@exabugs/dynamodb-client 0.4.1 → 0.6.0

package/terraform/modules/parameter-store/README.md

@@ -0,0 +1,113 @@
+# Parameter Store Terraform Module
+
+AWS Parameter Storeを使用してアプリケーション設定を管理するTerraformモジュールです。
+
+## 概要
+
+このモジュールは、DynamoDB Clientライブラリを使用するアプリケーションの設定情報をAWS Parameter Storeで管理します。
+
+## 特徴
+
+- **Standard階層**: 標準スループット（1,000 TPS以下）では無料
+- **SecureString**: すべてのパラメータをKMS暗号化で保存
+- **AWS管理キー**: `alias/aws/ssm`を使用（月額料金なし）
+- **階層構造**: `/{project_name}/{environment}/`で環境別に管理
+- **IAMポリシー**: Admin UIとFetch Lambda用のアクセス権限を提供
+
+## 使用方法
+
+```hcl
+module "parameter_store" {
+  source = "./modules/parameter-store"
+
+  # 基本設定
+  project_name = "my-project"
+  environment  = "dev"
+  region       = "us-east-1"
+
+  # Records Lambda設定
+  records_function_url = "https://abc123.lambda-url.us-east-1.on.aws/"
+  records_function_arn = "arn:aws:lambda:us-east-1:123456789012:function:my-project-dev-records"
+
+  # Cognito設定
+  cognito_user_pool_id       = "us-east-1_ABC123DEF"
+  cognito_admin_ui_client_id = "abc123def456ghi789"
+  cognito_user_pool_domain   = "my-project-dev"
+
+  # DynamoDB設定
+  dynamodb_table_name = "my-project-dev-records"
+}
+```
+
+## パラメータ構造
+
+### アプリケーション設定 (`/app/`)
+
+- `/{project_name}/{environment}/app/records-api-url`
+- `/{project_name}/{environment}/app/admin-ui/cognito-user-pool-id`
+- `/{project_name}/{environment}/app/admin-ui/cognito-client-id`
+- `/{project_name}/{environment}/app/admin-ui/cognito-domain`
+
+### インフラ情報 (`/infra/`)
+
+- `/{project_name}/{environment}/infra/dynamodb-table-name`
+
+### Lambda情報 (`/lambda/`)
+
+- `/{project_name}/{environment}/lambda/records-function-arn`
+
+## IAMポリシー
+
+### Admin UI用ポリシー
+
+Admin UIが必要とするパラメータへの読み取り権限：
+
+```json
+{
+  "Effect": "Allow",
+  "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
+  "Resource": ["arn:aws:ssm:region:*:parameter/{project_name}/{environment}/app/*"]
+}
+```
+
+### Fetch Lambda用ポリシー
+
+Fetch Lambdaが必要とする特定パラメータへの読み取り権限：
+
+```json
+{
+  "Effect": "Allow",
+  "Action": ["ssm:GetParameter", "ssm:GetParameters"],
+  "Resource": [
+    "arn:aws:ssm:region:*:parameter/{project_name}/{environment}/app/records-api-url",
+    "arn:aws:ssm:region:*:parameter/{project_name}/{environment}/lambda/records-function-arn"
+  ]
+}
+```
+
+## 出力
+
+- `parameter_arns`: 作成されたパラメータのARN一覧
+- `parameter_names`: 作成されたパラメータの名前一覧
+- `parameter_paths`: 作成されたパラメータのパス一覧
+- `iam_policy_arns`: 作成されたIAMポリシーのARN一覧
+- `iam_policy_names`: 作成されたIAMポリシーの名前一覧
+
+## コスト
+
+- **Parameter Store Standard**: 標準スループット（1,000 TPS以下）では無料
+- **AWS管理キー**: 無料（カスタマー管理キーと異なり月額料金なし）
+- **実質的なコスト**: 通常の使用では完全に無料
+
+## セキュリティ
+
+- すべてのパラメータがKMS暗号化（SecureString）
+- IAMによる細かい権限管理
+- CloudTrailで完全な操作追跡
+- 最小権限の原則に基づくアクセス制御
+
+## 要件
+
+- Terraform >= 1.0
+- AWS Provider >= 4.0
+- 適切なAWS認証情報の設定

