Snowflake-Labs · sfc-gh-nlele · Jun 15, 2023 · Jul 4, 2023
diff --git a/dynamodb.tf b/dynamodb.tf
@@ -1,5 +1,5 @@
 resource "aws_dynamodb_table" "geff_batch_locking_table" {
-  count        = var.create_dynamodb_table ? 1 : 0
+  count        = var.create_batch_locking_table ? 1 : 0
   name         = var.batch_locking_table_name != null ? var.batch_locking_table_name : "${local.geff_prefix}_batch_locking_table"
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = "batch_id"
@@ -15,14 +15,41 @@ resource "aws_dynamodb_table" "geff_batch_locking_table" {
   }
 }
 
-data "aws_dynamodb_table" "user_managed_table" {
-  count = !var.create_dynamodb_table && var.batch_locking_table_name != null ? 1 : 0
+resource "aws_dynamodb_table" "geff_rate_limiting_table" {
+  count        = var.create_rate_limiting_table ? 1 : 0
+  name         = var.rate_limiting_table_name != null ? var.rate_limiting_table_name : "${local.geff_prefix}_rate_limiting_table"
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "url"
+
+  attribute {
+    name = "url"
+    type = "S"
+  }
+
+  ttl {
+    attribute_name = "ttl"
+    enabled        = true
+  }
+}
+
+data "aws_dynamodb_table" "user_managed_batch_locking_table" {
+  count = !var.create_batch_locking_table && var.batch_locking_table_name != null ? 1 : 0
   name  = var.batch_locking_table_name
 }
 
+data "aws_dynamodb_table" "user_managed_rate_limiting_table" {
+  count = !var.create_rate_limiting_table && var.rate_limiting_table_name != null ? 1 : 0
+  name  = var.rate_limiting_table_name
+}
+
 locals {
-  dynamodb_table = (
-    var.create_dynamodb_table ? aws_dynamodb_table.geff_batch_locking_table[0] :
-    var.batch_locking_table_name != null ? data.aws_dynamodb_table.user_managed_table[0] : null
+  batch_locking_table = (
+    var.create_batch_locking_table ? aws_dynamodb_table.geff_batch_locking_table[0] :
+    var.batch_locking_table_name != null ? data.aws_dynamodb_table.user_managed_batch_locking_table[0] : null
+  )
+
+  rate_limiting_table = (
+    var.create_rate_limiting_table ? aws_dynamodb_table.geff_rate_limiting_table[0] :
+    var.rate_limiting_table_name != null ? data.aws_dynamodb_table.user_managed_batch_locking_table[0] : null
   )
 }
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -20,9 +20,13 @@ module "geff" {
   snowflake_integration_user_roles = var.snowflake_integration_user_roles
   geff_secret_arns                 = var.geff_secret_arns
 
-  create_dynamodb_table    = var.create_dynamodb_table
-  batch_locking_table_name = var.batch_locking_table_name
-  dynamodb_table_ttl       = var.dynamodb_table_ttl
+  create_batch_locking_table = var.create_batch_locking_table
+  batch_locking_table_name   = var.batch_locking_table_name
+  batch_locking_table_ttl    = var.batch_locking_table_ttl
+
+  create_rate_limiting_table = var.create_rate_limiting_table
+  rate_limiting_table_name   = var.rate_limiting_table_name
+  rate_limiting_table_ttl    = var.batch_locking_table_ttl
 
   providers = {
     snowflake.api_integration_role     = snowflake.api_integration_role

diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -103,21 +103,39 @@ variable "arn_format" {
   default     = "aws"
 }
 
-variable "create_dynamodb_table" {
+variable "create_batch_locking_table" {
   type        = bool
   description = "Boolean for if a DynamoDB table is to be created for batch locking."
   default     = true
 }
 
 variable "batch_locking_table_name" {
   type        = string
-  description = "DynamoDB table name for batch-locking, used either for an existing user-created table when 'create_dynamodb_table' is false, or as a table name for the module-created table when 'create_dynamodb_table' is true."
+  description = "DynamoDB table name for batch-locking, used either for an existing user-created table when 'create_batch_locking_table' is false, or as a table name for the module-created table when 'create_batch_locking_table' is true."
   default     = null
 }
 
-variable "dynamodb_table_ttl" {
+variable "batch_locking_table_ttl" {
   type        = number
-  description = "TTL for items in the dynamodb table."
+  description = "TTL for items in the batch locking DynamoDB table."
+  default     = 86400 # 1 day
+}
+
+variable "create_rate_limiting_table" {
+  type        = bool
+  description = "Boolean for if a DynamoDB table is to be created for rate limiting."
+  default     = true
+}
+
+variable "rate_limiting_table_name" {
+  type        = string
+  description = "DynamoDB table name for rate limiting, used either for an existing user-created table when 'create_rate_limiting_table' is false, or as a table name for the module-created table when 'create_rate_limiting_table' is true."
+  default     = null
+}
+
+variable "rate_limiting_table_ttl" {
+  type        = number
+  description = "TTL for items in the rate limiting DynamoDB table."
   default     = 86400 # 1 day
 }
 

diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = "~> 1.4.6"
+  required_version = "~> 1.3.4"
 
   required_providers {
     aws = {

diff --git a/iam.tf b/iam.tf
@@ -210,10 +210,10 @@ resource "aws_iam_policy_attachment" "geff_lambda_vpc_policy_attachment" {
 # -----------------------------------------------------------------------------
 # 4. Policy for the DynamoDB table to be used as a backend for batch locking
 # -----------------------------------------------------------------------------
-resource "aws_iam_policy" "dynamodb_table_policy" {
-  count = var.create_dynamodb_table || var.batch_locking_table_name != null ? 1 : 0
+resource "aws_iam_policy" "batch_locking_dynamodb_table_policy" {
+  count = var.create_batch_locking_table || var.batch_locking_table_name != null ? 1 : 0
 
