# HCP Packer webhook handler for AWS

Implements a handler for HCP Packer webhook events for AWS AMIs, using an API Gateway and Lambda function.

Currently handles the following HCP Packer events:

- Completed iteration: adds tags to the AMI(s) with HCP Packer metadata
- Revoked iteration: deprecates the AMI(s) and adds the revocation reason as a tag
- Restored iteration: cancels the AMI deprecation and removes the tags added by the revoked handler
- Deleted iteration: deregisters the AMI(s) and deletes the associated snapshots

Credit to Grant Orchard in the HashiCorp Field CTO org for this starting point.
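The four event handlers listed above, together with the signature check implied by the `hmac_token` secret in the Resources section, as an added Python example that is not the project's own Lambda code. The signature header name, the event-action strings (`completed`, `revoked`, `restored`, `deleted`), the payload keys (`event_action`, `ami_ids`, `metadata`, `revocation_reason`) and the `HCPPackerRevocationReason` tag name are assumptions; the EC2 client is injected so the block runs offline against a recording stand-in, whereas a real Lambda entry point would read the token from Secrets Manager and pass a `boto3` EC2 client. The point the example makes is that the MAC is checked over the raw request bytes, in constant time, before any JSON is parsed or any AWS call is made.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# ASSUMED: HCP sends the hex-encoded HMAC-SHA256 of the raw body in this header.
SIGNATURE_HEADER = "x-hcp-webhook-signature"
TAG_PREFIX = "HCPPacker"                  # the README says the AMI gets HCPPacker* tags
REASON_TAG = "HCPPackerRevocationReason"  # ASSUMED name of the tag the revoked handler adds


def verify_signature(secret: str, body: bytes, header_value: Optional[str]) -> bool:
    """Recompute the MAC over the raw bytes and compare in constant time."""
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, (header_value or "").strip().lower())


def raw_body(event: dict) -> bytes:
    """API Gateway may base64-encode the body; the MAC must cover the raw bytes."""
    body = event.get("body") or ""
    return base64.b64decode(body) if event.get("isBase64Encoded") else body.encode()


def get_header(event: dict, name: str) -> Optional[str]:
    """Header names are case-insensitive, so normalise before the lookup."""
    return {k.lower(): v for k, v in (event.get("headers") or {}).items()}.get(name)


def on_completed(ec2, ami_ids, metadata):
    """Completed iteration: tag the AMI(s) with HCP Packer metadata."""
    tags = [{"Key": f"{TAG_PREFIX}{k}", "Value": str(v)} for k, v in metadata.items()]
    ec2.create_tags(Resources=ami_ids, Tags=tags)


def on_revoked(ec2, ami_ids, reason):
    """Revoked iteration: deprecate the AMI(s) and record the reason as a tag."""
    now = datetime.now(timezone.utc)
    for ami in ami_ids:
        ec2.enable_image_deprecation(ImageId=ami, DeprecateAt=now)
    ec2.create_tags(Resources=ami_ids, Tags=[{"Key": REASON_TAG, "Value": reason}])


def on_restored(ec2, ami_ids):
    """Restored iteration: cancel the deprecation and drop the revocation tag."""
    for ami in ami_ids:
        ec2.disable_image_deprecation(ImageId=ami)
    ec2.delete_tags(Resources=ami_ids, Tags=[{"Key": REASON_TAG}])


def on_deleted(ec2, ami_ids):
    """Deleted iteration: deregister the AMI(s) and delete their EBS snapshots."""
    for image in ec2.describe_images(ImageIds=ami_ids)["Images"]:
        ec2.deregister_image(ImageId=image["ImageId"])
        for mapping in image.get("BlockDeviceMappings", []):
            snapshot_id = mapping.get("Ebs", {}).get("SnapshotId")
            if snapshot_id:
                ec2.delete_snapshot(SnapshotId=snapshot_id)


def process_event(event: dict, secret: str, ec2) -> dict:
    """Reject unsigned or tampered requests before parsing JSON or touching AWS."""
    body = raw_body(event)
    if not verify_signature(secret, body, get_header(event, SIGNATURE_HEADER)):
        return {"statusCode": 401, "body": "invalid signature"}
    payload = json.loads(body)  # ASSUMED payload keys below
    action = payload.get("event_action")
    ami_ids = payload.get("ami_ids", [])
    if action == "completed":
        on_completed(ec2, ami_ids, payload.get("metadata", {}))
    elif action == "revoked":
        on_revoked(ec2, ami_ids, payload.get("revocation_reason", "unspecified"))
    elif action == "restored":
        on_restored(ec2, ami_ids)
    elif action == "deleted":
        on_deleted(ec2, ami_ids)
    else:
        return {"statusCode": 400, "body": f"unhandled action {action!r}"}
    return {"statusCode": 200, "body": "ok"}


class RecordingEC2:
    """Constructed stand-in for a boto3 EC2 client: records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            if name == "describe_images":  # one constructed snapshot per image
                return {"Images": [{"ImageId": i, "BlockDeviceMappings":
                                    [{"Ebs": {"SnapshotId": f"snap-constructed-{i}"}}]}
                                   for i in kwargs["ImageIds"]]}
            return {}
        return method


def signed_event(secret: str, payload: dict) -> dict:
    """Constructed API Gateway proxy event signed the way the handler expects."""
    body = json.dumps(payload)
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    return {"headers": {"X-HCP-Webhook-Signature": sig}, "body": body, "isBase64Encoded": False}


def demo():
    """Run one signed 'revoked' event and one unsigned request through the handler."""
    secret, ec2 = "constructed-hmac-token", RecordingEC2()
    ok = process_event(signed_event(secret, {"event_action": "revoked",
                                             "ami_ids": ["ami-0123456789abcdef0"],
                                             "revocation_reason": "constructed reason"}),
                       secret, ec2)
    bad = process_event({"headers": {}, "body": "{}"}, secret, ec2)
    return ok, bad, [name for name, _ in ec2.calls]
```

`demo()` returns a 200 for the signed event, a 401 for the unsigned one, and the recorded EC2 calls show that the unsigned request never reached the AMI operations. Rejecting on the MAC before `json.loads` also keeps a malformed or oversized unsigned body from exercising the parser.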

## Prerequisites

- An AWS account with credentials sufficient to create the resources in this config. Refer to the Authentication and Configuration guide in the AWS provider docs.
- An HCP service account (organization or project level) to bootstrap the configuration. The "Admin" role is required to create a new project-level service account for the handler to use.
- A key for the above service account set in the `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` environment variables to authenticate the `hcp` provider. If a project-level service account is used, `HCP_PROJECT_ID` is also required. Refer to the Authenticate with HCP guide in the HCP provider docs.

## Usage

1. Apply this Terraform configuration to create the webhook handler resources.
2. Open the Webhooks page in your HCP project settings to verify that the webhook was created and is enabled.
3. Run a new Packer build. The webhook should fire after the iteration completes, and the new AMI should have several `HCPPacker*` tags added.

## Requirements

| Name | Version |
|------|---------|
| archive | ~> 2.4 |
| aws | ~> 5.0 |
| hcp | ~> 0.82 |
| random | ~> 3.6 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| api_gateway_logging_level | Log level for API Gateway execution logging. | string | "ERROR" | no |
| enable_api_gateway_logging | Whether to enable API Gateway logging. | bool | false | no |
| hcp_webhook_description | Description for the HCP webhook. | string | "Handler for AWS image events" | no |
| hcp_webhook_name | Name for the HCP webhook. | string | "AWS-Handler" | no |
| log_retention_days | Number of days to retain CloudWatch logs. | number | 14 | no |
| region | The AWS region to use. | string | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| hcp_webhook_resource_name | API resource name of the HCP notification webhook. |
| webhook_url | API Gateway URL of the webhook handler in AWS. |

## Resources

| Name | Type |
|------|------|
| aws_api_gateway_deployment.webhook | resource |
| aws_api_gateway_integration.webhook | resource |
| aws_api_gateway_method.webhook | resource |
| aws_api_gateway_method_settings.webhook | resource |
| aws_api_gateway_resource.webhook | resource |
| aws_api_gateway_rest_api.webhook | resource |
| aws_api_gateway_stage.webhook | resource |
| aws_cloudwatch_log_group.webhook_api_gateway | resource |
| aws_cloudwatch_log_group.webhook_function | resource |
| aws_iam_role.lambda_execution_role | resource |
| aws_lambda_function.webhook | resource |
| aws_lambda_permission.apigw_lambda | resource |
| aws_secretsmanager_secret.hcp_credential | resource |
| aws_secretsmanager_secret.hmac_token | resource |
| aws_secretsmanager_secret_version.hcp_credential | resource |
| aws_secretsmanager_secret_version.hmac_token | resource |
| hcp_notifications_webhook.aws | resource |
| hcp_project_iam_binding.webhook | resource |
| hcp_service_principal.webhook | resource |
| hcp_service_principal_key.webhook | resource |
| random_password.hmac_token | resource |
| archive_file.webhook_lambda | data source |
| aws_iam_policy_document.lambda_assume_role | data source |
| aws_iam_policy_document.lambda_get_secrets | data source |
| aws_iam_policy_document.lambda_manage_ami | data source |
| hcp_organization.current | data source |
| hcp_project.current | data source |