Add support for declaring simple lambda permissions in-module (#69)
jpalomaki authored Aug 22, 2024
1 parent b9923cf commit 670c7fa
Showing 5 changed files with 48 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -130,6 +130,7 @@ Available targets:
| [aws_iam_role_policy_attachment.vpc_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
| [aws_lambda_permission.invoke_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -163,6 +164,7 @@ Available targets:
| <a name="input_image_config"></a> [image\_config](#input\_image\_config) | The Lambda OCI [image configurations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#image_config)<br> block with three (optional) arguments:<br> - *entry\_point* - The ENTRYPOINT for the docker image (type `list(string)`).<br> - *command* - The CMD for the docker image (type `list(string)`).<br> - *working\_directory* - The working directory for the docker image (type `string`). | `any` | `{}` | no |
| <a name="input_image_uri"></a> [image\_uri](#input\_image\_uri) | The ECR image URI containing the function's deployment package. Conflicts with filename, s3\_bucket, s3\_key, and s3\_object\_version. | `string` | `null` | no |
| <a name="input_inline_iam_policy"></a> [inline\_iam\_policy](#input\_inline\_iam\_policy) | Inline policy document (JSON) to attach to the lambda role | `string` | `null` | no |
| <a name="input_invoke_function_permissions"></a> [invoke\_function\_permissions](#input\_invoke\_function\_permissions) | Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission. NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module | <pre>list(object({<br> principal = string<br> source_arn = string<br> }))</pre> | `[]` | no |
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key that is used to encrypt environment variables.<br> If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key.<br> If this configuration is provided when environment variables are not in use, the AWS Lambda API does not save this<br> configuration and Terraform will show a perpetual difference of adding the key. To fix the perpetual difference,<br> remove this configuration. | `string` | `""` | no |
| <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
| <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
4 changes: 4 additions & 0 deletions docs/terraform.md
@@ -25,13 +25,15 @@
|------|------|
| [aws_iam_policy.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.cloudwatch_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.vpc_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
| [aws_lambda_permission.invoke_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
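Review bot: the `aws_iam_role_policy.inline` row here (and the `inline_iam_policy` row in the inputs hunk further down in this file) is unrelated to the lambda-permission change: `inline_iam_policy` is already an unchanged context line in the README.md hunk, so docs/terraform.md had simply not been regenerated after the earlier inline-policy change. Folding the catch-up into this commit is fine, but say so in the commit message so the extra rows are not read as resources introduced by this change.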
@@ -64,6 +66,8 @@
| <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
| <a name="input_image_config"></a> [image\_config](#input\_image\_config) | The Lambda OCI [image configurations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#image_config)<br> block with three (optional) arguments:<br> - *entry\_point* - The ENTRYPOINT for the docker image (type `list(string)`).<br> - *command* - The CMD for the docker image (type `list(string)`).<br> - *working\_directory* - The working directory for the docker image (type `string`). | `any` | `{}` | no |
| <a name="input_image_uri"></a> [image\_uri](#input\_image\_uri) | The ECR image URI containing the function's deployment package. Conflicts with filename, s3\_bucket, s3\_key, and s3\_object\_version. | `string` | `null` | no |
| <a name="input_inline_iam_policy"></a> [inline\_iam\_policy](#input\_inline\_iam\_policy) | Inline policy document (JSON) to attach to the lambda role | `string` | `null` | no |
| <a name="input_invoke_function_permissions"></a> [invoke\_function\_permissions](#input\_invoke\_function\_permissions) | Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission. NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module | <pre>list(object({<br> principal = string<br> source_arn = string<br> }))</pre> | `[]` | no |
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key that is used to encrypt environment variables.<br> If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key.<br> If this configuration is provided when environment variables are not in use, the AWS Lambda API does not save this<br> configuration and Terraform will show a perpetual difference of adding the key. To fix the perpetual difference,<br> remove this configuration. | `string` | `""` | no |
| <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
| <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
25 changes: 25 additions & 0 deletions examples/complete/main.tf
@@ -103,7 +103,32 @@ module "lambda" {
}
JSON

invoke_function_permissions = [
{
principal = "s3.amazonaws.com"
source_arn = join("", aws_s3_bucket.example[*].arn)
}
]

context = module.this.context

depends_on = [aws_iam_policy.inside]
}

resource "aws_s3_bucket" "example" {
count = local.enabled ? 1 : 0
}

resource "aws_s3_bucket_notification" "example" {
count = local.enabled ? 1 : 0

bucket = aws_s3_bucket.example[0].id
lambda_function {
lambda_function_arn = module.lambda.arn
events = ["s3:ObjectCreated:*"]
}
# Lambda permissions must be created prior to setting up the notification
depends_on = [
module.lambda
]
}
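Review bot: the comment on `depends_on` in `aws_s3_bucket_notification.example` should say why the whole module is named rather than relying on the implicit reference: `module.lambda.arn` only ties the notification to the function, while the `aws_lambda_permission` resource lives inside the module and is not exported, and S3 checks that the function's resource policy allows `s3.amazonaws.com` at the time the notification configuration is written, so without the explicit dependency the first apply can race and fail. Something like "# module.lambda.arn does not depend on the permission resource inside the module; S3 rejects the notification until the permission exists" makes the intent clear to anyone copying this example.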
8 changes: 8 additions & 0 deletions lambda-permissions.tf
@@ -0,0 +1,8 @@
resource "aws_lambda_permission" "invoke_function" {
for_each = local.enabled ? { for i, permission in var.invoke_function_permissions : i => permission } : {}

action = "lambda:InvokeFunction"
function_name = aws_lambda_function.this[0].function_name
principal = each.value.principal
source_arn = each.value.source_arn
}
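Review bot: keying `for_each` on the list index `i` is a defensible choice here, since `source_arn` is often unknown at plan time (the example builds the bucket in the same apply) and could not be used in a key, but the consequence deserves a comment on this line and a sentence in the variable description: removing or reordering one entry of `invoke_function_permissions` re-keys every later entry, so those permissions are destroyed and recreated on the next apply (each with a fresh generated `statement_id`), and the function is briefly not invokable from those sources. Reviewers of a plan should also know that a one-line list edit can therefore show several permission replacements rather than a single add or remove.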
9 changes: 9 additions & 0 deletions variables.tf
@@ -245,3 +245,12 @@ variable "inline_iam_policy" {
description = "Inline policy document (JSON) to attach to the lambda role"
default = null
}

variable "invoke_function_permissions" {
type = list(object({
principal = string
source_arn = string
}))
description = "Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission. NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module"
default = []
}
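Review bot: two things the object type should carry before this is relied on as the module's only way to grant invoke access. First, a `validation` block: the type makes `source_arn` and `principal` present but not non-empty, and an empty `source_arn` would at best fail at apply time and at worst, if the provider treats `""` as unset, create a permission with no source condition at all, so fail fast at plan time with `condition = alltrue([for p in var.invoke_function_permissions : p.principal != "" && p.source_arn != ""])`. Second, an optional `source_account`: for the S3 case in the example the bucket ARN carries no account id, so a permission scoped only by `source_arn` also matches a same-named bucket in another account, and AWS's confused-deputy guidance for S3 event sources is to set the source account as well; `source_account = optional(string)` passed through to `aws_lambda_permission` keeps the simple interface while closing that gap, and the description should then note which attributes are deliberately left out.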
