The latest articles on Forem by Santanu Das (@santanu_das). https://forem.com/santanu_das https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2098163%2F024cb922-92c5-4222-bb5b-1edd87a2c5b9.jpg https://forem.com/santanu_das en Santanu Das Sun, 25 Jan 2026 14:26:49 +0000 https://forem.com/santanu_das/automating-externally-managed-stateful-rule-groups-in-aws-network-firewall-using-terraform-part-2-226j https://forem.com/santanu_das/automating-externally-managed-stateful-rule-groups-in-aws-network-firewall-using-terraform-part-2-226j <p>In <a href="https://dev.to/santanu_das/automating-externally-managed-stateful-rule-groups-in-aws-network-firewall-using-terraform-54b4">Part 1</a>, we established the Terraform scaffolding for a resilient AWS Network Firewall, focusing on <strong>strict rule ordering</strong> and a <strong>decoupled parent-child module</strong> architecture. By defining clear boundaries between <em>Terraform-owned</em> and <em>Automation-owned</em> resources, we successfully eliminated the state drift <em>tug-of-war</em> for dynamic rule groups. Now, in Part 2, we move from infrastructure to orchestration to see how an event-driven, serverless pipeline manages high-frequency rule updates programmatically.</p> <p><strong>TL;DR</strong><br> Externally managed stateful rule groups safely decoupled tenant-driven rule changes from Terraform-managed infrastructure, preserving IaC workflows and remote state — but automation is what makes them safe.</p> <h2> Table Of Contents </h2> <ul> <li>Architectural Overview</li> <li>Engineering Walkthrough</li> <li>Source Config <ul> <li>Source of Truth</li> <li>S3 Event Bridge</li> <li>Cross-Account Trust</li> <li>Capturing Events</li> </ul> </li> <li>Target Config <ul> <li>Custom Event Bus</li> <li>Actionable Changes</li> <li>Lambda Role/Policy</li> </ul> </li> <li>Runtime Environment <ul> <li>Lambda function</li> <li>Explicit Invocation</li> <li> Pipeline wiring </li> </ul> </li> <li>The Firewall-Lambda</li> <li>The Final Words</li> </ul> <h2> Architectural Overview <a></a> </h2> <p>After analyzing the application’s update frequency and internal logic, it became clear that a traditional IaC approach would be insufficient. To support high-frequency rule updates without manual bottlenecks or the risk of Terraform state drift, an asynchronous, event-driven pipeline was the only scalable path forward.</p> <p>This architecture creates a strict Separation of Concerns: it decouples the tenant-facing application logic from the core network security layer. By moving the <em>heavy lifting</em> to a dedicated automation plane, security constraints are enforced programmatically and independently of the application's lifecycle.</p> <p>The following diagram illustrates the unidirectional flow from the tenant's request to the firewall's enforcement:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fascszirvhdolu371y5go.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fascszirvhdolu371y5go.png" alt="Cross-Account EventBridge Message Flow" width="800" height="408"></a></p> <p>1️⃣ <strong>Tenant Self-Serviced Input:</strong> <br> Tenants submit hostname (new/update) via a their Admin UI. This is the entry point for all allowlist modifications.</p> <p>2️⃣ <strong>Backend Application Processing:</strong> <br> The backend application first validates the input for format and ownership constraints. Once validated, it persists the record to the Application Database and immediately invokes <strong>Application Lambda</strong> function to handle the downstream synchronization.</p> <p>3️⃣ <strong>Source-of-Truth Synchronization:</strong> <br> The <em>application-lambda</em> aggregates the active hosts and updates <code>tenant_hosts.json</code> file in one pre-configured <strong>Amazon S3 bucket</strong>. This file acts as the definitive <em>Desired State</em> for the firewall. The bucket is versioned to allow for immediate rollbacks and historical auditing.</p> <p>4️⃣ <strong>S3 Event → EventBridge:</strong> <br> Critically, the application does not communicate with the firewall directly. Instead, the update to the S3 object emits an event to <strong>Amazon EventBridge</strong>. This event is filtered by bucket name and object key (tenant_hosts), ensuring the pipeline is only triggered by valid state changes.</p> <p>5️⃣ <strong>Firewall Automation Lambda:</strong> <br> The EventBridge trigger invokes the <strong>Firewall Lambda</strong>, which serves as the authoritative control plane. This function:</p> <ul> <li>Reads the <em>updated</em> <code>tenant_hosts.json</code> file from S3.</li> <li>Generates the corresponding <em>suricata-compatible rule</em> syntax.</li> <li>Performs a <em>logical <code>Diff</code></em> against the active AWS Network Firewall configuration.</li> <li>Executes an API update to the Externally Managed Rule Group only if actual changes are detected.</li> </ul> <p>6️⃣ <strong>Human Visibility (ChatOps):</strong> <br> Once the operation is complete, the Lambda dispatches a success or failure notification to <strong>Microsoft Teams</strong>. This closes the feedback loop, providing the engineering team with real-time visibility into the automated security operations.</p> <h2>  Engineering Walkthrough <a></a> </h2> <p>As illustrated in the architectural diagram, this is a multi-account system. Both the <em>Internal_Apps</em> account and the <em>External-Comm</em> accounts must be configured in tandem to facilitate this cross-account event flow.</p> <blockquote> <p><strong>Note on Cross-Account Events:</strong> While the granular details of cross-account EventBridge bus configurations are out of scope for this article, you can find a comprehensive guide on <em>Triggering Cross-Account Workflows</em> <a href="https://dev.to/santanu_das/trigger-aws-codepipeline-from-a-cross-account-s3-upload-using-eventbridge-iam-roles-185d">here</a>.</p> </blockquote> <h3> <u>Source Side Config:</u> </h3> <h3> Generating the Source of Truth <a></a> </h3> <p>The application-side implementation was moderately simple: Terraform provisions the <em>application-lambda</em> as part of the EKS-apps infrastructure and injects its metadata (ARN/ID) into the application pods as environment variables.</p> <p>Whenever a tenant modifies their hostname, the backend invokes the Lambda using the <code>${lambda_function_arn}</code>. The Lambda then aggregates the current state and updates the <code>tenant_hosts.json</code> file in the S3 bucket. This file serves as the immutable <em>desired state</em> for our firewall.</p> <h3> Configuring the S3 Event Bridge <a></a> </h3> <p>To expose S3 activity to this automation pipeline, the bucket must be configured to <strong>publish events to Amazon EventBridge</strong> across the accounts. As S3 bucket operations are scoped to the service itself by default, <strong>S3 Event Notifications</strong> must be explicitly enabled for Amazon EventBridge.</p> <p>Using <code>aws_s3_bucket_notification</code> resource, this can be enabled globally for the bucket. It will then allows S3 to publish <em>Object Created</em> events (from <em>Internal-Apps</em> account) directly to the EventBridge bus (in <em>External-Comm</em> account), eliminating the need for any intermediate Lambda functions or custom notification logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket_notification"</span> <span class="s2">"eb_xacc"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">nfw_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">eventbridge</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eksapp</span> <span class="c1">#&lt;-- required for cross-account</span> <span class="p">}</span> </code></pre> </div> <h3> Establishing the Cross-Account Trust <a></a> </h3> <p>For Amazon EventBridge to forward events across account boundaries, it requires explicit permission to <em>hand-off</em> the data. It can be achieved by provisioning a <strong>dedicated IAM Role</strong> within the <strong>Internal-Apps account</strong> that the EventBridge service is authorized to assume.</p> <p>This role serves a single, highly-scoped purpose: it grants the local EventBridge service the <code>events:PutEvents</code> permission, specifically targeting the ARN of our central Event Bus in the External-Comm account. This setup ensures that as soon as S3 drops a notification into the local bus, EventBridge has the credentials necessary to push that event across the border to our automation pipeline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eb_forward"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-xacc-s3eb-Role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Service"</span> <span class="err">:</span> <span class="s2">"events.amazonaws.com"</span> <span class="p">},</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="p">}]</span> <span class="p">})</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eksapp</span> <span class="c1">#&lt;-- if you doing cross-account</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"eb_forward"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eb_forward</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"events:PutEvents"</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_bus</span><span class="p">.</span><span class="nx">s3_trigger</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">].</span><span class="nx">arn</span> <span class="p">}]</span> <span class="p">})</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eksapp</span> <span class="c1">#&lt;-- if you doing cross-account</span> <span class="p">}</span> </code></pre> </div> <h3> Capturing and Forwarding the Event(s) <a></a> </h3> <p>With the permissions established, only thing was needed, a mechanism to intercept the specific S3 notifications and direct them to our cross-account destination. This is handled by the EventBridge Rule and its corresponding Target.</p> <p>The EventBridge rule acts as a targeted filter on the application account’s default event bus. Instead of forwarding all S3 activities, it is configured with a highly specific event pattern that matches only <em>Object Created</em> events from the designated S3 bucket and restricts them further to the <em>tenant_hosts</em> key prefix. This precision filter prevents unnecessary Lambda invocations in the downstream account, keeping the overall design both efficient and cost-effective.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"eb_xacc"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">nfw_svc_enabled</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">([</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">])</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-xacc"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Forward S3 Object Created events to EXC event bus"</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eksapp</span> <span class="c1">#&lt;-- if you doing cross-account</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aws.s3"</span><span class="p">],</span> <span class="nx">detail-type</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"Object Created"</span><span class="p">],</span> <span class="nx">detail</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">xacc_s3_trigger</span><span class="p">.</span><span class="nx">bucket</span><span class="p">]</span> <span class="p">},</span> <span class="nx">object</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">xacc_s3_trigger</span><span class="p">.</span><span class="nx">object</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The <code>aws_cloudwatch_event_target</code> then acts as the <em>exit ramp</em>. It connects the rule to our central Event Bus in the security account. By referencing the <code>${aws_iam_role.eb_forward}</code> we created earlier, the target has the authority to cross the account boundary and deliver the payload to our central automation hub.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"eb_xacc"</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">eb_xacc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_bus</span><span class="p">.</span><span class="nx">s3_trigger</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eb_forward</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eksapp</span> <span class="c1">#&lt;-- if you doing cross-account</span> <span class="p">}</span> </code></pre> </div> <h3> <u>Target End Config:</u> </h3> <h3> Custom Event Bus and Permissions <a></a> </h3> <p>In the <em>External-Comm</em> account, I provisioned a dedicated <strong>Custom Event Bus</strong> to isolate our firewall automation traffic from the general noise of the account, to keep the security events clean and auditable. It's as simple as defining this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_bus"</span> <span class="s2">"s3_trigger"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-nfw-s3-trigger"</span> <span class="p">}</span> </code></pre> </div> <p>However, a custom bus is <em>closed</em> by default. So, to receive events from the <em>Internal-Apps</em> account, I created a dedicated <strong>Custom EventBridge event bus</strong> in the <em>External-Comm</em> account. To enable cross-account delivery, I used the <code>aws_cloudwatch_event_permission</code> resource to create a resource-based policy (details below) to explicitly allow <em>external-apps</em> account (referenced via <code>${local.xacc_s3_trigger.acc_id}</code>) to call <strong>PutEvents</strong> on this custom bus. In this way, the system can securely hand off S3 notifications across the account boundary without exposing the bus to the broader public.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_permission"</span> <span class="s2">"s3_trigger"</span> <span class="p">{</span> <span class="nx">event_bus_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_bus</span><span class="p">.</span><span class="nx">s3_trigger</span><span class="p">.</span><span class="nx">name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">xacc_s3_trigger</span><span class="p">.</span><span class="nx">acc_id</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"events:PutEvents"</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowIncToPutEvents"</span> <span class="p">}</span> </code></pre> </div> <h3> Filtering for Actionable Changes <a></a> </h3> <p>On this custom bus, an EventBridge rule is defined to listen specifically for S3 <em>Object Created</em> events, originating from the expected bucket and object key prefix. When a matching event is received, the rule <strong>triggers the firewall-lambda</strong> responsible for validation and rule group updates. </p> <p>As soon as a new/updated <code>tenant_hosts.json</code> lands in S3 and crosses the border, this rule captures it and triggers the automation logic that keeps our firewall synchronized in real-time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"s3_trigger"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-s3-trigger"</span> <span class="nx">event_bus_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_bus</span><span class="p">.</span><span class="nx">s3_trigger</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Trigger Lambda when object updated in ${local.xacc_s3_trigger.bucket}"</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aws.s3"</span><span class="p">],</span> <span class="nx">detail-type</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"Object Created"</span><span class="p">],</span> <span class="nx">detail</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">xacc_s3_trigger</span><span class="p">.</span><span class="nx">bucket</span><span class="p">]</span> <span class="p">},</span> <span class="nx">object</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">xacc_s3_trigger</span><span class="p">.</span><span class="nx">object</span> <span class="p">}]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Lambda IAM Role &amp; Permissions <a></a> </h3> <p>For the automation to function, the <strong>firewall-lambda</strong> needs to act as a privileged operator across a nmber of AWS services. This IAM role and policy document are specificially designed using the <strong>principle of least privilege</strong>, ensuring the function has exactly what it needs to perform the <em>Diff and Update</em> logic—and nothing more.</p> <p>The most critical aspect of this policy is the <strong>AWS Network Firewall authority boundary</strong>. The <code>UpdateRuleGroup</code> and <code>DescribeRuleGroup</code> permissions are explicitly scoped to the A*<em>RN of the externally managed stateful rule group</em>* (<code>${local.extl_suricata_rg_arn}</code>) and nothing else. By restricting the access to a single resource, the automation pipeline is technically incapable of modifying any other <em>Terraform-managed</em> firewall rules or resources, even in a failure or misconfiguration scenario. Standard CloudWatch Logs permissions are also included to ensure every evaluation and decision made by the automation logic is fully auditable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">// IAM role for firewall-lambda</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"nfw_lambda"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.nfw_resource_prefix}-lambda-Role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// Policy document for firewall-lambda role</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"nfw_lambda"</span> <span class="p">{</span> <span class="c1"># S3 permission: read tenant-hosts.json</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:GetObjectVersion"</span><span class="p">,</span> <span class="s2">"s3:ListBucket"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:s3:::${local.xacc_s3_trigger.bucket}"</span><span class="p">,</span> <span class="s2">"arn:aws:s3:::${local.xacc_s3_trigger.bucket}/*"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># NFW permission: update the RSL rule group</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"network-firewall:DescribeRuleGroup"</span><span class="p">,</span> <span class="s2">"network-firewall:UpdateRuleGroup"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">local</span><span class="p">.</span><span class="nx">extl_suricata_rg_arn</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># Allow Lambda to kms:Decrypt</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">nfw_bucket_key</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">].</span><span class="nx">kms_key_arn</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># CloudWatch Logs permission</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> <u>Runtime Environment: </u> </h3> <h3> AWS Lambda Function <a></a> </h3> <p>The <code>dth_updater</code> (<em>Dynamic Tenant Hosts</em>) Lambda acts as the control plane for firewall updates, with all of the required context at runtime. It runs on Python 3.12 for strong[er] Boto3 support and efficient string processing when handling Suricata rules. Critical configuration is passed via environment variables, including the ARN of the externally managed rule group, <strong>SOPS-encrypted</strong> Microsoft Teams webhook etc., enabling secure, real-time notifications without exposing sensitive endpoints.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"dth_updater"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">dthu_lambda_zip</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-tenant-fw-updater"</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"nfw_tenant_hosts_updater.lambda_handler"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">nfw_lambda</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">dthu_lambda_zip</span><span class="p">.</span><span class="nx">output_base64sha256</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.12"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">DYNAMIC_SURICATA_RG_ARN</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">extl_suricata_rg_arn</span> <span class="nx">TEAMS_WEBHOOK_URL</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span> <span class="nx">data</span><span class="p">.</span><span class="nx">sops_file</span><span class="p">.</span><span class="nx">tenant_teams_wh</span><span class="p">.</span><span class="nx">data</span><span class="p">,</span> <span class="s2">"teams_webhook_url"</span><span class="p">,</span> <span class="kc">null</span> <span class="p">)</span> <span class="nx">ENV_NAME</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_acc_name</span> <span class="nx">MSG_TITLE</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">notify_teams</span><span class="p">[</span><span class="s2">"tenant_hosts"</span><span class="p">].</span><span class="nx">title</span> <span class="nx">NOTIFY_TEAMS</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">notify_teams</span><span class="p">[</span><span class="s2">"tenant_hosts"</span><span class="p">].</span><span class="nx">enabled</span> <span class="nx">SERVICE_NAME</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">nfw_lambda</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Explicit Invocation <a></a> </h3> <p>Provisioning the Lambda and EventBridge rule alone is not sufficient; AWS services default to a zero-trust invocation model. An explicit Lambda permission is required to allow EventBridge to invoke the function.</p> <p>By scoping the principal to <strong>events.amazonaws.com</strong> and restricting the source_arn to the <strong>specific S3-trigger rule</strong>, invocation is limited strictly to the events, originating from the custom event bus. This ensures the Lambda cannot be triggered accidentally or maliciously from other sources within the account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"s3_trigger"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowEventsInvoke"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">dth_updater</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"events.amazonaws.com"</span> <span class="nx">source_arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">s3_trigger</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h3> Wiring the Pipeline <a></a> </h3> <p>The final component is the <strong>EventBridge target</strong>, which connects the filtered rule to the firewall automation Lambda. The target references the <code>dth_updater</code> function ARN directly. I also added the explicit dependency on to ensure Lambda invoke permissions are fully propagated before the target becomes active. This avoids race conditions during initial deployment and guarantees the pipeline is ready and reliable from the first S3 object update onward.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"s3_trigger"</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">s3_trigger</span><span class="p">.</span><span class="nx">name</span> <span class="nx">event_bus_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_bus</span><span class="p">.</span><span class="nx">s3_trigger</span><span class="p">.</span><span class="nx">name</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="s2">"tenant-fw-updater"</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">dth_updater</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_lambda_permission</span><span class="p">.</span><span class="nx">s3_trigger</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Filewall-Lambda Function <a></a> </h3> <h3> Function Code </h3> <p>I have added the Lambda function shown below is provided purely as a <strong>reference implementation</strong>. The exact structure, validation logic, and rule-generation strategy will vary depending on individual requirements, tenant models, and security posture. This is just to show one of the ways of implementing an event-driven automation Lambda can safely control an externally managed Network Firewall rule group.</p> <p>At a high level, this function performs the following steps:</p> <ul> <li>Parses the incoming EventBridge S3 event to identify the updated object</li> <li>Loads tenant-defined hostnames from S3 and expands them into fully qualified domains</li> <li>Reads the current externally managed Suricata rule group from Network Firewall</li> <li>Computes a deterministic diff between existing and desired state</li> <li>Skips the update entirely if no effective change is detected</li> <li>Rebuilds the Suricata ruleset and updates the rule group using an update token</li> <li>Optional - Emits a structured notification to Microsoft Teams for visibility and auditability</li> </ul> <p>This pattern keeps the Lambda focused on validation, diffing, and enforcement, while allowing upstream systems to express intent without direct access to the firewall control plane.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Dynamic Suricata Rule-Group updater. Triggered via EventBridge when tenant-temp-hosts.json changes in S3. </span><span class="sh">"""</span> <span class="n">result</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">start</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">added</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">removed</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="p">}</span> <span class="k">try</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Event: %s</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">event</span><span class="p">))</span> <span class="c1"># 1. Parse S3 event (EventBridge style) </span> <span class="c1"># ----------------------------------------------- </span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">parse_event</span><span class="sh">"</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># This is very important to pick up the correct </span> <span class="c1"># S3 bucket and object from event JSON </span> <span class="n">bucket</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">bucket</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]</span> <span class="n">key</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">]</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Invalid EventBridge S3 event: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Processing file s3://%s/%s</span><span class="sh">"</span><span class="p">,</span> <span class="n">bucket</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span> <span class="c1"># 2. Load tenants + expand to full FQDNs </span> <span class="c1"># ----------------------------------------------- </span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">load_and_expand</span><span class="sh">"</span> <span class="n">host_map</span> <span class="o">=</span> <span class="nf">load_domain_map</span><span class="p">(</span><span class="n">bucket</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span> <span class="n">new_fqdns</span> <span class="o">=</span> <span class="nf">expand_fqdns</span><span class="p">(</span><span class="n">host_map</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">New expanded FQDNs: %d entries</span><span class="sh">"</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">new_fqdns</span><span class="p">))</span> <span class="c1"># 3. Read existing dynamic Suricata rule-group </span> <span class="c1"># ----------------------------------------------- </span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">describe_rule_group</span><span class="sh">"</span> <span class="n">describe</span> <span class="o">=</span> <span class="n">nfw</span><span class="p">.</span><span class="nf">describe_rule_group</span><span class="p">(</span> <span class="n">RuleGroupArn</span><span class="o">=</span><span class="n">DYNAMIC_SURICATA_RG_ARN</span><span class="p">,</span> <span class="n">Type</span><span class="o">=</span><span class="sh">"</span><span class="s">STATEFUL</span><span class="sh">"</span> <span class="p">)</span> <span class="n">existing_desc</span> <span class="o">=</span> <span class="n">describe</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">RuleGroupResponse</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Description</span><span class="sh">"</span><span class="p">)</span> <span class="n">rule_group_def</span> <span class="o">=</span> <span class="n">describe</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">RuleGroup</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="n">update_token</span> <span class="o">=</span> <span class="n">describe</span><span class="p">[</span><span class="sh">"</span><span class="s">UpdateToken</span><span class="sh">"</span><span class="p">]</span> <span class="n">update_args</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">RuleGroupArn</span><span class="sh">"</span><span class="p">:</span> <span class="n">DYNAMIC_SURICATA_RG_ARN</span><span class="p">,</span> <span class="sh">"</span><span class="s">Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">STATEFUL</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">UpdateToken</span><span class="sh">"</span><span class="p">:</span> <span class="n">update_token</span><span class="p">,</span> <span class="sh">"</span><span class="s">RuleGroup</span><span class="sh">"</span><span class="p">:</span> <span class="n">rule_group_def</span><span class="p">,</span> <span class="p">}</span> <span class="c1"># Only include Description if AWS returned a valid string </span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">existing_desc</span><span class="p">,</span> <span class="nb">str</span><span class="p">)</span> <span class="ow">and</span> <span class="n">existing_desc</span><span class="p">.</span><span class="nf">strip</span><span class="p">():</span> <span class="n">update_args</span><span class="p">[</span><span class="sh">"</span><span class="s">Description</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">existing_desc</span> <span class="n">existing_rules_str</span> <span class="o">=</span> <span class="p">(</span> <span class="n">rule_group_def</span> <span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">RulesSource</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">RulesString</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="p">)</span> <span class="n">old_fqdns</span> <span class="o">=</span> <span class="nf">extract_fqdns_from_rules</span><span class="p">(</span><span class="n">existing_rules_str</span><span class="p">)</span> <span class="c1"># 4. The Diff </span> <span class="c1"># ----------------------------------------------- </span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">diff</span><span class="sh">"</span> <span class="n">new_set</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">new_fqdns</span><span class="p">)</span> <span class="n">added</span> <span class="o">=</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">new_set</span> <span class="o">-</span> <span class="n">old_fqdns</span><span class="p">)</span> <span class="n">removed</span> <span class="o">=</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">old_fqdns</span> <span class="o">-</span> <span class="n">new_set</span><span class="p">)</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">added</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">added</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">removed</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">removed</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">added</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">removed</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">No changes detected. RuleGroup remains unchanged.</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">no_change</span><span class="sh">"</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">No change in tenant rules</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">changed</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">fqdn_count</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">new_fqdns</span><span class="p">),</span> <span class="p">}),</span> <span class="p">}</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Changes detected: +%d, -%d</span><span class="sh">"</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">added</span><span class="p">),</span> <span class="nf">len</span><span class="p">(</span><span class="n">removed</span><span class="p">))</span> <span class="c1"># 5. Build new Suricata rules (stable hash SIDs) </span> <span class="c1"># ----------------------------------------------- </span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">build_suricata_rules</span><span class="sh">"</span> <span class="n">new_rules_str</span> <span class="o">=</span> <span class="nf">build_suricata_rules</span><span class="p">(</span><span class="n">new_fqdns</span><span class="p">)</span> <span class="c1"># 6. Insert updated rules back into RuleGroup dict </span> <span class="c1"># ----------------------------------------------- </span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">prepare_update</span><span class="sh">"</span> <span class="k">if</span> <span class="sh">"</span><span class="s">RulesSource</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">rule_group_def</span><span class="p">:</span> <span class="n">rule_group_def</span><span class="p">[</span><span class="sh">"</span><span class="s">RulesSource</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">rule_group_def</span><span class="p">[</span><span class="sh">"</span><span class="s">RulesSource</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">RulesString</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">new_rules_str</span> <span class="c1"># 7. Update rule group in Network Firewall </span> <span class="c1"># ----------------------------------------------- </span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">update_rule_group</span><span class="sh">"</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">nfw</span><span class="p">.</span><span class="nf">update_rule_group</span><span class="p">(</span><span class="o">**</span><span class="n">update_args</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">UpdateRuleGroup response: %s</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">resp</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="nb">str</span><span class="p">))</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">completed</span><span class="sh">"</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Dynamic Suricata tenant allowlist updated</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">added</span><span class="sh">"</span><span class="p">:</span> <span class="n">added</span><span class="p">,</span> <span class="sh">"</span><span class="s">removed</span><span class="sh">"</span><span class="p">:</span> <span class="n">removed</span><span class="p">,</span> <span class="sh">"</span><span class="s">fqdn_count</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">new_fqdns</span><span class="p">),</span> <span class="sh">"</span><span class="s">changed</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="p">}),</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Lambda FAILED: %s</span><span class="sh">"</span><span class="p">,</span> <span class="n">e</span><span class="p">,</span> <span class="n">exc_info</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">failure</span><span class="sh">"</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">raise</span> <span class="k">finally</span><span class="p">:</span> <span class="c1"># 8. Teams notification (if enabled) </span> <span class="c1"># ----------------------------------------------- </span> <span class="k">if</span> <span class="n">NOTIFY_TEAMS</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">env_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">ENV_NAME</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">svc</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">SERVICE_NAME</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tenant-fw-updater</span><span class="sh">"</span><span class="p">)</span> <span class="nf">send_teams_update</span><span class="p">(</span> <span class="n">stage</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">],</span> <span class="n">status</span><span class="o">=</span><span class="p">(</span><span class="sh">"</span><span class="s">success</span><span class="sh">"</span> <span class="k">if</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span> <span class="k">else</span> <span class="sh">"</span><span class="s">failure</span><span class="sh">"</span><span class="p">),</span> <span class="n">added</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">added</span><span class="sh">"</span><span class="p">],</span> <span class="n">removed</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">removed</span><span class="sh">"</span><span class="p">],</span> <span class="n">env</span><span class="o">=</span><span class="n">env_name</span><span class="p">,</span> <span class="n">service_name</span><span class="o">=</span><span class="n">svc</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">te</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Teams notification failed: %s</span><span class="sh">"</span><span class="p">,</span> <span class="n">te</span><span class="p">)</span> </code></pre> </div> <h3> Helper Functions </h3> <p>For completeness, the following helper functions support the Lambda handler shown above. Python is not among my strongest skill-sets but worked for me handling domain normalization, deterministic rule generation, and extraction of existing state from the firewall rule group.</p> <ul> <li>Treating S3 as the canonical desired-state source</li> <li>Generating stable Suricata rule identifiers to avoid churn</li> <li>Rebuilding rules deterministically from intent, rather than mutating in place </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">load_domain_map</span><span class="p">(</span><span class="n">bucket</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">]]:</span> <span class="sh">"""</span><span class="s">Load JSON mapping of base_domain → list of tenant names.</span><span class="sh">"""</span> <span class="n">obj</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nf">get_object</span><span class="p">(</span><span class="n">Bucket</span><span class="o">=</span><span class="n">bucket</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="n">text</span> <span class="o">=</span> <span class="n">obj</span><span class="p">[</span><span class="sh">"</span><span class="s">Body</span><span class="sh">"</span><span class="p">].</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="nb">dict</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">JSON must be a dict of { base_domain: [tenants...] }</span><span class="sh">"</span><span class="p">)</span> <span class="n">out</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">base</span><span class="p">,</span> <span class="n">tenants</span> <span class="ow">in</span> <span class="n">data</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">tenants</span><span class="p">,</span> <span class="nb">list</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Value for </span><span class="sh">'</span><span class="si">{</span><span class="n">base</span><span class="si">}</span><span class="sh">'</span><span class="s"> must be a list</span><span class="sh">"</span><span class="p">)</span> <span class="n">cleaned</span> <span class="o">=</span> <span class="p">[</span><span class="n">t</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">lower</span><span class="p">()</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">tenants</span> <span class="k">if</span> <span class="nf">str</span><span class="p">(</span><span class="n">t</span><span class="p">).</span><span class="nf">strip</span><span class="p">()]</span> <span class="k">if</span> <span class="n">cleaned</span><span class="p">:</span> <span class="n">out</span><span class="p">[</span><span class="n">base</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">lower</span><span class="p">()]</span> <span class="o">=</span> <span class="n">cleaned</span> <span class="k">return</span> <span class="n">out</span> <span class="c1"># </span><span class="k">def</span> <span class="nf">expand_fqdns</span><span class="p">(</span><span class="n">mapping</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">]])</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Expand tenant + base domain to FQDNs.</span><span class="sh">"""</span> <span class="n">fqdns</span> <span class="o">=</span> <span class="nf">set</span><span class="p">()</span> <span class="k">for</span> <span class="n">base</span><span class="p">,</span> <span class="n">tenants</span> <span class="ow">in</span> <span class="n">mapping</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">tenants</span><span class="p">:</span> <span class="n">fqdn</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">t</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">base</span><span class="si">}</span><span class="sh">"</span> <span class="n">fqdns</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">fqdn</span><span class="p">)</span> <span class="k">return</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">fqdns</span><span class="p">)</span> <span class="c1"># </span><span class="k">def</span> <span class="nf">sid_for_fqdn</span><span class="p">(</span><span class="n">fqdn</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Stable hash-based SID.</span><span class="sh">"""</span> <span class="n">base</span> <span class="o">=</span> <span class="mi">30_000_000</span> <span class="n">h</span> <span class="o">=</span> <span class="n">zlib</span><span class="p">.</span><span class="nf">crc32</span><span class="p">(</span><span class="n">fqdn</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">))</span> <span class="o">&amp;</span> <span class="mh">0xFFFFFFFF</span> <span class="k">return</span> <span class="n">base</span> <span class="o">+</span> <span class="p">(</span><span class="n">h</span> <span class="o">%</span> <span class="mi">9_999_999</span><span class="p">)</span> <span class="c1"># </span><span class="k">def</span> <span class="nf">build_suricata_rules</span><span class="p">(</span><span class="n">fqdns</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generate Suricata rules for each FQDN.</span><span class="sh">"""</span> <span class="n">rules</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">fqdn</span> <span class="ow">in</span> <span class="n">fqdns</span><span class="p">:</span> <span class="n">sid</span> <span class="o">=</span> <span class="nf">sid_for_fqdn</span><span class="p">(</span><span class="n">fqdn</span><span class="p">)</span> <span class="n">rule</span> <span class="o">=</span> <span class="p">(</span> <span class="sh">'</span><span class="s">pass tls $EXTERNAL_NET any -&gt; $HOME_NET any (</span><span class="sh">'</span> <span class="sa">f</span><span class="sh">'</span><span class="s">tls.sni; content:</span><span class="sh">"</span><span class="si">{</span><span class="n">fqdn</span><span class="si">}</span><span class="sh">"</span><span class="s">; </span><span class="sh">'</span> <span class="sh">'</span><span class="s">ssl_state:client_hello; </span><span class="sh">'</span> <span class="sh">'</span><span class="s">msg:</span><span class="sh">"</span><span class="s">Dynamic tenant allowed host</span><span class="sh">"</span><span class="s">; </span><span class="sh">'</span> <span class="sh">'</span><span class="s">flow:to_server, established; </span><span class="sh">'</span> <span class="sh">'</span><span class="s">nocase; </span><span class="sh">'</span> <span class="sa">f</span><span class="sh">"</span><span class="s">sid:</span><span class="si">{</span><span class="n">sid</span><span class="si">}</span><span class="s">; rev:1;)</span><span class="sh">"</span> <span class="p">)</span> <span class="n">rules</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">rule</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">rules</span><span class="p">)</span> <span class="o">+</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span> <span class="n">CONTENT_RE</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">content:</span><span class="sh">"</span><span class="s">([^</span><span class="sh">"</span><span class="s">]+)</span><span class="sh">"'</span><span class="p">)</span> <span class="c1"># </span><span class="k">def</span> <span class="nf">extract_fqdns_from_rules</span><span class="p">(</span><span class="n">rules</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Set</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Extract FQDNs from Suricata RulesString.