From 1a6576e5f189628c9957841cd91cc0315d12856f Mon Sep 17 00:00:00 2001
From: Dave Hall
Date: Sun, 20 Oct 2024 22:43:31 +1100
Subject: [PATCH 1/2] Fix network config

---
 picofun/templates/main.tf.j2 | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/picofun/templates/main.tf.j2 b/picofun/templates/main.tf.j2
index ebf5e09..44ae854 100644
--- a/picofun/templates/main.tf.j2
+++ b/picofun/templates/main.tf.j2
@@ -44,12 +44,10 @@ data "aws_subnet" "this" {
 id = each.value
 }
 
-resource "aws_vpc_security_group" "lambda" {
- count = length(data.aws_subnet.this) > 0 ? 1 : 0
-
+resource "aws_security_group" "lambda" {
 name = "pf-{{ namespace }}-lambdas"
 description = "Security group for pf-{{ namespace }} lambda functions"
- vpc_id = data.aws_subnet.this[0].vpc_id
+ vpc_id = data.aws_subnet.this[local.subnet_ids[0]].vpc_id
 
 tags = local.tags
 }
@@ -113,9 +111,9 @@ resource "aws_lambda_function" "this" {
 timeout = 10
 layers = local.layers
 {% if subnets|length > 0 %}
- "vpc_config" {
- security_group_ids = aws_vpc_security_group.lambda[*].id
- subnet_ids = data.aws_subnet.this[*].id
+ vpc_config {
+ security_group_ids = [aws_security_group.lambda.id]
+ subnet_ids = [for subnet in data.aws_subnet.this: subnet.id]
 }
 {% endif %}
 tags = local.tags
@@ -147,7 +145,7 @@ resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
 }
 
 {% if subnets|length > 0 %}
-resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+resource "aws_iam_role_policy_attachment" "lambda_eni_management" {
 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
 role = aws_iam_role.lambda.name
 }

From 2d2896649f84de4c894cfe931f7871b262419f22 Mon Sep 17 00:00:00 2001
From: Dave Hall
Date: Mon, 21 Oct 2024 02:58:38 +1100
Subject: [PATCH 2/2] Add networking to example

---
 example/.github/workflows/deploy.yaml | 2 +-
 example/extra.tf | 57 +++++++++++++++++++++++++++
 example/picofun.toml | 1 +
 3 files changed, 59 insertions(+), 1 deletion(-)
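Review bot: `vpc_id = data.aws_subnet.this[local.subnet_ids[0]].vpc_id` is now evaluated unconditionally, because the commit drops the `count = length(data.aws_subnet.this) > 0 ? 1 : 0` guard without placing the resource behind a Jinja condition; when `subnets` is empty, `local.subnet_ids[0]` (assuming that is the list the data source is keyed on) fails with an invalid-index error at plan time unless a `{% if subnets|length > 0 %}` block outside the hunk already wraps it. The file already uses exactly that guard around `vpc_config` and around the `lambda_eni_management` attachment in the other two hunks, so wrapping `resource "aws_security_group" "lambda"` in the same `{% if subnets|length > 0 %}` / `{% endif %}` pair would keep the three consistent and restore the old conditional behaviour. The resource also declares no ingress or egress blocks, so what outbound access the function ends up with depends on how the provider treats the default egress rule; a comment such as `# No rules are declared here on purpose; add egress rules per destination (see example/extra.tf).` would document that intent for whoever generates a config from this template.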
diff --git a/example/.github/workflows/deploy.yaml b/example/.github/workflows/deploy.yaml
index 59e8fba..6e3b3ee 100644
--- a/example/.github/workflows/deploy.yaml
+++ b/example/.github/workflows/deploy.yaml
@@ -32,7 +32,7 @@ jobs:
 
 - name: Run PicoFun
 id: run-picofun
- run: pipx run --spec git+https://github.com/proactiveops/picofun --config-file picofun.toml zendesk https://developer.zendesk.com/zendesk/oas.yaml
+ run: pipx run picofun --config-file picofun.toml zendesk https://developer.zendesk.com/zendesk/oas.yaml
 
 - name: Copy Extra Terraform Files
 id: copy-extra-tf-files
diff --git a/example/extra.tf b/example/extra.tf
index 6af3b36..a357300 100644
--- a/example/extra.tf
+++ b/example/extra.tf
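Review bot: `run: pipx run picofun --config-file ...` installs whichever picofun release is current on the package index at workflow time, so two runs of this deploy job can generate Terraform from different, unreviewed versions of the generator. The previous `--spec git+https://...` form was unpinned too, but the move to a published package is the point at which to pin it: `run: pipx run picofun==<pinned-version> --config-file picofun.toml zendesk https://developer.zendesk.com/zendesk/oas.yaml` makes the generated output reproducible and turns version changes into a deliberate, reviewable diff. The step belongs to a job whose definition starts outside the hunk.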
@@ -26,6 +26,63 @@ resource "aws_iam_role_policy_attachment" "ssm_read" {
 policy_arn = aws_iam_policy.ssm_read.arn
 }
 
+data "aws_vpc_endpoint" "cloudwatch" {
+ service_name = "com.amazonaws.us-east-1.logs"
+}
+
+# I was lazy when I set this up so all my VPCendpoints are in the same security group.
+# This is a bad idea! For real workloads you should have a security group per VPC endpoint.
+resource "aws_vpc_security_group_egress_rule" "lambda_to_cloudwatch" {
+ for_each = toset(data.aws_vpc_endpoint.cloudwatch.security_group_ids)
+
+ security_group_id = aws_security_group.lambda.id
+
+ referenced_security_group_id = each.value
+
+ from_port = 443
+ ip_protocol = "tcp"
+ to_port = 443
+}
+
+resource "aws_vpc_security_group_ingress_rule" "lambda_to_cloudwatch" {
+ for_each = toset(data.aws_vpc_endpoint.cloudwatch.security_group_ids)
+
+ security_group_id = each.value
+
+ referenced_security_group_id = aws_security_group.lambda.id
+
+ from_port = 443
+ ip_protocol = "tcp"
+ to_port = 443
+}
+
+resource "aws_vpc_security_group_egress_rule" "zendesk" {
+ # See https://developer.zendesk.com/api-reference/ticketing/account-configuration/public_ips/
+ # for getting thses IPs. I used `curl -q 'https://[my-subdomain].zendesk.com/ips' | jq -r '.ips.ingress.all | sort'`
+ # to generate the list.
+ for_each = toset([
+ "104.18.172.234/32",
+ "104.18.173.234/32",
+ "104.18.248.37/32",
+ "104.18.249.37/32",
+ "104.18.70.113/32",
+ "104.18.71.113/32",
+ "104.18.72.113/32",
+ "104.18.73.113/32",
+ "104.18.74.113/32",
+ "162.159.128.7/32",
+ "162.159.138.6/32",
+ "216.198.0.0/18",
+ ])
+
+ security_group_id = aws_security_group.lambda.id
+
+ cidr_ipv4 = each.value
+ from_port = 443
+ ip_protocol = "tcp"
+ to_port = 443
+}
+
 terraform {
 required_version = "~> 1.0"
 required_providers {
diff --git a/example/picofun.toml b/example/picofun.toml
index 74c4bb2..3f755e5 100644
--- a/example/picofun.toml
+++ b/example/picofun.toml
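Review bot: The allow-list in `resource "aws_vpc_security_group_egress_rule" "zendesk"` is a point-in-time snapshot with no record of when it was captured, so when Zendesk rotates an address the functions' outbound calls start failing with nothing in the code suggesting the list is stale. The existing comment already says how the list was produced; adding the capture date and a refresh step, e.g. `# Snapshot taken <date>; re-run the command above and diff the result before each deploy.`, makes the drift visible to the next maintainer (that comment also has a typo, `thses` for `these`). `service_name = "com.amazonaws.us-east-1.logs"` hard-codes a region that the rest of the example presumably takes from the provider configuration; if a region data source is available to this file, deriving the service name from it avoids a silent mismatch when the provider region changes. The ingress rule also writes rules into security groups this configuration does not own, which the "lazy" comment acknowledges but which is worth restating in the resource itself since those groups front every endpoint sharing them.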
@@ -2,6 +2,7 @@ bundle = "helpers"
 iam_role_prefix = "pf-example-"
 preprocessor = "zendesk_common.preprocessor.preprocess"
 layers = ["arn:aws:lambda:us-east-1:017000801446:layer:AWSLambdaPowertoolsPythonV2:79"]
+subnets=["subnet-707a1eeloaded", "subnet-d3adb33f" , "subnet-badcafe"]
 
 [tags]
 app = "picofun-zendesk"
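Review bot: `subnets=["subnet-707a1eeloaded", "subnet-d3adb33f" , "subnet-badcafe"]` departs from the `key = value` spacing used by every other line in the file and has a stray space before the second comma; `subnets = ["subnet-707a1eeloaded", "subnet-d3adb33f", "subnet-badcafe"]` matches the surrounding style. The values also look like placeholders rather than real subnet IDs (at least the first contains non-hex characters after `subnet-`), so anyone copying the example will get a lookup failure from the `aws_subnet` data source; a comment such as `# Replace with the IDs of the subnets the functions should be attached to` would make that explicit.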