package/terraform/modules/parameter-store/iam.tf

@@ -0,0 +1,59 @@
+# Parameter Store アクセス用IAMポリシー
+
+# Admin UI用Parameter Store読み取りポリシー
+resource "aws_iam_policy" "admin_ui_parameter_read" {
+  name        = "${var.project_name}-${var.environment}-admin-ui-parameter-read"
+  description = "Admin UI用Parameter Store読み取り権限"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+          "ssm:GetParametersByPath"
+        ]
+        Resource = [
+          "arn:aws:ssm:${var.region}:*:parameter/${var.project_name}/${var.environment}/app/*"
+        ]
+      }
+    ]
+  })
+
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+    Purpose     = "admin-ui-parameter-access"
+  }
+}
+
+# Fetch Lambda用Parameter Store読み取りポリシー
+resource "aws_iam_policy" "fetch_lambda_parameter_read" {
+  name        = "${var.project_name}-${var.environment}-fetch-lambda-parameter-read"
+  description = "Fetch Lambda用Parameter Store読み取り権限"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ssm:GetParameter",
+          "ssm:GetParameters"
+        ]
+        Resource = [
+          "arn:aws:ssm:${var.region}:*:parameter/${var.project_name}/${var.environment}/app/records-api-url",
+          "arn:aws:ssm:${var.region}:*:parameter/${var.project_name}/${var.environment}/lambda/records-function-arn"
+        ]
+      }
+    ]
+  })
+
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+    Purpose     = "fetch-lambda-parameter-access"
+  }
+}

package/terraform/modules/parameter-store/main.tf

@@ -0,0 +1,105 @@
+# Parameter Store モジュール
+# AWS Parameter Store を使用してアプリケーション設定を管理
+
+# Parameter Store設定の共通変数
+locals {
+  parameter_tier = "Standard"     # Standard階層を使用（実質無料）
+  parameter_type = "SecureString" # すべてSecureStringで統一
+  # AWS管理キー（alias/aws/ssm）を使用（カスタマー管理キーは禁止）
+}
+
+# Records Lambda Function URL
+resource "aws_ssm_parameter" "app_records_api_url" {
+  name  = "/${var.project_name}/${var.environment}/app/records-api-url"
+  type  = local.parameter_type
+  tier  = local.parameter_tier
+  value = var.records_function_url
+
+  description = "Records Lambda Function URL"
+
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+    Category    = "app-config"
+  }
+}
+
+# Cognito User Pool ID for Admin UI
+resource "aws_ssm_parameter" "app_admin_ui_cognito_user_pool_id" {
+  name  = "/${var.project_name}/${var.environment}/app/admin-ui/cognito-user-pool-id"
+  type  = local.parameter_type
+  tier  = local.parameter_tier
+  value = var.cognito_user_pool_id
+
+  description = "Cognito User Pool ID for Admin UI"
+
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+    Category    = "app-config"
+  }
+}
+
+# Cognito Client ID for Admin UI
+resource "aws_ssm_parameter" "app_admin_ui_cognito_client_id" {
+  name  = "/${var.project_name}/${var.environment}/app/admin-ui/cognito-client-id"
+  type  = local.parameter_type
+  tier  = local.parameter_tier
+  value = var.cognito_admin_ui_client_id
+
+  description = "Cognito Client ID for Admin UI"
+
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+    Category    = "app-config"
+  }
+}
+
+# Cognito Domain for Admin UI
+resource "aws_ssm_parameter" "app_admin_ui_cognito_domain" {
+  name  = "/${var.project_name}/${var.environment}/app/admin-ui/cognito-domain"
+  type  = local.parameter_type
+  tier  = local.parameter_tier
+  value = "${var.cognito_user_pool_domain}.auth.${var.region}.amazoncognito.com"
+
+  description = "Cognito Domain for Admin UI"
+
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+    Category    = "app-config"
+  }
+}
+
+# DynamoDB Table Name
+resource "aws_ssm_parameter" "infra_dynamodb_table_name" {
+  name  = "/${var.project_name}/${var.environment}/infra/dynamodb-table-name"
+  type  = local.parameter_type
+  tier  = local.parameter_tier
+  value = var.dynamodb_table_name
+
+  description = "DynamoDB Table Name"
+
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+    Category    = "infra-info"
+  }
+}
+
+# Records Lambda Function ARN
+resource "aws_ssm_parameter" "lambda_records_function_arn" {
+  name  = "/${var.project_name}/${var.environment}/lambda/records-function-arn"
+  type  = local.parameter_type
+  tier  = local.parameter_tier
+  value = var.records_function_arn
+
+  description = "Records Lambda Function ARN"
+
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+    Category    = "lambda-info"
+  }
+}