</span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">rules</span><span class="p">:</span> <span class="k">return</span> <span class="nf">set</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="n">m</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="k">for</span> <span class="n">m</span> <span class="ow">in</span> <span class="n">CONTENT_RE</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="n">rules</span><span class="p">)}</span> </code></pre> </div> <h2>  At the Day's End <a></a> </h2> <p>That's all for now, folks!</p> <p>With the automated pipeline in place and cross-account EventBridge wiring established, I managed to turn our Network Firewall into a dynamic enforcement layer that responds safely to tenant-driven change. By delegating high-frequency updates to an event-driven Lambda workflow, we eliminated manual intervention and avoid the Terraform state drift that typically accompanies mutable firewall rules. As a result, now it <strong>takes only few secods to update the firewall</strong> (+ the time NFW takes to reload), compare to <strong>around 40 minitus</strong> with old HAProxy based system. </p> <p>Let me know in the commanet section below, if anyone interested in the observability features (Microsoft Teams notification) that I implemented, failure handling or the long-term maintainability option of dynamic Suricata rule sets - I can make the final part of this series, focusing on those.</p> <blockquote> <p><em>While I tried my best to ensure the accuracy of the code snippets provided; feel free to reach out in the comments below or via <a href="https://www.linkedin.com/in/santanu-das-32a80a40/" rel="noopener noreferrer">LinkedIn</a> if you spot any discrepancies or have questions regarding the implementation</em>.</p> </blockquote> aws terraform lambda devops Santanu Das Thu, 22 Jan 2026 14:37:35 +0000 https://forem.com/santanu_das/automating-externally-managed-stateful-rule-groups-in-aws-network-firewall-using-terraform-54b4 https://forem.com/santanu_das/automating-externally-managed-stateful-rule-groups-in-aws-network-firewall-using-terraform-54b4 <p><strong>TL;DR:</strong><br> Managing AWS Network Firewall via Terraform often leads to a <em>tug-of-war</em> when external automation (like a Lambda) needs to update dynamic rules (e.g., FQDNs for ephemeral tenants).</p> <p>In this post, I'll share an architecture that solves this by:</p> <ul> <li> <strong>Decoupling Ownership:</strong> Splitting rule groups into "Self-Managed" (Terraform-owned) and "Custom-Managed" (Automation-owned).</li> <li> <strong>Preventing State Drift:</strong> Using the lifecycle <code>{ ignore_changes = [...] }</code> block on custom resources so Terraform ignores updates made by external APIs.</li> <li> <strong>Enforcing Order:</strong> Implementing a <code>stateful_rule_group_order</code> list in the parent module to ensure a deterministic evaluation of Suricata, Domain Lists, and AWS-managed rules.</li> <li> <strong>Scaling Gracefully:</strong> Using a <em>placeholder</em> strategy to initialize high-capacity rule groups that are ready for high-frequency updates without ever re-running a pipeline.</li> </ul> <h2> Table Of Contents </h2> <ul> <li>The Background</li> <li>Architectural Requirements</li> <li>Core Challenges</li> <li>Engineering Overview</li> <li>Rules of Engagement</li> <li>Parent Module</li> <li>Child Module</li> <li>Rule Group Order</li> <li>Lessons Learned</li> <li>Part-2 Roadmap</li> </ul> <p>Since migrating our edge security stack from a combination of <strong>F5</strong>, <strong>HAProxy</strong>, and standalone <strong>Suricata</strong> to AWS Network Firewall (NFW), the relationship has been a bit sweet-and-sour.</p> <p>Having relied on Suricata for years, was excited to see that NFW supports Suricata-compatible IPS rules natively and based on that, our migration goals were very clear:</p> <ul> <li> <strong>Retain Suricata Semantics:</strong> Full support for TLS SNI filtering, IDS/IPS signatures, and custom rulesets.</li> <li> <strong>Preserve our Hostname Model:</strong> Maintain our existing user-defined hostname filtering logic without regression.</li> <li> <strong>Pure GitOps:</strong> The entire stack must be Infrastructure-as-Code (IaC) via Terraform and Terragrunt.</li> <li> <strong>Zero Manual Intervention:</strong> Eliminate "humans editing allow-lists" at all costs to ensure security and consistency.</li> </ul> <p>However, the path to a fully automated, stateful firewall wasn't as linear as the documentation suggested. This article breaks down the architectural hurdles we encountered, the technical trade-offs we faced, and the specific automation patterns I used to reach the summit.</p> <h2> Background Overview <a></a> </h2> <p>We operate a high-scale, multi-tenant SaaS platform. In our environment, customers can dynamically provision their own subdomains through a self-service user portal. The result is a constantly evolving list of hostnames, such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">${</span><span class="nv">TENANT_1</span><span class="k">}</span>.examples.site <span class="k">${</span><span class="nv">TENANT_2</span><span class="k">}</span>.examples.site ... </code></pre> </div> <p>The backend application processes these tenant registrations and exposes them to the public internet as fully-fledged websites. The traffic flow follows a standard high-availability pattern: <strong>Internet → Network Load Balancer (NLB) → AWS Network Firewall (NFW)</strong>.</p> <h2> Architectural Requirements <a></a> </h2> <p>To support this model at scale, our firewall layer had to meet five set criteria:</p> <ol> <li> <strong>L3/L4 Resilience:</strong> Robust protection against volumetric DDoS attacks.</li> <li> <strong>Suricata-grade IDS/IPS:</strong> Deep packet inspection using industry-standard Suricata signatures.</li> <li> <strong>Tenant-Specific Filtering:</strong> Granular hostname filtering to ensure traffic isolation and security.</li> <li> <strong>Zero-Touch Onboarding:</strong> A fully automated pipeline where a new tenant registration triggers a firewall update without manual intervention.</li> <li> <strong>In-line Propagation:</strong> Real-time availability for new sites to ensure a seamless user experience.</li> </ol> <p>Beyond these dynamic, user-generated endpoints, the firewall must also manage a collection of static internal endpoints. These are traditional infrastructure dependencies that require a stable, code-defined <em>allow-list</em> within our primary firewall policy.</p> <h2> The Core Challenges: Dynamic Ingress at Scale <a></a> </h2> <p>In our SaaS environment, hostnames are ephemeral — they are created (and removed) constantly. This means the ingress rule-set must be agile enough to reflect these changes in near real-time.</p> <p>The hurdle here is one of context: <strong>The Infrastructure/Networking layer has no inherent knowledge of which hosts are being added or removed</strong>; that metadata lives exclusively within the Application layer. To bridge this gap, we needed a <em>delivery mechanism</em> that could update our Access Control Lists (ACLs) the moment a change occurred in the database.</p> <h3> The War: Declarative Tooling in Ephemeral Environments </h3> <p>Initially, the challenge was more engineering-focused than architectural. As Terraform is <em>declarative</em>, my first instinct was to trigger a CI/CD pipeline to run <code>terraform apply</code> every time a new <em>hostname</em> was added. This would rebuild the entire ruleset with the new entries.</p> <p>However, I quickly realized this approach was unsustainable:</p> <ul> <li> <strong>Latency:</strong> Running a full Terraform plan/apply cycle for every single tenant change was painfully slow.</li> <li> <strong>Fragility:</strong> Frequent, automated applies increased the risk of state locks and race conditions, making the process highly error-prone</li> </ul> <h3>  And Peace: A Hybrid Ownership Model </h3> <p>To solve this, I moved toward a partitioned management strategy:</p> <ul> <li> <strong>Static Governance:</strong> Traditional Suricata rules (system-wide signatures and internal endpoints) remain strictly managed within Terraform.</li> <li> <strong>External Agility:</strong> Dynamic tenant rules are offloaded to a separate, externally-managed stateful rule group.</li> <li> <strong>Clean State:</strong> Safely automate that dynamic group via a Lambda or API call without Terraform ever knowing (or caring) that the rule content has changed.</li> <li> <strong>Enforced Logic:</strong> The evaluation order of all groups — both static and dynamic — is centrally controlled via the Firewall Policy to ensure consistent security.</li> </ul> <h2> Engineering Overview <a></a> </h2> <p>This workflow is based on a hybrid architecture that balances static infrastructure with dynamic security updates. The primary goal is to maintain a <em>clean</em> Terraform state while allowing external automation to handle high-frequency rule changes.</p> <p>The diagram below is a conceptual view of the end-to-end process:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcbt0hxl8ipq9gal1bk23.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcbt0hxl8ipq9gal1bk23.png" alt="Architectural diagram" width="800" height="436"></a></p> <h3> Key Architectural Concepts </h3> <ul> <li><p><strong>Hybrid Ownership:</strong> As shown in the Management Plane, the module orchestrates four logical <em>families</em> of stateful rule groups. This allows for a mix of static, code-defined groups and the dynamic, externally-managed groups targeted by the Lambda Function.</p></li> <li><p><strong>Deterministic Evaluation:</strong> By enforcing <code>STRICT_ORDER</code> within the stateful_engine_options, we ensure that rules are evaluated in a specific sequence rather than the default <em>Action Order</em>.</p></li> <li><p><strong>Managed Safety Net:</strong> AWS-managed rule groups (e.g., threat signatures and botnet filters) are appended to the end of the evaluation chain, acting as a global security layer for traffic that passes our custom filters.</p></li> <li><p><strong>State Decoupling:</strong> To prevent <em>tug-of-war</em> deployments, Terraform initializes the dynamic groups but explicitly ignores subsequent rule changes, handing off control to external processes.</p></li> </ul> <h3> Policy Structure &amp; Rule Families </h3> <p>The child module (<em>tf-module-nfw</em>) is responsible for building a prioritized <code>stateful_rule_group_order</code>. It categorizes rules into four distinct logical families, with the Evaluation Priority as listed below:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Family</th> <th>Source</th> <th>Ownership</th> </tr> </thead> <tbody> <tr> <td><code>self_managed_domainlist</code></td> <td>FQDN Filter</td> <td> <strong>Terraform</strong>: Managed via code</td> </tr> <tr> <td><code>self_managed_suricata</code></td> <td>Suricata IPS</td> <td> <strong>Terraform</strong>: Managed via code</td> </tr> <tr> <td><code>extl_managed_suricata</code></td> <td>Suricata IPS</td> <td> <strong>External</strong>: Initialized by TF; updated by Lambda</td> </tr> <tr> <td><code>extl_managed_domainlist</code></td> <td>FQDN Filter</td> <td> <strong>External</strong>: Feed-driven updates</td> </tr> <tr> <td><code>aws_managed_groups</code></td> <td>Threat Intel</td> <td> <strong>AWS</strong>: Automatically updated by AWS</td> </tr> </tbody> </table></div> <p>This module concludes by constructing a flattened, ordered list of ARNs for the Firewall Policies, ensuring that the rules are applied in the exact sequence required by our security policy.</p> <h3> The <em>Conflict</em> Resolution </h3> <p>To prevent Terraform from overwriting updates made by external automation, I used a specific lifecycle strategy (as described below):</p> <ol> <li> <strong>Initialize:</strong> Terraform creates the rule group shell.</li> <li> <strong>Handoff:</strong> A dedicated Lambda (detailed in <a href="https://dev.to/santanu_das/automating-externally-managed-stateful-rule-groups-in-aws-network-firewall-using-terraform-54b4">Part 2</a>) updates the rules.</li> <li> <strong>Ignore:</strong> Terraform is configured to ignore changes to the rules_source, ensuring our <code>${variable}</code> definitions in external-system remain stable.</li> </ol> <h2> The Rules of Engagement <a></a> </h2> <p>To ensure a resilient and scalable architecture, the module follows these five non-negotiable principles:</p> <p><strong>1️⃣ Terraform as the Immutable Source of Truth</strong><br> The static Suricata rulesets originate within the configuration layer (Terragrunt), are rendered via Terraform, and persisted in S3 before deployment to the Network Firewall. To maintain architectural integrity, these core groups are treated as immutable; no external automation or manual intervention is permitted to modify them, ensuring a strictly code-defined security perimeter.</p> <p><strong>2️⃣ External Management for Dynamic Tenant Rules</strong><br> Since tenant FQDNs are ephemeral, re-running a full Terragrunt pipeline for every hostname change is unacceptable. The dynamic rule groups must be designed for external updates (e.g., via Lambda) without triggering a conflict with the Terraform state.</p> <p><strong>3️⃣ Unified Ordering Mechanism</strong><br> Firewall policy includes a diverse mix of rule types:</p> <ul> <li>Static Suricata (Standard signatures)</li> <li>Dynamic Suricata (Tenant-specific)</li> <li>Domain List Groups (FQDN filtering)</li> <li>AWS-Managed Groups (Global threat intel)</li> </ul> <p>Regardless of the source, I required a single, centralized configuration to manage the evaluation order across all groups.</p> <p><strong>4️⃣ Strict Ordering and Explicit Ownership</strong><br> For auditability and debugging, I enforced a clear Separation of Concerns:</p> <ul> <li> <strong><code>rule_order = "STRICT_ORDER"</code>:</strong> Enforced for all stateful Suricata groups to ensure predictable packet flow.</li> <li> <strong>Explicit Ownership:</strong> Every rule group is tagged as either <em>Terraform-owned</em> or <em>Automation-owned</em>, preventing overlapping authority.</li> </ul> <p><strong>5️⃣ Elimination of State Drift <em>Tug-of-War</em></strong><br> The most critical requirement is preventing Terraform from attempting to <em>revert</em> updates made by external automation. The module must be configured to explicitly ignore attributes that the Lambda is authorized to change, ensuring that terraform plan remains clean even after high-frequency rule updates.</p> <p>While the architectural blueprint involves both IaC and external automation, the following implementation details focus exclusively on the <strong>Terraform orchestration</strong> logic.</p> <h2> The Parent Module: Orchestrating Rule Groups <a></a> </h2> <p>The architectural <em>blueprint</em> is defined at the parent level. This is where I declared which rule families to include and precisely how I wanted them to be prioritized during packet inspection.</p> <h3> 1️⃣ Defining the Evaluation Hierarchy: </h3> <p>The global <em>ordering policy</em> is injected as a simple list. This dictated the sequence in which the AWS Network Firewall engine processed traffic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">## Rule evaluation order for stateful rule groups</span> <span class="nx">stateful_rule_group_order</span> <span class="err">=</span> <span class="p">[</span> <span class="s2">"self_managed_domainlist"</span><span class="p">,</span> <span class="s2">"self_managed_suricata"</span><span class="p">,</span> <span class="s2">"extl_managed_suricata"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p>The resulting evaluation logic is deterministic:</p> <ol> <li> <u>Priority 1</u>: Any <code>self_managed_domainlist</code> groups are placed at the top of the stack.</li> <li> <u>Priority 2</u>: All <code>self_managed_suricata</code> groups follow.</li> <li> <u>Priority 3</u>: <code>extl_managed_suricata</code> groups are inserted next.</li> <li> <u>Baseline</u>: Finally automatically appends <em>AWS-managed</em> groups to the end of the chain as a final safety layer.</li> </ol> <p>By decoupling the evaluation order from the child module, the ability is achieved to adjust the security posture per environment (e.g., Dev vs. Prod) without modifying the underlying infrastructure code.</p> <h3> 2️⃣ Static Rule Generator </h3> <p>Since static rules are predictable and fixed in nature, the module utilizes a Terraform template to generate the rule-set dynamically. This ensures that adding new AllowListed FQDNs is a matter of updating a configuration list rather than manually writing Suricata syntax.</p> <p><strong>The Rule Template</strong><br> The following <code>.tftpl</code> file serves as the foundation. It combines global security alerts with a dynamic loop to generate pass rules for specific domains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">## Global rules</span> <span class="nx">alert</span> <span class="nx">tcp</span> <span class="nx">any</span> <span class="nx">any</span> <span class="nx">-</span><span class="err">&gt;</span> <span class="nx">any</span> <span class="p">[</span><span class="mi">443</span><span class="p">,</span><span class="mi">465</span><span class="p">]</span> <span class="err">(</span><span class="nx">msg</span><span class="err">:</span><span class="s2">"Detected non-TLS on TLS port"</span><span class="err">;</span> <span class="nx">flow</span><span class="err">:</span><span class="nx">to_server</span><span class="err">;</span> <span class="nx">app-layer-protocol</span><span class="err">:!</span><span class="nx">tls</span><span class="err">;</span> <span class="nx">threshold</span><span class="err">:</span> <span class="nx">type</span> <span class="nx">limit</span><span class="err">,</span> <span class="nx">track</span> <span class="nx">by_src</span><span class="err">,</span> <span class="nx">seconds</span> <span class="mi">90</span><span class="err">,</span> <span class="nx">count</span> <span class="mi">1</span><span class="err">;</span> <span class="nx">sid</span><span class="err">:</span><span class="mi">10000001</span><span class="err">;</span> <span class="nx">rev</span><span class="err">:</span><span class="mi">1</span><span class="err">;)</span> <span class="nx">alert</span> <span class="nx">tcp</span> <span class="nx">any</span> <span class="nx">any</span> <span class="nx">-</span><span class="err">&gt;</span> <span class="nx">any</span> <span class="nx">any</span> <span class="err">(</span><span class="nx">msg</span><span class="err">:</span><span class="s2">"ALERT TCP Alert testing"</span><span class="err">;</span> <span class="nx">flow</span><span class="err">:</span><span class="nx">to_server</span><span class="err">;</span> <span class="nx">sid</span><span class="err">:</span><span class="mi">10000002</span><span class="err">;</span> <span class="nx">rev</span><span class="err">:</span><span class="mi">1</span><span class="err">;)</span> <span class="nx">alert</span> <span class="nx">http</span> <span class="nx">any</span> <span class="nx">any</span> <span class="nx">-</span><span class="err">&gt;</span> <span class="nx">any</span> <span class="nx">any</span> <span class="err">(</span><span class="nx">msg</span><span class="err">:</span><span class="s2">"ALERT HTTP Alert testing"</span><span class="err">;</span> <span class="nx">flow</span><span class="err">:</span><span class="nx">to_server</span><span class="err">;</span> <span class="nx">sid</span><span class="err">:</span><span class="mi">10000003</span><span class="err">;</span> <span class="nx">rev</span><span class="err">:</span><span class="mi">1</span><span class="err">;)</span> <span class="nx">alert</span> <span class="nx">tls</span> <span class="nx">any</span> <span class="nx">any</span> <span class="nx">-</span><span class="err">&gt;</span> <span class="nx">any</span> <span class="nx">any</span> <span class="err">(</span><span class="nx">msg</span><span class="err">:</span><span class="s2">"ALERT TLS Alert testing"</span><span class="err">;</span> <span class="nx">flow</span><span class="err">:</span><span class="nx">to_server</span><span class="err">;</span> <span class="nx">sid</span><span class="err">:</span><span class="mi">10000004</span><span class="err">;</span> <span class="nx">rev</span><span class="err">:</span><span class="mi">1</span><span class="err">;)</span> <span class="c1">## AllowListed FQDNs</span> <span class="err">%</span><span class="p">{</span><span class="err">~</span> <span class="nx">for</span> <span class="nx">K1</span><span class="p">,</span> <span class="nx">V1</span> <span class="nx">in</span> <span class="nx">rule_sets</span> <span class="p">}</span> <span class="nx">pass</span> <span class="nx">tls</span> <span class="nx">$EXTERNAL_NET</span> <span class="nx">any</span> <span class="nx">-</span><span class="err">&gt;</span> <span class="nx">$HOME_NET</span> <span class="nx">any</span> <span class="err">(</span><span class="nx">tls</span><span class="err">.</span><span class="nx">sni</span><span class="err">;</span> <span class="nx">content</span><span class="err">:</span><span class="s2">"${V1.fqdn}"</span><span class="err">;</span> <span class="nx">ssl_state</span><span class="err">:</span><span class="nx">client_hello</span><span class="err">;</span> <span class="nx">msg</span><span class="err">:</span><span class="s2">"matching HTTPS allowListed FQDN"</span><span class="err">;</span> <span class="nx">flow</span><span class="err">:</span><span class="nx">to_server</span><span class="err">,</span> <span class="nx">established</span><span class="err">;</span> <span class="nx">nocase</span><span class="err">;</span> <span class="nx">sid</span><span class="err">:</span><span class="nx">$</span><span class="p">{</span><span class="nx">V1</span><span class="p">.</span><span class="nx">indx</span><span class="p">}</span><span class="err">;</span> <span class="nx">rev</span><span class="err">:</span><span class="mi">1</span><span class="err">;)</span> <span class="err">%</span><span class="p">{</span><span class="err">~</span> <span class="nx">endfor</span> <span class="p">}</span> </code></pre> </div> <p><strong>The Input Data</strong><br> It's a human-readable map of domains and their subdomains, presented in this form:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="err">&gt;</span> <span class="nx">local</span><span class="err">.</span><span class="nx">nfw_suricata_pass_hosts</span> <span class="p">{</span> <span class="s2">"iba.mysite.com"</span> <span class="p">=</span> <span class="nx">tolist</span><span class="p">([</span> <span class="s2">"api"</span><span class="p">,</span> <span class="s2">"app"</span><span class="p">,</span> <span class="p">])</span> <span class="s2">"iba.examples.site"</span> <span class="p">=</span> <span class="nx">tolist</span><span class="p">([</span> <span class="s2">"sports"</span><span class="p">,</span> <span class="s2">"news"</span><span class="p">,</span> <span class="p">])</span> <span class="p">....</span> <span class="p">}</span> </code></pre> </div> <p><strong>Data Transformation</strong><br> To feed the template, a local block transforms this map into a structured object. This step is critical because it generates a unique, deterministic sid (Security ID) for every entry—a requirement for Suricata rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="p">....</span> <span class="nx">nfw_suricata_pass_rules</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">K1</span><span class="p">,</span> <span class="nx">V1</span> <span class="nx">in</span> <span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">nfw_suricata_pass_hosts</span><span class="p">)</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">K2</span><span class="p">,</span> <span class="nx">V2</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">nfw_sctpass_hosts</span><span class="p">[</span><span class="nx">V1</span><span class="p">]</span> <span class="err">:</span> <span class="s2">"${K1}-${K2}-${V2}"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">indx</span> <span class="p">=</span> <span class="nx">tonumber</span><span class="p">(</span><span class="s2">"11${K1}9989"</span><span class="p">)</span> <span class="err">+</span> <span class="mi">11</span> <span class="err">+</span> <span class="p">(</span><span class="nx">K2</span> <span class="err">+</span> <span class="mi">1</span><span class="p">),</span> <span class="nx">fqdn</span> <span class="p">=</span> <span class="s2">"${V2}.${V1}"</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]...)</span> <span class="p">}</span> </code></pre> </div> <p>The resulting state now looks like this, and ready for the template engine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="err">&gt;</span> <span class="nx">local</span><span class="err">.</span><span class="nx">nfw_suricata_pass_rules</span> <span class="p">{</span> <span class="s2">"0-0-api"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"fqdn"</span> <span class="p">=</span> <span class="s2">"api.iba.mysite.com"</span> <span class="s2">"indx"</span> <span class="p">=</span> <span class="mi">1110001</span> <span class="p">}</span> <span class="s2">"0-1-app"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"fqdn"</span> <span class="p">=</span> <span class="s2">"app.iba.mysite.com"</span> <span class="s2">"indx"</span> <span class="p">=</span> <span class="mi">1110002</span> <span class="p">}</span> <span class="s2">"1-0-sports"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"fqdn"</span> <span class="p">=</span> <span class="s2">"sports.iba.examples.site"</span> <span class="s2">"indx"</span> <span class="p">=</span> <span class="mi">1120001</span> <span class="p">}</span> <span class="p">....</span> <span class="p">}</span> </code></pre> </div> <p><strong>S3 as the Source of Truth</strong><br> <strong>Persistence &amp; the Source of Truth</strong><br> The final ruleset is rendered into a local variable using the templatefile function. This step acts as the compilation phase, merging the dynamic host data with the static Suricata templates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span><span class="p">{</span> <span class="nx">nfw_rules_sets</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span> <span class="s2">"${path.module}/templates/suricata_ingress_rules.tftpl"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">rule_sets</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">nfw_suricata_pass_rules</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Once rendered, the ruleset is persisted to an S3 bucket. This serves as the <strong>definitive source of truth</strong> for the firewall, providing an immutable version history and enabling offline auditing or forensic review:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">// Save rule sets in S3 as source-of-truth</span> <span class="nx">resource</span> <span class="s2">"aws_s3_object"</span> <span class="s2">"aso_sct_ingress"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">nfw_svc_enabled</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">([</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">])</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">nfw_bucket</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">].</span><span class="nx">name</span> <span class="nx">content_base64</span> <span class="p">=</span> <span class="nx">base64encode</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">nfw_rules_sets</span><span class="p">)</span> <span class="nx">content_type</span> <span class="p">=</span> <span class="s2">"text/plain"</span> <span class="nx">content_encoding</span> <span class="p">=</span> <span class="s2">"utf-8"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"suricata_ingress.rules"</span> <span class="nx">kms_key_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">remote_accs_data</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">eks_owner_acc</span><span class="p">].</span><span class="nx">nfw_bucket_key_arn</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eksapp</span> <span class="p">}</span> </code></pre> </div> <h3> 3️⃣ Defining Suricata Rule Groups: </h3> <p>A single list is used to define both the static and dynamic Suricata groups. To distinguish between them, I introduced a <code>self_managed</code> boolean flag, which is the primary pivot for how the child module handled the lifecycle of each group.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">## Suricata Firewall Rule Groups</span> <span class="nx">suricata_stateful_rule_group</span> <span class="err">=</span> <span class="p">[</span> <span class="c1"># 1) Static Suricata rule group (Terraform-owned)</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">format</span><span class="p">(</span><span class="s2">"${var.service_nfw.id}-suricata-%s-sf"</span><span class="p">,</span> <span class="nx">substr</span><span class="p">(</span><span class="nx">sha256</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">nfw_rules_sets</span><span class="p">),</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">7</span><span class="p">))</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Stateful Suricata rule-sets to allow static-hosts"</span> <span class="nx">rules_content</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span> <span class="nx">aws_s3_object</span><span class="p">.</span><span class="nx">aso_sct_ingress</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">].</span><span class="nx">content_base64</span> <span class="p">)</span> <span class="nx">rule_variables</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">nfw_rule_variables</span> <span class="nx">self_managed</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">},</span> <span class="c1"># 2) Dynamic Suricata rule group (externally-managed)</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.service_nfw.id}-suricata-dynamic-sf"</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="mi">8000</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Stateful Suricata rule-sets for tenant-hosts"</span> <span class="nx">rules_file</span> <span class="p">=</span> <span class="s2">"${path.module}/templates/suricata_dynamic_placeholder"</span> <span class="nx">rule_variables</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">nfw_rule_variables</span> <span class="nx">self_managed</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">]</span> </code></pre> </div> <p><strong>Key Implementation Details:</strong></p> <ul> <li><p><strong>The Static Group (<code>self_managed = true</code>):</strong> This configuration utilizes a multi-stage pipeline where Terraform first renders the Suricata ruleset from a template and persists the output to S3. By pulling the <em>rules_content</em> directly from the S3 object, the firewall remains pinned to a versioned, verifiable source of truth. A sha256 hash is incorporated into the resource naming convention to ensure that any change in the S3 content triggers a clean, deterministic update of the firewall rule group.</p></li> <li><p><strong>The Dynamic Group (<code>self_managed = false</code>):</strong> For the tenant-specific rules, I pointed rules_file to a simple placeholder template. This allowed me to satisfy the AWS Network Firewall requirement of having a valid Suricata structure at creation time. I set the capacity significantly higher (8,000 units) to provide enough "headroom" for the Lambda to inject thousands of tenant hostnames later without hitting architectural limits.</p></li> <li><p><strong>The Logic Pivot:</strong> The <code>self_managed</code> flag was the <em>brain</em> of the operation. Inside the child module, I used this to separate groups that Terraform must protect from those that Terraform must ignore after the initial creation.</p></li> </ul> <h3> 4️⃣ Implementing Domain List Rule Groups: </h3> <p>For the sake of completeness and architectural flexibility, I applied the exact same pattern to Domain List rule groups. While my primary focus was on Suricata for deep packet inspection and SNI filtering, I wanted the module to remain <em>type-agnostic</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">domain_stateful_rule_group</span> <span class="err">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-domains-sf"</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Stateful rule with domain list option"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="s2">"ALLOWLIST"</span> <span class="nx">protocols</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"TLS_SNI"</span><span class="p">]</span> <span class="nx">domain_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"placeholder.invalid"</span><span class="p">]</span> <span class="nx">rule_variables</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">nfw_rule_variables</span> <span class="nx">self_managed</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">]</span> </code></pre> </div> <blockquote> <p>Even though it relies heavily on Suricata signatures for our core logic, I included support for Domain Lists as a secondary mechanism. This allowed us to handle simple <em>Allow-listing</em> for standard HTTP/HTTPS traffic using AWS's native FQDN filtering when the full power of Suricata's regex and header inspection wasn't required.</p> </blockquote> <h3> 5️⃣ Integrating AWS-Managed Rule Groups: </h3> <p>To round out our security posture, I wanted to leverage the threat intelligence provided by AWS. Instead of managing complex ARNs in the parent configuration, I designed the module to accept simple, human-readable names which I then programmatically converted into full ARNs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">aws_managed_rule_group_arns</span> <span class="err">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">name</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_managed_rule_groups</span> <span class="err">:</span> <span class="s2">"arn:aws:network-firewall:${var.region}:aws-managed:stateful-rulegroup/${name}"</span> <span class="p">]</span> </code></pre> </div> <p>The module was purposely structured to append these AWS-managed groups (such as <code>AWSManagedRulesAnonymousIpList</code> or <code>ThreatSignaturesMalware</code>) to the end of our evaluation chain.</p> <p>By placing them after our custom Suricata and Domain List groups, I ensured that our specific business logic (our <em>Allow</em> rules) was evaluated first, while the AWS-managed groups acted as a global <em>safety-net</em> for any traffic that hadn't already been explicitly matched.</p> <h2> The Child Module: Orchestrating the Rule Groups <a></a> </h2> <p>Once I had the parent module's requirements defined, the child module (<code>tf-module-nfw</code>) translates those lists into actual AWS resources. I decided to split the responsibilities into four distinct resource types to ensure different lifecycle rules and management logic can be applied to each.</p> <p>Each <em>rule family</em> is mapped to a specific Terraform resource block:</p> <ul> <li> <code>self_managed_suricata</code> → <code>aws_networkfirewall_rule_group.sf_self_suricata</code> </li> <li> <code>extl_managed_suricata</code> → <code>aws_networkfirewall_rule_group.sf_custom_suricata</code> </li> <li>s<code>elf_managed_domainlist</code> → <code>aws_networkfirewall_rule_group.sf_self_domain_list</code> </li> <li> <code>extl_managed_domainlist</code> → <code>aws_networkfirewall_rule_group.sf_custom_domain_list</code> </li> </ul> <p>By creating separate resource blocks for <em>Self</em> (Terraform-owned) vs Custom (Externally-owned), this design provides a granular control over how Terraform interacts with the AWS API. This was the foundation for solving the <em>state-drift</em> problem: I could tell Terraform to strictly enforce the rules for the <em>Self</em> groups while essentially <em>looking the other way</em> for the <em>Custom</em> ones.</p> <h3> 1️⃣ Static Suricata — Terraform-owned: </h3> <p>For the Self-Managed resource, I designed a filter that only processes rule groups where the <code>self_managed</code> flag is set to <code>true</code>. This ensured that Terraform maintained absolute authority over these specific groups.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_networkfirewall_rule_group"</span> <span class="s2">"sf_self_suricata"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">rg</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">suricata_stateful_rule_group</span> <span class="err">:</span> <span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">rg</span> <span class="nx">if</span> <span class="nx">rg</span><span class="p">.</span><span class="nx">self_managed</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STATEFUL"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">capacity</span> <span class="nx">rule_group</span> <span class="p">{</span> <span class="c1"># Rule variables: HOME_NET, EXTERNAL_NET, etc. </span> <span class="nx">rules_source</span> <span class="p">{</span> <span class="c1"># Static Suricata rules come from S3 → Terraform → rules_content</span> <span class="nx">rules_string</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">rules_content</span> <span class="p">}</span> <span class="nx">stateful_rule_options</span> <span class="p">{</span> <span class="nx">rule_order</span> <span class="p">=</span> <span class="s2">"STRICT_ORDER"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>In this block, Terraform owns everything: the rules, the metadata, and the resource lifecycle. This was my go-to choice for stable, platform-owned domains and internal network signatures.</p> <ul> <li><p><strong>The Power of <code>for_each</code> Filtering:</strong><br> By using a conditional <code>for_each</code> loop, I kept the parent module interface clean while allowing the child module to selectively manage only the <em>static</em> groups.</p></li> <li><p><strong>Enforcing STRICT_ORDER:</strong> <br> I explicitly set the rule_order to STRICT_ORDER. This was critical because it allowed me to predict exactly how packets would traverse my custom rules versus the AWS-managed ones later in the chain.</p></li> <li><p><strong>Lifecycle Management:</strong> <br> <code>create_before_destroy = true</code> is exclusively added to prevent any security <em>blind spots</em>. If a static rule group needed a replacement (like a name change due to a new hash), the new group would be provisioned before the old one is torn down.</p></li> </ul> <h3> 2️⃣ Dynamic Suricata — Externally-owned: </h3> <p>This is arguably the most important section of this entire process. For the dynamic rule groups, I implemented a resource block that specifically targets objects where <code>self_managed</code> is set to <code>false</code>. This is where the <em><strong>architectural hand-off</strong></em> occurs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_networkfirewall_rule_group"</span> <span class="s2">"sf_custom_suricata"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">rg</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">suricata_stateful_rule_group</span> <span class="err">:</span> <span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">rg</span> <span class="nx">if</span> <span class="err">!</span><span class="nx">rg</span><span class="p">.</span><span class="nx">self_managed</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STATEFUL"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">capacity</span> <span class="nx">rule_group</span> <span class="p">{</span> <span class="c1"># Same rule_variables block as above (HOME_NET / EXTERNAL_NET etc.)</span> <span class="nx">rules_source</span> <span class="p">{</span> <span class="c1"># Placeholder Suricata, just to create the group.</span> <span class="nx">rules_string</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">rules_file</span><span class="p">)</span> <span class="p">}</span> <span class="nx">stateful_rule_options</span> <span class="p">{</span> <span class="nx">rule_order</span> <span class="p">=</span> <span class="s2">"STRICT_ORDER"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># Lambda will take ownership of the rules_string</span> <span class="nx">rule_group</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">rules_source</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">rules_string</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>The <em>Secret Sauce</em>:</strong> <code>lifecycle.ignore_changes</code><br> The real magic happens in the lifecycle block - configuring Terraform in this manner establishes a clear lifecycle for dynamic security rules.</p> <p><strong>Creation:</strong> Terraform provisions the rule group <em>container</em> using the high capacity that I defined (8,000 units) and populates it with a basic Suricata placeholder file to satisfy the AWS API.</p> <p><strong>Delegation:</strong> Once the resource exists, ownership of the <code>rules_string</code> attribute is effectively transferred to the external automation.</p> <p><strong>Coexistence:</strong> Because of the <code>ignore_changes</code> directive, Terraform will no longer attempt to <em>correct</em> or revert the rules during subsequent plan or apply cycles.</p> <p>This approach is what allowed me to safely call <code>UpdateRuleGroup</code> from a Lambda function (which is covered in <a href="https://dev.to/santanu_das/automating-externally-managed-stateful-rule-groups-in-aws-network-firewall-using-terraform-54b4">Part 2</a>) without triggering a state-drift fight. Terraform manages the infrastructure shell, while the Lambda manages the security intelligence.</p> <h3> 3️⃣ Domainlist Rule Groups: </h3> <p>The exact same blueprint has followed there for Domain List rule groups. Mirroring the logic used for Suricata ensures the module remains predictable and easy to maintain.</p> <p>These are split into two distinct resources:</p> <ul> <li> <strong><code>sf_self_domain_list</code>:</strong> The Terraform-owned resource for static, code-defined FQDNs.</li> <li> <strong><code>sf_custom_domain_list</code>:</strong> The externally-owned resource for dynamic lists.</li> </ul> <p>These are handled in an identical fashion to the Suricata groups—utilizing the <code>self_managed</code> flag to trigger either a strict management cycle or a <em>handoff</em> to external automation via <code>ignore_changes</code>.</p> <p>The most important takeaway here isn't the resource type itself, but these groups are now prepared to participate in the unified ordering mechanism, which is the final piece of the puzzle.</p> <h2> Building the Final Stateful Rule Group Order <a></a> </h2> <p>This approach transforms the design into an elegant, structured solution rather than an ad-hoc one. By leveraging Terraform locals, a scattered set of resources is transformed into a strictly ordered pipeline.</p> <p>The child module utilizes a three-step logic:</p> <ol> <li> <strong>Map the Categories:</strong> The ARNs of all created resources are grouped tinto a structured map.</li> <li> <strong>Flatten by Priority:</strong> Those groups are then reordered and flattened based on the stateful_rule_group_order list provided by the parent.</li> <li> <strong>Inject AWS Intelligence:</strong> The AWS-managed ARNs are appended as the final elements.</li> </ol> <h3> The Transformation Logic: </h3> <p>Here is how I handled that data transformation using HCL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="c1"># 1. Categorize rule-group ARNs into logical families</span> <span class="nx">sf_rule_group_arns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">self_managed_suricata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">KV</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">suricata_stateful_rule_group</span> <span class="err">:</span> <span class="nx">KV</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">aws_networkfirewall_rule_group</span><span class="p">.</span><span class="nx">sf_self_suricata</span><span class="p">[</span><span class="nx">KV</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">if</span> <span class="nx">KV</span><span class="p">.</span><span class="nx">self_managed</span> <span class="p">}</span> <span class="nx">extl_managed_suricata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">KV</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">suricata_stateful_rule_group</span> <span class="err">:</span> <span class="nx">KV</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">aws_networkfirewall_rule_group</span><span class="p">.</span><span class="nx">sf_custom_suricata</span><span class="p">[</span><span class="nx">KV</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">if</span> <span class="err">!</span><span class="nx">KV</span><span class="p">.</span><span class="nx">self_managed</span> <span class="p">}</span> <span class="nx">self_managed_domainlist</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">KV</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_stateful_rule_group</span> <span class="err">:</span> <span class="nx">KV</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">aws_networkfirewall_rule_group</span><span class="p">.