Vault Lambda Extension updates (hashicorp#380)

* Vault Lambda Extension updates

- Update Vault version
- Update PostgreSQL version
- Resolve a deprecation notice from Terraform
- Add some lambda with caching example configurations

* Cached versions

Author: brianshumate

ecosystem/vault-lambda-extension/Dockerfile

@@ -18,4 +18,4 @@ FROM public.ecr.aws/lambda/provided:al2
 COPY --from=build /go/src/demo-function/bin/main /main
 COPY extensions/vault-lambda-extension /opt/extensions/vault-lambda-extension
 
-ENTRYPOINT [ "/main" ]
+ENTRYPOINT [ "/main" ]

ecosystem/vault-lambda-extension/README.md

@@ -1,3 +1,3 @@
 # Vault Lambda Extension
 
-These assets are provided to perform the tasks described in the [Vault AWS Lambda Extension](https://learn.hashicorp.com/tutorials/vault/aws-lambda) tutorial.
+These assets are provided to perform the tasks described in the [Vault AWS Lambda Extension](https://learn.hashicorp.com/tutorials/vault/aws-lambda) tutorial.

ecosystem/vault-lambda-extension/build.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 set -euo pipefail
 
@@ -17,4 +17,4 @@ echo
 echo "Making new zip..."
 zip -j -D -r demo-function.zip bin/bootstrap bin/main
 
-popd # ${DIR}
+popd # ${DIR}

ecosystem/vault-lambda-extension/lambda-as_a_container.tf.disabled

@@ -29,4 +29,4 @@ The lambda function is ready to run.
         | base64 --decode
 
 EOF
-}
+}

ecosystem/vault-lambda-extension/lambda-as_a_container_caching.tf.disabled

@@ -0,0 +1,34 @@
+resource "aws_lambda_function" "function" {
+  function_name = "${var.environment_name}-function"
+  description   = "Demo Vault AWS Lambda extension in container"
+  role          = aws_iam_role.lambda.arn
+  image_uri     = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com/demo-function:latest"
+  package_type  = "Image"
+
+  environment {
+    variables = {
+      VAULT_ADDR           = "http://${aws_instance.vault-server.public_ip}:8200",
+      VAULT_AUTH_ROLE      = aws_iam_role.lambda.name,
+      VAULT_AUTH_PROVIDER  = "aws",
+      VAULT_SECRET_PATH_DB = "database/creds/lambda-function",
+      VAULT_SECRET_FILE_DB = "/tmp/vault_secret.json",
+      VAULT_DEFAULT_CACHE_ENABLE = true,
+      VAULT_DEFAULT_CACHE_TTL = "5m",
+      DATABASE_URL         = aws_db_instance.main.address
+    }
+  }
+}
+
+output "lambda" {
+  value = <<EOF
+
+The lambda function is ready to run.
+
+    aws lambda invoke --function-name ${aws_lambda_function.function.function_name} /dev/null \
+        --log-type Tail \
+        --region ${var.aws_region} \
+        | jq -r '.LogResult' \
+        | base64 --decode
+
+EOF
+}

ecosystem/vault-lambda-extension/lambda-as_an_archive.tf.disabled

@@ -31,4 +31,4 @@ The lambda function is ready to run.
         | base64 --decode
 
 EOF
-}
+}

ecosystem/vault-lambda-extension/lambda-as_an_archive_caching.tf.disabled

@@ -0,0 +1,36 @@
+resource "aws_lambda_function" "function" {
+  function_name = "${var.environment_name}-function"
+  description   = "Demo Vault AWS Lambda extension"
+  role          = aws_iam_role.lambda.arn
+  filename      = "./demo-function/demo-function.zip"
+  handler       = "main"
+  runtime       = "provided.al2"
+  layers        = ["arn:aws:lambda:${var.aws_region}:634166935893:layer:vault-lambda-extension:6"]
+
+  environment {
+    variables = {
+      VAULT_ADDR           = "http://${aws_instance.vault-server.public_ip}:8200",
+      VAULT_AUTH_ROLE      = aws_iam_role.lambda.name,
+      VAULT_AUTH_PROVIDER  = "aws",
+      VAULT_SECRET_PATH_DB = "database/creds/lambda-function",
+      VAULT_SECRET_FILE_DB = "/tmp/vault_secret.json",
+      VAULT_DEFAULT_CACHE_ENABLE = true,
+      VAULT_DEFAULT_CACHE_TTL = "5m",
+      DATABASE_URL         = aws_db_instance.main.address
+    }
+  }
+}
+
+output "lambda" {
+  value = <<EOF
+
+The lambda function is ready to run.
+
+    aws lambda invoke --function-name ${aws_lambda_function.function.function_name} /dev/null \
+        --log-type Tail \
+        --region ${var.aws_region} \
+        | jq -r '.LogResult' \
+        | base64 --decode
+
+EOF
+}

ecosystem/vault-lambda-extension/outputs.tf

@@ -18,4 +18,3 @@ You can SSH into the Vault EC2 instance using private.key:
 
 EOF
 }
-

ecosystem/vault-lambda-extension/rds.tf

@@ -7,9 +7,9 @@ resource "aws_db_instance" "main" {
   allocated_storage      = 20
   storage_type           = "gp2"
   engine                 = "postgres"
-  engine_version         = "12.3"
+  engine_version         = "12.10"
   instance_class         = var.db_instance_type
-  name                   = "lambdadb"
+  db_name                = "lambdadb"
   username               = "vaultadmin"
   password               = random_password.password.result
   vpc_security_group_ids = [aws_security_group.rds.id]

ecosystem/vault-lambda-extension/security-groups.tf

@@ -62,4 +62,3 @@ resource "aws_security_group" "rds" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 }
-

ecosystem/vault-lambda-extension/terraform.tfvars.example

@@ -7,8 +7,8 @@ aws_region = "us-east-1"
 environment_name = "vault-lambda-extension-demo"
 
 # URL for Vault OSS binary
-# default: Vault 1.7.2
-vault_zip_file = "https://releases.hashicorp.com/vault/1.7.2/vault_1.7.2_linux_amd64.zip"
+# default: Vault 1.10.0
+vault_zip_file = "https://releases.hashicorp.com/vault/1.10.0/vault_1.10.0_linux_amd64.zip"
 
 # Instance size
 # default: 't2.micro'

ecosystem/vault-lambda-extension/variables.tf

@@ -10,7 +10,7 @@ variable "environment_name" {
 
 # URL for Vault OSS binary
 variable "vault_zip_file" {
-  default = "https://releases.hashicorp.com/vault/1.6.0/vault_1.6.0_linux_amd64.zip"
+  default = "https://releases.hashicorp.com/vault/1.10.0/vault_1.10.0_linux_amd64.zip"
 }
 
 # Instance size