-  name = "${local.geff_prefix}-dynamodb-table-policy"
+  name = "${local.geff_prefix}-batch-locking-dynamodb-table-policy"
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -223,15 +223,44 @@ resource "aws_iam_policy" "dynamodb_table_policy" {
           "dynamodb:PutItem"
         ]
         Effect   = "Allow"
-        Resource = try(local.dynamodb_table.arn, null)
+        Resource = try(local.batch_locking_table.arn, null)
       }
     ]
   })
 }
 
+
 resource "aws_iam_role_policy_attachment" "dynamodb_table_policy_attachment" {
-  count = var.create_dynamodb_table || var.batch_locking_table_name != null ? 1 : 0
+  count = var.create_batch_locking_table || var.batch_locking_table_name != null ? 1 : 0
+
+  role       = aws_iam_role.geff_lambda_assume_role.name
+  policy_arn = aws_iam_policy.batch_locking_dynamodb_table_policy[0].arn
+}
+
+
+resource "aws_iam_policy" "rate_limiting_dynamodb_table_policy" {
+  count = var.create_rate_limiting_table || var.rate_limiting_table_name != null ? 1 : 0
+
+  name = "${local.geff_prefix}-rate-limiting-dynamodb-table-policy"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "dynamodb:GetItem",
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem"
+        ]
+        Effect   = "Allow"
+        Resource = try(local.rate_limiting_table.arn, null)
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "rate_limiting_dynamodb_table_policy_attachment" {
+  count = var.create_rate_limiting_table || var.rate_limiting_table_name != null ? 1 : 0
 
   role       = aws_iam_role.geff_lambda_assume_role.name
-  policy_arn = aws_iam_policy.dynamodb_table_policy[0].arn
+  policy_arn = aws_iam_policy.rate_limiting_dynamodb_table_policy[0].arn
 }
diff --git a/lambda.tf b/lambda.tf
@@ -25,8 +25,10 @@ resource "aws_lambda_function" "geff_lambda" {
     variables = {
       GEFF_DSN            = var.geff_dsn
       SENTRY_DRIVER_DSN   = var.sentry_driver_dsn
-      DYNAMODB_TABLE_NAME = try(local.dynamodb_table.name, null)
-      DYNAMODB_TABLE_TTL  = var.dynamodb_table_ttl
+      BATCH_LOCKING_TABLE_NAME = try(local.batch_locking_table.name, null)
+      BATCH_LOCKING_TABLE_TTL  = var.batch_locking_table_ttl
+      RATE_LIMITING_TABLE_NAME = try(local.rate_limiting_table.name, null)
+      RATE_LIMITING_TABLE_TTL  = var.rate_limiting_table_ttl
     }
   }
 

diff --git a/variables.tf b/variables.tf
@@ -94,21 +94,39 @@ variable "arn_format" {
   default     = "aws"
 }
 
-variable "create_dynamodb_table" {
+variable "create_batch_locking_table" {
   type        = bool
   description = "Boolean for if a DynamoDB table is to be created for batch locking."
   default     = true
 }
 
 variable "batch_locking_table_name" {
   type        = string
-  description = "DynamoDB table name for batch-locking, used either for an existing user-created table when 'create_dynamodb_table' is false, or as a table name for the module-created table when 'create_dynamodb_table' is true."
+  description = "DynamoDB table name for batch-locking, used either for an existing user-created table when 'create_batch_locking_table' is false, or as a table name for the module-created table when 'create_batch_locking_table' is true."
   default     = null
 }
 
-variable "dynamodb_table_ttl" {
+variable "batch_locking_table_ttl" {
   type        = number
-  description = "TTL for items in the dynamodb table."
+  description = "TTL for items in the batch locking DynamoDB table."
+  default     = 86400 # 1 day
+}
+
+variable "create_rate_limiting_table" {
+  type        = bool
+  description = "Boolean for if a DynamoDB table is to be created for rate limiting."
+  default     = true
+}
+
+variable "rate_limiting_table_name" {
+  type        = string
+  description = "DynamoDB table name for rate limiting, used either for an existing user-created table when 'create_rate_limiting_table' is false, or as a table name for the module-created table when 'create_rate_limiting_table' is true."
+  default     = null
+}
+
+variable "rate_limiting_table_ttl" {
+  type        = number
+  description = "TTL for items in the rate limiting DynamoDB table."
   default     = 86400 # 1 day
 }