</span><span class="nx">sf_self_domain_list</span><span class="p">[</span><span class="nx">KV</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">if</span> <span class="nx">KV</span><span class="p">.</span><span class="nx">self_managed</span> <span class="p">}</span> <span class="nx">extl_managed_domainlist</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">KV</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_stateful_rule_group</span> <span class="err">:</span> <span class="nx">KV</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">aws_networkfirewall_rule_group</span><span class="p">.</span><span class="nx">sf_custom_domain_list</span><span class="p">[</span><span class="nx">KV</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">if</span> <span class="err">!</span><span class="nx">KV</span><span class="p">.</span><span class="nx">self_managed</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># 2. Flatten categories using the parent’s</span> <span class="nx">stateful_rule_group_order</span> <span class="nx">stateful_group_arns</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span> <span class="nx">concat</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">key</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">stateful_rule_group_order</span> <span class="err">:</span> <span class="nx">values</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">sf_rule_group_arns</span><span class="p">[</span><span class="nx">key</span><span class="p">])</span> <span class="p">]...),</span> <span class="c1"># then, tack on AWS-managed rule groups</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_managed_rule_group_arns</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> The Final Policy: </h3> <p>With a flat, ordered list of ARNs established, applying them to the firewall policy becomes a straightforward process. I then used a dynamic block to ensure the policy stayed updated whenever the list changed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_networkfirewall_firewall_policy"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.prefix}-policy-${var.firewall_name}"</span> <span class="nx">firewall_policy</span> <span class="p">{</span> <span class="nx">stateless_default_actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aws:${var.stateless_default_actions}"</span><span class="p">]</span> <span class="nx">stateless_fragment_default_actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aws:${var.stateless_fragment_default_actions}"</span><span class="p">]</span> <span class="c1">## Stateless Rule Group Reference</span> <span class="nx">dynamic</span> <span class="s2">"stateless_rule_group_reference"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">stateless_group_arns</span> <span class="nx">content</span> <span class="p">{</span> <span class="c1"># Priority is sequentially as per index in stateless_rule_group list</span> <span class="nx">priority</span> <span class="p">=</span> <span class="nx">index</span><span class="p">(</span> <span class="nx">local</span><span class="p">.</span><span class="nx">stateless_group_arns</span><span class="p">,</span> <span class="nx">stateless_rule_group_reference</span><span class="p">.</span><span class="nx">value</span> <span class="p">)</span> <span class="err">+</span> <span class="mi">11</span> <span class="nx">resource_arn</span> <span class="p">=</span> <span class="nx">stateless_rule_group_reference</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># stateless config omitted</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> The Resulting Impact: </h3> <p>This modular architecture yields three major wins:</p> <ul> <li> <strong>Centralized Control:</strong> The parent module uses one simple variable to dictate the entire evaluation sequence.</li> <li> <strong>True Reusability:</strong> The child module is now a generic engine that can be easily dropped into any service, account, or environment.</li> <li> <strong>Future-Proofing:</strong> New categories (such as an external domain feed) can be added seamlessly without requiring a refactor of the parent module's core logic.</li> </ul> <h2> Lessons Learned (Part 1) <a></a> </h2> <p>Building this architecture was a journey that reinforced several core principles of cloud networking and Infrastructure-as-Code. Here is what I took away from the experience:</p> <p><strong>1️⃣ Separation of Concerns is Mandatory</strong><br> I realized early on that pushing every single rule through a Terraform pipeline is a recipe for frustration once you reach high-velocity, frequently changing lists. Splitting our firewall into Static (TF-owned) and Dynamic (Externally-owned) rule groups created a much healthier, more predictable management pattern.</p> <p><strong>2️⃣ The Danger of <em>Joint Custody</em></strong><br> One of my biggest takeaways was that Terraform and Lambda must never share ownership of a single attribute. If both tools think they are allowed to modify the rules_string, you will spend your life resolving state drift. By using separate resources (sf_self_* vs. sf_custom_*) and leveraging ignore_changes, I established a clean hand-off that kept our pipelines green.</p> <p><strong>3️⃣ Null Values are Not <em>Empty</em></strong><br> When defining input objects with optional fields like rules_content and rules_file, I found it's easy to accidentally treat a null value as "present." I had to ensure my module logic explicitly tested for null rather than just checking if a key existed, preventing several silent deployment failures.</p> <p><strong>4️⃣ Explicit Ordering is Worth the Overhead</strong><br> The <code>stateful_rule_group_order</code> list might seem like extra configuration at first, but it completely removed the ambiguity from our security posture. In an environment that combines custom Suricata signatures, FQDN filters, and AWS-managed threat intel, knowing exactly which rule fires first is critical for both security and troubleshooting.</p> <h2> What’s Coming in Part-2 <a></a> </h2> <p>While we’ve built the infrastructure "shell" and enforced the ordering logic, the "Externally Managed" part of this architecture is where the automation truly comes to life.</p> <p>In the next post, I’ll deep-dive into the Delivery Mechanism, featuring:</p> <ul> <li> <strong>The Rule-Engine Lambda:</strong> How I built a function to read tenant_hosts.json from S3 and dynamically expand base domains into full Suricata SNI rules.</li> <li> <strong>Concurrency &amp; Safety:</strong> How to handle the UpdateRuleGroup API safely using the required UpdateToken to prevent race conditions.</li> <li> <strong>Security &amp; Identity:</strong> Managing cross-account access via S3 bucket policies and KMS key permissions.</li> <li> <strong>Observability:</strong> Implementing Microsoft Teams notifications that include: <ul> <li> <strong>Diff Analysis:</strong> Clearly showing which hosts were added or removed.</li> <li> <strong>Smart Truncation:</strong> Handling long lists gracefully so notifications remain readable.</li> <li> <strong>Status Cards:</strong> Visual Green (Success) and Red (Failure) indicators for immediate feedback.</li> </ul> </li> </ul> <p>That’s where the <em>Self-Service</em> aspect of our firewall becomes a reality. </p> <blockquote> <p><em>While I tried my best to ensure the accuracy of the code snippets provided; feel free to reach out in the comments below or via <a href="https://www.linkedin.com/in/santanu-das-32a80a40/" rel="noopener noreferrer">LinkedIn</a> if you spot any discrepancies or have questions regarding the implementation</em>.</p> </blockquote> <p>See you in <a href="https://dev.to/santanu_das/automating-externally-managed-stateful-rule-groups-in-aws-network-firewall-using-terraform-54b4">Part 2</a>!</p> terraform devops awsnetworkfirewall infrastructureascode Santanu Das Wed, 14 Jan 2026 12:20:43 +0000 https://forem.com/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-3-bif https://forem.com/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-3-bif <blockquote> <p><strong>TL;DR</strong><br> <em>We wrap our bootstrap logic in an AWS <strong>Step Functions</strong> workflow to transition from a manual script to an automated platform capability. By leveraging <strong>EventBridge</strong> and <strong>CloudTrail</strong>, we create an event-driven loop that detects infrastructure changes and reconciles the database state automatically—achieving a production-ready deployment with <strong>zero manual intervention</strong></em>.</p> </blockquote> <h2> Table of Contents </h2> <ul> <li>The Architecture</li> <li> Implementation <ul> <li>Root Module</li> <li>Child Module</li> </ul> </li> <li>Validation</li> <li>Conclusion</li> </ul> <h2> Orchestrating with AWS Step Functions </h2> <p>In <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-1-493h">Part 1</a>, we identified the problem: Terraform is great for infrastructure, but poor for database state management. In <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-2-29i3">Part 2</a>, we built the solution: A "driver-less" Lambda function that uses the <strong>Aurora Data API</strong> to perform secure, idempotent bootstrap operations.</p> <p>Now, we face the final hurdle - A Lambda function sitting in the console is just a tool: To make it a platform capability, we need to wrap it in a workflow that handles retries, provides visibility, and allows for controlled execution.</p> <p>In this final part, we explore how to orchestrate that bootstrap logic using AWS Step Functions. It does not replace migrations, schema management, or application workflows — only control when the bootstrap Lambda needs to run.</p> <h2>  The Architecture: The State Machine <a></a> </h2> <p>I designed the state machine that treats the Lambda as a <em>Worker</em>. The State Machine itself acts as the <em>Manager</em>, responsible for:</p> <ul> <li>Input Validation: Ensuring the target cluster exists.</li> <li>Task Execution: Invoking the Bootstrap Lambda.</li> <li>Error Handling: Managing retries and catching failures.</li> </ul> <h3> The <em>Working</em>-flow </h3> <p>It's an <strong>Event-Driven Architecture</strong> (EDA) that automatically triggers the bootstrap workflow whenever Terraform updates the Lambda function configuration or code, as below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Terraform Apply ↓ AWS Lambda APIs <span class="o">(</span>CreateFunction / UpdateFunctionCode<span class="o">)</span> ↓ AWS CloudTrail <span class="o">(</span>Records the Management Event<span class="o">)</span> ↓ Amazon EventBridge <span class="o">(</span>Matches Rule: <span class="nb">source</span><span class="o">=</span><span class="s2">"aws.lambda"</span><span class="o">)</span> ↓ EventBridge assumes the EventBridge IAM role ↓ AWS Step Functions <span class="o">(</span>Triggered via IAM Role<span class="o">)</span> ↓ Bootstrap Lambda <span class="o">(</span>Executes Idempotent Logic<span class="o">)</span> ↓ Bootstrap Lambda runs </code></pre> </div> <p>For this to work effectively, EventBridge Rule pattern should look for specific API calls to avoid misfires. I filtered (using <code>{prefix:..}</code> matching) for:</p> <ul> <li>CreateFunction20150331 (New deployments)</li> <li>UpdateFunctionCode20150331v2 (Code changes)</li> <li>UpdateFunctionConfiguration20150331v2 (Env var/Config changes)</li> </ul> <p>This ensures the database bootstrap runs exactly when the code or configuration (like a new DB name in Env Vars) changes.</p> <h2> Implementation: Infrastructure as Code <a></a> </h2> <p>Consistent with our IaC principles, the State Machine is provisioned via Terraform, while its workflow logic is defined using the <strong>Amazon States Language</strong> (ASL). The implementation follows a modular architecture, splitting responsibilities between the <em>root</em> (security &amp; orchestration) and <em>child</em> (application logic) modules.</p> <h3> Terraform Resources - Root module <a></a> </h3> <p>1️⃣ Creates one SFN execution role (<em>states.amazonaws.com</em>) with:</p> <ul> <li>RDS cluster actions (start/stop/modify/describe/snapshot) scoped to <code>module.db_cluster[KY].arn</code> </li> <li> <code>lambda:InvokeFunction</code> scoped to the installer Lambdas</li> <li>CloudWatch Logs delivery permissions (CreateLogDelivery, PutResourcePolicy, etc.) on * </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ----------------------------------------------------------</span> <span class="c1"># IAM role for Step-Function</span> <span class="c1"># ----------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"air_sfn"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">sfn_db_engines</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-sfn-Role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"states.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-sfn-Role"</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"aws_iam_role.air_sfn"</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"aipd_sfn"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowLambdaInvoke"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"lambda:GetFunction"</span><span class="p">,</span> <span class="s2">"lambda:GetFunctionConfiguration"</span><span class="p">,</span> <span class="s2">"lambda:InvokeFunction"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">KY</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">sfn_db_engines</span> <span class="err">:</span> <span class="nx">module</span><span class="p">.</span><span class="nx">db_cluster</span><span class="p">[</span><span class="nx">KY</span><span class="p">].</span><span class="nx">lfn_resource_arn</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowCloudWatchLogs"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogDelivery"</span><span class="p">,</span> <span class="s2">"logs:GetLogDelivery"</span><span class="p">,</span> <span class="s2">"logs:UpdateLogDelivery"</span><span class="p">,</span> <span class="s2">"logs:DeleteLogDelivery"</span><span class="p">,</span> <span class="s2">"logs:DescribeLogGroups"</span><span class="p">,</span> <span class="s2">"logs:DescribeResourcePolicies"</span><span class="p">,</span> <span class="s2">"logs:GetLogDelivery"</span><span class="p">,</span> <span class="s2">"logs:ListLogDeliveries"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span><span class="p">,</span> <span class="s2">"logs:PutResourcePolicy"</span><span class="p">,</span> <span class="s2">"logs:UpdateLogDelivery"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"airp_sfn"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">sfn_db_engines</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">air_sfn</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">aipd_sfn</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="c1"># ----------------------------------------------------------</span> <span class="c1"># IAM role: EventBridge → Step Functions</span> <span class="c1"># ----------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"air_eb_sfn"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">sfn_db_engines</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-eb-sfn-Role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"events.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-eb-sfn-Role"</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"aws_iam_role.air_eb_sfn"</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Policy: allow states:StartExecution</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"aipd_eb_sfn"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"states:StartExecution"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">KY</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">sfn_db_engines</span> <span class="err">:</span> <span class="nx">module</span><span class="p">.</span><span class="nx">sfn_machine</span><span class="p">[</span><span class="nx">KY</span><span class="p">].</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"airp_eb_sfn"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">sfn_db_engines</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">air_eb_sfn</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">aipd_eb_sfn</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>2️⃣ Creates one EventBridge → SFN role (<code>events.amazonaws.com</code>) with:</p> <ul> <li>states:StartExecution scoped to the child module SFN ARNs (<code>module.sfn_machine[KY].arn</code>)</li> <li>Instantiates module <code>sfn_machine</code> per engine via <code>local.sfn_db_engines</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ----------------------------------------------------------</span> <span class="c1"># AWS Step-function</span> <span class="c1"># ----------------------------------------------------------</span> <span class="nx">module</span> <span class="s2">"sfn_machine"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">sfn_db_engines</span><span class="p">)</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./services//sfn"</span> <span class="nx">lambda_function_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">db_cluster</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">lfn_resource_arn</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="nx">join</span><span class="p">(</span><span class="s2">"-"</span><span class="p">,</span> <span class="p">[</span> <span class="nx">replace</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">template_name</span><span class="p">,</span> <span class="s2">"/-[^-]+$/"</span><span class="p">,</span> <span class="s2">""</span><span class="p">),</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="p">])</span> <span class="nx">eb_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">air_eb_sfn</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">sfn_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">air_sfn</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">extra_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"module.sfn_machine"</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Terraform Resources - Child module <a></a> </h3> <p>1️⃣ Creates the state machine:</p> <ul> <li>arn:aws:states:::lambda:invoke</li> <li>FunctionName = var.lambda_function_arn</li> <li>CW logs enabled to <code>/aws/stepfunctions/${var.name_prefix}-bootstrap</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ----------------------------------------------------------</span> <span class="c1"># Step Function Resource</span> <span class="c1"># ----------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_sfn_state_machine"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-bootstrap"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">sfn_role_arn</span> <span class="nx">definition</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Comment</span> <span class="p">=</span> <span class="s2">"DB / User bootstrap orchestration"</span> <span class="nx">StartAt</span> <span class="p">=</span> <span class="s2">"InvokeBootstrapLambda"</span> <span class="nx">States</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">InvokeBootstrapLambda</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Type</span> <span class="p">=</span> <span class="s2">"Task"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:states:::lambda:invoke"</span> <span class="nx">Parameters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">FunctionName</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">lambda_function_arn</span> <span class="nx">Payload</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">Retry</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">ErrorEquals</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"Lambda.ServiceException"</span><span class="p">,</span> <span class="s2">"Lambda.TooManyRequestsException"</span> <span class="p">]</span> <span class="nx">IntervalSeconds</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">MaxAttempts</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">BackoffRate</span> <span class="p">=</span> <span class="mf">2.0</span> <span class="p">}]</span> <span class="nx">End</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="nx">logging_configuration</span> <span class="p">{</span> <span class="nx">level</span> <span class="p">=</span> <span class="s2">"ALL"</span> <span class="nx">include_execution_data</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">log_destination</span> <span class="p">=</span> <span class="s2">"${aws_cloudwatch_log_group.sfn_logs.arn}:*"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">extra_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-bootstrap"</span> <span class="nx">SubResource</span> <span class="p">=</span> <span class="s2">"aws_sfn_state_machine.db_bootstrap"</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="c1">// CW logs</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_log_group"</span> <span class="s2">"sfn_logs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/aws/stepfunctions/${var.name_prefix}-bootstrap"</span> <span class="nx">retention_in_days</span> <span class="p">=</span> <span class="mi">14</span> <span class="p">}</span> </code></pre> </div> <p>2️⃣ Creates the EventBridge rule that works reliably:</p> <ul> <li><code>source = ["aws.lambda"]</code></li> <li><code>detail-type = ["AWS API Call via CloudTrail"]</code></li> <li>eventName prefix match for both: <ul> <li> UpdateFunctionCode*</li> <li> UpdateFunctionConfiguration*</li> </ul> </li> <li>Filters <code>requestParameters.functionName</code> with both forms: <ul> <li>the full ARN: <code>var.lambda_function_arn</code> </li> <li>short name extracted via <code>regex("[^:]+$", var.lambda_function_arn)</code> </li> </ul> </li> <li>Creates the EventBridge target: <ul> <li>Starts the SFN with an input_transformer payload containing account/region/event_id/time/function_name </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ----------------------------------------------------------</span> <span class="c1"># EventBridge rule: detect Lambda code updates</span> <span class="c1"># ----------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"lambda_code_update"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-lambda-update"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Trigger SFN when bootstrap Lambda code is updated"</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aws.lambda"</span><span class="p">]</span> <span class="s2">"detail-type"</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"AWS API Call via CloudTrail"</span><span class="p">]</span> <span class="nx">detail</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">eventSource</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"lambda.amazonaws.com"</span><span class="p">]</span> <span class="nx">eventName</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="s2">"prefix"</span> <span class="err">:</span> <span class="s2">"UpdateFunctionCode"</span> <span class="p">},</span> <span class="p">{</span> <span class="s2">"prefix"</span> <span class="err">:</span> <span class="s2">"UpdateFunctionConfiguration"</span> <span class="p">}</span> <span class="p">]</span> <span class="c1"># without this, all the SFNs will keep triggering</span> <span class="nx">requestParameters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">functionName</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">lambda_function_arn</span><span class="p">,</span> <span class="nx">regex</span><span class="p">(</span><span class="s2">"[^:]+$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">lambda_function_arn</span><span class="p">),</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"lambda_update_to_sfn"</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">lambda_code_update</span><span class="p">.</span><span class="nx">name</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="s2">"start-${var.name_prefix}-bootstrap"</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_sfn_state_machine</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">eb_role_arn</span> <span class="nx">retry_policy</span> <span class="p">{</span> <span class="nx">maximum_retry_attempts</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">maximum_event_age_in_seconds</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> <span class="c1"># Optional - To capture the "Silent" error </span> <span class="nx">dead_letter_config</span> <span class="p">{</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">eb_dlq</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">input_transformer</span> <span class="p">{</span> <span class="nx">input_paths</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">update_fn</span> <span class="p">=</span> <span class="s2">"$.detail.requestParameters.functionName"</span> <span class="nx">event_id</span> <span class="p">=</span> <span class="s2">"$.id"</span><span class="p">,</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"$.region"</span> <span class="nx">account</span> <span class="p">=</span> <span class="s2">"$.account"</span> <span class="nx">time</span> <span class="p">=</span> <span class="s2">"$.time"</span> <span class="p">}</span> <span class="nx">input_template</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> { "account": &lt;account&gt;, "action": "AUTO_BOOTSTRAP", "aws_region": &lt;region&gt;, "event_id": &lt;event_id&gt;, "event_time": &lt;time&gt;, "function_name": &lt;update_fn&gt;, "trigger": "lambda-code-update" } </span><span class="no"> EOF </span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Setting up the automated trigger was a classic <em>cat-and-mouse</em> engineering challenge. The real complexity was correctly mapping the CloudTrail metadata into a format the State Machine understands. I spent significant time fine-tuning the <code>input_transformer</code> logic — navigating through the JSON paths to ensure that the specific Lambda updates correctly extracted the payload, needed to kick off the bootstrap. Those were the only parameters worked for me; anything more added to it, was stopping the <em>trigger</em> on the next run.</p> </blockquote> <p>3️⃣ Adds an SQS DLQ and queue policy allowing EventBridge to SendMessage for that rule (optional)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ----------------------------------------------------------</span> <span class="c1"># SQS: Dead-letter queue redrive</span> <span class="c1"># ----------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_sqs_queue"</span> <span class="s2">"eb_dlq"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-eb-dlq"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_sqs_queue_policy"</span> <span class="s2">"dlq_policy"</span> <span class="p">{</span> <span class="nx">queue_url</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">eb_dlq</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"events.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sqs:SendMessage"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">eb_dlq</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ArnEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"aws:SourceArn"</span> <span class="err">:</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">lambda_code_update</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Validation: The Orchestration in Action <a></a> </h2> <p>Once the EventBridge rule triggers the workflow, the progress can be monitored in real-time. The Step Functions' <strong>Executions</strong> console provides the list of <em>Failed</em> and <em>Successful</em> executions, as shown below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomohp3fqnke74pzrddap.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomohp3fqnke74pzrddap.png" alt="State Machine Executions" width="800" height="235"></a></p> <p>Beyond the high-level list, the console also allows us to drill down into the specific input and output of the bootstrap Lambda, where you can see exactly how the CloudTrail event was mapped into the parameters that drove the database creation.</p> <h2> Conclusion: An automated Database Platform <a></a> </h2> <p>That brings us to the end of Part 3. We have successfully transformed our bootstrap Lambda into a robust, event-driven platform capability that triggers automatically whenever our infrastructure changes. By orchestrating this with AWS Step Functions, we’ve also gained the visibility, retries, and auditability needed for our environment. It's now a complete, driver-less solution that ensures our Aurora databases are initialized and ready the moment they are provisioned - and most importantly, without any manual intervention.</p> <h2> In This Series </h2> <ul> <li>Part 1: Architectural foundation and engineering basics.</li> <li>Part 2: Deep dive into Lambda implementation and IAM-based access.</li> <li>Part 3: Orchestrating workflows and Execution using AWS Step Functions.</li> </ul> aws stepfunctions eventbridge devops Santanu Das Sun, 11 Jan 2026 14:25:10 +0000 https://forem.com/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-2-29i3 https://forem.com/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-2-29i3 <blockquote> <p><strong>TL;DR</strong><br> <em>We move from theory to implementation by building a <strong>zero-dependency Python Lambda</strong> function. By leveraging the <strong>Aurora Data</strong> API, we eliminate the need for heavy SQL drivers, VPC-peering, or static credentials</em>.</p> </blockquote> <h2> Table Of Contents </h2> <ul> <li> The Solution <ul> <li>Strategic Benefits</li> </ul> </li> <li>Core Design Concepts</li> <li>Aurora Data API</li> <li> The Code Structure <ul> <li>Lambda Files</li> <li>Components</li> </ul> </li> <li> Implementation &amp; Code <ul> <li>Terraform Layer</li> <li>Lambda Finction-Code</li> </ul> </li> <li> Day-Zero Readiness <ul> <li>Verification</li> <li>Validation</li> </ul> </li> </ul> <p>In <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-1-493h">Part-1</a>, we explored the inherent <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-1-493h#01">challenges</a> of managing post-deployment database state and user privileges within a declarative IaC workflow. In this article, we shift from problem to implementation, detailing a solution that provides a robust, scalable alternative for platform teams.</p> <h2> The Solution: Decoupling via Purpose-Built Lambda <a></a> </h2> <p>The core of this architecture is the establishment of a clear execution boundary. By offloading database mutation logic to an AWS Lambda function, we decouple the <em>state of the infrastructure</em> from the <em>state of the database</em>.</p> <ul> <li><p><strong>Terraform’s Responsibility:</strong> Operates as the orchestrator, provisioning the Aurora cluster and Lambda function while injecting necessary metadata (endpoints, ARNs, and engine types).</p></li> <li><p><strong>Lambda’s Responsibility:</strong> Acts as the execution engine, performing engine-specific logic (MySQL/PostgreSQL), enforcing role-based access control (RBAC), and managing IAM-based authentication.</p></li> </ul> <h3> Strategic Benefits <a></a> </h3> <ul> <li><p><strong>True Idempotency:</strong> Unlike complex Terraform providers that can drift, the Lambda logic is procedural and testable, allowing for safe re-runs without impacting infrastructure integrity.</p></li> <li><p><strong>Hardened Security:</strong> The design eliminates the need for static administrative passwords, leveraging AWS IAM Database Authentication for all bootstrap operations.</p></li> <li><p><strong>Architectural Purity:</strong> Terraform remains purely declarative, focused on infrastructure lifecycle, while the Lambda handles the "Day 1" platform bootstrapping as a discrete capability.</p></li> </ul> <p>This deep-dive focuses on the structural internals of the Lambda—exploring the design decisions that ensure maintainability and engine parity while keeping the footprint minimal.</p> <h2> Core Design Concepts &amp; Requirements <a></a> </h2> <p>To ensure a seamless handoff between infrastructure and application, the bootstrap Lambda was built around the following core requirements:</p> <ul> <li><p><strong>Passwordless Database Operations:</strong> Eliminates the need for static credentials or secret rotation by utilizing native AWS authentication.</p></li> <li><p><strong>IAM/Token-Based Access:</strong> Leverages short-lived IAM database tokens for all administrative actions, ensuring a secure and auditable connection lifecycle.</p></li> <li><p><strong>Zero Developer Friction:</strong> The entire process is transparent to application teams; databases and roles are provisioned automatically without manual intervention.</p></li> <li><p><strong>Multi-Tenant Support:</strong> A single execution can manage multiple database schemas and user roles, mapping complex requirements to a unified configuration.</p></li> <li><p><strong>Day-Zero Readiness:</strong> Ensures that the database environment is fully initialized and accessible the moment the Aurora cluster enters the available state.</p></li> </ul> <h2> The <em>Secret Sauce</em>: Aurora Data API <a></a> </h2> <p>One of the biggest hurdles in building a lightweight Lambda for database bootstrapping is the dependency on database drivers. Python’s standard library does not include native drivers for MySQL or PostgreSQL.</p> <p>Typically, this forces platform engineers into a <em>dependency trap</em>, implementing either:</p> <ul> <li> <strong>Lambda Layers:</strong> Adding overhead for versioning and binary compatibility.</li> </ul> <p>Or</p> <ul> <li> <strong>Container Images:</strong> Introducing complex build pipelines and increasing the security blast radius.</li> </ul> <p>We solved this by enabling the Aurora Data API. This design choice is the cornerstone of the Lambda's simplicity:</p> <ul> <li><p><strong>Pure AWS SDK:</strong> The Lambda interacts with the database via standard boto3 calls. If the Lambda environment has the AWS SDK, it has everything it needs to execute SQL.</p></li> <li><p><strong>No Drivers Required:</strong> By sending SQL commands over HTTPS via the Data API, we eliminated the need for psycopg2, pymysql, or any other external binaries.</p></li> <li><p><strong>Simplified Networking:</strong> The Data API handles the connection pooling and overhead, allowing the Lambda to remain "stateless" and extremely fast to cold-start.</p></li> </ul> <p>By treating the database as an API endpoint rather than a traditional socket connection, we achieved a <strong>zero-dependency deployment artifact</strong>. This makes the bootstrap process more auditable, easier to maintain, and significantly more resilient to environment drift. </p> <p>Implementing this modern connectivity model required only a single configuration change within the <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-1-493h#03">chlid-module</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Enabling native IAM authentication within the Aurora cluster</span> <span class="nx">iam_database_authentication_enabled</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <h2> The Modular Code Structure <a></a> </h2> <p>The Lambda’s internal structure is designed for clarity and extensibility. Rather than a monolithic script, the codebase is partitioned into functional layers. This ensures that adding support for a new engine or modifying authentication logic doesn't disrupt the core execution flow.</p> <h3> File Structure <a></a> </h3> <p>The project follows a flat, purposeful directory layout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./lambda ├── __init__.py ├── db_config.py <span class="c"># Environment-to-Runtime mapping</span> ├── db_helper.py <span class="c"># Core SQL logic and engine-specific functions</span> ├── mysql_installer.py <span class="c"># MySQL execution workflow</span> └── pgsql_installer.py <span class="c"># PostgreSQL execution workflow</span> </code></pre> </div> <h3> Component Responsibilities <a></a> </h3> <ul> <li><p><code>db_config.py</code> (The Configuration Layer): This module acts as the bridge between Terraform and Python. It ingest cluster-specific environment variables — such as cluster identifiers, engine types, and database names—and validates them before execution begins.</p></li> <li><p><code>db_helper.py</code> (The Logic Library): This is the "brain" of the operation. It contains the granular, engine-specific functions required to verify and mutate state. By centralizing functions like mysql_user_exists and pgsql_create_db here, we ensure that the logic is reusable and easy to unit test.</p></li> <li><p><code>*_installer.py</code> (The Workflow Orchestrators): These files represent the high-level workflows for each engine. An installer imports the necessary primitives from the helper and executes them in a logical sequence.<br> e.g. <em>Check if DB exists</em> → <em>Create if missing</em> → <em>Assign privileges</em>.</p></li> </ul> <blockquote> <p>Although the bootstrap flow is shared, MySQL and PostgreSQL differ fundamentally in ownership, role semantics, and grant models — which is why installers are intentionally split.</p> </blockquote> <p>The helper functions are designed to accept a generic <code>execute_fn</code>. This allows us to swap the underlying execution engine — such as switching from a standard driver to the Aurora Data API — without rewriting the core business logic.</p> <h2> The Blueprint: Implementation &amp; Code <a></a> </h2> <p>With the architectural boundaries defined, now we will look at the implementation. This section provides the <em>Copy-Paste</em> ready code to stand up the bootstrap utility.</p> <h3> IaC: The Terraform Layer <a></a> </h3> <p>1️⃣ Every AWS Lambda function needs permission to interact with other AWS infrastructure resources within your account. These permissions are set via an AWS IAM Role that required to interact with the <strong>Aurora Data API</strong>. The creation of the execution role and the specific IAM policies are part of the <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-1-493h#04">root-module</a>; the rule ARN then supplied to the lambda-function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ----------------------------------------------------------</span> <span class="c1"># IAM role Lambda-function</span> <span class="c1"># ----------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"air_lfn"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">anytrue</span><span class="p">(</span><span class="nx">values</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">service_enabled</span><span class="p">))</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">([</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">])</span> <span class="err">:</span> <span class="p">[]</span> <span class="p">)</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.template_name}-lambda-Role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># ----------------------------------------------------------</span> <span class="c1"># Lambda role-policy document and attachment</span> <span class="c1"># ----------------------------------------------------------</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"aipd_lfn"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">anytrue</span><span class="p">(</span><span class="nx">values</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">service_enabled</span><span class="p">))</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">([</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">])</span> <span class="err">:</span> <span class="p">[]</span> <span class="p">)</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"RDSDataAPI"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"rds-data:ExecuteStatement"</span><span class="p">,</span> <span class="s2">"rds-data:BatchExecuteStatement"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"DescribeCluster"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"rds:DescribeDBClusters"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"ReadDBSecret"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"secretsmanager:GetSecretValue"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">DB</span> <span class="nx">in</span> <span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">db_profiles</span><span class="p">)</span> <span class="err">:</span> <span class="nx">module</span><span class="p">.</span><span class="nx">db_cluster</span><span class="p">[</span><span class="nx">DB</span><span class="p">].</span><span class="nx">master_user_secret_arn</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"LambdaLogging"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:logs:*:*:*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"airp_lfn"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">anytrue</span><span class="p">(</span><span class="nx">values</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">service_enabled</span><span class="p">))</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">([</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">])</span> <span class="err">:</span> <span class="p">[]</span> <span class="p">)</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">air_lfn</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">].</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">aipd_lfn</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">].</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>2️⃣ Next, we define AWS infrastructure resources, which I included as part of the <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-1-493h#03">child module</a>. The following Terraform configuration automatically packages the Python source into a ZIP archive and provisions the Lambda function, along with its execution role and granular IAM policies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ---------------------------------------------------------</span> <span class="c1"># Lambda function to manage BDs</span> <span class="c1"># ---------------------------------------------------------</span> <span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"daf_lambda"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_db_managment</span> <span class="err">?</span> <span class="p">{</span> <span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine_type</span><span class="p">)</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="err">:</span> <span class="p">{}</span> <span class="p">)</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"${path.module}/${each.key}-lambda.zip"</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/lambda/__init__.py"</span><span class="p">)</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"__init__.py"</span> <span class="p">}</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/lambda/db_config.py"</span><span class="p">)</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"db_config.py"</span> <span class="p">}</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/lambda/db_helper.py"</span><span class="p">)</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"db_helper.py"</span> <span class="p">}</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/lambda/${each.key}_installer.py"</span><span class="p">)</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"db_installer.py"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"db_installer"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_db_managment</span> <span class="err">?</span> <span class="p">{</span> <span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine_type</span><span class="p">)</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="err">:</span> <span class="p">{}</span> <span class="p">)</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-${each.key}-installer"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">lambda_service_role</span> <span class="c1">#&lt;-- comes from root-module</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.12"</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"db_installer.handler"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">memory_size</span> <span class="p">=</span> <span class="mi">256</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">daf_lambda</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">output_path</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">daf_lambda</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">output_base64sha256</span> <span class="nx">environment</span> <span class="p">{</span> <span class="c1">#&lt;-- feeds db_config.py</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">CLUSTER_ARN</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">cluster_arn</span> <span class="nx">DATABASES</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">databases</span><span class="p">)</span> <span class="nx">DB_ENGINE</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine</span> <span class="nx">DB_USER_HOST</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">dbs_user_host</span> <span class="nx">DB_USER_NAME</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">database_user</span> <span class="nx">ENGINE_TYPE</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine_type</span> <span class="nx">SECRET_ARN</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">secret_arn</span> <span class="c1"># default databases</span> <span class="nx">DEFAULT_DB</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine</span> <span class="p">==</span> <span class="s2">"aurora-mysql"</span> <span class="err">?