/* 
  Lambda function to pull PI metrics and push to CloudWatch 
*/

/* 
  Archive the python script
*/
data "archive_file" "python_lambda_package" {
  type = "zip"
  source_file = "${path.module}/code/lambda_function.py"
  output_path = "lfx.zip"
}

/*
  Create the lamda function
*/
resource "aws_lambda_function" "pi_lambda_function" {
    function_name = "lambdaPI"    
    filename      = "lfx.zip"
    source_code_hash = data.archive_file.python_lambda_package.output_base64sha256
    role          = aws_iam_role.pi_lambda_role.arn
    runtime       = "python3.9"
    handler       = "lambda_function.lambda_handler"
    timeout       = 15
    environment {
      variables = {
        PINamespace = "${var.PINamespace}"
        RDSFilterInTags = join(";", formatlist("%s=%s", keys(var.RDSFilterInTags), values(var.RDSFilterInTags)))
      }
    }
   tracing_config {
     mode = "Active"
   }
}

/*
  Create user role for lambda function
*/
data "aws_iam_policy_document" "lambda_trust_policy" {
  statement {
    actions    = ["sts:AssumeRole"]
    effect     = "Allow"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "lambda_policy_doc" {
  statement{
    actions= [
      "logs:CreateLogGroup"
    ]
    effect= "Allow"
    resources = ["arn:aws:logs:${var.AWSRegion}:${var.AWSAccountID}:*"]
  }
  statement{
    actions= [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    effect= "Allow"
    resources = ["arn:aws:logs:${var.AWSRegion}:${var.AWSAccountID}:log-group:/aws/lambda/lambdaPI:*"]
  }
  statement{
    actions= [
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:PutMetricData",
      "logs:DescribeLogStreams",
      "logs:GetLogEvents",
      "rds:Describe*",
      "rds:ListTagsForResource",
      "rds:DescribeDBInstances"
    ]
    effect= "Allow"    
    resources = ["*"]
  }
  statement {
    actions= [
      "pi:GetDimensionKeyDetails",
      "pi:GetResourceMetadata",
      "pi:ListAvailableResourceDimensions",
      "pi:DescribeDimensionKeys",
      "pi:ListAvailableResourceMetrics",
      "pi:GetResourceMetrics"
    ]
    effect= "Allow"
    #we want to get info about all RDS databases in this account and so we are using a * under rds metrics
    #tfsec:ignore:aws-iam-no-policy-wildcards
    resources = ["arn:aws:pi:${var.AWSRegion}:${var.AWSAccountID}:metrics/rds/*"]
  }	  
}

resource "aws_iam_role" "pi_lambda_role" {
  name = "lambda-pi-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust_policy.json
   # Attach the policy
  inline_policy {
	name = "policy-lambda-permissions"
    policy = data.aws_iam_policy_document.lambda_policy_doc.json
  }
}

/* 
  Create a lambda trigger that will run every X minutes 
*/

resource "aws_cloudwatch_event_rule" "every_minute" {
    name = "every-minute"
    description = "Fires every minute"
    schedule_expression = "rate(1 minute)"
}

resource "aws_cloudwatch_event_target" "call_pi_lambda_every_minute" {
    rule = "${aws_cloudwatch_event_rule.every_minute.name}"
    target_id = "pi_lambda_function"
    arn = "${aws_lambda_function.pi_lambda_function.arn}"
}

resource "aws_lambda_permission" "allow_cloudwatch_to_call_pi_lambda_function" {
    statement_id = "AllowExecutionFromCloudWatch"
    action = "lambda:InvokeFunction"
    function_name = "${aws_lambda_function.pi_lambda_function.function_name}"
    principal = "events.amazonaws.com"
    source_arn = "${aws_cloudwatch_event_rule.every_minute.arn}"
}