   |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | > 4.0    |
+| <a name="requirement_random"></a> [random](#requirement\_random)          | >= 3.1.0 |
+
+## Providers
+
+| Name                                                          | Version |
+| ------------------------------------------------------------- | ------- |
+| <a name="provider_archive"></a> [archive](#provider\_archive) | ~> 2.2  |
+| <a name="provider_aws"></a> [aws](#provider\_aws)             | > 4.0   |
+
+## Modules
+
+| Name                                          | Source | Version |
+| --------------------------------------------- | ------ | ------- |
+| <a name="module_iam"></a> [iam](#module\_iam) | ./iam  | n/a     |
+
+## Resources
+
+| Name                                                                                                                                                                | Type        |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| [aws_cloudwatch_event_rule.ip_address_release_lambda_interval](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule)   | resource    |
+| [aws_cloudwatch_event_target.ip_address_release_lambda_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource    |
+| [aws_lambda_function.ip_address_release_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function)                        | resource    |
+| [aws_lambda_permission.event_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission)                             | resource    |
+| [archive_file.lambda_source](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file)                                               | data source |
+| [aws_security_group.https-internet-egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group)                           | data source |
+| [aws_vpc.internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc)                                                              | data source |
+
+## Inputs
+
+| Name                                                                                                                               | Description                                                                                                 | Type           | Default | Required |
+| ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | -------------- | ------- | :------: |
+| <a name="input_account_name"></a> [account\_name](#input\_account\_name)                                                           | The account name for use in alarm description.                                                              | `string`       | n/a     |   yes    |
+| <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role)                                                | Pass in `false` if you are supplying an IAM role.                                                           | `bool`         | `true`  |    no    |
+| <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn)                                                         | The ARN of the IAM Role to use (creates a new one if set to `null`)                                         | `string`       | `null`  |    no    |
+| <a name="input_internet_egress_security_group"></a> [internet\_egress\_security\_group](#input\_internet\_egress\_security\_group) | Name of a security group that allows internet outbound calls to port 443                                    | `string`       | n/a     |   yes    |
+| <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn)                     | The ARN of the policy that is used to set the permissions boundary for the IAM roles.                       | `string`       | `null`  |    no    |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids)                                                                 | Subnets that Lambda will be created with in the VPC                                                         | `list(string)` | `[]`    |    no    |
+| <a name="input_timeout"></a> [timeout](#input\_timeout)                                                                            | Timeout value for the lambda                                                                                | `number`       | `300`   |    no    |
+| <a name="input_usecase"></a> [usecase](#input\_usecase)                                                                            | Usecase name, can be a team or product name. E.g., 'SRE'                                                    | `string`       | n/a     |   yes    |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id)                                                                             | VPC ID to attach the IP Address Release lambda to. Only necessary if there are multiple VPCs in an account. | `string`       | `null`  |    no    |
+
+## Outputs
+
+| Name                                                                         | Description                                 |
+| ---------------------------------------------------------------------------- | ------------------------------------------- |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The IAM Role created, or the one passed in. |
+<!-- END_TF_DOCS -->
+
+# Multi-region deployment
+The IAM role created for the initial region can be reused for the second region by referencing the outputs from the first region.
+```terraform
+* assumes a non-aliased provider is setup elsewhere
+module "ip-address-release-primary" {
+  source = "git::https://github.com/StateFarmIns/terraform-aws-ip-address-release?ref=1.0.0" 
+
+  providers = {
+    aws = aws
+  }
+
+  usecase                           = "SRE"
+  account_name                      = var.account_name
+  permissions_boundary_arn          = local.permissions_boundary
+  internet_egress_security_group_id = data.aws_security_group.https-internet-egress.id
+  vpc_id                            = data.aws_vpc.internal.id
+}
+
+* assumes an aliased (secondary) provider is setup elsewhere
+module "ip-address-release-secondary" {
+  source = "git::https://github.com/StateFarmIns/terraform-aws-ip-address-release?ref=1.0.0" 
+
+  providers = {
+    aws = aws.secondary
+  }
+
+  usecase                           = "SRE"
+  account_name                      = var.account_name
+  permissions_boundary_arn          = local.permissions_boundary
+  internet_egress_security_group_id = data.aws_security_group.https-internet-egress_secondary.id
+  iam_role_arn                      = module.ip-address-release-primary.iam_role_arn # reference the IAM Role created earlier
+  vpc_id                            = data.aws_vpc.internal_secondary.id
+}
+```
+
+# Links
+* [Why can't I detach or delete an elastic network interface that Lambda created?](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-eni-find-delete/)
+* [Requester Managed Network Interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/requester-managed-eni.html)
+* findassociations script copied from [AWS-support-tools](https://github.com/awslabs/aws-support-tools)
+
diff --git a/cloudwatch.tf b/cloudwatch.tf
@@ -0,0 +1,19 @@
+# This file contains the Cloudwatch alarms that attach to the timer service alarm lambda.