</span> <span class="s2">"mysql"</span> <span class="err">:</span> <span class="s2">"postgres"</span> <span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">extra_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-db-installer"</span> <span class="nx">SubResource</span> <span class="p">=</span> <span class="s2">"aws_lambda_function.db_installer"</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> The Logic: Python Lambda Code <a></a> </h3> <p>Here is how the Python components interact. The key is the db_helper.py, which leverages the Data API to execute SQL without traditional drivers.</p> <p>1️⃣ <strong><code>db_config.py</code> - The Configuration Layer</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># db_config.py </span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="k">def</span> <span class="nf">_require_env</span><span class="p">(</span><span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="n">name</span><span class="p">]</span> <span class="k">except</span> <span class="nb">KeyError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Missing required environment variable: </span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@dataclass</span><span class="p">(</span><span class="n">frozen</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">class</span> <span class="nc">Config</span><span class="p">:</span> <span class="n">cluster_arn</span><span class="p">:</span> <span class="nb">str</span> <span class="n">databases</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">db_engine</span><span class="p">:</span> <span class="nb">str</span> <span class="n">db_host</span><span class="p">:</span> <span class="nb">str</span> <span class="n">db_user</span><span class="p">:</span> <span class="nb">str</span> <span class="n">default_db</span><span class="p">:</span> <span class="nb">str</span> <span class="n">engine_type</span><span class="p">:</span> <span class="nb">str</span> <span class="n">secret_arn</span><span class="p">:</span> <span class="nb">str</span> <span class="n">CONFIG</span> <span class="o">=</span> <span class="nc">Config</span><span class="p">(</span> <span class="n">cluster_arn</span> <span class="o">=</span> <span class="nf">_require_env</span><span class="p">(</span><span class="sh">"</span><span class="s">CLUSTER_ARN</span><span class="sh">"</span><span class="p">),</span> <span class="n">databases</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="nf">_require_env</span><span class="p">(</span><span class="sh">"</span><span class="s">DATABASES</span><span class="sh">"</span><span class="p">)),</span> <span class="n">db_engine</span> <span class="o">=</span> <span class="nf">_require_env</span><span class="p">(</span><span class="sh">"</span><span class="s">DB_ENGINE</span><span class="sh">"</span><span class="p">),</span> <span class="n">db_host</span> <span class="o">=</span> <span class="nf">_require_env</span><span class="p">(</span><span class="sh">"</span><span class="s">DB_USER_HOST</span><span class="sh">"</span><span class="p">),</span> <span class="n">db_user</span> <span class="o">=</span> <span class="nf">_require_env</span><span class="p">(</span><span class="sh">"</span><span class="s">DB_USER_NAME</span><span class="sh">"</span><span class="p">),</span> <span class="n">default_db</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">DEFAULT_DB</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">postgres</span><span class="sh">"</span><span class="p">),</span> <span class="n">engine_type</span> <span class="o">=</span> <span class="nf">_require_env</span><span class="p">(</span><span class="sh">"</span><span class="s">ENGINE_TYPE</span><span class="sh">"</span><span class="p">),</span> <span class="n">secret_arn</span> <span class="o">=</span> <span class="nf">_require_env</span><span class="p">(</span><span class="sh">"</span><span class="s">SECRET_ARN</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>2️⃣ <strong><code>db_helper.py</code> - The Engine Logic</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># db_helper.py </span> <span class="kn">from</span> <span class="n">db_config</span> <span class="kn">import</span> <span class="n">CONFIG</span> <span class="n">db_user</span> <span class="o">=</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_user</span> <span class="n">db_host</span> <span class="o">=</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_host</span> <span class="n">default_db</span> <span class="o">=</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">default_db</span> <span class="c1"># ========================================================== # MySQL (IAM auth) # ========================================================== </span> <span class="k">def</span> <span class="nf">mysql_user_exists</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">resp</span> <span class="o">=</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT 1 FROM mysql.user WHERE user = </span><span class="sh">'</span><span class="si">{</span><span class="n">db_user</span><span class="si">}</span><span class="sh">'"</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">records</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]))</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">def</span> <span class="nf">mysql_create_user</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">):</span> <span class="k">if</span> <span class="nf">mysql_user_exists</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[SKIP] MySQL user exists: </span><span class="si">{</span><span class="n">db_user</span><span class="si">}</span><span class="s">@</span><span class="si">{</span><span class="n">db_host</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[CREATE] MySQL user: </span><span class="si">{</span><span class="n">db_user</span><span class="si">}</span><span class="s">@</span><span class="si">{</span><span class="n">db_host</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> CREATE USER </span><span class="sh">'</span><span class="si">{</span><span class="n">db_user</span><span class="si">}</span><span class="sh">'</span><span class="s">@</span><span class="sh">'</span><span class="si">{</span><span class="n">db_host</span><span class="si">}</span><span class="sh">'</span><span class="s"> IDENTIFIED WITH AWSAuthenticationPlugin AS </span><span class="sh">'</span><span class="s">RDS</span><span class="sh">'</span><span class="s"> </span><span class="sh">"""</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">mysql_grant_privileges</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[GRANT] MySQL privileges: </span><span class="si">{</span><span class="n">db_user</span><span class="si">}</span><span class="s">@</span><span class="si">{</span><span class="n">db_host</span><span class="si">}</span><span class="s"> → </span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">GRANT ALL PRIVILEGES ON `</span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="s">`.* TO </span><span class="sh">'</span><span class="si">{</span><span class="n">db_user</span><span class="si">}</span><span class="sh">'</span><span class="s">@</span><span class="sh">'</span><span class="si">{</span><span class="n">db_host</span><span class="si">}</span><span class="sh">'"</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">mysql_list_granted_dbs</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">,</span> <span class="n">user</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">set</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="n">sql</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> SELECT DISTINCT DB FROM mysql.db WHERE User = :user </span><span class="sh">"""</span> <span class="n">resp</span> <span class="o">=</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="n">sql</span><span class="p">,</span> <span class="n">database</span><span class="o">=</span><span class="sh">"</span><span class="s">mysql</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">},</span> <span class="p">)</span> <span class="n">records</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">records</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="k">return</span> <span class="p">{</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">"</span><span class="s">stringValue</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">records</span> <span class="k">if</span> <span class="n">row</span> <span class="ow">and</span> <span class="sh">"</span><span class="s">stringValue</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">mysql_revoke_db</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">,</span> <span class="n">user</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">host</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">sql</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">REVOKE ALL PRIVILEGES ON `</span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="s">`.* FROM </span><span class="sh">'</span><span class="si">{</span><span class="n">user</span><span class="si">}</span><span class="sh">'</span><span class="s">@</span><span class="sh">'</span><span class="si">{</span><span class="n">host</span><span class="si">}</span><span class="sh">'"</span> <span class="nf">execute_fn</span><span class="p">(</span><span class="n">sql</span><span class="p">,</span> <span class="n">database</span><span class="o">=</span><span class="sh">"</span><span class="s">mysql</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ========================================================== # PostgreSQL (IAM auth) # ========================================================== </span> <span class="k">def</span> <span class="nf">pgsql_db_exists</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">default_db</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">resp</span> <span class="o">=</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT 1 FROM pg_database WHERE datname = </span><span class="sh">'</span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">'"</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">records</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]))</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">def</span> <span class="nf">pgsql_create_app_role</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">,</span> <span class="n">app_role</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">default_db</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">resp</span> <span class="o">=</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT 1 FROM pg_roles WHERE rolname = </span><span class="sh">'</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">'"</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">records</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[CREATE] PostgreSQL app role: </span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">CREATE ROLE </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"</span><span class="s"> NOLOGIN</span><span class="sh">'</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[SKIP] PostgreSQL role exists: </span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">ALTER ROLE </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"</span><span class="s"> LOGIN</span><span class="sh">'</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">GRANT rds_iam TO </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"'</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">pgsql_create_db</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">default_db</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">CREATE DATABASE </span><span class="sh">"</span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"'</span><span class="p">,</span> <span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">pgsql_grant_privileges</span><span class="p">(</span> <span class="n">execute_fn</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">app_role</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[GRANT] PostgreSQL access: </span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="s"> → </span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># DB-level access </span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">GRANT CONNECT, TEMP ON DATABASE </span><span class="sh">"</span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"</span><span class="s"> TO </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"'</span><span class="p">,</span> <span class="sh">"</span><span class="s">postgres</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Schema access </span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">GRANT USAGE ON SCHEMA public TO </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"'</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Explicit table grants (NO silent no-op) </span> <span class="n">resp</span> <span class="o">=</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sh">"""</span><span class="s"> SELECT quote_ident(n.nspname) || </span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="s"> || quote_ident(c.relname) FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = </span><span class="sh">'</span><span class="s">public</span><span class="sh">'</span><span class="s"> AND c.relkind = </span><span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="s"> </span><span class="sh">"""</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="p">)</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">records</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="n">table</span> <span class="o">=</span> <span class="n">r</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">"</span><span class="s">stringValue</span><span class="sh">"</span><span class="p">]</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE </span><span class="si">{</span><span class="n">table</span><span class="si">}</span><span class="s"> TO </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"'</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Sequences </span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'''</span><span class="s"> GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA public TO </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"</span><span class="s"> </span><span class="sh">'''</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Future objects (mandatory) </span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'''</span><span class="s"> ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"</span><span class="s"> </span><span class="sh">'''</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="p">)</span> <span class="nf">execute_fn</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'''</span><span class="s"> ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT, UPDATE ON SEQUENCES TO </span><span class="sh">"</span><span class="si">{</span><span class="n">app_role</span><span class="si">}</span><span class="sh">"</span><span class="s"> </span><span class="sh">'''</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>3️⃣ <strong><code>mysql_installer.py</code> - mySQL Orchestrator</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># mysql_installer.py </span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="kn">from</span> <span class="n">db_config</span> <span class="kn">import</span> <span class="n">CONFIG</span> <span class="kn">from</span> <span class="n">db_helper</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">mysql_create_user</span><span class="p">,</span> <span class="n">mysql_grant_privileges</span><span class="p">,</span> <span class="n">mysql_list_granted_dbs</span><span class="p">,</span> <span class="n">mysql_revoke_db</span><span class="p">,</span> <span class="p">)</span> <span class="c1">#&lt;-- loads only mySQL specific functions </span> <span class="n">rds_data</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">rds-data</span><span class="sh">"</span><span class="p">)</span> <span class="n">rds_ctrl</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">rds</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_assert_cluster_available</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> Ensure the Aurora cluster exists and is in </span><span class="sh">'</span><span class="s">available</span><span class="sh">'</span><span class="s"> state. Step Function should normally guarantee this, but this keeps the Lambda safe when invoked manually. </span><span class="sh">"""</span> <span class="n">cluster_id</span> <span class="o">=</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">cluster_arn</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">:</span><span class="sh">"</span><span class="p">)[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="k">try</span><span class="p">:</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">rds_ctrl</span><span class="p">.</span><span class="nf">describe_db_clusters</span><span class="p">(</span> <span class="n">DBClusterIdentifier</span><span class="o">=</span><span class="n">cluster_id</span> <span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to describe cluster: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">status</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">DBClusters</span><span class="sh">"</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">"</span><span class="s">Status</span><span class="sh">"</span><span class="p">]</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">available</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Cluster not ready (status=</span><span class="si">{</span><span class="n">status</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Aurora cluster is available: </span><span class="si">{</span><span class="n">cluster_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_execute</span><span class="p">(</span><span class="n">sql</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">database</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">params</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="n">kwargs</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">resourceArn</span><span class="sh">"</span><span class="p">:</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">cluster_arn</span><span class="p">,</span> <span class="sh">"</span><span class="s">secretArn</span><span class="sh">"</span><span class="p">:</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">secret_arn</span><span class="p">,</span> <span class="sh">"</span><span class="s">database</span><span class="sh">"</span><span class="p">:</span> <span class="n">database</span><span class="p">,</span> <span class="sh">"</span><span class="s">sql</span><span class="sh">"</span><span class="p">:</span> <span class="n">sql</span><span class="p">,</span> <span class="p">}</span> <span class="k">if</span> <span class="n">params</span><span class="p">:</span> <span class="n">kwargs</span><span class="p">[</span><span class="sh">"</span><span class="s">parameters</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">k</span><span class="p">,</span> <span class="sh">"</span><span class="s">value</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">stringValue</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">v</span><span class="p">)}}</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">params</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="p">]</span> <span class="k">return</span> <span class="n">rds_data</span><span class="p">.</span><span class="nf">execute_statement</span><span class="p">(</span><span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># ------------------------- # MySQL helpers # ------------------------- </span><span class="k">def</span> <span class="nf">_mysql_db_exists</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">resp</span> <span class="o">=</span> <span class="nf">_execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SHOW DATABASES LIKE </span><span class="sh">'</span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">'"</span><span class="p">,</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">bool</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">records</span><span class="sh">"</span><span class="p">))</span> <span class="k">def</span> <span class="nf">_mysql_create_db</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">if</span> <span class="nf">_mysql_db_exists</span><span class="p">(</span><span class="n">db</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[SKIP] MySQL database already exists: </span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">_execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">CREATE DATABASE `</span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="s">` CHARACTER SET utf8mb4</span><span class="sh">"</span><span class="p">,</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">default_db</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[OK] Created MySQL database: </span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_cleanup_stale_mysql_grants</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">):</span> <span class="n">desired</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">databases</span><span class="p">)</span> <span class="n">granted</span> <span class="o">=</span> <span class="nf">mysql_list_granted_dbs</span><span class="p">(</span><span class="n">execute_fn</span><span class="p">,</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_user</span><span class="p">)</span> <span class="n">stale</span> <span class="o">=</span> <span class="n">granted</span> <span class="o">-</span> <span class="n">desired</span> <span class="k">for</span> <span class="n">db</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">stale</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">[CLEANUP] Revoking stale grants: </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">db_user</span><span class="si">}</span><span class="s">@</span><span class="si">{</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">db_host</span><span class="si">}</span><span class="s"> → </span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="nf">mysql_revoke_db</span><span class="p">(</span> <span class="n">execute_fn</span><span class="p">,</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_user</span><span class="p">,</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_host</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># ------------------------- # Lambda entrypoint # ------------------------- </span><span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Starting Aurora database bootstrap</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Engine : </span><span class="si">{</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">db_engine</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Databases : </span><span class="si">{</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">databases</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Explicit no-op behavior </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">databases</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">No databases defined — skipping bootstrap</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">skipped</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">no_databases</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">engine</span><span class="sh">"</span><span class="p">:</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_engine</span><span class="p">,</span> <span class="p">}</span> <span class="nf">_assert_cluster_available</span><span class="p">()</span> <span class="k">if</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_engine</span> <span class="o">==</span> <span class="sh">"</span><span class="s">aurora-mysql</span><span class="sh">"</span><span class="p">:</span> <span class="nf">_cleanup_stale_mysql_grants</span><span class="p">(</span><span class="n">_execute</span><span class="p">)</span> <span class="nf">mysql_create_user</span><span class="p">(</span><span class="n">_execute</span><span class="p">)</span> <span class="k">for</span> <span class="n">db</span> <span class="ow">in</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">databases</span><span class="p">:</span> <span class="nf">_mysql_create_db</span><span class="p">(</span><span class="n">db</span><span class="p">)</span> <span class="nf">mysql_grant_privileges</span><span class="p">(</span><span class="n">_execute</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unsupported DB engine: </span><span class="si">{</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">db_engine</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Database bootstrap completed successfully</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">engine</span><span class="sh">"</span><span class="p">:</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_engine</span><span class="p">,</span> <span class="sh">"</span><span class="s">databases</span><span class="sh">"</span><span class="p">:</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">databases</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>4️⃣ <strong><code>pgsql_installer.py</code> - pgSQL Orchestrator</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># pgsql_installer.py </span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="kn">from</span> <span class="n">db_config</span> <span class="kn">import</span> <span class="n">CONFIG</span> <span class="kn">from</span> <span class="n">db_helper</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">pgsql_db_exists</span><span class="p">,</span> <span class="n">pgsql_create_app_role</span><span class="p">,</span> <span class="n">pgsql_create_db</span><span class="p">,</span> <span class="n">pgsql_grant_privileges</span><span class="p">,</span> <span class="p">)</span> <span class="c1">#&lt;-- loads only pgSQL specific functions </span> <span class="n">rds_data</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">rds-data</span><span class="sh">"</span><span class="p">)</span> <span class="n">rds_ctrl</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">rds</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ========================================================== # PgSQL helper functions # ========================================================== </span><span class="k">def</span> <span class="nf">_assert_cluster_available</span><span class="p">():</span> <span class="k">try</span><span class="p">:</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">rds_ctrl</span><span class="p">.</span><span class="nf">describe_db_clusters</span><span class="p">(</span> <span class="n">DBClusterIdentifier</span><span class="o">=</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">cluster_arn</span> <span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to describe DB cluster: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">status</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">DBClusters</span><span class="sh">"</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">"</span><span class="s">Status</span><span class="sh">"</span><span class="p">]</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">available</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">DB cluster not available (status=</span><span class="si">{</span><span class="n">status</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_execute</span><span class="p">(</span><span class="n">sql</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">database</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">return</span> <span class="n">rds_data</span><span class="p">.</span><span class="nf">execute_statement</span><span class="p">(</span> <span class="n">resourceArn</span><span class="o">=</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">cluster_arn</span><span class="p">,</span> <span class="n">secretArn</span><span class="o">=</span><span class="n">CONFIG</span><span class="p">.</span><span class="n">secret_arn</span><span class="p">,</span> <span class="n">database</span><span class="o">=</span><span class="n">database</span><span class="p">,</span> <span class="n">sql</span><span class="o">=</span><span class="n">sql</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># ========================================================== # Lambda handler entrypoint # ========================================================== </span><span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Starting PostgreSQL database bootstrap</span><span class="sh">"</span><span class="p">)</span> <span class="nf">_assert_cluster_available</span><span class="p">()</span> <span class="n">app_role</span> <span class="o">=</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">db_user</span> <span class="n">default_db</span> <span class="o">=</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">default_db</span> <span class="c1"># 1. App role (LOGIN + rds_iam) </span> <span class="nf">pgsql_create_app_role</span><span class="p">(</span><span class="n">_execute</span><span class="p">,</span> <span class="n">app_role</span><span class="p">,</span> <span class="n">default_db</span><span class="p">)</span> <span class="c1"># 2. Databases + grants </span> <span class="k">for</span> <span class="n">db</span> <span class="ow">in</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">databases</span><span class="p">:</span> <span class="k">if</span> <span class="nf">pgsql_db_exists</span><span class="p">(</span><span class="n">_execute</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">default_db</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[SKIP] PostgreSQL DB already exists: </span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[CREATE] PostgreSQL DB: </span><span class="si">{</span><span class="n">db</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">pgsql_create_db</span><span class="p">(</span><span class="n">_execute</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">default_db</span><span class="p">)</span> <span class="nf">pgsql_grant_privileges</span><span class="p">(</span> <span class="n">_execute</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">app_role</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">PostgreSQL database bootstrap completed successfully</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">engine</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">aurora-postgresql</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">databases</span><span class="sh">"</span><span class="p">:</span> <span class="n">CONFIG</span><span class="p">.</span><span class="n">databases</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h2> The Outcome: Day-Zero Readiness <a></a> </h2> <p>With this implementation, we have successfully established a Day-Zero capability that operates as a native extension of the infrastructure pipeline. By offloading state mutation to a specialized Lambda function, we ensure that the database is not just <em>available</em>, but fully initialized and ready for application consumption the moment the Terraform run completes.</p> <h3> Deployment Verification <a></a> </h3> <p>Following a successful terragrunt apply, the bootstrap functions are deployed as distinct platform primitives within your AWS environment. These functions remain idle until invoked by your orchestration layer, ensuring they consume no compute resources outside of active bootstrap windows.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzpieka6yykew30xpxqqv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzpieka6yykew30xpxqqv.png" alt="lambda-function in AWS console" width="450" height="366"></a></p> <h3> Validating the Execution Flow <a></a> </h3> <p>To verify the integration between the Lambda, the Aurora Data API, and the RDS cluster, you can perform a manual execution test. By invoking the function with a standard event payload, the Lambda will execute its "check-before-create" logic across the cluster.</p> <p>A successful execution (as shown in the console logs below) confirms that the IAM permissions, networking via the Data API, and the engine-specific logic are all functioning as a cohesive unit.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fifkah3jm5jv1m5npbh5u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fifkah3jm5jv1m5npbh5u.png" alt="lambda test execution report" width="800" height="244"></a></p> <p>In Part 3, we will explore how to integrate these functions into a controlled AWS Step Functions workflow. This move will provide us with platform-level visibility, auditable execution history, and the ability to run on-demand bootstraps—all while keeping our deployment pipeline entirely script-free.</p> <h2> In This Series </h2> <ul> <li>Part 1: Architectural foundation and engineering basics.</li> <li>Part 2: Deep dive into Lambda implementation and IAM-based access.</li> <li>Part 3: Orchestrating workflows and Execution using AWS Step Functions.</li> </ul> lambda aws rds devops Santanu Das Sat, 10 Jan 2026 23:42:54 +0000 https://forem.com/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-1-493h https://forem.com/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-1-493h <blockquote> <p><strong>TL;DR</strong><br> <em>Terraform can create an Aurora cluster, but it cannot safely manage databases, users, or grants. This series shows how we decouple infrastructure provisioning from database bootstrapping using Lambda — and later, Step Functions — without breaking Terraform’s declarative model</em>.</p> </blockquote> <h2> Table Of Contents </h2> <ul> <li>The Problems</li> <li> Cluster Creation <ul> <li>Child Module</li> <li>Root Module</li> <li>YAML DataSet</li> <li>Local Variables</li> <li>Input Variables</li> </ul> </li> </ul> <h2> The Problems <a></a> </h2> <h3> Terraform’s Limitations </h3> <p>While Terraform is ideal for provisioning Aurora clusters, it is poorly suited for managing database-level objects because:</p> <ul> <li><p><strong>Limited Scope:</strong> It can only create one initial database; it cannot manage multiple databases, complex ownership models, or granular IAM-based access.</p></li> <li><p><strong>State Conflict:</strong> Managing SQL internals within Terraform leads to brittle plans, partial failures, and irreversible drift.</p></li> <li><p><strong>Risk:</strong> Running SQL during terraform apply creates tight coupling between infrastructure and runtime data, increasing operational risk.</p></li> </ul> <h3> The Manual Gap </h3> <p>Although it's able to provision the cluster and an initial database in minutes, it leaves behind an operational vacuum. Once the cluster is <em>live</em>, the engineering team is frequently forced into a manual waiting game:</p> <ul> <li><p><strong>Access Stagnation:</strong> The cluster exists, but there are no application-specific users.</p></li> <li><p><strong>Security Hurdles:</strong> A platform engineer must manually log in to configure IAM authentication and map roles to database users.</p></li> <li><p><strong>Permission Complexity:</strong> Defining granular Read/Write privileges, schema ownership, and grant structures becomes a ticket-driven manual task.</p></li> <li><p><strong>Developer Friction:</strong> Application developers sit idle until the tasks above are completed because the <em>Initial Database</em> provided by AWS lacks the schema-level management required for actual deployment. </p></li> </ul> <p>This creates a bottleneck where infrastructure is automated, but the database remains unusable until a human intervenes to bridge the gap between a cloud resource and a functional data store.</p> <p>This post outlines a platform engineering approach to bootstrapping Amazon Aurora databases, arguing that database internals should be decoupled from Terraform state.</p> <blockquote> <p><em>Terraform’s responsibility ends when the cluster becomes reachable.<br> Everything beyond that point is runtime behavior, not infrastructure state.</em></p> </blockquote> <h2> The Cluster Basics <a></a> </h2> <p>While this post isn't a deep dive into cluster creation itself, I will cover the essential infrastructure components to provide context for <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-2-29i3">Part 2</a>. My implementation utilizes the standard <a href="https://dev.toterraform-aws-rds-aurora">terraform-aws-rds-aurora</a> module, wrapped within a custom child module to meet our specific requirements.</p> <h3> Child Module <a></a> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/rds-aurora/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"10.0.2"</span> <span class="c1">#&lt;-- latest at the time of writing </span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">engine</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine</span> <span class="nx">engine_mode</span> <span class="p">=</span> <span class="s2">"provisioned"</span> <span class="c1">#&lt;-- NOT cluster-type</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine_version</span> <span class="nx">storage_encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_http_endpoint</span> <span class="p">=</span> <span class="nx">anytrue</span><span class="p">([</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_db_managment</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">data_api_enabled</span> <span class="p">])</span> <span class="nx">master_username</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">master_uname</span> <span class="nx">manage_master_user_password</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">master_user_secret_kms_key_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_id</span> <span class="nx">manage_master_user_password_rotation</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">master_user_password_rotate_immediately</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">master_user_password_rotation_schedule_expression</span> <span class="p">=</span> <span class="s2">"rate(21 days)"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_group_name</span> <span class="nx">security_group_ingress_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">ci</span><span class="p">,</span> <span class="nx">dr</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ingress_cidr_blocks</span> <span class="err">:</span> <span class="s2">"cidr${ci}"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">cidr_ipv4</span> <span class="p">=</span> <span class="nx">dr</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">cluster_monitoring_interval</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">cluster_parameter_group</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">family</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">db_engine_family</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"${local.cluster_name} cluster parameter group"</span> <span class="nx">parameters</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_parameter_group_parameters</span> <span class="p">}</span> <span class="nx">db_parameter_group</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">family</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">db_engine_family</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"${local.cluster_name} Database parameter group"</span> <span class="nx">parameters</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_parameter_group_parameters</span> <span class="p">}</span> <span class="nx">apply_immediately</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">deletion_protection</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># ----------------------------------------------</span> <span class="c1"># Only required for Serverless V2 clusters</span> <span class="c1"># ----------------------------------------------</span> <span class="nx">serverlessv2_scaling_configuration</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_type</span> <span class="p">==</span> <span class="s2">"serverless"</span> <span class="p">)</span> <span class="err">?</span> <span class="p">{</span> <span class="nx">min_capacity</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_capacity</span> <span class="p">=</span> <span class="mi">10</span> <span class="p">}</span> <span class="err">:</span> <span class="kc">null</span> <span class="nx">cluster_instance_class</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_type</span> <span class="p">==</span> <span class="s2">"serverless"</span> <span class="p">)</span> <span class="err">?</span> <span class="s2">"db.serverless"</span> <span class="err">:</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">instance_class</span> <span class="c1"># ----------------------------------------------</span> <span class="c1"># Based on the number of AZs, it creates</span> <span class="c1"># 1x RW-instance &amp; 1x RO-inatance per AZ</span> <span class="c1"># ----------------------------------------------</span> <span class="nx">instances</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_type</span> <span class="p">==</span> <span class="s2">"serverless"</span> <span class="err">?</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">ix</span><span class="p">,</span> <span class="nx">az</span> <span class="nx">in</span> <span class="nx">concat</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">aws_zones</span><span class="p">,</span> <span class="p">[</span><span class="nx">join</span><span class="p">(</span><span class="s2">""</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_zones</span><span class="p">)])</span> <span class="err">:</span> <span class="s2">"${var.db_profile.engine_type}${ix + 1}"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{}</span> <span class="p">}</span> <span class="err">:</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="s2">"0rw"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">,</span> <span class="s2">"rw_instance_class"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">instance_class</span> <span class="p">)</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">ix</span><span class="p">,</span> <span class="nx">az</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_zones</span> <span class="err">:</span> <span class="s2">"${ix + 1}ro"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">instance_class</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="c1">#create_cloudwatch_log_group = true</span> <span class="nx">enabled_cloudwatch_logs_exports</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine</span> <span class="p">==</span> <span class="s2">"aurora-mysql"</span> <span class="err">?</span> <span class="p">[</span> <span class="s2">"audit"</span><span class="p">,</span> <span class="s2">"error"</span><span class="p">,</span> <span class="s2">"general"</span><span class="p">,</span> <span class="s2">"slowquery"</span><span class="p">,</span> <span class="p">]</span> <span class="err">:</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">engine</span> <span class="p">==</span> <span class="s2">"aurora-postgresql"</span> <span class="err">?</span> <span class="p">[</span><span class="s2">"postgresql"</span><span class="p">]</span> <span class="err">:</span> <span class="p">[]</span> <span class="p">)</span> <span class="p">)</span> <span class="nx">iam_database_authentication_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#&lt;-- MUST be true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">extra_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">SubResource</span> <span class="p">=</span> <span class="s2">"module.cluster"</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <ul> <li><p><strong>Engine Mode Ambiguity:</strong> When deploying Aurora <em>Serverless v2</em>, it is important to note that the engine_mode must be set to provisioned. Unlike Serverless v1, v2 operates under the provisioned framework to allow for better scaling and feature parity.