terraform.aws-baseline-infra/modules/compute/ec2-instance-scheduler/main.tf
2024-02-27 10:23:48 +08:00


# Account ID of the credentials running this apply; used below to scope IAM
# resource ARNs to this account.
data "aws_caller_identity" "this" {}
# Four random bytes, rendered in decimal, used as a suffix on the Scheduler
# role name so several instances of this module can coexist in one account.
resource "random_id" "this" {
  byte_length = 4
}
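# Execution role that EventBridge Scheduler assumes to invoke the start/stop
# Lambda. Only the Scheduler service principal may assume it, and only on
# behalf of a schedule in this account (aws:SourceAccount). Without that
# condition any schedule in any account that names this role as its target
# role could have Scheduler assume it — the cross-service confused-deputy
# case AWS documents the SourceAccount/SourceArn keys against.
resource "aws_iam_role" "eventscheduler" {
  name = "EventSchedulerRole-${random_id.this.dec}"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowSchedulerToAssume"
        Effect = "Allow"
        Principal = {
          Service = "scheduler.amazonaws.com"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.this.account_id
          }
        }
      }
    ]
  })
}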
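# NOTE(review): the AmazonEventBridgeSchedulerFullAccess attachment that used
# to live here (aws_iam_role_policy_attachment.default) has been removed.
# That AWS-managed policy grants scheduler:* plus iam:PassRole towards the
# Scheduler service — what a human or pipeline that *manages* schedules needs,
# not what the execution role Scheduler assumes to *invoke a target* needs.
# The only permission this role requires is lambda:InvokeFunction on the
# start/stop function, which the inline aws_iam_role_policy.eventscheduler
# below already grants; the managed policy only widened the blast radius of a
# role that is assumable by a service principal.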
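# Execution role for the start/stop Lambda. Only the Lambda service principal
# may assume it, and only for functions in this account (aws:SourceAccount).
# aws:SourceArn is deliberately not pinned to the function ARN: that would make
# this role depend on aws_lambda_function.ec2-start-stop, which itself depends
# on this role, i.e. a dependency cycle.
resource "aws_iam_role" "this" {
  name = "lambda-startstop-ec2-${var.description}"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowLambdaToAssume"
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.this.account_id
          }
        }
      }
    ]
  })
}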
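# Permissions for the start/stop Lambda. Each statement is scoped as tightly
# as the module's inputs allow:
#   * logging is limited to this function's own log group, derived from
#     aws_cloudwatch_log_group.this instead of a hard-coded region (the
#     original pinned ap-east-1, so the function silently lost its logs when
#     the module was applied in any other region);
#   * start/stop is limited to the instance IDs passed to the module instead
#     of "*", which allowed stopping every instance in the account;
#   * kms:CreateGrant is kept (needed to start an instance whose EBS volumes
#     are encrypted with a customer-managed key) but restricted with
#     kms:GrantIsForAWSResource, so the grant can only be created by an AWS
#     service (EC2) on the function's behalf, never directly by the function.
# Assumes var.instance-ids is a list of EC2 instance IDs; the same value is
# jsonencoded into the Lambda environment further down.
resource "aws_iam_role_policy" "this" {
  name = "LambdaExecutionPolicy"
  role = aws_iam_role.this.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowWritingToCloudwatchLogGroup"
        Effect = "Allow"
        Action = [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ]
        # The log group is created by Terraform (aws_cloudwatch_log_group.this),
        # so the function does not need logs:CreateLogGroup. The ":*" form
        # covers the log streams inside the group.
        Resource = [
          aws_cloudwatch_log_group.this.arn,
          "${aws_cloudwatch_log_group.this.arn}:*"
        ]
      },
      {
        Sid    = "AllowStartingStoppingOfEc2Instance"
        Effect = "Allow"
        Action = [
          "ec2:StartInstances",
          "ec2:StopInstances"
        ]
        Resource = [
          for id in var.instance-ids :
          "arn:aws:ec2:*:${data.aws_caller_identity.this.account_id}:instance/${id}"
        ]
      },
      {
        Sid      = "AllowKmsGrantForEncryptedVolumes"
        Effect   = "Allow"
        Action   = "kms:CreateGrant"
        Resource = "*"
        Condition = {
          Bool = {
            "kms:GrantIsForAWSResource" = "true"
          }
        }
      }
    ]
  })
}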
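# What the Scheduler execution role may do: invoke exactly the start/stop
# function (and its versions/aliases via the ":*" form), nothing else. The
# original granted lambda:InvokeFunction on "*", i.e. every function in the
# account, to a role assumable by a service principal.
resource "aws_iam_role_policy" "eventscheduler" {
  name = "LambdaInvocation"
  role = aws_iam_role.eventscheduler.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowInvocationOfLambdaFunction"
        Effect = "Allow"
        Action = "lambda:InvokeFunction"
        Resource = [
          aws_lambda_function.ec2-start-stop.arn,
          "${aws_lambda_function.ec2-start-stop.arn}:*"
        ]
      }
    ]
  })
}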
# Start schedule: at var.instance-start-cron-expression, invoke the start/stop
# Lambda with {"action": "start"}. Scheduler invokes the target by assuming
# aws_iam_role.eventscheduler, not through the function's resource policy.
# The cron expression is evaluated in UTC unless schedule_expression_timezone
# is set, and the run is not jittered (flexible_time_window OFF).
resource "aws_scheduler_schedule" "start" {
  name                = "scheduled-start-of-${var.description}-instances"
  description         = "Starts ${var.description} ec2 instance"
  schedule_expression = var.instance-start-cron-expression

  flexible_time_window {
    mode = "OFF"
  }

  target {
    arn      = aws_lambda_function.ec2-start-stop.arn
    role_arn = aws_iam_role.eventscheduler.arn
    input    = jsonencode({ action = "start" })

    # Retry a failed invocation at most once, and stop trying 10 minutes after
    # the scheduled time.
    retry_policy {
      maximum_retry_attempts       = 1
      maximum_event_age_in_seconds = 600
    }
  }
}
# Stop schedule: at var.instance-stop-cron-expression, invoke the start/stop
# Lambda with {"action": "stop"}. Scheduler invokes the target by assuming
# aws_iam_role.eventscheduler, not through the function's resource policy.
# The cron expression is evaluated in UTC unless schedule_expression_timezone
# is set, and the run is not jittered (flexible_time_window OFF).
resource "aws_scheduler_schedule" "stop" {
  name                = "scheduled-stop-of-${var.description}-instances"
  description         = "Stops ${var.description} ec2 instance"
  schedule_expression = var.instance-stop-cron-expression

  flexible_time_window {
    mode = "OFF"
  }

  target {
    arn      = aws_lambda_function.ec2-start-stop.arn
    role_arn = aws_iam_role.eventscheduler.arn
    input    = jsonencode({ action = "stop" })

    # Retry a failed invocation at most once, and stop trying 10 minutes after
    # the scheduled time.
    retry_policy {
      maximum_retry_attempts       = 1
      maximum_event_age_in_seconds = 600
    }
  }
}
#
#resource "aws_cloudwatch_event_rule" "start" {
# name = "scheduled-start-of-${var.description}-instances"
# description = "Starts automation ec2 instance"
# schedule_expression = var.instance-start-cron-expression
#}
#
#resource "aws_cloudwatch_event_rule" "stop" {
# name = "scheduled-stop-of-${var.description}-instances"
# description = "Stops automation ec2 instance"
# schedule_expression = var.instance-stop-cron-expression
#}
#
#resource "aws_cloudwatch_event_target" "start" {
# rule = aws_cloudwatch_event_rule.start.name
# arn = aws_lambda_function.ec2-start-stop.arn
# input = "{\"action\": \"start\"}"
#}
#
#resource "aws_cloudwatch_event_target" "stop" {
# rule = aws_cloudwatch_event_rule.stop.name
# arn = aws_lambda_function.ec2-start-stop.arn
# input = "{\"action\": \"stop\"}"
#}
# Lambda function for instance scheduler
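# Zip the single-file handler that ships next to this module. The archive is
# written next to the module as well: the original wrote "lambda-package.zip"
# relative to the directory terraform is run from, so the artifact landed in
# the root module's working directory and any other module packaging a
# different source under the same name would overwrite it.
data "archive_file" "lambda-package" {
  type        = "zip"
  source_file = "${path.module}/Ec2Scheduler.py"
  output_path = "${path.module}/lambda-package.zip"
}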
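# The start/stop function itself, packaged from Ec2Scheduler.py next to this
# file and run under aws_iam_role.this. The instance IDs are handed over in the
# "instances" environment variable as a JSON document; the handler is expected
# to parse it, but the handler source is not visible here — confirm against
# Ec2Scheduler.py.
resource "aws_lambda_function" "ec2-start-stop" {
  function_name    = "${var.description}-ec2-start-stop"
  filename         = data.archive_file.lambda-package.output_path
  source_code_hash = data.archive_file.lambda-package.output_base64sha256
  handler          = "Ec2Scheduler.lambda_handler"
  runtime          = "python3.12"
  role             = aws_iam_role.this.arn
  timeout          = 30

  environment {
    variables = {
      instances = jsonencode(var.instance-ids)
    }
  }

  # Order the apply so the role's inline policy and the pre-created log group
  # exist before the function can be invoked. Without this a schedule firing
  # between creation of the function and creation of the log group lets the
  # Lambda service create the group itself (with no retention), after which
  # the aws_cloudwatch_log_group.this apply fails because it already exists.
  depends_on = [
    aws_iam_role_policy.this,
    aws_cloudwatch_log_group.this,
  ]
}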
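# Resource-based permission for EventBridge *rules* (events.amazonaws.com) to
# invoke the function. The active schedules above use EventBridge Scheduler,
# which invokes through aws_iam_role.eventscheduler and does not need this
# grant, so it appears to be a leftover of the commented-out
# aws_cloudwatch_event_* resources and can probably be dropped. Until then it
# is at least pinned to this account: without source_account (or source_arn)
# the statement trusts the events.amazonaws.com principal regardless of which
# account's rule is behind it, which is the confused-deputy pattern AWS
# documents these conditions against.
resource "aws_lambda_permission" "lambda_permission" {
  statement_id   = "AllowCloudWatchToInvokeLambda"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.ec2-start-stop.function_name
  principal      = "events.amazonaws.com"
  source_account = data.aws_caller_identity.this.account_id
}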
# Log group for the function, created here rather than by Lambda on first
# invocation so the retention period from var.cloudwatchlog-retention applies
# from the start. The name has to follow Lambda's /aws/lambda/<function_name>
# convention for the function's logs to land in it.
resource "aws_cloudwatch_log_group" "this" {
  retention_in_days = var.cloudwatchlog-retention
  name              = "/aws/lambda/${var.description}-ec2-start-stop"
}