+resource "aws_cloudwatch_event_rule" "ip_address_release_lambda_interval" {
+  name                = "${var.usecase}-ip-address-lambda-release-rule"
+  description         = "Fires every 24 hours"
+  schedule_expression = "rate(24 hours)"
+}
+
+resource "aws_cloudwatch_event_target" "ip_address_release_lambda_attach" {
+  rule = aws_cloudwatch_event_rule.ip_address_release_lambda_interval.name
+  arn  = aws_lambda_function.ip_address_release_lambda.arn
+}
+
+resource "aws_lambda_permission" "event_permission" {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.ip_address_release_lambda.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.ip_address_release_lambda_interval.arn
+}
diff --git a/data.tf b/data.tf
@@ -0,0 +1,5 @@
+data "archive_file" "lambda_source" {
+  type        = "zip"
+  source_dir  = "${path.module}/lambda_source"
+  output_path = "${path.module}/ip_address.zip"
+}
diff --git a/iam/data.tf b/iam/data.tf
@@ -0,0 +1,7 @@
+data "aws_caller_identity" "current" {}
+data "aws_iam_account_alias" "current" {}
+data "aws_region" "current" {}
+
+data "aws_kms_key" "master" {
+  key_id = "alias/${data.aws_iam_account_alias.current.account_alias}-${data.aws_region.current.name}-master-kmskey"
+}
diff --git a/iam/iam.tf b/iam/iam.tf
@@ -0,0 +1,74 @@
+resource "random_string" "random" {
+  special = false
+  length  = 5
+}
+resource "aws_iam_role" "lambda_role" {
+  name                 = "${var.usecase}-ip-address-release-lambda-role-${random_string.random.result}"
+  assume_role_policy   = data.aws_iam_policy_document.lambda_role_trust.json
+  description          = "service role for ip address release lambda"
+  permissions_boundary = var.permissions_boundary_arn
+  tags = {
+    Name = "${var.usecase} lambda role"
+  }
+}
+
+data "aws_iam_policy_document" "lambda_role_trust" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "lambda-policy-attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_policy.arn
+}
+
+resource "aws_iam_policy" "lambda_policy" {
+  name        = "${var.usecase}-ip-address-release-lambda-policy-${random_string.random.result}"
+  description = "lambda policy for ip address release lambda"
+  policy      = data.aws_iam_policy_document.lambda_policy_document.json
+  tags = {
+    Name = "${var.usecase} IP Address Release Lambda Policy"
+  }
+}
+
+data "aws_iam_policy_document" "lambda_policy_document" {
+  statement {
+    sid    = "lambda"
+    effect = "Allow"
+    actions = [
+      "logs:*",
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "kms"
+    effect = "Allow"
+    actions = [
+      "kms:ListAliases*",
+      "kms:CreateGrant",
+      "kms:Encrypt",
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_key.master.arn
+    ]
+  }
+  statement {
+    sid    = "VPC"
+    effect = "Allow"
+    actions = [
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeSubnets"
+    ]
+    resources = ["*"]
+  }
+}
diff --git a/iam/outputs.tf b/iam/outputs.tf
@@ -0,0 +1,3 @@
+output "role_arn" {
+  value = aws_iam_role.lambda_role.arn
+}
diff --git a/iam/variables.tf b/iam/variables.tf
@@ -0,0 +1,6 @@
+variable "usecase" {}
+variable "account_name" {}
+variable "permissions_boundary_arn" {
+  type    = string
+  default = null
+}
diff --git a/lambda.tf b/lambda.tf
@@ -0,0 +1,24 @@
+resource "aws_lambda_function" "ip_address_release_lambda" {
+  filename         = data.archive_file.lambda_source.output_path
+  function_name    = "${var.usecase}-ip-address-release-lambda"
+  role             = var.iam_role_arn == null ? module.iam[0].role_arn : var.iam_role_arn
+  handler          = "lambda_function.lambda_handler"
+  source_code_hash = filebase64sha256(data.archive_file.lambda_source.output_path)
+  runtime          = var.lambda_runtime
+  architectures    = ["arm64"]
+  timeout          = var.timeout
+
+  environment {
+    variables = {
+      USECASE = var.usecase
+    }
+  }
+
+  vpc_config {
+    subnet_ids = var.subnet_ids
+    security_group_ids = [
+      var.internet_egress_security_group_id
+    ]
+  }
+}
+