</p></li> <li><p><strong>Log Group Conflicts:</strong> Avoid setting <code>create_cloudwatch_log_group = true</code> within the module. In many Aurora configurations, AWS automatically creates the log group as soon as logging is enabled; if Terraform attempts to create it simultaneously, the deployment will fail due to a naming conflict.</p></li> </ul> <h3> Root Module <a></a> </h3> <p>In the root-module, it just referrenced like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"db_cluster"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">anytrue</span><span class="p">(</span><span class="nx">values</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">service_enabled</span><span class="p">))</span> <span class="err">?</span> <span class="nx">tomap</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">db_profiles</span><span class="p">)</span> <span class="err">:</span> <span class="p">{}</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./services//aurora"</span> <span class="nx">aws_zones</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_zones</span> <span class="nx">cluster_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_type</span> <span class="nx">db_profile</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="c1">#&lt;-- details below</span> <span class="nx">ingress_cidr_blocks</span> <span class="p">=</span> <span class="nx">distinct</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">static_route_cidrs</span><span class="p">)</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="nx">replace</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">template_name</span><span class="p">,</span> <span class="s2">"/-[^-]+$/"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span> <span class="nx">kms_key_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_master_key_arn</span> <span class="nx">subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_db_subnet_group</span><span class="p">.</span><span class="nx">default</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">].</span><span class="nx">name</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">my_vpc_info</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cluster_parameter_group_parameters</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_parameters</span><span class="p">,</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">,</span> <span class="p">[]</span> <span class="p">)</span> <span class="nx">db_parameter_group_parameters</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span> <span class="nx">local</span><span class="p">.</span><span class="nx">db_parameters</span><span class="p">,</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">,</span> <span class="p">[]</span> <span class="p">)</span> <span class="nx">dns_host_prefix</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">dns_name_prefix</span> <span class="nx">dns_hosted_zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">dns_hosted_zone_id</span> <span class="nx">enable_db_managment</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">enable_db_managment</span> <span class="nx">lambda_service_role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">air_lfn</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">extra_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"module.db_cluster"</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span> <span class="s2">"${var.eks_access_tag}"</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="cm">/* master_uname = var.dbs_master_user */</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>While the <code>name_prefix</code> can be customized to any string, I utilize a standardized naming structure to maintain consistency across the platform. By using <code>local.template_name</code>, I construct a prefix following the pattern <code>&lt;env&gt;&lt;acc&gt;-&lt;vpc_name&gt;-&lt;service_name&gt;</code>, which ensures resources are easily identifiable and organized.</p> </blockquote> <h3> Data set <a></a> </h3> <p>I leverage <a href="https://terragrunt.gruntwork.io/" rel="noopener noreferrer">Terragrunt</a> to orchestrate our deployments. Below are the specific input variables and configurations I defined as the source of truth for the Aurora cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">cluster_type</span><span class="pi">:</span> <span class="s">serverless</span> <span class="c1">#&lt;-- or provisioned</span> <span class="na">db_clusters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">mysql</span> <span class="pi">-</span> <span class="s">pgsql</span> <span class="c1"># </span> <span class="na">db_profile</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="na">allocated_storage</span><span class="pi">:</span> <span class="m">20</span> <span class="na">auto_stop</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">autoscaling_enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">autoscaling_max_size</span><span class="pi">:</span> <span class="m">3</span> <span class="na">autoscaling_min_size</span><span class="pi">:</span> <span class="m">1</span> <span class="na">database_user</span><span class="pi">:</span> <span class="s">zenapp-iam-user</span> <span class="na">enable_db_managment</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1">#&lt;-- required for part2</span> <span class="na">instance_class</span><span class="pi">:</span> <span class="s">db.t4g.small</span> <span class="na">max_allocated_storage</span><span class="pi">:</span> <span class="m">0</span> <span class="na">multi_az</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">mysql</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">database_port</span><span class="pi">:</span> <span class="m">3306</span> <span class="na">engine</span><span class="pi">:</span> <span class="s">aurora-mysql</span> <span class="na">engine_version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">8.0'</span> <span class="na">databases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">my-database1</span> <span class="pi">-</span> <span class="s">my-database2</span> <span class="na">pgsql</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">database_port</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">engine</span><span class="pi">:</span> <span class="s">aurora-postgresql</span> <span class="na">engine_version</span><span class="pi">:</span> <span class="m">17</span> <span class="na">databases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pg-database1</span> <span class="pi">-</span> <span class="s">pg-database2</span> <span class="c1">#</span> <span class="na">cluster_parameter_group</span><span class="pi">:</span> <span class="na">mysql</span><span class="pi">:</span> <span class="na">family</span><span class="pi">:</span> <span class="s">aurora-mysql8.0</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">MySQL</span><span class="nv"> </span><span class="s">Aurora</span><span class="nv"> </span><span class="s">Cluster</span><span class="nv"> </span><span class="s">Parameters'</span> <span class="na">immediate</span><span class="pi">:</span> <span class="na">innodb_lock_wait_timeout</span><span class="pi">:</span> <span class="m">60</span> <span class="na">log_bin_trust_function_creators</span><span class="pi">:</span> <span class="m">1</span> <span class="na">long_query_time</span><span class="pi">:</span> <span class="m">1</span> <span class="na">max_allowed_packet</span><span class="pi">:</span> <span class="m">67108864</span> <span class="na">require_secure_transport</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ON'</span> <span class="na">slow_query_log</span><span class="pi">:</span> <span class="m">1</span> <span class="na">time_zone</span><span class="pi">:</span> <span class="s">UTC</span> <span class="na">wait_timeout</span><span class="pi">:</span> <span class="m">28800</span> <span class="na">pending-reboot</span><span class="pi">:</span> <span class="na">aurora_parallel_query</span><span class="pi">:</span> <span class="m">0</span> <span class="na">binlog_checksum</span><span class="pi">:</span> <span class="s">NONE</span> <span class="na">binlog_format</span><span class="pi">:</span> <span class="s">ROW</span> <span class="na">log_output</span><span class="pi">:</span> <span class="s">FILE</span> <span class="na">max_connections</span><span class="pi">:</span> <span class="s">LEAST({DBInstanceClassMemory/12582912},5000)</span> <span class="na">tls_version</span><span class="pi">:</span> <span class="s">TLSv1.2</span> <span class="na">pgsql</span><span class="pi">:</span> <span class="na">family</span><span class="pi">:</span> <span class="s">aurora-postgresql17</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">PostgreSQL</span><span class="nv"> </span><span class="s">Aurora</span><span class="nv"> </span><span class="s">Cluster</span><span class="nv"> </span><span class="s">Parameters'</span> <span class="na">immediate</span><span class="pi">:</span> <span class="na">deadlock_timeout</span><span class="pi">:</span> <span class="m">1000</span> <span class="na">idle_in_transaction_session_timeout</span><span class="pi">:</span> <span class="m">600000</span> <span class="na">log_lock_waits</span><span class="pi">:</span> <span class="m">1</span> <span class="na">log_min_duration_statement</span><span class="pi">:</span> <span class="m">2000</span> <span class="na">log_statement</span><span class="pi">:</span> <span class="s">ddl</span> <span class="na">pending-reboot</span><span class="pi">:</span> <span class="na">log_line_prefix</span><span class="pi">:</span> <span class="s1">'</span><span class="s">%t:%r:%u@%d:[%p]:'</span> <span class="na">max_connections</span><span class="pi">:</span> <span class="s">LEAST({DBInstanceClassMemory/9531392},5000)</span> <span class="na">rds.force_ssl</span><span class="pi">:</span> <span class="m">1</span> <span class="na">shared_preload_libraries</span><span class="pi">:</span> <span class="s">pg_stat_statements</span> <span class="na">timezone</span><span class="pi">:</span> <span class="s">UTC</span> <span class="na">track_activity_query_size</span><span class="pi">:</span> <span class="m">2048</span> <span class="c1">#</span> <span class="na">db_parameter_group</span><span class="pi">:</span> <span class="na">mysql</span><span class="pi">:</span> <span class="na">family</span><span class="pi">:</span> <span class="s">aurora-mysql8.0</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">MySQL</span><span class="nv"> </span><span class="s">DB</span><span class="nv"> </span><span class="s">parameters'</span> <span class="na">immediate</span><span class="pi">:</span> <span class="na">connect_timeout</span><span class="pi">:</span> <span class="m">60</span> <span class="na">general_log</span><span class="pi">:</span> <span class="m">0</span> <span class="na">log_bin_trust_function_creators</span><span class="pi">:</span> <span class="m">1</span> <span class="na">slow_query_log</span><span class="pi">:</span> <span class="m">1</span> <span class="na">pending-reboot</span><span class="pi">:</span> <span class="na">performance_schema</span><span class="pi">:</span> <span class="m">1</span> <span class="na">pgsql</span><span class="pi">:</span> <span class="na">family</span><span class="pi">:</span> <span class="s">postgresql16</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">PostgreSQL</span><span class="nv"> </span><span class="s">DB</span><span class="nv"> </span><span class="s">parameters'</span> <span class="na">immediate</span><span class="pi">:</span> <span class="na">default_statistics_target</span><span class="pi">:</span> <span class="m">100</span> <span class="na">maintenance_work_mem</span><span class="pi">:</span> <span class="m">131072</span> <span class="na">random_page_cost</span><span class="pi">:</span> <span class="m">1.1</span> <span class="na">temp_buffers</span><span class="pi">:</span> <span class="m">16384</span> <span class="na">work_mem</span><span class="pi">:</span> <span class="m">8192</span> </code></pre> </div> <blockquote> <p>Aurora configuration updates are governed by two apply-methods: <code>immediate</code> and <code>pending-reboot</code>. These settings apply to both Cluster and DB parameter groups, but the engine — particularly PostgreSQL — is notoriously strict about how these classifications are handled. After extensive trial and error to avoid unexpected downtime or deployment friction, I’ve settled on the categorized list above as a stable, battle-tested baseline for platform environments.</p> </blockquote> <h3> Local Variables <a></a> </h3> <p>I utilized <code>locals {....}</code> block to normalize the dataset, ensuring direct compatibility with the terraform-aws-rds-aurora module. The key transformations are outlined below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="p">....</span> <span class="nx">service_enabled</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">DB</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_clusters</span> <span class="err">:</span> <span class="nx">DB</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_enabled</span> <span class="err">&amp;&amp;</span> <span class="nx">tobool</span><span class="p">(</span> <span class="nx">local</span><span class="p">.</span><span class="nx">db_profiles</span><span class="p">[</span><span class="nx">DB</span><span class="p">].</span><span class="nx">enabled</span> <span class="p">)</span> <span class="nx">if</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">db_profiles</span><span class="p">),</span> <span class="nx">DB</span><span class="p">)</span> <span class="p">}</span> <span class="c1"># ---------------------------------------------</span> <span class="c1"># Decesion making and conditional resource</span> <span class="c1"># creation happens from the values from here</span> <span class="c1"># ---------------------------------------------</span> <span class="nx">db_profiles</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">DB</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_clusters</span> <span class="err">:</span> <span class="nx">DB</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">.</span><span class="nx">default</span><span class="p">,</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">K1</span><span class="p">,</span> <span class="nx">V1</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">[</span><span class="nx">DB</span><span class="p">]</span> <span class="err">:</span> <span class="nx">K1</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">V1</span> <span class="nx">if</span> <span class="nx">V1</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">dbs_user_host</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">eks_base_cidr</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="nx">join</span><span class="p">(</span><span class="s2">"."</span><span class="p">,</span> <span class="p">[</span> <span class="nx">replace</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">eks_base_cidr</span><span class="p">,</span> <span class="s2">"/</span><span class="err">\\</span><span class="s2">.[^./]+</span><span class="err">\\</span><span class="s2">/</span><span class="err">\\</span><span class="s2">d+$/"</span><span class="p">,</span> <span class="s2">""</span><span class="p">),</span> <span class="s2">"%"</span><span class="p">,</span> <span class="p">])</span> <span class="err">:</span> <span class="s2">"%"</span> <span class="nx">engine_type</span> <span class="p">=</span> <span class="nx">DB</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">if</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">),</span> <span class="nx">DB</span><span class="p">)</span> <span class="err">&amp;&amp;</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_profile</span><span class="p">[</span><span class="nx">DB</span><span class="p">].</span><span class="nx">enabled</span> <span class="p">}</span> <span class="c1">#</span> <span class="nx">db_parameters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">DB</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_clusters</span> <span class="err">:</span> <span class="nx">DB</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">flatten</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">K1</span><span class="p">,</span> <span class="nx">V1</span> <span class="nx">in</span> <span class="p">{</span> <span class="nx">immediate</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">try</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">db_parameter_group</span><span class="p">[</span><span class="s2">"default"</span><span class="p">].</span><span class="nx">immediate</span><span class="p">,</span> <span class="p">{}),</span> <span class="nx">try</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">db_parameter_group</span><span class="p">[</span><span class="nx">DB</span><span class="p">].</span><span class="nx">immediate</span><span class="p">,</span> <span class="p">{})</span> <span class="p">)</span> <span class="nx">pending-reboot</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">try</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">db_parameter_group</span><span class="p">[</span><span class="s2">"default"</span><span class="p">][</span><span class="s2">"pending-reboot"</span><span class="p">],</span> <span class="p">{}),</span> <span class="nx">try</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">db_parameter_group</span><span class="p">[</span><span class="nx">DB</span><span class="p">][</span><span class="s2">"pending-reboot"</span><span class="p">],</span> <span class="p">{})</span> <span class="p">)</span> <span class="p">}</span> <span class="err">:</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">K2</span><span class="p">,</span> <span class="nx">V2</span> <span class="nx">in</span> <span class="nx">V1</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">K2</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">tonumber</span><span class="p">(</span><span class="nx">V2</span><span class="p">),</span> <span class="nx">V2</span><span class="p">)</span> <span class="nx">apply_method</span> <span class="p">=</span> <span class="nx">K1</span> <span class="p">}</span> <span class="p">]</span> <span class="p">])</span> <span class="nx">if</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">db_profiles</span><span class="p">),</span> <span class="nx">DB</span><span class="p">)</span> <span class="p">}</span> <span class="c1">#</span> <span class="nx">cluster_parameters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">DB</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_clusters</span> <span class="err">:</span> <span class="nx">DB</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">flatten</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">K1</span><span class="p">,</span> <span class="nx">V1</span> <span class="nx">in</span> <span class="p">{</span> <span class="nx">immediate</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">try</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">cluster_parameter_group</span><span class="p">[</span><span class="s2">"default"</span><span class="p">].</span><span class="nx">immediate</span><span class="p">,</span> <span class="p">{}),</span> <span class="nx">try</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">cluster_parameter_group</span><span class="p">[</span><span class="nx">DB</span><span class="p">].</span><span class="nx">immediate</span><span class="p">,</span> <span class="p">{})</span> <span class="p">)</span> <span class="nx">pending-reboot</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">try</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">cluster_parameter_group</span><span class="p">[</span><span class="s2">"default"</span><span class="p">][</span><span class="s2">"pending-reboot"</span><span class="p">],</span> <span class="p">{}),</span> <span class="nx">try</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">cluster_parameter_group</span><span class="p">[</span><span class="nx">DB</span><span class="p">][</span><span class="s2">"pending-reboot"</span><span class="p">],</span> <span class="p">{})</span> <span class="p">)</span> <span class="p">}</span> <span class="err">:</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">K2</span><span class="p">,</span> <span class="nx">V2</span> <span class="nx">in</span> <span class="nx">V1</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">K2</span><span class="p">,</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">tonumber</span><span class="p">(</span><span class="nx">V2</span><span class="p">),</span> <span class="nx">V2</span><span class="p">),</span> <span class="nx">apply_method</span> <span class="p">=</span> <span class="nx">K1</span> <span class="p">}</span> <span class="p">]</span> <span class="p">])</span> <span class="nx">if</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">db_profiles</span><span class="p">),</span> <span class="nx">DB</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Input Variable Defination <a></a> </h3> <p>Just for the completeness, these are the Terraform variables, to ingest the configuration from the Terragrunt YAML dataset:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"cluster_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"serverless"</span> <span class="nx">description</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> The deployment mode for the Aurora Cluster Valid value is 'serverless' or 'provisioned'. </span><span class="no"> EOT </span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span> <span class="p">[</span><span class="s2">"serverless"</span><span class="p">,</span> <span class="s2">"provisioned"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_type</span> <span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> The cluster_type must be either 'serverless' or 'provisioned'. </span><span class="no"> EOT </span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"cluster_parameter_group"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">family</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">immediate</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">{})</span> <span class="nx">pending-reboot</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">{})</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">description</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> Configuration for RDS Cluster Parameter Groups (applies to the entire Aurora cluster). Use this to manage engine-specific settings that affect all instances in the cluster. Key attributes: - family: The engine family (e.g., 'aurora-postgresql15'). - description: A custom description for the parameter group. - immediate: A map of parameters to apply immediately without a reboot (static and dynamic). - pending-reboot: A map of parameters that require a manual reboot to take effect. </span><span class="no"> EOT </span><span class="p">}</span> <span class="nx">variable</span> <span class="s2">"db_parameter_group"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">family</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">immediate</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">{})</span> <span class="nx">pending-reboot</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">{})</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">description</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> Configuration for RDS DB Parameter Groups (applies to individual DB instances). Use this for settings that can vary between the primary and replica instances. Key attributes: - family: The engine family (e.g., 'aurora-postgresql15'). - description: A custom description for the parameter group. - immediate: A map of parameters to apply immediately via the AWS API. - pending-reboot: A map of parameters that will only apply after the instance is rebooted. </span><span class="no"> EOT </span><span class="p">}</span> <span class="nx">variable</span> <span class="s2">"db_profile"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">number</span><span class="p">,</span> <span class="mi">20</span><span class="p">)</span> <span class="nx">auto_stop</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">bool</span><span class="p">,</span> <span class="kc">false</span><span class="p">)</span> <span class="nx">autoscaling_enabled</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">bool</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="nx">autoscaling_max_size</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">number</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="nx">autoscaling_min_size</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">number</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="nx">database_port</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">number</span><span class="p">,</span> <span class="mi">5432</span><span class="p">)</span> <span class="nx">database_user</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">bool</span><span class="p">,</span> <span class="kc">false</span><span class="p">)</span> <span class="nx">engine</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">databases</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">[])</span> <span class="nx">enable_db_managment</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">bool</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="s2">"db.t4g.small"</span><span class="p">)</span> <span class="nx">max_allocated_storage</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">number</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="nx">multi_az</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">bool</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="nx">rw_instance_class</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">,</span> <span class="s2">"db.t4g.small"</span><span class="p">)</span> <span class="p">}))</span> <span class="nx">description</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> A map of database profile objects used to define one or more database clusters/instances. Key attributes: - allocated_storage: Initial disk size in GB (Default: 20). - auto_stop: Whether to automatically stop the instance during idle hours to save costs. - autoscaling_enabled: Enables horizontal or vertical scaling for the DB instances. - database_port: The network port for database connections (Default: 5432 for PostgreSQL). - database_user: The name of the application-user for the database. - engine/engine_version: Specific RDS engine type (e.g., 'aurora-postgresql') and its version. - databases: A list of specific database schemas to create within the cluster. - instance_class/rw_instance_class: The hardware specifications of DB instances (Default: db.t4g.small). - multi_az: If true, deploys a standby instance in a different Availability Zone for High Availability. </span><span class="no"> EOT </span><span class="p">}</span> </code></pre> </div> <p>This concludes the foundational setup for the Aurora cluster and our specific Terraform approach. With the infrastructure in place, we have a stable platform to build upon. In <a href="https://dev.to/santanu_das/bootstrapping-aurora-rds-databases-using-lambda-and-terraform-part-2-29i3">Part 2</a>, we will dive into the Lambda implementation and explore how to consume the outputs from this module to drive the database bootstrapping process.</p> <blockquote> <p><em>This approach is primarily aimed at platform and infrastructure teams managing shared Aurora clusters across multiple services and environments</em>.</p> </blockquote> <h2> In This Series </h2> <ul> <li>Part 1: Architectural foundation and engineering basics.</li> <li>Part 2: Deep dive into Lambda implementation and IAM-based access.</li> <li>Part 3: Orchestrating workflows and Execution using AWS Step Functions.</li> </ul> terraform aws aurora devops Santanu Das Fri, 14 Nov 2025 19:20:15 +0000 https://forem.com/santanu_das/trigger-aws-codepipeline-from-a-cross-account-s3-upload-using-eventbridge-iam-roles-185d https://forem.com/santanu_das/trigger-aws-codepipeline-from-a-cross-account-s3-upload-using-eventbridge-iam-roles-185d <h2> Table Of Contents </h2> <ul> <li>Overview</li> <li>Source Account</li> <li>Target Account</li> <li>The Result</li> <li>Conclusion</li> <li>Upcoming</li> </ul> <p>Being in a <a href="https://dev.to/santanu_das/building-a-scalable-aws-multi-account-environment-with-control-tower-terraform-aft-and-scp-2kf8">multi-account</a> AWS environment, you quickly realize that while business domains are neatly isolated into separate accounts, real-world workloads often need to interact across those boundaries.</p> <p>Recently, one of our app teams needed to trigger a platform pipeline whenever their EKS app uploaded a file to an S3 bucket. A simple ask - right? But in our world, that means messaging platform-team and waiting for them to push the magic “Run Pipeline” button, as there was no seamless way to trigger that workflow across accounts from S3. Hence, we are here today. </p> <p>In this post, I’ll show how we eliminated that friction and built a clean, fully automated cross-account, S3 → CodePipeline trigger using AWS-native services.</p> <h2> Architectural Overview <a></a> </h2> <p>This is the sample accounts scenario:</p> <ul> <li> <strong>Account-A</strong> (source) - will call it <strong>ACA</strong>, has the S3 bucket</li> <li> <strong>Account-B</strong> (Target) - will call it <strong>ACB</strong>, runs the PipeLine</li> </ul> <p>Here, We will build a cross-account trigger, where:</p> <ul> <li> <strong>ACA</strong> detects the <em>S3 update</em> event</li> <li> <strong>ACA</strong> fires an EventBridge rule</li> <li>EventBridge <strong>assumes a role in ACB</strong> </li> <li>The role has permission to <strong>start the CodePipeline</strong> execution</li> <li> <strong>ACB</strong> runs the pipeline</li> </ul> <p>Here is the simple flow-diagram:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ┌──────────────────────────────────────────────────────────┐ │ ACCOUNT A <span class="o">(</span>Source<span class="o">)</span> │ │ │ │ ┌────────────────────────────────────────────────────┐ │ CodeCommit / │ │ EventBridge Rule │ │ ECR / S3 →─────▶│ │ <span class="o">(</span>Repo state change / image push / object put<span class="o">)</span> │ │ etc. │ └────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────────────────────────────┐ │ │ │ EventBridge Target │ │ │ │ - Uses IAM role <span class="k">in </span>Account A │ │ │ │ with sts:AssumeRole permission │ │ │ └──────────────────────────────────────┘ │ │ │ <span class="o">(</span>sts:AssumeRole<span class="o">)</span> │ └──────────────────────────┼───────────────────────────────┘ │ ▼ ┌──────────────────────────────────────────────────────────┐ │ ACCOUNT B <span class="o">(</span>Pipeline<span class="o">)</span> │ │ │ │ ┌────────────────────────────────────────────────────┐ │ │ │ IAM Role: cross-account-pipeline-start │ │ │ │ - Trusts Account A │ │ │ │ - Allows: codepipeline:StartPipelineExecution │ │ │ └────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────────────────────────────────────────┐ │ │ │ AWS CodePipeline │ │ │ │ <span class="o">(</span>Build/Test/Deploy Pipeline<span class="o">)</span> │ │ │ └────────────────────────────────────────────────────┘ │ │ │ └──────────────────────────────────────────────────────────┘ </code></pre> </div> <p>There are resources to be created on the both sides. This can be done going to the individual account and deploy locally. Or, if there is any cross-account role configured, it can be done from one account as well. </p> <p>In my case, as the S3 bucket (that used by EKS app to upload/update the file) was pre-created from <strong>ACB</strong> (as part of account vending process), I did everything from there. In that way, it was managed end-to-end from platform-managment side.</p> <h2> In Source Account - ACA <a></a> </h2> <p>This where we will create the:</p> <ul> <li>S3 bucket (with the Object/File inside), </li> <li>Assume Role/policy for EventBridge to do <code>PutEvents</code> </li> <li>EventBridge Rule and Target to forward the <em>event</em> to <strong>ACB</strong> bus</li> </ul> <blockquote> <p>1️⃣ <strong>NOTE:</strong><br> <code>provider = aws.eksapp</code> is optional.<br> As I’m running all ACA-side resources <em>from the ACB account</em>, so <code>aws.eksapp</code> is simply a provider alias pointing Terraform to the ACA account (where the EKS app actually runs). <br> It's not needed, if deploying from within ACA directly.</p> <p>2️⃣ <strong>NOTE:</strong><br> <code>for_each = local.cdp_svc_enabled ? toset([var.service_name]) : []</code> is just an On/Off switch for this entire set of resources.<br> When <code>local.cdp_svc_enabled</code> is <code>false</code>, none of the cross-account trigger infrastructure gets created.<br> Handy for conditional deployments or environment-specific setups.</p> </blockquote> <p>Now, tet’s break it down step-by-step.</p> <h4> 1️⃣ Create the S3 bucket </h4> <p>This step is optional for this process; assuming you already have a bucket - mentioning here just for the completeness. Feel free to use your usual way of creating bucket.</p> <h4> 2️⃣ Enable notification from S3 bucket </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ----------------------------------------------------------</span> <span class="c"># Ensure bucket sends events to EventBridge</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_s3_bucket_notification"</span> <span class="s2">"eb_xacc"</span> <span class="o">{</span> for_each <span class="o">=</span> local.cdp_svc_enabled ? toset<span class="o">([</span>var.service_name]<span class="o">)</span> : <span class="o">[]</span> bucket <span class="o">=</span> module.app_bucket[each.value].name eventbridge <span class="o">=</span> <span class="nb">true </span>provider <span class="o">=</span> aws.eksapp <span class="o">}</span> </code></pre> </div> <h4> 3️⃣ Assume Role for EventBridge </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ----------------------------------------------------------</span> <span class="c"># Role for EB to assume to PutEvents to ACB bus</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_iam_role"</span> <span class="s2">"eb_forward"</span> <span class="o">{</span> for_each <span class="o">=</span> local.cdp_svc_enabled ? toset<span class="o">([</span>var.service_name]<span class="o">)</span> : <span class="o">[]</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">local</span><span class="p">.template_name</span><span class="k">}</span><span class="s2">-xacc-s3eb-Role"</span> assume_role_policy <span class="o">=</span> jsonencode<span class="o">({</span> Version <span class="o">=</span> <span class="s2">"2012-10-17"</span>, Statement <span class="o">=</span> <span class="o">[{</span> Effect <span class="o">=</span> <span class="s2">"Allow"</span>, Principal <span class="o">=</span> <span class="o">{</span> <span class="s2">"Service"</span> : <span class="s2">"events.amazonaws.com"</span> <span class="o">}</span>, Action <span class="o">=</span> <span class="o">[</span><span class="s2">"sts:AssumeRole"</span><span class="o">]</span> <span class="o">}]</span> <span class="o">})</span> provider <span class="o">=</span> aws.eksapp <span class="o">}</span> resource <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"eb_forward"</span> <span class="o">{</span> for_each <span class="o">=</span> local.cdp_svc_enabled ? toset<span class="o">([</span>var.service_name]<span class="o">)</span> : <span class="o">[]</span> role <span class="o">=</span> aws_iam_role.eb_forward[each.value].id policy <span class="o">=</span> jsonencode<span class="o">({</span> Version <span class="o">=</span> <span class="s2">"2012-10-17"</span>, Statement <span class="o">=</span> <span class="o">[{</span> Effect <span class="o">=</span> <span class="s2">"Allow"</span>, Action <span class="o">=</span> <span class="s2">"events:PutEvents"</span>, Resource <span class="o">=</span> module.pipeline[each.value].event_bus.arn <span class="o">}]</span> <span class="o">})</span> provider <span class="o">=</span> aws.eksapp <span class="o">}</span> </code></pre> </div> <h4> 4️⃣ Capture the S3-bucket event, when file updates </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ----------------------------------------------------------</span> <span class="c"># Events Capture and forward to ACB bus</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"eb_xacc"</span> <span class="o">{</span> for_each <span class="o">=</span> local.cdp_svc_enabled ? toset<span class="o">([</span>var.service_name]<span class="o">)</span> : <span class="o">[]</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">local</span><span class="p">.template_name</span><span class="k">}</span><span class="s2">-xacc"</span> description <span class="o">=</span> <span class="s2">"Forward S3 Object Created events to ACB event bus"</span> provider <span class="o">=</span> aws.eksapp event_pattern <span class="o">=</span> jsonencode<span class="o">({</span> <span class="nb">source</span> <span class="o">=</span> <span class="o">[</span><span class="s2">"aws.s3"</span><span class="o">]</span>, detail-type <span class="o">=</span> <span class="o">[</span><span class="s2">"Object Created"</span><span class="o">]</span>, detail <span class="o">=</span> <span class="o">{</span> bucket <span class="o">=</span> <span class="o">{</span> name <span class="o">=</span> <span class="o">[</span>module.app_bucket[each.value].name] <span class="o">}</span>, object <span class="o">=</span> <span class="o">{</span> key <span class="o">=</span> <span class="o">[</span> <span class="o">{</span> prefix <span class="o">=</span> data.aws_s3_object.aso_file[each.value].key <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span> <span class="o">})</span> <span class="o">}</span> <span class="c"># ----------------------------------------------------------</span> <span class="c"># Target = ACB account event bus</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"eb_xacc"</span> <span class="o">{</span> for_each <span class="o">=</span> local.cdp_svc_enabled ? toset<span class="o">([</span>var.service_name]<span class="o">)</span> : <span class="o">[]</span> rule <span class="o">=</span> aws_cloudwatch_event_rule.eb_xacc[each.value].name arn <span class="o">=</span> module.pipeline[each.value].event_bus.arn role_arn <span class="o">=</span> aws_iam_role.eb_forward[each.value].arn provider <span class="o">=</span> aws.eksapp <span class="o">}</span> </code></pre> </div> <h2> In Target Account – ACB <a></a> </h2> <p>This is where all the action actually happens — the CodePipeline lives here, the event bus lives here, and this is the account that ACA ultimately needs to poke to start the pipeline.</p> <p>Here, we’ll configure:</p> <ul> <li>Accept the forwarded EventBridge event</li> <li>Create the IAM Role that EventBridge will assume</li> <li>Give it permission to start the pipeline</li> <li>Set up the CodePipeline start trigger</li> <li>And wire everything to the event bus that ACA sends into</li> </ul> <p>Let’s wlak it through step-by-step.</p> <h4> 1️⃣ Create an EventBridge Event Bus </h4> <p>If you already have a centralized event bus — great!! You probably then have something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>event_bus <span class="o">=</span> <span class="o">{</span> arn <span class="o">=</span> aws_cloudwatch_event_bus.cdp_bus.arn name <span class="o">=</span> aws_cloudwatch_event_bus.cdp_bus.name <span class="o">}</span> </code></pre> </div> <p>If not, here’s the minimal setup to get one. I used a dedicated one.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ----------------------------------------------------------</span> <span class="c"># Custom bus to receive events from INC account</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_cloudwatch_event_bus"</span> <span class="s2">"s3_trigger"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.name_prefix</span><span class="k">}</span><span class="s2">-cdp-s3-trigger"</span> <span class="o">}</span> </code></pre> </div> <p>This is the bus ACA will forward events into.</p> <h4>  2️⃣ Create the IAM Role that EventBridge will Assume </h4> <p>Unlike some other cross-account setup, where the other AWS account ID assumes a role, this uses the <strong>EventBridge service principal</strong> to assume this role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ----------------------------------------------------------</span> <span class="c"># EventBridge Assume-Role</span> <span class="c"># ----------------------------------------------------------</span> // Role-policy data <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"s3_trigger"</span> <span class="o">{</span> statement <span class="o">{</span> actions <span class="o">=</span> <span class="o">[</span><span class="s2">"sts:AssumeRole"</span><span class="o">]</span> principals <span class="o">{</span> <span class="nb">type</span> <span class="o">=</span> <span class="s2">"Service"</span> identifiers <span class="o">=</span> <span class="o">[</span><span class="s2">"events.amazonaws.com"</span><span class="o">]</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> // Role resource <span class="s2">"aws_iam_role"</span> <span class="s2">"s3_trigger"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.name_prefix</span><span class="k">}</span><span class="s2">-s3eb-Role"</span> assume_role_policy <span class="o">=</span> data.aws_iam_policy_document.s3_trigger.json <span class="o">}</span> </code></pre> </div> <h4> 3️⃣ Give that role permission to start the CodePipeline </h4> <p>This is the second half of the trust chain — once EventBridge assumes the role above, it must be allowed to start the CodePipeline(s):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ----------------------------------------------------------</span> <span class="c"># EventBridge start-pipeline policy</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"s3_trigger"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.name_prefix</span><span class="k">}</span><span class="s2">-s3eb-policy"</span> role <span class="o">=</span> aws_iam_role.s3_trigger.id policy <span class="o">=</span> jsonencode<span class="o">({</span> Version <span class="o">=</span> <span class="s2">"2012-10-17"</span>, Statement <span class="o">=</span> <span class="o">[</span> <span class="o">{</span> Effect <span class="o">=</span> <span class="s2">"Allow"</span>, Action <span class="o">=</span> <span class="o">[</span><span class="s2">"codepipeline:StartPipelineExecution"</span><span class="o">]</span>, Resource <span class="o">=</span> <span class="o">[</span> <span class="k">for </span>br <span class="k">in </span>local.repo_branches : module.auto_build[br].cdp_resource_arn <span class="o">]</span> <span class="o">}</span> <span class="o">]</span> <span class="o">})</span> <span class="o">}</span> </code></pre> </div> <p>A few things to call out (for clarity):</p> <ul> <li>It supports triggering multiple pipelines via <code>local.repo_branches</code> </li> <li>The pipeline resource ARNs come from <code>module.auto_build</code> directly, which actually builds the pipeline, without using any wildcards</li> <li>Allowed only very minimum IAM permission (<code>StartPipelineExecution</code>)</li> </ul> <h4> 4️⃣ Allow the Trigger Account (ACA) to PutEvents </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ----------------------------------------------------------</span> <span class="c"># Allow ACA account to PutEvents on this bus</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_cloudwatch_event_permission"</span> <span class="s2">"s3_trigger"</span> <span class="o">{</span> event_bus_name <span class="o">=</span> aws_cloudwatch_event_bus.s3_trigger.name principal <span class="o">=</span> var.trigger_acc_id action <span class="o">=</span> <span class="s2">"events:PutEvents"</span> statement_id <span class="o">=</span> <span class="s2">"AllowIncToPutEvents"</span> <span class="o">}</span> </code></pre> </div> <p>Here, <code>var.trigger_acc_id</code> is the <strong>ACA</strong> account ID that is allowed to send events into this bus.