package/terraform/modules/parameter-store/outputs.tf

@@ -0,0 +1,58 @@
+# Parameter Store モジュール出力
+
+# Parameter Store ARNs
+output "parameter_arns" {
+  description = "作成されたParameter StoreパラメータのARN一覧"
+  value = {
+    records_api_url      = aws_ssm_parameter.app_records_api_url.arn
+    cognito_user_pool_id = aws_ssm_parameter.app_admin_ui_cognito_user_pool_id.arn
+    cognito_client_id    = aws_ssm_parameter.app_admin_ui_cognito_client_id.arn
+    cognito_domain       = aws_ssm_parameter.app_admin_ui_cognito_domain.arn
+    dynamodb_table_name  = aws_ssm_parameter.infra_dynamodb_table_name.arn
+    records_function_arn = aws_ssm_parameter.lambda_records_function_arn.arn
+  }
+}
+
+# Parameter Store Names
+output "parameter_names" {
+  description = "作成されたParameter Storeパラメータの名前一覧"
+  value = {
+    records_api_url      = aws_ssm_parameter.app_records_api_url.name
+    cognito_user_pool_id = aws_ssm_parameter.app_admin_ui_cognito_user_pool_id.name
+    cognito_client_id    = aws_ssm_parameter.app_admin_ui_cognito_client_id.name
+    cognito_domain       = aws_ssm_parameter.app_admin_ui_cognito_domain.name
+    dynamodb_table_name  = aws_ssm_parameter.infra_dynamodb_table_name.name
+    records_function_arn = aws_ssm_parameter.lambda_records_function_arn.name
+  }
+}
+
+# Parameter Store Paths (same as names)
+output "parameter_paths" {
+  description = "作成されたParameter Storeパラメータのパス一覧"
+  value = {
+    records_api_url      = aws_ssm_parameter.app_records_api_url.name
+    cognito_user_pool_id = aws_ssm_parameter.app_admin_ui_cognito_user_pool_id.name
+    cognito_client_id    = aws_ssm_parameter.app_admin_ui_cognito_client_id.name
+    cognito_domain       = aws_ssm_parameter.app_admin_ui_cognito_domain.name
+    dynamodb_table_name  = aws_ssm_parameter.infra_dynamodb_table_name.name
+    records_function_arn = aws_ssm_parameter.lambda_records_function_arn.name
+  }
+}
+
+# IAM Policy ARNs
+output "iam_policy_arns" {
+  description = "作成されたIAMポリシーのARN一覧"
+  value = {
+    admin_ui_parameter_read     = aws_iam_policy.admin_ui_parameter_read.arn
+    fetch_lambda_parameter_read = aws_iam_policy.fetch_lambda_parameter_read.arn
+  }
+}
+
+# IAM Policy Names
+output "iam_policy_names" {
+  description = "作成されたIAMポリシーの名前一覧"
+  value = {
+    admin_ui_parameter_read     = aws_iam_policy.admin_ui_parameter_read.name
+    fetch_lambda_parameter_read = aws_iam_policy.fetch_lambda_parameter_read.name
+  }
+}

package/terraform/modules/parameter-store/variables.tf

@@ -0,0 +1,46 @@
+# Parameter Store モジュール変数定義
+
+variable "project_name" {
+  description = "プロジェクト名"
+  type        = string
+}
+
+variable "environment" {
+  description = "環境識別子（dev, stg, prd）"
+  type        = string
+}
+
+variable "region" {
+  description = "AWSリージョン"
+  type        = string
+}
+
+variable "records_function_url" {
+  description = "Records Lambda Function URL"
+  type        = string
+}
+
+variable "cognito_user_pool_id" {
+  description = "Cognito User Pool ID"
+  type        = string
+}
+
+variable "cognito_admin_ui_client_id" {
+  description = "Admin UI用Cognito App Client ID"
+  type        = string
+}
+
+variable "cognito_user_pool_domain" {
+  description = "Cognito User Pool Domain"
+  type        = string
+}
+
+variable "dynamodb_table_name" {
+  description = "DynamoDB Table Name"
+  type        = string
+}
+
+variable "records_function_arn" {
+  description = "Records Lambda Function ARN"
+  type        = string
+}

package/terraform/variables.tf

@@ -36,6 +36,11 @@ variable "cognito_client_id" {
   default     = ""
 }
 
+variable "cognito_user_pool_domain" {
+  description = "Cognito User Pool Domain"
+  type        = string
+}
+
 variable "log_retention_days" {
   description = "CloudWatch Logsの保持期間（日数）"
   type        = number