diff --git a/lambda_source/lambda_function.py b/lambda_source/lambda_function.py
@@ -0,0 +1,39 @@
+import boto3
+import botocore.exceptions
+import logging
+
+client = boto3.client('ec2')
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+
+def lambda_handler(event, context):
+    paginator = client.get_paginator('describe_network_interfaces')
+
+    interfaces = paginator.paginate(
+        Filters=[
+            {
+                'Name': 'status',
+                'Values': ['available']
+            }
+        ]
+    ).build_full_result()
+
+    count = len(interfaces['NetworkInterfaces'])
+
+    x = 1
+    for interface in interfaces['NetworkInterfaces']:
+        description = interface.get('Description', '')
+        if 'datasync client for' in description:
+            logger.info(f"{x}/{count} ENI attached to DataSync task. Skipping Deletion for {interface['NetworkInterfaceId']} {interface['AvailabilityZone']} {interface['PrivateIpAddress']}")
+        else:
+            logger.info(f"{x}/{count} Deleting network interface {interface['NetworkInterfaceId']} {interface['AvailabilityZone']} {interface['PrivateIpAddress']}")
+            logger.info(f"Description: {interface['Description']}")
+
+            try:
+                response = client.delete_network_interface(NetworkInterfaceId=interface['NetworkInterfaceId'])
+                logger.info(f"Response: {response}")
+            except botocore.exceptions.ClientError as error:
+                logger.warn(f"Delete failed: {error}")
+
+        x += 1
diff --git a/main.tf b/main.tf
@@ -0,0 +1,8 @@
+module "iam" {
+  source = "./iam"
+
+  count                    = var.iam_role_arn == null ? 1 : 0
+  usecase                  = var.usecase
+  account_name             = var.account_name
+  permissions_boundary_arn = var.permissions_boundary_arn
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,4 @@
+output "iam_role_arn" {
+  value       = var.iam_role_arn == null ? module.iam[0].role_arn : var.iam_role_arn
+  description = "The IAM Role created, or the one passed in."
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,49 @@
+variable "account_name" {
+  type        = string
+  description = "The account name for use in alarm description."
+}
+
+variable "usecase" {
+  type        = string
+  description = "Usecase name, can be a team or product name. E.g., 'SRE'"
+}
+
+variable "timeout" {
+  type        = number
+  description = "Timeout value for the lambda"
+  default     = 300
+}
+
+variable "lambda_runtime" {
+  type        = string
+  description = "Python runtime to use for this lambda"
+  default     = "python3.9"
+}
+
+variable "permissions_boundary_arn" {
+  type        = string
+  default     = null
+  description = "The ARN of the policy that is used to set the permissions boundary for the IAM roles."
+}
+
+variable "iam_role_arn" {
+  type        = string
+  default     = null
+  description = "The ARN of the IAM Role to use (creates a new one if set to `null`)"
+}
+
+variable "internet_egress_security_group_id" {
+  type        = string
+  description = "security group id that allows internet outbound calls to port 443"
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "VPC ID to attach the IP Address Release lambda to."
+}
+
+variable "subnet_ids" {
+  type        = list(string)
+  description = "Subnets that Lambda will be created with in the VPC"
+  default     = []
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    aws = {
+      configuration_aliases = [aws]
+      source                = "hashicorp/aws"
+      version               = "> 4.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.2"
+    }
+  }
+  required_version = ">= 0.14"
+}
diff --git a/workflows/cla.yml b/workflows/cla.yml
diff --git a/workflows/documentation.yml b/workflows/documentation.yml
diff --git a/workflows/lock.yml b/workflows/lock.yml
diff --git a/workflows/release.yml b/workflows/release.yml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+output "role_arn" {`
	`2`	`+ value = aws_iam_role.lambda_role.arn`
	`3`	`+}`