</p> <h4> 5️⃣ EventBridge Rule + Target </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ----------------------------------------------------------</span> <span class="c"># EB rule: trigger CodePipeline on S3 Object Created</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"s3_trigger"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.name_prefix</span><span class="k">}</span><span class="s2">-s3-trigger"</span> event_bus_name <span class="o">=</span> aws_cloudwatch_event_bus.s3_trigger.name description <span class="o">=</span> <span class="s2">"Trigger CodePipeline when object is created in </span><span class="k">${</span><span class="nv">var</span><span class="p">.trigger_bucket</span><span class="k">}</span><span class="s2">"</span> event_pattern <span class="o">=</span> jsonencode<span class="o">({</span> <span class="nb">source</span> <span class="o">=</span> <span class="o">[</span><span class="s2">"aws.s3"</span><span class="o">]</span>, detail-type <span class="o">=</span> <span class="o">[</span><span class="s2">"Object Created"</span><span class="o">]</span>, detail <span class="o">=</span> <span class="o">{</span> bucket <span class="o">=</span> <span class="o">{</span> name <span class="o">=</span> <span class="o">[</span>var.trigger_bucket] <span class="o">}</span>, object <span class="o">=</span> <span class="o">{</span> key <span class="o">=</span> <span class="o">[{</span> prefix <span class="o">=</span> var.trigger_prefix <span class="o">}]</span> <span class="o">}</span> <span class="o">}</span> <span class="o">})</span> <span class="o">}</span> <span class="c"># ----------------------------------------------------------</span> <span class="c"># EB target: link S3-trigger to all pipelines</span> <span class="c"># ----------------------------------------------------------</span> resource <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"s3_trigger"</span> <span class="o">{</span> for_each <span class="o">=</span> toset<span class="o">(</span>local.repo_branches<span class="o">)</span> rule <span class="o">=</span> aws_cloudwatch_event_rule.s3_trigger.name event_bus_name <span class="o">=</span> aws_cloudwatch_event_bus.s3_trigger.name target_id <span class="o">=</span> <span class="s2">"trigger-</span><span class="k">${</span><span class="nv">each</span><span class="p">.key</span><span class="k">}</span><span class="s2">"</span> arn <span class="o">=</span> module.auto_build[each.key].cdp_resource_arn role_arn <span class="o">=</span> aws_iam_role.s3_trigger.arn <span class="o">}</span> output <span class="s2">"auto_build"</span> <span class="o">{</span> value <span class="o">=</span> module.auto_build <span class="o">}</span> output <span class="s2">"event_bus"</span> <span class="o">{</span> value <span class="o">=</span> <span class="o">{</span> name <span class="o">=</span> aws_cloudwatch_event_bus.s3_trigger.name arn <span class="o">=</span> aws_cloudwatch_event_bus.s3_trigger.arn role_arn <span class="o">=</span> aws_iam_role.s3_trigger.arn <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The rule matches the forwarded S3 events on the custom bus, and the target uses the <code>s3_trigger</code> role to start the appropriate pipeline for each branch.</p> <h2> The Result <a></a> </h2> <p>And that’s it — the full cross-account flow stitched together end-to-end.<br> Here’s what the final architecture looks like, visually:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1qxr72e0fmebblykhiy0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1qxr72e0fmebblykhiy0.png" alt="Cross-Account S3 Trigger" width="441" height="517"></a></p> <h2> Conclusion <a></a> </h2> <p>Cross-account automation is one of the trickiest parts of AWS CI/CD — especially in a multi-account setup where teams are isolated by design. But with this pattern in place, the entire S3 → EventBridge → CodePipeline workflow now flows cleanly across accounts:</p> <ul> <li>ACA captures the S3 object update </li> <li>ACA forwards the event to ACB </li> <li>ACB’s custom event bus receives it </li> <li>ACB’s EventBridge rule assumes a dedicated “start-pipeline” role </li> <li>That role starts exactly the pipeline(s) it should — nothing more</li> </ul> <p>And just like that, the whole process runs automatically, without Slack/Teams pings, without waiting for that to be happend, and most importantly — <strong>without <em>the pipeline humans</em> in the loop at all</strong> 😛</p> <blockquote> <p>Event-driven. Cross-account. Zero friction.</p> </blockquote> <h2> Next: A Real-Life Example <a></a> </h2> <p>In the next episode, we’ll revisit the real reason this whole setup was needed in the first place — and walk through how we used this exact cross-account trigger to solve a very real, very everyday operational problem.</p> aws terraform eventbridge cicd Santanu Das Fri, 07 Nov 2025 15:18:23 +0000 https://forem.com/santanu_das/automating-executive-ready-aws-cost-optimization-finops-reports-11oo https://forem.com/santanu_das/automating-executive-ready-aws-cost-optimization-finops-reports-11oo <h2> Table Of Contents </h2> <ul> <li>Overview</li> <li>AWS Cost Reporter</li> <li>Prerequisites</li> <li>Dependencies</li> <li>Getting Started</li> <li>Running the Reporter</li> <li>Inside the Report</li> <li>Future Improvements</li> <li>Closing Thoughts</li> <li>Next Step</li> </ul> <p>In <a href="https://dev.to/santanu_das/automate-your-aws-cost-audits-and-cut-cloud-waste-4gmp">Episode 1</a>, we talked about how I came up with the idea of developing an automated pipeline that runs cost audits across AWS accounts and produces detailed JSON summaries. Those outputs are well-suited for automation and further analysis but are not ideal for executive or financial reviews, apart from those <code>Top-5 Services Summary</code> at the end. </p> <h2> 🧭 Overview <a></a> </h2> <p>This episode demonstrates how raw audit data can be converted into a structured, presentation-ready report that everyone can understand, using a Python-based automation tool that converts raw AWS Cost Audit (ACA) outputs into structured, executive-ready DOCX reports.<br> It demonstrates how ACR (<strong>A</strong>WS <strong>C</strong>ost <strong>R</strong>eporter) processes audit data, embeds cost-distribution charts, and generates comprehensive reports with a single command.<br> The post also outlines a macOS-safe installation workflow, integration with the main audit script, and a sample output report designed for leadership and FinOps reviews.<br> By the end, readers will understand how ACR extends the ACA toolkit from automated data collection to automated cost communication.</p> <h2> 💡 Enter the AWS Cost Reporter <a></a> </h2> <p>AWS Cost Reporter is a lightweight, finops-ready tool that consolidates cost drivers, EC2 rightsizing insights, storage and network findings, and visual summaries in a single, shareable document. <br> This is the final stage in our cost-optimization workflow:</p> <ul> <li> <strong>AWS Cost Audit</strong> → gathers and analyzes usage.</li> <li> <strong>AWS Cost Reporter</strong> → summarizes, visualizes, and delivers it.</li> </ul> <p>The resulting report provides an at-a-glance view of cost distribution, optimization opportunities, and key recommendations, ready for presentation to stakeholders or leadership teams.</p> <blockquote> <p>Automation delivers value only when insights can be clearly communicated. </p> </blockquote> <h2> 🧱 Prerequisites <a></a> </h2> <p>Before generating ACR (AWS Cost Reporter) report, ensure that the environment running the audit meets the following requirements:</p> <h4> AWS Cost Audit (ACA) Toolkit </h4> <ul> <li>ACA (AWS Cost Audit) <a href="https://github.com/dsantanu/aws-cost-audit/releases/tag/v4.6.0" rel="noopener noreferrer">v4.6.0</a> or above</li> <li>A <a href="https://dev.to/santanu_das/automate-your-aws-cost-audits-and-cut-cloud-waste-4gmp#08">completed audit run</a> producing output files such as: <ul> <li>cost-by-service.json</li> <li>ec2-instances.json</li> <li>rds-instances.json</li> <li>ebs-volumes.json</li> <li>s3-*-size.json</li> <li>route53-cost.json</li> <li>elastic-ips.json</li> <li>and related data</li> </ul> </li> </ul> <h4> System Requirements </h4> <ul> <li>Python 3.9 or higher (Python 3.12 recommended)</li> <li>Approximately 200 MB of free disk space for dependencies and report generation</li> <li>Internet access for the initial dependency installation</li> </ul> <h2> ⚙️ Installing Dependencies <a></a> </h2> <p>The AWS Cost Reporter (ACR) relies on a small set of Python libraries to process data, generate documents, and create visual summaries. These dependencies can be installed system-wide on macOS or Linux using either Homebrew Python, pip[3] or a virtual environment.</p> <p>The following external libraries are used by The Reporter:</p> <ul> <li> <code>matplotlib</code> – for chart creation</li> <li> <code>numpy</code> – for numerical operations</li> <li> <code>pandas</code> – for data parsing and aggregation</li> <li> <code>python-docx</code> – for (.docx) report generation</li> </ul> <blockquote> <p>ℹ️ As <a href="https://peps.python.org/pep-0668/" rel="noopener noreferrer">PEP-668</a> introduced <a href="https://packaging.python.org/en/latest/specifications/externally-managed-environments/#externally-managed-environments" rel="noopener noreferrer">externally managed environments</a> to Python packaging and as it's now pretty much applied everywhere to stop the conflicts between OS package managers and Python-specific package management tools like pip, you may encounter an <code>× This environment is externally managed</code> message when using pip.</p> </blockquote> <h3> 🐧 On Linux </h3> <p>Most (if not all) of the popular distributions comes with Python3 install as default, so just check the version to be sure. </p> <h4> 1️⃣ Check Python3 version </h4> <p>On my fairly updated Ubuntu v24.04, I see this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">--version</span> <span class="c"># Python 3.12.3</span> </code></pre> </div> <h4> 2️⃣ Install Core Libraries </h4> <p>If python <em>virtual environment</em> is not an option, then best is to use distribution's package-manager to install the library globally. On Ubuntu, this will do the job:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install </span>python3-<span class="o">{</span>numpy,pandas,matplotlib<span class="o">}</span> </code></pre> </div> <h3> 🍎 On macOS </h3> <p>Because macOS also applies <a href="https://peps.python.org/pep-0668/" rel="noopener noreferrer">PEP 668</a>, restrictions to protect system Python installations, Homebrew users may encounter the same <em>externally managed environment</em> message when using pip. The following approach installs the required libraries safely if using <strong>virtual environment not an option</strong>.</p> <h4> 1️⃣ Install Python3 with Homebrew </h4> <p>(Purely optional, if you don't have it yet)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>python3 </code></pre> </div> <p>Confirm that the Homebrew version of Python is active:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>which python3 <span class="c"># /opt/homebrew/bin/python3</span> </code></pre> </div> <h4> 2️⃣ Install Core Libraries </h4> <p>There are two different ways to install those dependencies in macOS.</p> <ul> <li> <strong>Option 1: Allow pip to universally install user packages</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/Library/Application<span class="se">\ </span>Support/pip <span class="nb">echo</span> <span class="s2">"[global]</span><span class="se">\n</span><span class="s2">break-system-packages = true</span><span class="se">\n</span><span class="s2">user = true"</span> <span class="o">&gt;</span> ~/Library/Application<span class="se">\ </span>Support/pip/pip.conf </code></pre> </div> <p>Then use pip3 to install in the user-space:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip3 <span class="nb">install</span> <span class="o">{</span>matplotlib,numpy,pandas,python-docx<span class="o">}</span> <span class="nt">--user</span> </code></pre> </div> <ul> <li> <strong>Option 2: Temporary one-off (no config change)</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip3 <span class="nb">install</span> <span class="o">{</span>matplotlib,numpy,pandas,python-docx<span class="o">}</span> <span class="nt">--user</span> <span class="nt">--break-system-packages</span> </code></pre> </div> <p>⚠️ You’ll need to re-add <code>--break-system-packages</code> every time you install or upgrade something.</p> <h3> 🧪 Verify Installations </h3> <p>If all steps complete successfully, you can test the installation like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">-c</span> <span class="s2">"import docx as dx; print(dx.__version__)"</span> python3 <span class="nt">-c</span> <span class="s2">"import numpy as ny; print(ny.__version__)"</span> python3 <span class="nt">-c</span> <span class="s2">"import pandas as pd; print(pd.__version__)"</span> python3 <span class="nt">-c</span> <span class="s2">"import matplotlib as mp; print(mp.__version__)"</span> </code></pre> </div> <p>Respective version numbers should be returned.</p> <h2>  📦 Getting Started with ACR <a></a> </h2> <p>The AWS Cost Reporter (ACR) is distributed as part of the <a href="https://github.com/dsantanu/aws-cost-audit" rel="noopener noreferrer">AWS Cost Audit (ACA)</a> toolkit starting from version v4.6.0.<br> The toolkit can be downloaded directly from GitHub as a compressed archive or cloned via Git.</p> <h3>  1️⃣ Option A — Clone the Repository (recommended) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/dsantanu/aws-cost-audit.git <span class="nb">cd </span>aws-cost-audit </code></pre> </div> <p>This approach keeps the toolkit up to date and allows switching between tagged releases, e.g.:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git checkout v4.6.0 </code></pre> </div> <h3> 2️⃣ Option B — Download a Release Archive </h3> <p>If Git is not available, the toolkit can also be downloaded and extracted using curl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-L</span> https://github.com/dsantanu/aws-cost-audit/archive/refs/tags/v4.6.0.tar.gz <span class="nt">-o</span> aws-cost-audit-v4.6.0.tar.gz <span class="nb">tar</span> <span class="nt">-xzf</span> aws-cost-audit-v4.6.0.tar.gz <span class="nb">cd </span>aws-cost-audit-4.6.0 </code></pre> </div> <p>Once extracted, both <strong>aws-cost-audit.sh</strong> and <strong>aws_cost_reporter.py</strong> are available in the project directory.<br> The audit can then be executed directly from this location.</p> <h2>  ▶️ Running the Reporter <a></a> </h2> <p>Once the dependencies are installed and an AWS Cost Audit (ACA) run has completed, the AWS Cost Reporter (ACR) can be executed directly to generate the final DOCX report.<br> The Reporter consumes the JSON outputs produced by the audit and compiles them into a well-structured document that summarizes service costs, resource utilization, and optimization opportunities.</p> <h3> 1️⃣ Basic Usage (Standalone-run) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 aws_cost_reporter.py <span class="se">\</span> <span class="nt">--input</span> ./json-output-dir <span class="se">\</span> <span class="nt">--output</span> ./json-output-dir/audit_audit_report.docx <span class="se">\</span> <span class="nt">--charts</span> <span class="se">\</span> <span class="nt">--org</span> <span class="s2">"Awesome Technologies"</span> <span class="se">\</span> <span class="nt">--author</span> <span class="s2">"Awesome Cloud Architecture"</span> </code></pre> </div> <p>The above command reads the audit data from the specified directory (<code>--input</code>) and generates an <code>audit_audit_report.docx</code> file in the same location.<br> When the optional <code>--charts</code> flag is provided, the report also includes embedded PNG charts showing the <em>Top 5 AWS Services by Cost</em>* and <strong>Projected Savings</strong> by Optimization Category.</p> <h3> 2️⃣ Command Parameters </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Parameter</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--input</code></td> <td>Path to the directory containing the AWS Cost Audit output files.</td> </tr> <tr> <td><code>--output</code></td> <td>Path and filename for the generated DOCX report.</td> </tr> <tr> <td><code>--charts</code></td> <td>Optional flag to embed cost-distribution and savings charts in the report.</td> </tr> <tr> <td><code>--org</code></td> <td>Organization name displayed in the report header.</td> </tr> <tr> <td><code>--author</code></td> <td>Preparer or team name shown in the report footer.</td> </tr> </tbody> </table></div> <h3> 3️⃣ Integration with the AWS Cost Audit Toolkit </h3> <p>Beginning with ACA <a href="https://github.com/dsantanu/aws-cost-audit/releases/tag/v4.6.0" rel="noopener noreferrer">v4.6.0</a>, the Reporter can also be invoked directly from the main audit script using the new <code>--report</code> flag.<br> This enables end-to-end automation, where the cost audit and Report generation occur within a single workflow.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash aws-cost-audit.sh <span class="nt">-p</span> my_profile <span class="nt">--report</span> <span class="o">[</span><span class="nt">--org</span> &lt;Organization_Name&gt;] <span class="o">[</span><span class="nt">--author</span> &lt;My_Name&gt;] </code></pre> </div> <p>When executed with the <code>--report</code> option, the audit script automatically runs the Reporter using the most recent audit output folder and generates <code>AWS-Audit-Report-&lt;aws_acc_id&gt;-YYYYMMDD.docx</code> file in the same location. <code>--charts</code> option is applied by default.<br> If the Reporter script is not present, a warning message is displayed without interrupting the audit process.</p> <h2> 📊 Inside the Generated Report <a></a> </h2> <p>The AWS Cost Reporter (ACR) produces a structured DOCX document designed for both technical and non-technical audiences.<br> Each section of the report highlights a specific dimension of cost optimization, using tables, charts, and clear textual summaries.</p> <h3>  1️⃣ Report Structure Overview </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Section</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>Key Insights at a Glance</strong></td> <td>Summarizes the most significant findings such as top cost drivers, idle EC2 instances, unattached volumes, and S3 usage.</td> </tr> <tr> <td><strong>Executive Summary</strong></td> <td>Provides a narrative overview of overall cloud spend and optimization potential across services.</td> </tr> <tr> <td><strong>Compute (EC2) Analysis</strong></td> <td>Details EC2 utilization, rightsizing recommendations, and cost implications of downsizing.</td> </tr> <tr> <td><strong>Savings Plan Efficiency</strong></td> <td>Highlights coverage and utilization metrics if Savings Plan data is included in the audit.</td> </tr> <tr> <td><strong>Storage (EBS + S3)</strong></td> <td>Lists unattached EBS volumes, gp2 to gp3 migration candidates, and top S3 buckets by storage size.</td> </tr> <tr> <td><strong>Networking &amp; Load Balancing</strong></td> <td>Summarizes NAT gateway usage, load balancer inventory, and optimization recommendations.</td> </tr> <tr> <td><strong>DNS &amp; IP Optimization</strong></td> <td>Provides Route 53 and Elastic IP insights with duplicate records, TTL checks, and cost breakdowns.</td> </tr> <tr> <td><strong>Governance &amp; Observability</strong></td> <td>Recommends tag enforcement, logging policies, and governance best practices.</td> </tr> <tr> <td><strong>Prioritized Remediation Plan</strong></td> <td>Presents a tabular action plan mapping potential savings against estimated implementation effort.</td> </tr> <tr> <td><strong>Appendix — Methodology &amp; Data Validity</strong></td> <td>Documents how the data was collected and clarifies the boundaries of analysis.</td> </tr> </tbody> </table></div> <h3>  2️⃣ Embedded Charts </h3> <p>When executed with the --charts flag, the report includes two embedded PNG visualizations:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Chart</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><strong>Top 5 Services by Cost (USD)</strong></td> <td>Displays a pie chart summarizing the five largest cost contributors in the account.</td> </tr> <tr> <td><strong>Projected Savings by Optimization Category</strong></td> <td>Shows a bar chart estimating savings potential from rightsizing, storage optimization, and governance improvements.</td> </tr> </tbody> </table></div> <p>Both charts are placed contextually within the report:</p> <ul> <li>The Top 5 Services chart appears immediately after the Key Insights at a Glance section.</li> <li>The Projected Savings chart follows the Prioritized Remediation Plan, visually connecting recommended actions to potential impact.</li> </ul> <h3> 3️⃣ Example Output Summary </h3> <p>An example excerpt from a generated report may include:</p> <blockquote> <ul> <li>Key Insights at a Glance <ul> <li>Top Cost Driver: EC2 (~$5,298/month)</li> <li>EC2 Fleet: 23 instances, 16 idle candidates</li> <li>Storage: 31 gp2 → gp3 migrations recommended</li> <li>RDS: 3 instances detected, none Multi-AZ</li> <li>Networking: 5 NAT Gateways, 14 Elastic IPs (3 unattached)</li> </ul> </li> </ul> </blockquote> <p>This summary provides a quick snapshot of the organization’s cloud posture, highlighting both current spend and potential optimization opportunities.</p> <h3> 4️⃣ Sample Report Preview </h3> <p><a href="https://github.com/dsantanu/aws-cost-audit/blob/main/ACR_Report_Sample.pdf" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5oawbo4m9va2jtnrdf08.png" alt="Preview of AWS Cost Report" width="800" height="427"></a></p> <h2> 🚀 Future Improvements <a></a> </h2> <p>The current release of the AWS Cost Reporter (v1.1.0) establishes a stable foundation for generating clear, data-driven cost optimization reports.<br> Future iterations will focus on enhancing customization, usability, and integration within the broader AWS Cost Audit (ACA) suite.</p> <p>Planned areas of development include:</p> <ul> <li><p><strong>Enhanced Visual Styling</strong><br> Improved font consistency, layout spacing, and visual alignment with Zenler’s brand palette for professional-grade presentations.</p></li> <li><p><strong>Branded Cover Page and Metadata</strong><br> Optional front page featuring organization logo, report metadata, and generation parameters for executive distribution.</p></li> <li><p><strong>Configurable Report Sections</strong><br> Ability to enable or disable specific sections (e.g., EC2, Storage, Networking) from the command line for faster targeted reporting.</p></li> <li><p><strong>Trend Visualization and Savings Tracking</strong><br> Graphical representation of cost trends and realized savings across multiple audit periods.</p></li> <li><p><strong>Multi-Format Output</strong><br> Support for generating reports in both DOCX and PDF formats directly from the CLI.</p></li> <li><p><strong>CSV/XLSX Export Integration</strong><br> Parallel tabular data export to simplify follow-up analysis in Excel or BI dashboards.</p></li> </ul> <p>These enhancements aim to make ACR not just a reporting utility but a complete FinOps communication layer—bridging raw analytics and executive insights.</p> <h2> 🏁 Closing Thoughts <a></a> </h2> <p>The AWS Cost Reporter (ACR) completes the final stage of the report generation pipeline introduced in <a href="https://dev.to/santanu_das/automate-your-aws-cost-audits-and-cut-cloud-waste-4gmp">Episode 1</a>. <br> What began as a command-line audit tool now produces polished, presentation-ready reports that clearly communicate both cloud spend and optimization potential.</p> <p>By turning complex JSON data into a single, structured document—with contextual charts, actionable insights, and clear recommendations—the Reporter bridges the gap between technical analysis and business visibility.<br> The result is a faster feedback loop for FinOps teams and decision-makers alike.</p> <p>Organizations using the AWS Cost Audit (ACA) toolkit can now automate not only cost discovery but also cost storytelling—presenting findings that are ready for immediate executive review.</p> <h2> 🪜 Next Step - Toward Full Automation <a></a> </h2> <p>In the next installment, we will see how this toolkit can evolve toward a fully automated workflow, where audit execution, report generation, and distribution occur without manual intervention.<br> Future versions of the AWS Cost Audit (ACA) and AWS Cost Reporter (ACR) will include support for scheduled execution along with automated report delivery. These enhancements will enable organizations to keep stakeholders informed of their latest AWS cost insights—hands-free and on schedule.</p> <blockquote> <p>Next up: Episode 3 — Distribute and Collaborate: Automating Cost Report Delivery</p> </blockquote> aws finops python costoptimization Santanu Das Thu, 06 Nov 2025 12:50:14 +0000 https://forem.com/santanu_das/automate-your-aws-cost-audits-and-cut-cloud-waste-4gmp https://forem.com/santanu_das/automate-your-aws-cost-audits-and-cut-cloud-waste-4gmp <h2> Table Of Contents </h2> <ul> <li>The Problem</li> <li>AWS Cost Audit</li> <li>What It Does</li> <li>Key Advantages</li> <li>The Collections</li> <li>Prerequisites</li> <li>Getting Started</li> <li>CLI Options</li> <li>Usage Examples</li> <li>Summary Report</li> <li>Top 5 Services</li> <li>FinOps Insight</li> <li>Conclusion</li> <li>Next Episode</li> </ul> <p>The other day, a friend of mine was complaining that every month, their AWS bill is landing like a small novel: hundreds of line items, multiple accounts, and no clear picture of why costs changed. <br> Manually digging through the Cost Explorer, various EC2 dashboards, Route 53 pages etc. was slow and very error-prone.</p> <p>So, I started thinking, what it takes to build a modular AWS Cost Audit script to collect and summarize cost and usage data automatically. That experiment grew into a reusable FinOps toolkit for cloud teams, which is lightweight, transparent, and CI/CD-friendly.</p> <h2> 🧭 The <em>Cost</em> Problem in AWS <a></a> </h2> <p>AWS gives incredible flexibility — but that also makes it easy to overspend. Idle EC2 instances, forgotten EBS volumes, over-provisioned RDS databases, and cross-region data transfers quietly add up. Even with native tools like Cost Explorer and AWS Budgets, many teams struggle to:</p> <ul> <li>Continuously monitor all resources across accounts</li> <li>Correlate costs with resource usage</li> <li>Identify optimization opportunities fast enough</li> </ul> <blockquote> <p>Cloud waste isn’t just a finance problem — it’s an <strong>engineering visibility shortfall</strong>.</p> </blockquote> <h2> 💡 Enter the AWS Cost Audit <a></a> </h2> <p>AWS Cost Audit is a lightweight, automation-ready toolkit that helps you take control of your AWS spend — without complex dashboards or heavy FinOps platforms.</p> <p>It bridges the gap between AWS billing data and actionable cost insights, complements FinOps principles by enabling shared visibility and data-driven decisions.</p> <p>It helps teams to:</p> <ul> <li>Shift from reactive cost reviews to proactive optimization</li> <li>Democratize cloud spending data — not just finance’s job</li> <li>Build a culture of accountability across DevOps, engineering, and product</li> </ul> <blockquote> <p>This isn’t about policing cost — it’s about <strong>empowering smarter usage</strong>.</p> </blockquote> <h2> ⚙️ What It Does <a></a> </h2> <ul> <li>Audits AWS environment for unused or idle resources</li> <li>Summarizes spend by service, region, and tag</li> <li>Highlights cost anomalies and trends</li> <li>Generates clear, CLI-based reports for visibility or CI integration</li> <li>Helps teams adopt FinOps practices without adding overhead</li> </ul> <h2> 🚀 Key Advantages <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Benefits</th> <th>Helps with...</th> </tr> </thead> <tbody> <tr> <td>Immediate cost visibility</td> <td>Understanding what’s costing you the most</td> </tr> <tr> <td>Zero external dependencies</td> <td>Works via CLI, with minimal setup</td> </tr> <tr> <td>Multi-account awareness</td> <td>Analyze organization-wide cost patterns</td> </tr> <tr> <td>Automation-friendly</td> <td>Integrate into CI/CD or cron jobs for continuous insights</td> </tr> <tr> <td>FinOps-ready insights</td> <td>Perfect for monthly cost reviews or reporting</td> </tr> </tbody> </table></div> <h2> 📊 What this Script Collects <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>AWS Service</th> <th>Data Collected</th> <th>Why It Matters</th> </tr> </thead> <tbody> <tr> <td><strong>EC2</strong></td> <td>Instances + 7-day CPU avg</td> <td>Find underutilized compute</td> </tr> <tr> <td><strong>RDS</strong></td> <td>DB list + Multi-AZ flag</td> <td>Detect over-redundant DBs</td> </tr> <tr> <td><strong>EBS</strong></td> <td>Volumes + size</td> <td>Spot unattached/idle disks</td> </tr> <tr> <td><strong>S3</strong></td> <td>Bucket inventory + metrics</td> <td>Track object-store sprawl</td> </tr> <tr> <td><strong>Route 53</strong></td> <td>Zones, records, cost</td> <td>Simplify redundant DNS</td> </tr> <tr> <td><strong>Elastic IP</strong></td> <td>Allocation + attachment state</td> <td>Catch idle IPs billed hourly</td> </tr> <tr> <td><strong>Tags</strong></td> <td>Key/value compliance</td> <td>Attribute spend correctly</td> </tr> <tr> <td><strong>Compute Optimizer</strong></td> <td>Enrollment state</td> <td>Enable rightsizing insights</td> </tr> </tbody> </table></div> <p>All collectors talk directly to AWS CLI and write JSON into a timestamped output directory.</p> <h2>  🧱 Prerequisites <a></a> </h2> <ul> <li>An active AWS account with Cost Explorer enabled.</li> <li>AWS CLI installed and configured with credentials that have the following permissions: <ul> <li>ce:GetCostAndUsage*</li> <li>ce:GetSavingsPlansUtilization*</li> <li>ec2:Describe*</li> <li>rds:Describe*</li> <li>s3:List*</li> <li>cloudwatch:GetMetricStatistics</li> <li>tag:GetResources</li> </ul> </li> <li>Bash 3.2+, macOS or Linux</li> <li> <code>jq</code>, <code>wc</code>, <code>tar</code>, <code>date</code> (GNU or BSD)</li> <li>Optional (colors): <code>tput</code> </li> </ul> <h2> ⚡ Getting Started <a></a> </h2> <p>AWS Cost Audit is simple to try out — no dependencies, just a single script; can be done in one of these two ways.</p> <h4>  1️⃣ Easy installation using <code>cURL</code>: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sSL</span> https://raw.githubusercontent.com/dsantanu/aws-cost-audit/main/aws-cost-audit.sh <span class="nt">-o</span> aws-cost-audit.sh bash aws-cost-audit.sh <span class="nt">-h</span> </code></pre> </div> <h4> 2️⃣ Or, if you prefer <code>git clone</code>: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/dsantanu/aws-cost-audit.git <span class="nb">cd </span>aws-cost-audit bash aws-cost-audit.sh <span class="nt">-h</span> </code></pre> </div> <p>Git Repo: <a href="https://github.com/dsantanu/aws-cost-audit" rel="noopener noreferrer">AWS Cost Audit</a></p> <h2> 🧩 CLI Options <a></a> </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Usage: aws-cost-audit.sh <span class="o">[</span>options] General options: <span class="nt">-p</span>, <span class="nt">--profile</span> &lt;name&gt; AWS CLI profile <span class="o">(</span>default: default<span class="o">)</span> <span class="nt">-o</span>, <span class="nt">--out</span> &lt;file&gt; Output tar.gz filename default: aws-cost-audit-YYYYMMDD.tgz <span class="nt">-d</span>, <span class="nt">--dest</span> &lt;<span class="nb">dir</span><span class="o">&gt;</span> Output directory <span class="o">(</span>default: ./<span class="o">)</span> <span class="nt">-r</span>, <span class="nt">--report</span> Generate executive FinOps report <span class="nt">-s</span>, <span class="nt">--summary</span> Generate only text/JSON summary report <span class="o">(</span>Ignotes all other collector options<span class="o">)</span> <span class="nt">-u</span>, <span class="nt">--author</span> Name of the report generator <span class="nt">-z</span>, <span class="nt">--org</span> Name of the Organization <span class="nt">-h</span>, <span class="nt">--help</span> Show this <span class="nb">help </span>message Selective collectors: <span class="nt">--all</span> Run all collectors <span class="o">(</span>default<span class="o">)</span> <span class="nt">--dns</span> Route 53 <span class="o">(</span>zones/records/cost<span class="o">)</span> <span class="nt">--ec2</span> EC2 inventory + CPU metrics <span class="nt">--eip</span> Elastic IPs <span class="o">(</span>addresses + cost<span class="o">)</span> <span class="nt">--eks</span> EKs + NodeGroups <span class="nt">--rds</span> RDS inventory <span class="nt">--cost</span> Cost Explorer summaries <span class="nt">--tags</span> Resource tags <span class="nt">--network</span> EKS + networking resources <span class="nt">--storage</span> EBS + S3 <span class="nt">--optimizer</span> Compute Optimizer enrollment check Example: aws-cost-audit.sh <span class="nt">-p</span> prod <span class="nt">-d</span> outputs <span class="nt">--ec2</span> <span class="nt">--dns</span> </code></pre> </div> <h2> 🧪 Usage Examples <a></a> </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run full audit</span> bash aws-cost-audit.sh <span class="o">[</span><span class="nt">--all</span><span class="o">]</span> <span class="c"># Use diffrent AWS profile</span> bash aws-cost-audit.sh <span class="nt">-p</span> &lt;my-other-profile&gt; <span class="c"># Summary-only mode on existing data</span> bash aws-cost-audit.sh <span class="nt">-s</span> <span class="c"># Generate results to diffrent location</span> bash aws-cost-audit.sh <span class="nt">-d</span> /tmp/aca-outputs-2025-11-06 <span class="c"># Focus on DNS + EIPs only</span> bash aws-cost-audit.sh <span class="nt">--dns</span> <span class="nt">--eip</span> </code></pre> </div> <h2> 🧾 Summary Report <a></a> </h2> <p>Here’s what AWS Cost Audit produces at the end of each run — a quick summary highlighting your top cost drivers:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpfz9zx5pgixmjs150tz5.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpfz9zx5pgixmjs150tz5.jpg" alt="Top5 Services" width="800" height="321"></a></p> <h2> 📈 Top 5 Services Breakdown <a></a> </h2> <p>Behind the scenes, this summary is generated from AWS Cost Explorer data using the <a href="https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_GetCostAndUsage.html" rel="noopener noreferrer">ce:GetCostAndUsage</a> API. It aggregates the last 30 days of spend, grouped by AWS service and account (if using AWS Organizations). The logic is straightforward:</p> <ul> <li>Pull spend data by service.</li> <li>Sort by descending cost.</li> <li>Display the top 5 contributors to your total AWS bill.</li> </ul> <p>This helps teams instantly see where their money is going — without logging into the console or building reports manually.</p> <h2> 💰 Turning Data Into FinOps Insight <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Insight</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td><strong>Rightsizing</strong></td> <td>Identify EC2/RDS instances with low CPU or IOPS usage.</td> </tr> <tr> <td><strong>Idle cleanup</strong></td> <td>Find unattached EBS volumes or EIPs incurring hourly cost.</td> </tr> <tr> <td><strong>DNS optimization</strong></td> <td>Consolidate individual A-records via ALB aliases.</td> </tr> <tr> <td><strong>Tag hygiene</strong></td> <td>Detect untagged resources blocking cost allocation.</td> </tr> </tbody> </table></div> <p>This bridges the gap between raw AWS data and actionable FinOps decisions — without external tools, which provides:</p> <ul> <li> <strong>Visibility</strong> – instant service-level cost breakdowns.</li> <li> <strong>Repeatability</strong> – same data set every run; perfect for monthly reviews.</li> <li> <strong>Actionability</strong> – directly links metrics to optimization opportunities.</li> <li> <strong>Autonomy</strong> – no third-party SaaS dependency or hidden API costs.</li> </ul> <p>Integrate it into CI/CD or cron, and we have a continuous cloud-cost observability loop.</p> <h2> 🏁 Conclusion <a></a> </h2> <blockquote> <p>Cloud cost optimization doesn’t have to be complicated — it just needs visibility.</p> </blockquote> <p>Automating cost visibility with <strong>AWS Cost Audit</strong>, teams can see where money is going, act quickly, and embed FinOps thinking into everyday operations.<br> With a few hundred lines of well-structured Bash and the AWS CLI, we now produce clear, auditable reports every run — no spreadsheets, no guesswork.</p> <p>If your team wrestles with growing AWS costs, start small, automate what you can, and evolve like we did. Transparency is the first step to optimization.</p> <h2> 🪜 Next Step - FinOps Report <a></a> </h2> <p>In the next episode, we’ll explore how to take the generated audit reports and transform them into a beautifully formatted Microsoft Word report — ready for FinOps review meetings and executive summaries.</p> <blockquote> <p>Next up: <a href="https://dev.to/santanu_das/automating-executive-ready-aws-cost-optimization-finops-reports-11oo#10">Episode 2</a> — Automating Executive-Ready AWS Cost Optimization FinOps Reports</p> </blockquote> aws finops costoptimization bash Santanu Das Tue, 28 Oct 2025 22:07:15 +0000 https://forem.com/santanu_das/building-a-scalable-aws-multi-account-environment-with-control-tower-terraform-aft-and-scp-2kf8 https://forem.com/santanu_das/building-a-scalable-aws-multi-account-environment-with-control-tower-terraform-aft-and-scp-2kf8 <h2> Table Of Contents </h2> <ul> <li>Overview</li> <li>Organizational Structure</li> <li>Regional Strategy</li> <li>Conceptual Flow</li> <li>Multi-Region Setup</li> <li>CT &amp; AFT Integration</li> <li>Services Strategy</li> <li>Governance &amp; Security</li> <li>SCP Guardrails</li> <li>Control Layers</li> <li>Deployment Workflow</li> <li>Future Enhancements</li> </ul> <p>Managing multiple AWS accounts securely and consistently is one of the hardest challenges in modern cloud architecture. In this guide, we’ll walk through how to build a scalable, governed AWS environment using Control Tower, Account Factory for Terraform (AFT), and Service Control Policies (SCPs), which is loosely based on <a href="https://www.zenler.com" rel="noopener noreferrer">Zenler</a>'s multi-account organization structure. </p> <h2> Overview <a></a> </h2> <p>This document outlines the AWS account structure, governance, and control strategy used across our organization. We'll talk about how these three layers — Control Tower (govern), AFT (automate), and SCPs (enforce) — work together to provide an enterprise-grade foundation for compliance, security, and automated multi-account landing zone — aligning with AWS Well-Architected and CIS Benchmarks. This is the same model many large AWS customers use to keep their landing zones predictable and audit-ready while letting individual teams move fast with Terraform.</p> <p>Below is an illustrative AWS Organization layout<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F34pt8phmqkubjs61oif0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F34pt8phmqkubjs61oif0.png" alt="Multi-account Organization Layout" width="800" height="349"></a></p> <h2> Organizational Structure <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>OU</th> <th>Description</th> <th>Primary Accounts</th> </tr> </thead> <tbody> <tr> <td><strong>Security OU</strong></td> <td>Core compliance and security monitoring</td> <td> <code>Log Archive</code>, <code>Audit</code> </td> </tr> <tr> <td><strong>Internal OU</strong></td> <td>Shared platform services and IAM root</td> <td> <code>Shared Services</code>, <code>IAM/Root</code> </td> </tr> <tr> <td><strong>NPR Networking OU</strong></td> <td>Non-Production networking environment</td> <td> <code>Internal Workload</code>, <code>External Workload</code> </td> </tr> <tr> <td><strong>PRD Networking OU</strong></td> <td>Production networking environment</td> <td> <code>Internal Workload</code>, <code>External Workload</code> </td> </tr> <tr> <td><strong>Deprecated OU</strong></td> <td>Legacy accounts (no new workloads)</td> <td>Various (read-only)</td> </tr> </tbody> </table></div> <h2> Regional Strategy <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Region</th> <th>Rationale</th> </tr> </thead> <tbody> <tr> <td><strong>IAM Identity Center (SSO)</strong></td> <td><code>us-east-1</code></td> <td>Global endpoint for AWS SSO and Organizations</td> </tr> <tr> <td><strong>Control Tower Management Account</strong></td> <td> <code>us-east-1</code> backend</td> <td>Required by AWS</td> </tr> <tr> <td><strong>All Member Accounts</strong></td> <td> <code>eu-west-2</code> (London)</td> <td>Primary data residency &amp; workload region</td> </tr> <tr> <td><strong>Backup / DR</strong></td> <td> <code>eu-west-1</code> (Ireland)</td> <td>Optional failover region</td> </tr> </tbody> </table></div> <h2> Conceptual Flow Diagram <a></a> </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ┌──────────────────────────────────────────────┐ │ Management Account │ │ <span class="o">(</span>AWS Organizations + Control Tower + AFT<span class="o">)</span> │ └──────────────────────────────────────────────┘ │ ┌──────────────────────────────────────────────┐ │ Control Tower Landing Zone │ │ • Security OU <span class="o">(</span>LogArchive + Audit<span class="o">)</span> │ │ • Creates baseline guardrails <span class="o">(</span>AWS-managed<span class="o">)</span> │ │ • Delegates to AFT <span class="k">for </span>account provisioning │ └──────────────────────────────────────────────┘ │ Management Acct <span class="o">(</span>us-east-1<span class="o">)</span> ┌────────────────────┴────────────────────┐ │ │ ┌──────────────────────────────┐ ┌──────────────────────────────┐ │ Account Factory <span class="k">for </span>TF <span class="o">(</span>AFT<span class="o">)</span> │ │ AWS Organizations <span class="o">(</span>Org Root<span class="o">)</span> │ │ • GitOps: account requests │ │ • OU hierarchy <span class="o">(</span>SEC, INT, │ │ • Customizations pipelines │ │ NPR, PRD, DEPRECATED<span class="o">)</span> │ │ • Baselines, tagging, roles │ │ • SCPs attached per OU │ └──────────────────────────────┘ └──────────────────────────────┘ │ │ │ │ │ ┌────────────────────────────────────────┐ │ │ SCP layer <span class="o">(</span>Preventive Guardrails<span class="o">)</span> │ │ │ • Enforced at Org root / OU level │ │ │ • Deny/allow APIs before IAM evaluated │ │ │ • Prevents config drift or unsafe ops │ │ └────────────────────────────────────────┘ │ ┌────────┴─────────┐ │ Enrolled Account │ │ <span class="o">(</span>e.g. Internal, │ │ NPR, PRD, etc.<span class="o">)</span> │ └──────────────────┘ </code></pre> </div> <h2> Why Setup Multi-Region <a></a> </h2> <p>Like a lot of many others, we also started with everything in one region — but as soon as you deploy Control Tower, IAM Identity Center, and multi-account governance, regional separation becomes not just practical but recommended.</p> <p>Here’s why I kept our management &amp; identity layer in <strong>us-east-1</strong> and our workloads in <strong>eu-west-2</strong>, following the best practice:</p> <h4> 1️⃣ AWS Global Service Dependencies </h4> <p>Some services, like AWS Organizations, Control Tower, and IAM Identity Center (SSO) — are global by design but physically anchored in <code>us-east-1</code>. Running these components in their native region (if possible and allowed) ensures:</p> <ul> <li>Full feature compatibility (some CT/AFT APIs only run in N. Virginia)</li> <li>Stable upgrades when AWS releases new landing zone versions</li> <li>Reduced orchestration latency for service-managed controls and SCPs</li> </ul> <blockquote> <p>Control Tower’s orchestration backend always executes from us-east-1, even if your governed regions are elsewhere. Keeping the management plane in there prevents drift or control sync issues.</p> </blockquote> <h4> 2️⃣ Regional Data Residency and Compliance </h4> <p>Our workloads stay in <code>eu-west-2</code> (London), which:</p> <ul> <li>Meets UK data sovereignty requirements</li> <li>Keeps PII (Personally Identifiable Information), audit logs, and business data physically in-region</li> <li>Aligns with GDPR and UK government guidelines for cloud workloads</li> </ul> <p>This gives us the best of both worlds:</p> <ul> <li>Control and governance (global layer in us-east-1)</li> <li>Data and workload residency (EU region)</li> </ul> <h4> 3️⃣ Reduced Blast Radius </h4> <p>By splitting control and data planes:</p> <ul> <li>Security incidents in workload accounts cannot impact IAM or Organizations configuration.</li> <li>SCPs and AFT pipelines stay isolated in the management plane, away from operational workloads.</li> <li>Compliance tooling (Config, GuardDuty, Security Hub) in the Audit account can observe EU workloads without touching identity infrastructure.</li> </ul> <h4> 4️⃣ Disaster Recovery and Fault Isolation </h4> <p>If the EU region faces an outage, our:</p> <ol> <li>SSO / IAM Identity Center</li> <li>Control Tower orchestration</li> <li>AFT pipelines</li> </ol> <p>…still remain operational in <code>us-east-1</code>, enabling us to recover or redeploy without waiting for the EU region to recover.</p> <p>That’s a significant operational advantage for regulated workloads and CI/CD pipelines.</p> <h4> 5️⃣ Aligned with AWS Multi-Account Reference Architecture </h4> <p>AWS explicitly recommends:</p> <ul> <li>Global management and identity region (us-east-1)</li> <li>Regional landing zones for workloads</li> </ul> <p>This pattern is described in the AWS Multi-Account Landing Zone reference architecture, and most enterprise Control Tower deployments follow the same approach.</p> <h2> Control Tower &amp; AFT Integration <a></a> </h2> <h3> Landing Zone </h3> <ul> <li>Deployed via AWS Control Tower in the management account.</li> <li>Establishes: <ul> <li>AWS Organizations</li> <li>Log Archive and Audit accounts</li> <li>Baseline guardrails (AWS-managed)</li> </ul> </li> </ul> <h3> Account Factory for Terraform (AFT) </h3> <ul> <li>Provides GitOps-based account lifecycle management.</li> <li>Each account is provisioned using Terraform pipelines that: <ul> <li>Enroll the account in Control Tower</li> <li>Apply OU-specific baselines (e.g., Config, logging)</li> <li>Tag accounts automatically</li> </ul> </li> <li>AFT runs in its own AFT Management Account.</li> </ul> <h3> Account Hierarchy Diagram </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Management Account ├── AWS Control Tower <span class="o">(</span>Landing Zone<span class="o">)</span> ├── AFT Pipelines <span class="o">(</span>Account Factory <span class="k">for </span>Terraform<span class="o">)</span> └── AWS Organizations <span class="o">(</span>Root OU<span class="o">)</span> ├── Security OU ├── Internal OU ├── NPR Networking OU ├── PRD Networking OU └── Deprecated OU </code></pre> </div> <h2> Networking &amp; Shared Services Strategy <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>Owning Account</th> <th>Scope</th> <th>Sharing Mechanism</th> </tr> </thead> <tbody> <tr> <td><strong>Transit Gateway (TGW)</strong></td> <td>Internal Comms (per env)</td> <td>Environment-specific</td> <td>AWS RAM (within the env)</td> </tr> <tr> <td><strong>Internet Gateway (IGW)</strong></td> <td>External Comms (per env)</td> <td>Environment-specific</td> <td>Single point of entry - not shared</td> </tr> <tr> <td><strong>NAT Gateway (NGW)</strong></td> <td>Shared Services</td> <td>Cross-environment</td> <td>Single point of exit - not shared</td> </tr> <tr> <td><strong>Network Firewall (NFW)</strong></td> <td>Shared Services</td> <td>Cross-environment</td> <td>AWS RAM + TGW routing</td> </tr> <tr> <td><strong>VPC Endpoint Services</strong></td> <td>Shared Services</td> <td>Org-wide</td> <td>Route53 Reslover</td> </tr> </tbody> </table></div> <h2> Governance &amp; Security Controls <a></a> </h2> <p>Governance is enforced using <strong>three layers</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Type</th> <th>Enforcement Mechanism</th> </tr> </thead> <tbody> <tr> <td>Preventive</td> <td><strong>Service Control Policies (SCPs)</strong></td> <td>AWS Organizations</td> </tr> <tr> <td>Detective</td> <td><strong>Config / Security Hub / GuardDuty</strong></td> <td>Audit account</td> </tr> <tr> <td>Proactive</td> <td><strong>CloudFormation Hooks / AFT Customizations</strong></td> <td>Terraform baselines</td> </tr> </tbody> </table></div> <h2> Core SCP Pack (Preventive Guardrails) <a></a> </h2> <h3> 1️⃣ Deny Root User Access </h3> <p>Prevents use of root credentials in any account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyRootUser"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:PrincipalArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::*:root"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 2️⃣ Restrict Regions (EU + us-east-1) </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyOutsideApprovedRegionsExceptIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NotAction"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam:*"</span><span class="p">,</span><span class="s2">"organizations:*"</span><span class="p">,</span><span class="s2">"route53:*"</span><span class="p">,</span><span class="s2">"sso:*"</span><span class="p">,</span><span class="s2">"support:*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringNotEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:RequestedRegion"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"eu-west-1"</span><span class="p">,</span><span class="w"> </span><span class="s2">"eu-west-2"</span><span class="p">,</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 3️⃣ Deny Unapproved Network Creation </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyUnapprovedNetworking"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:CreateInternetGateway"</span><span class="p">,</span><span class="s2">"ec2:AttachInternetGateway"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:CreateNatGateway"</span><span class="p">,</span><span class="s2">"ec2:CreateVpcPeeringConnection"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:CreateTransitGateway"</span><span class="p">,</span><span class="s2">"ec2:DeleteTransitGateway"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 4️⃣ Restrict Service Creation </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Allowed Account(s)</th> <th>SCP Condition</th> </tr> </thead> <tbody> <tr> <td>TGW (Transit Gateway)</td> <td>Internal Comms (PRD/NPR)</td> <td> <code>aws:PrincipalAccount</code> = INC IDs</td> </tr> <tr> <td>IGW (Internet Gateway)</td> <td>External Comms (PRD/NPR)</td> <td> <code>aws:PrincipalAccount</code> = EXC IDs</td> </tr> <tr> <td>NFW (Network Firewall)</td> <td>Shared Services</td> <td> <code>aws:PrincipalAccount</code> = SSV ID</td> </tr> <tr> <td>NGW (NAT Gateway)</td> <td>Shared Services</td> <td> <code>aws:PrincipalAccount</code> = SSV ID</td> </tr> <tr> <td>VPC Endpoint Services</td> <td>Shared Services</td> <td> <code>aws:PrincipalAccount</code> = SSV ID</td> </tr> </tbody> </table></div> <h3> 5️⃣ Tag Enforcement </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RequireStandardTags"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"ec2:RunInstances"</span><span class="p">,</span><span class="s2">"rds:CreateDBInstance"</span><span class="p">,</span><span class="s2">"s3:CreateBucket"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Null"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:RequestTag/Environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aws:RequestTag/Owner"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 6️⃣ Deny Org Tampering </h3> <p>Protects core logging and control-plane resources<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyOrgTampering"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"organizations:LeaveOrganization"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cloudtrail:StopLogging"</span><span class="p">,</span><span class="w"> </span><span class="s2">"config:StopConfigurationRecorder"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 7️⃣ Deprecated OU Policy </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyNewCreates"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:ResourceTag/Environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deprecated"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Control Layers Explained <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Description</th> <th>Managed By</th> </tr> </thead> <tbody> <tr> <td><strong>Control Tower</strong></td> <td>Creates baseline governance (OU, guardrails, log archive, audit)</td> <td>AWS</td> </tr> <tr> <td><strong>AFT</strong></td> <td>Automates account provisioning, tagging, baseline controls</td> <td>Platform team</td> </tr> <tr> <td><strong>SCPs</strong></td> <td>Prevent actions that violate org standards (region, network, security)</td> <td>Org root</td> </tr> <tr> <td><strong>Delegated Security Accounts</strong></td> <td>Detect &amp; monitor compliance (Config, GuardDuty)</td> <td>Security team</td> </tr> </tbody> </table></div> <h2> Deployment Workflow <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>Action</th> <th>Tool</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Enable Control Tower (Landing Zone)</td> <td>Console / CLI</td> </tr> <tr> <td>2</td> <td>Bootstrap AFT management</td> <td>Terraform</td> </tr> <tr> <td>3</td> <td>Create OUs + SCPs</td> <td>Terraform</td> </tr> <tr> <td>4</td> <td>Submit account requests via AFT</td> <td>GitOps</td> </tr> <tr> <td>5</td> <td>Apply OU-specific baselines</td> <td>Terraform</td> </tr> <tr> <td>6</td> <td>Validate security controls</td> <td>AWS Config / Security Hub</td> </tr> <tr> <td>7</td> <td>Continuous compliance</td> <td>Detective + Proactive guardrails</td> </tr> </tbody> </table></div> <h2> Future Enhancements <a></a> </h2> <ul> <li>Add Policy Staging OU for testing new SCPs.</li> <li>Integrate Proactive Controls (CloudFormation hooks).</li> <li>Automate SCP compliance drift detection using AWS Config custom rules.</li> <li>Add organizational backup plans (AWS Backup delegated admin).</li> </ul> aws cloudarchitecture devops security Santanu Das Tue, 28 Oct 2025 01:45:16 +0000 https://forem.com/santanu_das/fluxcd-on-eks-with-irsa-for-ecr-using-terraform-4l1n https://forem.com/santanu_das/fluxcd-on-eks-with-irsa-for-ecr-using-terraform-4l1n <h2> Table Of Contents </h2> <ul> <li>The Goal</li> <li>Architecture</li> <li>End-to-End Flow</li> <li>Deployment Overview</li> <li>Terraform Implementation</li> <li>Verification</li> <li>Troubleshooting</li> <li>Security</li> <li>Change Log</li> </ul> <p>The New <a href="https://www.zenler.com" rel="noopener noreferrer">Zenler</a> is moving to a shiny new platform (at the time of this writing), where we decided to use <a href="https://fluxcd.io/" rel="noopener noreferrer">FluxCD</a> as our Continuous Delivery tool. The otherday, one of our developers reported that FluxCD suddenly stopped pulling the latest image from ECR and when I checked, I saw this error in the log:</p> <blockquote> <p>failed to configure authentication options: operation error ECR: GetAuthorizationToken, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded</p> </blockquote> <p>That moment I knew the reson for the FluxCD pulling-image failure: EC2 Instance Metadata Service (IMDS) wasn't being able to retrieve credentials via the instance profile on EC2 nodes; the code attempted the default credential chain (which includes IMDS) but IMDS wasn't available/accessible; therefore, Flux didn’t have the redentials to call ECR APIs and coundn’t get the token, hence the failure!!</p> <p>As I was already using IRSA for CNI, CSI etc. I thought this is a great oppurtunity to move Flux from using IMDS to IRSA as well. This document captures my journey from the <em>thought</em> to the finishing-line, the issues I exprienced and how did I solve those to achieve the end goal.</p> <h2> 🎯 Goal <a></a> </h2> <p>Deploy FluxCD (Operator + Flux Instance) on Amazon EKS with <strong>IAM Roles for Service Accounts (IRSA)</strong>, so Flux <strong>Image Reflector/Automation</strong> can authenticate to <strong>Amazon ECR</strong> without node credentials, and auto-deploy images from ECR.</p> <h2> 🏗️ High-Level Architectural View <a></a> </h2> <p>The diagram below shows how <strong>Bitbucket</strong>, <strong>FluxCD controllers</strong>, and <strong>AWS ECR</strong> interact: Bitbucket syncs manifests to Flux controllers, which pull images securely from ECR using IRSA<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjt5yb22sw2awdkd5d0l5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjt5yb22sw2awdkd5d0l5.png" alt="BB-FCD-ECR Flow" width="800" height="511"></a></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>🧩 <code>Bitbucket Git Repo</code> </td> <td>Holds our GitOps manifests, synced by Flux Source Controller</td> </tr> <tr> <td>⚙️ <code>Flux Source Controller</code> </td> <td>Pulls manifests from that Bitbucket repo</td> </tr> <tr> <td>🧱 <code>Flux Kustomize Controller</code> </td> <td>Applies manifests to our cluster</td> </tr> <tr> <td>🔁 <code>Flux Image Automation Controller</code> </td> <td>Watches image updates and commits manifest changes back to Git</td> </tr> <tr> <td>🔍 <code>Flux Image Reflector Controller</code> </td> <td>Scans ECR for image tags and metadata</td> </tr> <tr> <td>🔐 <code>EKS OIDC Provider</code> </td> <td>Issues tokens used by IRSA authentication</td> </tr> <tr> <td>🧾 <code>STS AssumeRoleWithWebIdentity</code> </td> <td>Exchanges OIDC token for temporary IAM credentials</td> </tr> <tr> <td>🧠 <code>IRSA IAM Role</code> </td> <td>Grants scoped ECR access (read + token retrieval)</td> </tr> <tr> <td>🐳 <code>Amazon ECR Repository</code> </td> <td>Stores application images, queried by Image Reflector</td> </tr> </tbody> </table></div> <h2> 🔄 End-to-End Flow <a></a> </h2> <ol> <li>Pod starts with SA <code>image-reflector-controller</code>.</li> <li>EKS injects an OIDC web identity token.</li> <li>AWS STS exchanges it for temporary IAM creds.</li> <li>Flux Image Reflector uses them to call ECR APIs.</li> <li>Reflector lists tags → Image Automation commits new manifests → Kustomize applies updates.</li> </ol> <h2> 📦 Deployment Overview <a></a> </h2> <ul> <li> <strong>IRSA IAM role</strong> for Flux image controllers: <ul> <li>Module: <code>terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts</code> (v6.2.1)</li> <li>Trusted via your <strong>EKS OIDC provider</strong> </li> <li> <strong>Managed policy</strong> granting ECR read + <code>GetAuthorizationToken</code> </li> </ul> </li> <li> <strong>ServiceAccount annotations</strong> (Kubernetes) for: <ul> <li><code>flux-system/image-reflector-controller</code></li> <li><code>flux-system/image-automation-controller</code></li> </ul> </li> <li> <strong>Flux Operator</strong> Helm chart (v0.32.0)</li> <li> <strong>Flux Instance</strong> Helm chart (distribution v2.4.0), Git sync to your Bitbucket repo</li> </ul> <h2> ⚙️ Terraform Implementation <a></a> </h2> <h4> 1️⃣ IAM Policy for ECR (least privilege) </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># IRSA policy document</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"flux_ecr_read"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"GetAuthTokenForECR"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ecr:GetAuthorizationToken"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"ReadOnlyAccessToECR"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:BatchCheckLayerAvailability"</span><span class="p">,</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:DescribeImages"</span><span class="p">,</span> <span class="s2">"ecr:DescribeRepositories"</span><span class="p">,</span> <span class="s2">"ecr:ListImages"</span><span class="p">,</span> <span class="s2">"ecr:DescribeRegistry"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ecr:${var.aws_region}:${var.aws_acc_id}:repository/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="c1">// Render the policy document</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"flux_ecr_ro"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-flux-ecr-ro"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">flux_ecr_read</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>📝 Note: <strong>ecr:GetAuthorizationToken</strong> must always be unscoped (Resource="*"), since this API isn’t repository-specific<br></p> <p>⚠️ <strong>Common pitfall</strong>: Avoid something like: <code>repository/&lt;apps&gt;/*</code> — ECR isn’t hierarchical; that pattern doesn’t match e.g. <code>apps/mainapp</code> and causes <code>AccessDeniedException</code>.</p> </blockquote> <h4> 2️⃣ IRSA Role for Flux Controllers </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># Flux Image-Controller IRSA</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">module</span> <span class="s2">"flux_irsa"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.2.1"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-flux-imgctrl-irsa"</span> <span class="nx">oidc_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">automation</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">eks_oidc_provider</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"flux-system:image-automation-controller"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">reflector</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">eks_oidc_provider</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"flux-system:image-reflector-controller"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">policies</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ecr_ro</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">flux_ecr_ro</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>💡 One IRSA role for both controllers simplifies management; separation is optional.</p> </blockquote> <h4> 3️⃣ Annotate Flux ServiceAccounts </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># Controller annotations for SA</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"kubernetes_annotations"</span> <span class="s2">"flux_irsa_sa"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">([</span><span class="s2">"reflector"</span><span class="p">,</span> <span class="s2">"automation"</span><span class="p">])</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"v1"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"ServiceAccount"</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"image-${each.value}-controller"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"flux-system"</span> <span class="p">}</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">flux_irsa</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4>  4️⃣ Use of Bitbucket credential </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># FluxCD namespace</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace_v1"</span> <span class="s2">"flux_system"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">flux_namespace</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">flux_namespace</span> <span class="s2">"kustomize.toolkit.fluxcd.io/ssa"</span> <span class="p">=</span> <span class="s2">"Ignore"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">null_resource</span><span class="p">.</span><span class="nx">kube_config</span><span class="p">]</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">labels</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">annotations</span><span class="p">,</span> <span class="p">]</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># ------------------------------------------------------</span> <span class="c1"># Inject BB credential</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"kubernetes_secret_v1"</span> <span class="s2">"bb_passwd"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"bb-${var.bb_user}-passwd"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace_v1</span><span class="p">.</span><span class="nx">flux_system</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bb_user</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bb_user_secrets</span><span class="p">.</span><span class="nx">apwd</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Opaque"</span> <span class="p">}</span> </code></pre> </div> <h4> 5️⃣ Flux Operator &amp; Flux Instance Helm releases </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># Flux Operators and Instance helm-chart</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"flux_operator"</span> <span class="p">{</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"oci://ghcr.io/controlplaneio-fluxcd/charts"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"flux-operator"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"0.32.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"flux-operator"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace_v1</span><span class="p">.</span><span class="nx">flux_system</span><span class="p">.</span><span class="nx">id</span> <span class="nx">create_namespace</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">wait</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"flux_instance"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">helm_release</span><span class="p">.</span><span class="nx">flux_operator</span><span class="p">]</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"oci://ghcr.io/controlplaneio-fluxcd/charts"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"flux-instance"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"flux"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace_v1</span><span class="p">.</span><span class="nx">flux_system</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># Flux components and kustomize patches</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/values/components.yaml"</span><span class="p">)</span> <span class="p">]</span> <span class="c1"># Flux distribution</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"installCRDs"</span> <span class="nx">value</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"instance.distribution.version"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">flux_version</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"instance.distribution.registry"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">flux_registry</span> <span class="p">}</span> <span class="c1"># Configure Flux Git sync</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"instance.sync.eks"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"GitRepository"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"instance.sync.url"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"${var.bb_base_url}/${var.bb_flex_repo}.git"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"instance.sync.path"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">git_path</span> <span class="c1">#e.g. "/"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"instance.sync.ref"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">git_ref</span> <span class="c1">#e.g. "refs/heads/main"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"instance.sync.pullSecret"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">kubernetes_secret_v1</span><span class="p">.</span><span class="nx">bb_passwd</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>📝 Note: <code>installCRDs=true</code> ensures proper CRD registration before Flux Instance is applied.</p> <p>📝 Note: <code>instance.distribution.version</code> can be safely upgraded once IRSA/ECR is stable.</p> </blockquote> <h2> ✅ Verification Checklist <a></a> </h2> <h4> 1️⃣ IRSA projected token exists </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> flux-system deploy/image-reflector-controller <span class="nt">--</span> <span class="se">\ </span> <span class="nb">ls</span> <span class="nt">-l</span> /var/run/secrets/eks.amazonaws.com/serviceaccount total 0 lrwxrwxrwx 1 root 1337 12 Oct 27 19:49 token -&gt; ..data/token </code></pre> </div> <h3> 2️⃣ Token audience is STS </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> flux-system deploy/image-reflector-controller <span class="nt">--</span> <span class="se">\</span> <span class="nb">cat</span> /var/run/secrets/eks.amazonaws.com/serviceaccount/token <span class="se">\</span> | jq <span class="nt">-R</span> <span class="s1">'split(".") | .[1] | @base64d | fromjson'</span> | jq <span class="s1">'.aud,.sub'</span> <span class="o">[</span> <span class="s2">"sts.amazonaws.com"</span> <span class="o">]</span> <span class="s2">"system:serviceaccount:flux-system:image-reflector-controller"</span> </code></pre> </div> <h3> 3️⃣ ImageRepository status </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get imagerepository <span class="nt">-n</span> flux-system mainapp <span class="nt">-o</span> yaml | yq <span class="s1">'.status.conditions'</span> <span class="o">[</span> <span class="o">{</span> <span class="s2">"lastTransitionTime"</span>: <span class="s2">"2025-10-27T18:48:23Z"</span>, <span class="s2">"message"</span>: <span class="s2">"successful scan: found 2 tags"</span>, <span class="s2">"observedGeneration"</span>: 1, <span class="s2">"reason"</span>: <span class="s2">"Succeeded"</span>, <span class="s2">"status"</span>: <span class="s2">"True"</span>, <span class="s2">"type"</span>: <span class="s2">"Ready"</span> <span class="o">}</span> <span class="o">]</span> </code></pre> </div> <h2> 🧰 Troubleshooting <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Symptom</th> <th>Probable Cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td><code>no EC2 IMDS role found</code></td> <td>IRSA not active or the Pod still not using it</td> <td>Annotate SA + restart pod</td> </tr> <tr> <td>Only <code>token</code> file exists</td> <td>Normal (modern IRSA token projection)</td> <td>Decode token for <code>aud: sts.amazonaws.com</code> </td> </tr> <tr> <td><code>AccessDenied: ecr:GetAuthorizationToken</code></td> <td>Role missing token permission</td> <td>Add <code>ecr:GetAuthorizationToken</code> on <code>*</code> </td> </tr> <tr> <td> <code>AccessDenied</code> on repo read</td> <td>Wrong ARN pattern</td> <td>Use exact ARN (e.g.<code>repository/&lt;prefix&gt;/&lt;app_name&gt;</code>) or allow <code>repository/*</code> </td> </tr> <tr> <td>SA annotation missing</td> <td>FluxInstance CRD type is list of strings</td> <td>Patch SAs with Terraform annotations</td> </tr> </tbody> </table></div> <h2> 🔒 Security Notes <a></a> </h2> <ul> <li>Scope ECR access to specific repositories whenever possible (e.g. <code>repository/&lt;repo&gt;</code>)</li> <li>Keep <code>ecr:GetAuthorizationToken</code> unscoped</li> <li>IRSA isolates pod access — no node IAM exposure</li> <li>Rotate IAM policies periodically and audit for unused repositories</li> </ul> <h2> 🏁 Conclusion </h2> <p>By combining FluxCD with IRSA, we’ve achieved:</p> <ul> <li>Pod-scoped ECR authentication (no IMDS dependency)</li> <li>Least-privilege IAM access</li> <li>Fully automated GitOps workflow via Terraform</li> </ul> <p>This setup ensures that your CI/CD pipeline runs natively within EKS — secure, scalable, and elegant.</p> <h2> 🕑 Change Log <a></a> </h2> <ul> <li>Operator: v0.32.0</li> <li>Flux: v2.4.0</li> <li>IAM module: v6.2.1</li> <li>Shared IRSA for image controllers</li> <li>Correct repo ARN (no nested wildcard)</li> </ul> terraform aws fluxcd eks Santanu Das Fri, 24 Oct 2025 20:17:07 +0000 https://forem.com/santanu_das/efs-data-across-multiple-eks-applications-using-terraform-3mpj https://forem.com/santanu_das/efs-data-across-multiple-eks-applications-using-terraform-3mpj <h2> Table Of Contents </h2> <ul> <li>The Problem</li> <li>The Solution</li> <li>Achievements</li> <li>Verification</li> <li>The Conclusion</li> </ul> <p>In the <a href="https://dev.to/santanu_das/integrating-amazon-efs-with-amazon-eks-using-terraform-4f5l">first part</a> of this guide, we walked through setting up Amazon EFS with Amazon EKS using Terraform — covering file system provisioning, IAM integration, and CSI driver configuration. And just after I thought we are back in business, one of the developers very proudly announce: <em><strong>This won't work for all of our apps; at least two of the apps need to share the same data directory.</strong></em> 🤪</p> <p>Went back to the drawing board with one subtle challenge:</p> <blockquote> <p>How do we safely share the same EFS directory between multiple EKS applications while keeping our Terraform code clean, not over-engineered, declarative, and idempotent?</p> </blockquote> <p>Eventually came up with some ideas: This article shows how did we solve that precisely — using distinct EFS access points per unique path, rather than per app, here at <a href="https://www.zenler.com" rel="noopener noreferrer">Zenler</a>.</p> <h2> ⚙️ The Problem <a></a> </h2> <p>When multiple applications each create their own EFS access point, even if they use the <em>same absolute path</em> (e.g. <code>/data/zenler-app</code>), AWS treats those as separate mount namespaces.</p> <p>That means:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Actual EFS path</th> <th>Access Point View</th> </tr> </thead> <tbody> <tr> <td><code>/data/zenler-app/file1.txt</code></td> <td> <code>/file1.txt</code> (inside both access points)</td> </tr> <tr> <td><code>/data/zenler-app</code></td> <td> <code>/</code> (inside both access points)</td> </tr> </tbody> </table></div> <p>However, EFS does not create a shared view between two access points mounted at the same <strong>root-path</strong> unless they were both created pointing to the same inode (directory object).</p> <p>Example:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>App</th> <th>Configured Path</th> <th>Actual Mount Namespace</th> </tr> </thead> <tbody> <tr> <td>tenant-app</td> <td><code>/data/zenler-app</code></td> <td>Isolated Access Point A</td> </tr> <tr> <td>zenler-app</td> <td><code>/data/zenler-app</code></td> <td>Isolated Access Point B</td> </tr> </tbody> </table></div> <p>That last bit is subtle: When we created the first access point, AWS created (if not already existing) the path <code>/data/zenler-app</code> and initialized it with UID/GID <code>1000:1000</code>.<br> When we created the second access point, even though we wrote the same path (<code>/data/zenler-app</code>), AWS treats that as its own isolated root handle (like a different "view" into the same filesystem), not a symbolic reference to the existing directory.</p> <p>In effect, each access point got its own <strong>chroot view</strong> that does not automatically unify — the same logical path string doesn’t mean same underlying inode reference. As a result, pods using these different access points can’t see each other’s files, because each access point’s <code>root_directory.path</code> becomes its own root scope.</p> <h2> ✅ The Solution — Access Points per Distinct Path <a></a> </h2> <p>The solution is simple but powerful: Deduplicate access points by path, so each unique EFS directory has exactly one access point.</p> <h4> 1️⃣ First - Normalize the EFS volume paths </h4> <p>Created a local variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">efs_access_points</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">K2</span><span class="p">,</span> <span class="nx">V2</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">apps_config</span> <span class="err">:</span> <span class="nx">K2</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="p">(</span><span class="nx">V2</span><span class="p">.</span><span class="nx">efs_volume</span><span class="p">.</span><span class="nx">path</span> <span class="p">==</span> <span class="kc">null</span> <span class="err">?</span> <span class="s2">"/data/${K2}"</span> <span class="err">:</span> <span class="nx">V2</span><span class="p">.</span><span class="nx">efs_volume</span><span class="p">.</span><span class="nx">path</span><span class="p">)</span> <span class="p">}</span> <span class="nx">if</span> <span class="nx">V2</span><span class="p">.</span><span class="nx">efs_volume</span><span class="p">.</span><span class="nx">attached</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In our setup, it outputs something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="p">{</span> <span class="s2">"tenant-app"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"path"</span> <span class="p">=</span> <span class="s2">"/data/zenler-app"</span> <span class="p">}</span> <span class="s2">"zenler-app"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"path"</span> <span class="p">=</span> <span class="s2">"/data/zenler-app"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> 2️⃣ Create one EFS Access Point per unique path </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_efs_access_point"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_enabled</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">(</span> <span class="nx">distinct</span><span class="p">(</span><span class="nx">concat</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">KV</span> <span class="nx">in</span> <span class="nx">values</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">efs_access_points</span><span class="p">)</span> <span class="err">:</span> <span class="nx">values</span><span class="p">(</span><span class="nx">KV</span><span class="p">)</span> <span class="p">]...))</span> <span class="p">)</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">file_system_id</span> <span class="p">=</span> <span class="nx">aws_efs_file_system</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span><span class="p">].</span><span class="nx">id</span> <span class="nx">posix_user</span> <span class="p">{</span> <span class="nx">uid</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">gid</span> <span class="p">=</span> <span class="mi">1000</span> <span class="p">}</span> <span class="nx">root_directory</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">creation_info</span> <span class="p">{</span> <span class="nx">owner_uid</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">owner_gid</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">permissions</span> <span class="p">=</span> <span class="s2">"0775"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${local.efs_template_name}ap-${replace(each.key, "</span><span class="p">/</span><span class="s2">", "</span><span class="nx">-</span><span class="s2">")}"</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"aws_efs_access_point.this"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now Terraform will only create one access point per distinct directory.<br> If two apps share <code>/data/zenler-app</code>, they’ll reuse the same EFS access point automatically.</p> <h4> 3️⃣ Re-associate apps with the correct Access Point </h4> <p>Then, in <code>efs_pvs</code> module, only change the <code>efs_access_points</code> parameter to this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># EFS-PVS local-module reference</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">module</span> <span class="s2">"efs_pvs"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules//efs_pvs"</span> <span class="nx">efs_access_points</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">K1</span><span class="p">,</span> <span class="nx">V1</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">efs_access_points</span> <span class="err">:</span> <span class="nx">K1</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">apid</span> <span class="p">=</span> <span class="nx">aws_efs_access_point</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="nx">V1</span><span class="p">.</span><span class="nx">path</span><span class="p">].</span><span class="nx">id</span> <span class="nx">nmsp</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">apps_config</span><span class="p">[</span><span class="nx">K1</span><span class="p">].</span><span class="nx">name_space</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">efs_dns_name</span> <span class="p">=</span> <span class="nx">aws_efs_file_system</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">dns_name</span> <span class="nx">efs_file_system_id</span> <span class="p">=</span> <span class="nx">aws_efs_file_system</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">efs_name_prefix</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">efs_template_name</span> <span class="p">}</span> </code></pre> </div> <p>which will return the <em>set</em>, exactly the formatted like before (with the <code>app-name</code> as the <em>Key</em>) but the with the same <code>apid</code> for the apps need to <em>friendly</em> to each other:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="p">{</span> <span class="s2">"tenant-app"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"apid"</span> <span class="p">=</span> <span class="s2">"fsap-08be57c06a0b1c2d4"</span> <span class="s2">"nmsp"</span> <span class="p">=</span> <span class="s2">"zenler-apps"</span> <span class="p">}</span> <span class="s2">"zenler-app"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"apid"</span> <span class="p">=</span> <span class="s2">"fsap-08be57c06a0b1c2d4"</span> <span class="s2">"nmsp"</span> <span class="p">=</span> <span class="s2">"zenler-apps"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>and the rest of the things in the <code>module/efs_pvs</code> stay as it is, without any change required in either <code>PersistentVolume</code> or <code>PersistentVolumeClaim</code> resource.</p> <p>And that's what actually it!! 🙌<br> (until the next call from the app teams 😬)</p> <h2> 🧠 Achievements <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Benefit</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>1️⃣ Shared access</td> <td>Multiple pods can see the same files in real time</td> </tr> <tr> <td>2️⃣ Fewer resources</td> <td>Only one AP per path instead of one per app</td> </tr> <tr> <td>3️⃣ Simpler IAM &amp; POSIX model</td> <td>Each directory has a single enforcement layer</td> </tr> <tr> <td>4️⃣ Idempotent Terraform</td> <td>Prevents churn and duplicate APs</td> </tr> <tr> <td>5️⃣ Flexible design</td> <td>Seamless unique and shared paths</td> </tr> </tbody> </table></div> <h2> 🔍 Quick Verification <a></a> </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws efs describe-access-points <span class="nt">--file-system-id</span> &lt;fs-id&gt; kubectl <span class="nb">exec</span> <span class="nt">-it</span> pod/tenant-app <span class="nt">--</span> <span class="nb">ls</span> /mnt/efs kubectl <span class="nb">exec</span> <span class="nt">-it</span> pod/zenler-app <span class="nt">--</span> <span class="nb">ls</span> /mnt/efs </code></pre> </div> <h2> ✅ The Conclusion <a></a> </h2> <p>By deduplicating EFS access points by unique path, you can safely allow multiple EKS applications to share the same directory on Amazon EFS — without namespace conflicts or code complexity.</p> <p>This pattern keeps your Terraform configuration declarative, scalable, and ready for production.</p> eks terraform aws devops Santanu Das Thu, 23 Oct 2025 17:52:03 +0000 https://forem.com/santanu_das/automating-transit-gateway-attachment-tagging-using-eventbridge-and-lambda-10lh https://forem.com/santanu_das/automating-transit-gateway-attachment-tagging-using-eventbridge-and-lambda-10lh <h2> Table Of Contents </h2> <ul> <li>The Problem</li> <li>Underlying Issues</li> <li>Solution Overview</li> <li>Architecture Diagram</li> <li>Implementation Details</li> <li>Function Code</li> <li>IAM Requirements</li> <li>Testing Approach</li> <li>Terraform Implementation</li> <li>Conclusion</li> <li>End Result</li> <li>Troubleshooting</li> <li>Key Takeaways</li> <li>Future Enhancements</li> </ul> <p>In a multi-account AWS Organization, managing shared Transit Gateways can quickly become messy. Every account owns its own attachments — but when those attachments are created cross-account (for example, via Terraform), the TGW owner account receives untagged attachments.</p> <p>This post explains how we automated cross-account TGW attachment tagging at <a href="https://www.zenler.com" rel="noopener noreferrer">Zenler</a> using CloudTrail, EventBridge, and Lambda — ensuring TGW owner account automatically inherits the requester’s tags within seconds, when a requester VPC attaches to a shared TGW.</p> <p><strong>TL;DR</strong><br> This setup automatically copies VPC tags from the requester account to the TGW attachment in the owner account. It is fully <strong>event-driven</strong>, <strong>serverless</strong>, and scales with TGW usage — no polling or manual intervention required.</p> <h2> The Problem We <del>Have</del> Had <a></a> </h2> <p>In our multi-account AWS environment, we rely on Transit Gateway (TGW) to connect shared networking components with application VPCs. However, when a TGW attachment is created across accounts (e.g., by Terraform in a requester account), the attachment in the TGW owner account is created without tags.</p> <p>This caused several issues:</p> <ul> <li>Attachments appeared as untagged resources in the TGW owner account.</li> <li>Reporting and cost-allocation automation relying on tags failed.</li> <li>Manual tagging was error-prone and inconsistent.</li> </ul> <p>We needed an automated, cross-account, event-driven mechanism to apply consistent tags to new TGW attachments as soon as they are created or accepted.</p> <h2> Underlying Issues <a></a> </h2> <p>By default:</p> <ul> <li>The requester’s VPC tags do not propagate to the TGW attachment.</li> <li>TGW create/accept API calls are management events, recorded only in CloudTrail, not directly visible to EventBridge unless CloudTrail is integrated.</li> <li>The TGW attachment resource resides in the TGW owner account, so tagging must happen there, not in the requester’s account.</li> </ul> <h2> Solution Overview <a></a> </h2> <p>We implemented an EventBridge + Lambda automation that listens for CloudTrail management events related to TGW attachments and automatically applies tags from the requester’s VPC.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fow42insfxv9fff3ctuyb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fow42insfxv9fff3ctuyb.png" alt="TGW auto-tagging flow" width="800" height="1167"></a></p> <p><br><strong>Event Flow Diagram:</strong><br> <code>CloudTrail → EventBridge → Lambda → AssumeRole → Tag TGW attachment</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitu0hmta5bpbd3fkbzk5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitu0hmta5bpbd3fkbzk5.png" alt="Event Flow" width="800" height="517"></a></p> <p><strong>Workflow Summary:</strong></p> <ul> <li>CloudTrail logs CreateTransitGatewayVpcAttachment and AcceptTransitGatewayVpcAttachment events.</li> <li>CloudTrail is configured to <strong>send events to EventBridge</strong>.</li> <li>An <strong>EventBridge</strong> rule filters TGW attachment events.</li> <li>The rule triggers a <strong>Lambda function</strong> in the TGW owner account.</li> <li>The Lambda: <ul> <li>Parses the CloudTrail event (supports both new and old formats).</li> <li>Identifies the requester account and VPC ID.</li> <li>Assumes a cross-account role into the requester account.</li> <li>Retrieves VPC tags and applies them to the TGW attachment, adding a suffix to the Name tag.</li> </ul> </li> </ul> <h2> Architecture Diagram <a></a> </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpgm7yjbcmoiws6vhw2jl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpgm7yjbcmoiws6vhw2jl.png" alt="TGW auto-tagging" width="800" height="533"></a></p> <h2> Implementation Details <a></a> </h2> <p>When a requester account creates a TGW VPC attachment, the TGW owner account receives the attachment resource <strong>without any inherited tags</strong>. This function then listens to <strong>CloudTrail → EventBridge events</strong>, to identify the new TGW attachment(s), and automatically applies the <strong>VPC tags</strong> from the requester’s account to the corresponding TGW attachment in the owner’s account.</p> <h3> 1️⃣ CloudTrail Configuration: </h3> <ul> <li>Multi-region trail enabled (optional, if needed).</li> <li>Management events (<code>IncludeManagementEvents = true</code>).</li> <li>Integrated with EventBridge (<code>event_bus_name = "default"</code>).</li> </ul> <h3> 2️⃣ EventBridge Rule Filter </h3> <p>The EventBridge rule filter defines which AWS <strong>CloudTrail events</strong> should trigger the Lambda function, making sure ensures it's only invoked when Transit Gateway (TGW) attachments are created or accepted — not for every EC2 API call.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"aws.ec2"</span><span class="p">],</span><span class="w"> </span><span class="nl">"detail-type"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"AWS API Call via CloudTrail"</span><span class="p">],</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"eventSource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"ec2.amazonaws.com"</span><span class="p">],</span><span class="w"> </span><span class="nl">"eventName"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"CreateTransitGatewayVpcAttachment"</span><span class="p">,</span><span class="w"> </span><span class="s2">"AcceptTransitGatewayVpcAttachment"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 3️⃣ Event Sample </h3> <p>The filter is evaluated each time CloudTrail logs a new management event and inspects each incoming event, like the one below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test-id"</span><span class="p">,</span><span class="w"> </span><span class="nl">"detail-type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS API Call via CloudTrail"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws.ec2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"account"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456789012"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-09-29T10:05:01Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"eventVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.10"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userIdentity"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWSAccount"</span><span class="p">,</span><span class="w"> </span><span class="nl">"principalId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AROA6Q5A2P2LQJEJCKFPD:aws-go-sdk-1759140300350852736"</span><span class="p">,</span><span class="w"> </span><span class="nl">"accountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456789012"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"eventTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-09-29T10:05:01Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventSource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ec2.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CreateTransitGatewayVpcAttachment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awsRegion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sourceIPAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"25.xxx.xxx.xxx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userAgent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"APN/1.0 HashiCorp/1.0 Terraform/1.11.0 (+https://www.terraform.io) terraform-provider-aws/6.2.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.36.5 ua/2.1 os/linux lang/go#1.24.4 md/GOOS#linux md/GOARCH#arm64 api/ec2#1.229.0 m/i"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestParameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CreateTransitGatewayVpcAttachmentRequest"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Ipv6Support"</span><span class="p">:</span><span class="w"> </span><span class="s2">"disable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ApplianceModeSupport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"enable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DnsSupport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"enable"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"TransitGatewayId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tgw-87654321b6418c2bc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"VpcId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vpc-34239b0b1106a01f0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TagSpecifications"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ResourceType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"transit-gateway-attachment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tag"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"Tag"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Santanu Das"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tag"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"Key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Author"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"zenler"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tag"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"Key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CostCentre"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">....</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"SubnetIds"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tag"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"content"</span><span class="p">:</span><span class="w"> </span><span class="s2">"subnet-04b7a3c2512345678"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tag"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"content"</span><span class="p">:</span><span class="w"> </span><span class="s2">"subnet-12345678017c583d0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"responseElements"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CreateTransitGatewayVpcAttachmentResponse"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"xmlns"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://ec2.amazonaws.com/doc/2016-11-15/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"transitGatewayVpcAttachment"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tagSet"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HIDDEN_DUE_TO_SECURITY_REASONS"</span><span class="p">,</span><span class="w"> </span><span class="nl">"creationTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-09-29T10:05:01.000Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"transitGatewayAttachmentId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tgw-attach-0b575dfd1fcbdbf6b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"transitGatewayId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tgw-87654321b6418c2bc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vpcId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vpc-34239b0b1106a01f0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"applianceModeSupport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"enable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"securityGroupReferencingSupport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"enable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dnsSupport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"enable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ipv6Support"</span><span class="p">:</span><span class="w"> </span><span class="s2">"disable"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"state"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pending"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vpcOwnerId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456789012"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subnetIds"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"item"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"subnet-04b7a3c2512345678"</span><span class="p">,</span><span class="w"> </span><span class="s2">"subnet-12345678017c583d0"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"11a9ce7e-1f5d-4c69-86cf-d4043309f8ad"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"requestID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"11a9ce7e-1f5d-4c69-86cf-d4043309f8ad"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"498e93ad-edc8-415d-be8e-7420d71c4b10"</span><span class="p">,</span><span class="w"> </span><span class="nl">"readOnly"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AwsApiCall"</span><span class="p">,</span><span class="w"> </span><span class="nl">"managementEvent"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"recipientAccountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456789013"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sharedEventID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"facd716b-20c2-4496-9109-d10c4965bbf3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventCategory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Management"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tlsDetails"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tlsVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"TLSv1.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cipherSuite"</span><span class="p">:</span><span class="w"> </span><span class="s2">"TLS_AES_128_GCM_SHA256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientProvidedHostHeader"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ec2.eu-west-2.amazonaws.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3>  4️⃣ Lambda Function </h3> <ul> <li>Receives only those events related to TGW attachment operations.</li> <li>Handles both CreateTransitGatewayVpcAttachmentResponse and AcceptTransitGatewayVpcAttachmentResponse.</li> <li>Fallback for legacy format transitGatewayAttachment.</li> <li>Detects requester account dynamically via userIdentity.accountId.</li> <li>Cross-account role assumption for tag retrieval.</li> <li>Appends suffix to Name tag and applies in TGW owner account.</li> </ul> <h2> The Function Code <a></a> </h2> <blockquote> <p>ℹ️ The code below is written according to the event as sampled above. It may need to readjusting the part under <code># Handle new CloudTrail Create or Accept responses</code><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="k">class</span> <span class="nc">Config</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">CROSS_ROLE_NAME</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">XACC_ROLE_NAME</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">xaccount-tgw-autotag-Role</span><span class="sh">'</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">TAG_NAME_PREFIX</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">TAG_NAME_PREFIX</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">TGW-Attachment</span><span class="sh">'</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">TAG_NAME_SUFFIX</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">TAG_NAME_SUFFIX</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">xacc-att</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Usage </span><span class="n">config</span> <span class="o">=</span> <span class="nc">Config</span><span class="p">()</span> <span class="o">=================================================================</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">os</span><span class="p">,</span> <span class="n">json</span><span class="p">,</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">config</span> <span class="kn">import</span> <span class="n">config</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="n">DEFAULT_NAME_PREFIX</span> <span class="o">=</span> <span class="n">config</span><span class="p">.</span><span class="n">TAG_NAME_PREFIX</span> <span class="n">NAME_TAG_SUFFIX</span> <span class="o">=</span> <span class="n">config</span><span class="p">.</span><span class="n">TAG_NAME_SUFFIX</span> <span class="n">CROSS_ROLE_NAME</span> <span class="o">=</span> <span class="n">config</span><span class="p">.</span><span class="n">CROSS_ROLE_NAME</span> <span class="k">def</span> <span class="nf">assume_role</span><span class="p">(</span><span class="n">account_id</span><span class="p">,</span> <span class="n">role_name</span><span class="p">):</span> <span class="n">sts</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">sts</span><span class="sh">"</span><span class="p">)</span> <span class="n">role_arn</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">arn:aws:iam::</span><span class="si">{</span><span class="n">account_id</span><span class="si">}</span><span class="s">:role/</span><span class="si">{</span><span class="n">role_name</span><span class="si">}</span><span class="sh">"</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Attempting to assume role </span><span class="si">{</span><span class="n">role_arn</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">sts</span><span class="p">.</span><span class="nf">assume_role</span><span class="p">(</span> <span class="n">RoleArn</span><span class="o">=</span><span class="n">role_arn</span><span class="p">,</span> <span class="n">RoleSessionName</span><span class="o">=</span><span class="sh">"</span><span class="s">TGWAutotagSession</span><span class="sh">"</span> <span class="p">)</span> <span class="n">creds</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Credentials</span><span class="sh">"</span><span class="p">]</span> <span class="n">assumed_session</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nc">Session</span><span class="p">(</span> <span class="n">aws_access_key_id</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">"</span><span class="s">AccessKeyId</span><span class="sh">"</span><span class="p">],</span> <span class="n">aws_secret_access_key</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">"</span><span class="s">SecretAccessKey</span><span class="sh">"</span><span class="p">],</span> <span class="n">aws_session_token</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">"</span><span class="s">SessionToken</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Debug identity </span> <span class="n">identity</span> <span class="o">=</span> <span class="n">assumed_session</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">sts</span><span class="sh">"</span><span class="p">).</span><span class="nf">get_caller_identity</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Assumed role identity: </span><span class="si">{</span><span class="n">identity</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">assumed_session</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to assume role </span><span class="si">{</span><span class="n">role_arn</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Received event: %s</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">event</span><span class="p">))</span> <span class="k">try</span><span class="p">:</span> <span class="n">detail</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">responseElements</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Handle new CloudTrail Create or Accept responses </span> <span class="k">if</span> <span class="sh">"</span><span class="s">CreateTransitGatewayVpcAttachmentResponse</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">detail</span><span class="p">:</span> <span class="n">tgw_attach</span> <span class="o">=</span> <span class="n">detail</span><span class="p">[</span><span class="sh">"</span><span class="s">CreateTransitGatewayVpcAttachmentResponse</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">transitGatewayVpcAttachment</span><span class="sh">"</span><span class="p">]</span> <span class="k">elif</span> <span class="sh">"</span><span class="s">AcceptTransitGatewayVpcAttachmentResponse</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">detail</span><span class="p">:</span> <span class="n">tgw_attach</span> <span class="o">=</span> <span class="n">detail</span><span class="p">[</span><span class="sh">"</span><span class="s">AcceptTransitGatewayVpcAttachmentResponse</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">transitGatewayVpcAttachment</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Otherwise, Fallback: older CloudTrail format </span> <span class="k">elif</span> <span class="sh">"</span><span class="s">transitGatewayAttachment</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">detail</span><span class="p">:</span> <span class="n">tgw_attach</span> <span class="o">=</span> <span class="n">detail</span><span class="p">[</span><span class="sh">"</span><span class="s">transitGatewayAttachment</span><span class="sh">"</span><span class="p">]</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">KeyError</span><span class="p">(</span><span class="sh">"</span><span class="s">No recognizable TGW attachment block in event</span><span class="sh">"</span><span class="p">)</span> <span class="n">attachment_id</span> <span class="o">=</span> <span class="n">tgw_attach</span><span class="p">[</span><span class="sh">"</span><span class="s">transitGatewayAttachmentId</span><span class="sh">"</span><span class="p">]</span> <span class="n">vpc_id</span> <span class="o">=</span> <span class="n">tgw_attach</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">vpcId</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="n">tgw_attach</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">resourceId</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># requester_account from New or fallback to Old format </span> <span class="k">if</span> <span class="sh">"</span><span class="s">userIdentity</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">]</span> <span class="ow">and</span> <span class="sh">"</span><span class="s">accountId</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">userIdentity</span><span class="sh">"</span><span class="p">]:</span> <span class="n">requester_account</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">userIdentity</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">accountId</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># new format </span> <span class="k">else</span><span class="p">:</span> <span class="n">requester_account</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># old format </span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Could not parse event for attachment: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Processing TGW Attachment: </span><span class="si">{</span><span class="n">attachment_id</span><span class="si">}</span><span class="s"> from account </span><span class="si">{</span><span class="n">requester_account</span><span class="si">}</span><span class="s">, VPC </span><span class="si">{</span><span class="n">vpc_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Step 1: Assume requester role </span> <span class="k">try</span><span class="p">:</span> <span class="n">requester_session</span> <span class="o">=</span> <span class="nf">assume_role</span><span class="p">(</span><span class="n">requester_account</span><span class="p">,</span> <span class="n">CROSS_ROLE_NAME</span><span class="p">)</span> <span class="n">ec2_requester</span> <span class="o">=</span> <span class="n">requester_session</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">ec2</span><span class="sh">"</span><span class="p">)</span> <span class="n">vpc</span> <span class="o">=</span> <span class="n">ec2_requester</span><span class="p">.</span><span class="nf">describe_vpcs</span><span class="p">(</span><span class="n">VpcIds</span><span class="o">=</span><span class="p">[</span><span class="n">vpc_id</span><span class="p">])[</span><span class="sh">"</span><span class="s">Vpcs</span><span class="sh">"</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="n">vpc_tags</span> <span class="o">=</span> <span class="n">vpc</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Tags</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Requester VPC tags: </span><span class="si">{</span><span class="n">vpc_tags</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to fetch VPC tags from requester account </span><span class="si">{</span><span class="n">requester_account</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="c1"># Step 2: Build tags </span> <span class="k">if</span> <span class="n">vpc_tags</span><span class="p">:</span> <span class="n">tags_to_copy</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">tag</span> <span class="ow">in</span> <span class="n">vpc_tags</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="n">tag</span><span class="p">[</span><span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">]</span> <span class="n">value</span> <span class="o">=</span> <span class="n">tag</span><span class="p">[</span><span class="sh">"</span><span class="s">Value</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># If it's the Name tag, add suffix </span> <span class="k">if</span> <span class="n">key</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Name</span><span class="sh">"</span><span class="p">:</span> <span class="n">value</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">value</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">NAME_TAG_SUFFIX</span><span class="si">}</span><span class="sh">"</span> <span class="n">tags_to_copy</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="sh">"</span><span class="s">Value</span><span class="sh">"</span><span class="p">:</span> <span class="n">value</span><span class="p">})</span> <span class="k">else</span><span class="p">:</span> <span class="n">tags_to_copy</span> <span class="o">=</span> <span class="p">[{</span><span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Value</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">DEFAULT_NAME_PREFIX</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">vpc_id</span><span class="si">}</span><span class="sh">"</span><span class="p">}]</span> <span class="c1"># Print out final tags before applying </span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Final tags_to_copy for TGW attachment </span><span class="si">{</span><span class="n">attachment_id</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">tags_to_copy</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Step 3: Apply tags in TGW owner account </span> <span class="k">try</span><span class="p">:</span> <span class="n">ec2_owner</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">ec2</span><span class="sh">"</span><span class="p">)</span> <span class="n">ec2_owner</span><span class="p">.</span><span class="nf">create_tags</span><span class="p">(</span><span class="n">Resources</span><span class="o">=</span><span class="p">[</span><span class="n">attachment_id</span><span class="p">],</span> <span class="n">Tags</span><span class="o">=</span><span class="n">tags_to_copy</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ Successfully tagged TGW attachment </span><span class="si">{</span><span class="n">attachment_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Failed to tag TGW attachment </span><span class="si">{</span><span class="n">attachment_id</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Configuration Parameters </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Variable</th> <th>Description</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td><code>TAG_NAME_PREFIX</code></td> <td>Default prefix if no VPC name exists</td> <td><code>auto-tgw</code></td> </tr> <tr> <td><code>TAG_NAME_SUFFIX</code></td> <td>Suffix appended to “Name” tag</td> <td><code>-xacc-att</code></td> </tr> <tr> <td><code>CROSS_ROLE_NAME</code></td> <td>IAM role assumed in requester account</td> <td><code>TGWAutoTagCrossAccountRole</code></td> </tr> </tbody> </table></div> <h3> Core Functions </h3> <p>1️⃣ <code>assume_role(account_id, role_name)</code><br> Assumes the specified IAM role in the target account and returns a boto3 session object.</p> <p><strong>Responsibilities:</strong></p> <ul> <li>Builds role ARN dynamically: arn:aws:iam:::role/</li> <li>Uses sts.assume_role for temporary credentials.</li> <li>Returns a boto3.Session with assumed credentials.</li> </ul> <p><strong>Logging:</strong></p> <ul> <li>Logs identity confirmation from <code>sts.get_caller_identity()</code> for verification.</li> </ul> <p>2️⃣ <code>handler(event, context)</code><br> Main entry point for the Lambda function.</p> <p><strong>Primary Responsibilities:</strong></p> <ul> <li>Parse CloudTrail event for: <ul> <li>TGW Attachment ID</li> <li>VPC ID</li> <li>Requester Account ID</li> </ul> </li> <li>Assume cross-account IAM role into requester account.</li> <li>Retrieve tags from requester VPC.</li> <li>Construct tags_to_copy list.</li> <li>Apply tags to TGW attachment in the TGW owner account.</li> </ul> <h3>  Code Flow Explanation </h3> <h4> Event Parsing </h4> <p>1️⃣ Handles multiple CloudTrail formats for backward compatibility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="sh">"</span><span class="s">CreateTransitGatewayVpcAttachmentResponse</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">detail</span><span class="p">:</span> <span class="n">tgw_attach</span> <span class="o">=</span> <span class="n">detail</span><span class="p">[</span><span class="sh">"</span><span class="s">CreateTransitGatewayVpcAttachmentResponse</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">transitGatewayVpcAttachment</span><span class="sh">"</span><span class="p">]</span> <span class="k">elif</span> <span class="sh">"</span><span class="s">AcceptTransitGatewayVpcAttachmentResponse</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">detail</span><span class="p">:</span> <span class="n">tgw_attach</span> <span class="o">=</span> <span class="n">detail</span><span class="p">[</span><span class="sh">"</span><span class="s">AcceptTransitGatewayVpcAttachmentResponse</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">transitGatewayVpcAttachment</span><span class="sh">"</span><span class="p">]</span> <span class="k">elif</span> <span class="sh">"</span><span class="s">transitGatewayAttachment</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">detail</span><span class="p">:</span> <span class="c1"># legacy format </span> <span class="n">tgw_attach</span> <span class="o">=</span> <span class="n">detail</span><span class="p">[</span><span class="sh">"</span><span class="s">transitGatewayAttachment</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p>2️⃣ Determines <strong>requester account</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="sh">"</span><span class="s">userIdentity</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">]</span> <span class="ow">and</span> <span class="sh">"</span><span class="s">accountId</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">userIdentity</span><span class="sh">"</span><span class="p">]:</span> <span class="n">requester_account</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">userIdentity</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">accountId</span><span class="sh">"</span><span class="p">]</span> <span class="k">else</span><span class="p">:</span> <span class="n">requester_account</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h4> Cross-Account Tag Retrieval </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">requester_session</span> <span class="o">=</span> <span class="nf">assume_role</span><span class="p">(</span><span class="n">requester_account</span><span class="p">,</span> <span class="n">CROSS_ROLE_NAME</span><span class="p">)</span> <span class="n">ec2_requester</span> <span class="o">=</span> <span class="n">requester_session</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">ec2</span><span class="sh">"</span><span class="p">)</span> <span class="n">vpc</span> <span class="o">=</span> <span class="n">ec2_requester</span><span class="p">.</span><span class="nf">describe_vpcs</span><span class="p">(</span><span class="n">VpcIds</span><span class="o">=</span><span class="p">[</span><span class="n">vpc_id</span><span class="p">])[</span><span class="sh">"</span><span class="s">Vpcs</span><span class="sh">"</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="n">vpc_tags</span> <span class="o">=</span> <span class="n">vpc</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Tags</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> </code></pre> </div> <h4> Tag Construction </h4> <p>1️⃣ Adds suffix to Name tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">tag</span> <span class="ow">in</span> <span class="n">vpc_tags</span><span class="p">:</span> <span class="k">if</span> <span class="n">tag</span><span class="p">[</span><span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Name</span><span class="sh">"</span><span class="p">:</span> <span class="n">tag</span><span class="p">[</span><span class="sh">"</span><span class="s">Value</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">tag</span><span class="p">[</span><span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">NAME_TAG_SUFFIX</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>2️⃣ Fallback when no tags exist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">tags_to_copy</span> <span class="o">=</span> <span class="p">[{</span><span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Value</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">DEFAULT_NAME_PREFIX</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">vpc_id</span><span class="si">}</span><span class="sh">"</span><span class="p">}]</span> </code></pre> </div> <h2> IAM Requirements <a></a> </h2> <p><strong>TGW Owner Account (Lambda Execution Role)</strong><br> 1️⃣ MUST allow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:CreateTags"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Requester Account (Cross-Account Role)</strong><br> 1️⃣ MUST trust TGW Owner account’s Lambda role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;tgw-owner-account&gt;:role/&lt;lambda-exec-role&gt;"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>2️⃣ and MUST allow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ec2:DescribeVpcs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2>  🧪 Testing Approach <a></a> </h2> <ul> <li>Use Lambda test console with real CloudTrail event payloads.</li> <li>Verify: <ol> <li>Event parsing logs (attachment ID, requester account, VPC ID)</li> <li>Successful assume role identity.</li> <li>Correct tag propagation in TGW console.</li> </ol> </li> </ul> <h2> Terraform Implementation <a></a> </h2> <p>The code-snippet below are purely for reference purpose. Our TF projects are bootstraped from Terragrunt and it's a modified version of copy/paste from there, which may not exactly fit in every other development environment. </p> <blockquote> <p>ℹ️ This work-flow is part of our in-house VPC module, where it does the TGW attachemnt during the VPC creation. The condition <code>var.run_acc != var.tgw_owner_acc</code> determins whether to execute the associated TF resource in the currently running_account or not. <code>provider = aws.tgw</code> switches to the TGW owner's account for the deployment</p> </blockquote> <h4> 1️⃣ Lambda Excution Role/Policy </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># Policy to attach to Lambda excution Role</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"tgw_owner_acc"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="err">!</span><span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:CreateTags"</span><span class="p">,</span> <span class="s2">"ec2:DescribeTransitGatewayAttachments"</span> <span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowLambdaCreateTgwAttachmentTags"</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">tgw_this_acc</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">vpc_name_pfx</span><span class="p">].</span><span class="nx">arn</span><span class="p">]</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowLambdaToAssumeRole"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Generate the policy from above document</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"tgw_owner_acc"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="err">!</span><span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">(</span> <span class="nx">values</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">env_tgw_info</span><span class="p">)[*].</span><span class="nx">owner_name</span> <span class="p">)</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${lower(each.value)}-${upper(var.run_acc)}-tgw-autotag-Policy"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IAM policy for logging from a lambda"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">tgw_owner_acc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">json</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">extra_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${each.value}-tgw-autotag-Policy"</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"aws_iam_policy.tgw_xacc_autotag"</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">tgw</span> <span class="p">}</span> <span class="c1">// Attach policy to lambda excution Role</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"tgw_owner_acc"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="err">!</span><span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">(</span> <span class="nx">values</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">env_tgw_info</span><span class="p">)[*].</span><span class="nx">owner_name</span> <span class="p">)</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"${lower(each.value)}-${var.lambda_role_suffix}"</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">tgw_owner_acc</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">tgw</span> <span class="p">}</span> </code></pre> </div> <h4> 2️⃣ IAM Role in Requester's Account </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># Local IAM role for Lambda to assume</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"tgw_this_acc"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="err">!</span><span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">(</span> <span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">vpc_name_pfx</span><span class="p">]</span> <span class="p">)</span> <span class="err">:</span> <span class="p">[]</span> <span class="c1">#name = "${each.value}-tgw-autotag-Role"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">xacc_tgw_role_name</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">ID</span> <span class="nx">in</span> <span class="nx">values</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">env_tgw_info</span><span class="p">)[*].</span><span class="nx">owner_id</span> <span class="err">:</span> <span class="s2">"arn:aws:iam::${ID}:root"</span> <span class="p">]</span> <span class="p">},</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">extra_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${each.value}-tgw-autotag-Role"</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"aws_iam_role.tgw_xacc_autotag"</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="c1">//</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"tgw_this_acc"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ec2:DescribeVpcs"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowLambdaReadOnlyVpcAccess"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"tgw_this_acc"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="err">!</span><span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">(</span> <span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">vpc_name_pfx</span><span class="p">]</span> <span class="p">)</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${each.value}-tgw-autotag-Policy"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IAM policy for logging from a lambda"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">tgw_this_acc</span><span class="p">.</span><span class="nx">json</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">extra_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${each.value}-tgw-autotag-Policy"</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"aws_iam_policy.tgw_xacc_autotag"</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="c1">// Attach policy to lambda Role</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"tgw_this_acc"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="err">!</span><span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="nx">toset</span><span class="p">(</span> <span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">vpc_name_pfx</span><span class="p">]</span> <span class="p">)</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">tgw_this_acc</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">].</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">tgw_this_acc</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">].</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h4> 3️⃣ Core Lambda Resources </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ------------------------------------------------------</span> <span class="c1"># Lambda function resource</span> <span class="c1"># ------------------------------------------------------</span> <span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"tgw_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"${path.module}/autotag_lambda.zip"</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/lambda/function.py"</span><span class="p">)</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"function.py"</span> <span class="p">}</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/lambda/config.py"</span><span class="p">)</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"config.py"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// CloudWatch for Lambda function</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_log_group"</span> <span class="s2">"tgw_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/aws/lambda/${local.vpc_name_pfx}-tgw-autotag"</span> <span class="c1">#</span> <span class="nx">retention_in_days</span> <span class="p">=</span> <span class="mi">14</span> <span class="p">}</span> <span class="c1">// Lambda-function</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"tgw_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">tgw_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">output_path</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"${local.vpc_name_pfx}-tgw-autotag"</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"function.handler"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">acc_lambda_role_arn</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.12"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">12</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">tgw_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">output_base64sha256</span> <span class="c1"># Advanced logging controls (optional)</span> <span class="nx">logging_config</span> <span class="p">{</span> <span class="nx">log_format</span> <span class="p">=</span> <span class="s2">"JSON"</span> <span class="nx">application_log_level</span> <span class="p">=</span> <span class="s2">"INFO"</span> <span class="nx">system_log_level</span> <span class="p">=</span> <span class="s2">"WARN"</span> <span class="p">}</span> <span class="c1"># Environment variables for config.py</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">TAG_NAME_PREFIX</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">vpc_name_pfx</span> <span class="nx">TAG_NAME_SUFFIX</span> <span class="p">=</span> <span class="s2">"att-xacc"</span> <span class="nx">XACC_ROLE_NAME</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">xacc_tgw_role_name</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Direct dependency</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_cloudwatch_log_group</span><span class="p">.</span><span class="nx">tgw_autotag</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h4> 4️⃣ CW Logs Group for CloudTrail </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_log_group"</span> <span class="s2">"ct_tgw_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/aws/cloudtrail/${local.vpc_name_pfx}-tgw-autotag"</span> <span class="c1">#</span> <span class="nx">retention_in_days</span> <span class="p">=</span> <span class="mi">14</span> <span class="p">}</span> <span class="c1">// IAM role for CloudTrail to write to CloudWatch Logs</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ct_tgw_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${lower(var.aws_acc_name)}-cloudtrail-assume-Role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"cloudtrail.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">//</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"ct_tgw_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ct_tgw_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${aws_cloudwatch_log_group.ct_tgw_autotag[0].arn}:*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h4> 5️⃣ CloudTrail + EventBridge Integration </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudtrail"</span> <span class="s2">"tgw_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${lower(var.aws_acc_name)}-tgw-attachment-trail"</span> <span class="nx">enable_logging</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">s3_bucket_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">svc_logging_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">is_multi_region_trail</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cloud_watch_logs_group_arn</span> <span class="p">=</span> <span class="s2">"${aws_cloudwatch_log_group.ct_tgw_autotag[0].arn}:*"</span> <span class="nx">cloud_watch_logs_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ct_tgw_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">include_global_service_events</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># This is the key part: enable EventBridge integration</span> <span class="nx">event_selector</span> <span class="p">{</span> <span class="nx">read_write_type</span> <span class="p">=</span> <span class="s2">"All"</span> <span class="nx">include_management_events</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">data_resource</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AWS::Lambda::Function"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">tgw_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Module</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tf_module_name</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"aws_cloudtrail.tgw_autotag"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> 6️⃣ EventBridge Rule &amp; Target </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"acer_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${lower(var.aws_acc_name)}-tgw-attachment-created"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Triggers when TGW attachments are created"</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aws.ec2"</span><span class="p">],</span> <span class="nx">detail-type</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"AWS API Call via CloudTrail"</span><span class="p">],</span> <span class="nx">detail</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">eventSource</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ec2.amazonaws.com"</span><span class="p">],</span> <span class="nx">eventName</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"AcceptTransitGatewayVpcAttachment"</span><span class="p">,</span> <span class="s2">"CreateTransitGatewayVpcAttachment"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// Lambda target</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"acet_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">acer_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="s2">"TGWAutotagLambda"</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">tgw_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1">// allow EventBridge</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"alp_autotag"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">run_acc</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tgw_owner_acc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowExecutionFromEventBridge"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">tgw_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"events.amazonaws.com"</span> <span class="nx">source_arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">acer_autotag</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h2> Conclusion: The Benefits <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Benefit</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Operational Consistency</td> <td>Ensures every TGW attachment inherits tags from its requester VPC.</td> </tr> <tr> <td>Cross-Account Governance</td> <td>Uses IAM roles and least-privilege policies to enforce separation of duties.</td> </tr> <tr> <td>Accurate Cost Allocation</td> <td>Tags align with Cost Center, Environment, and Ownership standards.</td> </tr> <tr> <td>Event-Driven Scalability</td> <td>Fully serverless; no polling or scheduled jobs.</td> </tr> <tr> <td>Future-Proof</td> <td>Handles both legacy and new CloudTrail event formats.</td> </tr> </tbody> </table></div> <h2> End Result <a></a> </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmp1laopg1ohv1956mrez.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmp1laopg1ohv1956mrez.png" alt=" " width="800" height="693"></a></p> <blockquote> <p>The ones with <code>-att</code> are the native to the TGW owner's account and the ones with <code>-att-xacc</code> are cross-account from requesters' account. </p> </blockquote> <h2> Troubleshooting <a></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Error Events</th> <th>Possible Actions</th> </tr> </thead> <tbody> <tr> <td>EventBridge not triggering</td> <td>Ensure CloudTrail includes management events</td> </tr> <tr> <td>Lambda <code>AccessDenied</code> </td> <td>Verify cross-account IAM trust and attached permissions</td> </tr> <tr> <td>Attachment not tagged</td> <td>Event might arrive while TGW attachment is still in <em>pending</em>; consider adding a short delay or retry</td> </tr> </tbody> </table></div> <h2> Key Takeaways <a></a> </h2> <ul> <li>Keep CloudTrail broad; let EventBridge do the filtering.</li> <li>Enable <code>include_management_events = true</code> to catch TGW API calls.</li> <li>Always use <code>ec2.amazonaws.com</code> as the event source for TGW-related APIs.</li> <li>Avoid excluding EC2 management events unless absolutely necessary.</li> </ul> <h2> Future Enhancements <a></a> </h2> <p>As it goes, there are always some room for improvements. Those are a few things in the bucket-list to implement:</p> <ul> <li>Add SNS notifications for tagging failures.</li> <li>Extend to tag DeleteTransitGatewayVpcAttachment cleanup events.</li> <li>Integrate with AWS Service Catalog TagOptions for standardization.</li> <li>Publish metrics via CloudWatch Insights for audit reporting.</li> </ul> aws serverless terraform lambda