From 82d7b37ba497ddc70032777c6c827870ff391de0 Mon Sep 17 00:00:00 2001 From: Florian Reisinger Date: Thu, 23 Aug 2018 11:35:33 +1000 Subject: [PATCH 1/4] Allow use of existing policy --- README.md | 4 ++-- iam.tf | 17 ++++------------- variables.tf | 6 +++--- 3 files changed, 9 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 635272c..88f342e 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ module "lambda" { // Attach a policy. attach_policy = true - policy = "${data.aws_iam_policy_document.lambda.json}" + policy_arn = "${data.aws_iam_policy.lambda.arn}" // Add a dead letter queue. attach_dead_letter_config = true @@ -77,7 +77,7 @@ function name unique per region, for example by setting | function_name | A unique name for your Lambda function (and related IAM resources) | string | - | yes | | handler | The function entrypoint in your code | string | - | yes | | memory_size | Amount of memory in MB your Lambda function can use at runtime | string | `128` | no | -| policy | An addional policy to attach to the Lambda function | string | `` | no | +| policy_arn | An addional policy (ARN) to attach to the Lambda function | string | `` | no | | reserved_concurrent_executions | The amount of reserved concurrent executions for this Lambda function | string | `0` | no | | runtime | The runtime environment for the Lambda function | string | - | yes | | source_path | The source file or directory containing your Lambda source code | string | - | yes | diff --git a/iam.tf b/iam.tf index c12717c..a02edb4 100644 --- a/iam.tf +++ b/iam.tf 
@@ -126,17 +126,8 @@ resource "aws_iam_policy_attachment" "network" { # Attach an additional policy if provided. -resource "aws_iam_policy" "additional" { - count = "${var.attach_policy ? 1 : 0}" - - name = "${var.function_name}" - policy = "${var.policy}" -} - -resource "aws_iam_policy_attachment" "additional" { - count = "${var.attach_policy ? 1 : 0}" - - name = "${var.function_name}" - roles = ["${aws_iam_role.lambda.name}"] - policy_arn = "${aws_iam_policy.additional.arn}" +resource "aws_iam_role_policy_attachment" "additional" { + count = "${var.attach_policy ? 1 : 0}" + role = "${aws_iam_role.lambda.name}" + policy_arn = "${var.policy_arn}" } diff --git a/variables.tf b/variables.tf index 3cc3dde..2a3874a 100644 --- a/variables.tf +++ b/variables.tf @@ -78,14 +78,14 @@ variable "tags" { default = {} } -variable "policy" { - description = "An addional policy to attach to the Lambda function" +variable "policy_arn" { + description = "An addional policy (ARN) to attach to the Lambda function" type = "string" default = "" } variable "attach_policy" { - description = "Set this to true if using the policy variable" + description = "Set this to true if using the policy_arn variable" type = "string" default = false } From 4ce5c41ea7aae411be971e58c92973022cd8ca11 Mon Sep 17 00:00:00 2001 From: Florian Reisinger Date: Wed, 17 Oct 2018 09:03:29 +1100 Subject: [PATCH 2/4] Convert change in addition. --- README.md | 4 ++++ iam.tf | 17 ++++++++++++++++- variables.tf | 14 +++++++++++++- 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 88f342e..06ad03d 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,8 @@ module "lambda" { // Attach a policy. attach_policy = true + policy = "${data.aws_iam_policy_document.lambda.json}" + attach_policy_arn = true policy_arn = "${data.aws_iam_policy.lambda.arn}" // Add a dead letter queue. 
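Review bot: The new `aws_iam_role_policy_attachment.additional` attaches whatever ARN the caller supplies with no guard, and `policy_arn` defaults to `""`, so `attach_policy = true` with the ARN left unset fails only at apply time with an AWS validation error rather than with a clear message at plan. Because a single ARN here can be as broad as `arn:aws:iam::aws:policy/AdministratorAccess`, the comment above the resource should make the trust boundary explicit, e.g. `# Attach a caller-supplied managed policy (by ARN) to the execution role. The caller is responsible for scoping it to least privilege; attach_policy must be set together with policy_arn.` Dropping the inline `policy` input in favour of `policy_arn` is also a breaking change for callers still passing `policy`; the next patch in this series restores it.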
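Review bot: The `policy_arn` description does not say that the value must be the ARN of an existing managed policy, nor that it is only read when `attach_policy` is true, and both new descriptions carry the typo `addional`. Suggested wording: `description = "ARN of an existing IAM managed policy to attach to the function's execution role (used only when attach_policy is true)"` and, for the flag, `description = "Set this to true to attach the managed policy given by policy_arn"`. Typing the boolean flag as `string` matches the existing `attach_policy` declaration in this hunk, so no change is needed there.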
@@ -70,6 +72,7 @@ function name unique per region, for example by setting |------|-------------|:----:|:-----:|:-----:| | attach_dead_letter_config | Set this to true if using the dead_letter_config variable | string | `false` | no | | attach_policy | Set this to true if using the policy variable | string | `false` | no | +| attach_policy_arn | Set this to true if using the policy_arn variable | string | `false` | no | | attach_vpc_config | Set this to true if using the vpc_config variable | string | `false` | no | | dead_letter_config | Dead letter configuration for the Lambda function | map | `` | no | | description | Description of what your Lambda function does | string | `Managed by Terraform` | no | @@ -77,6 +80,7 @@ function name unique per region, for example by setting | function_name | A unique name for your Lambda function (and related IAM resources) | string | - | yes | | handler | The function entrypoint in your code | string | - | yes | | memory_size | Amount of memory in MB your Lambda function can use at runtime | string | `128` | no | +| policy | An addional policy to attach to the Lambda function | string | `` | no | | policy_arn | An addional policy (ARN) to attach to the Lambda function | string | `` | no | | reserved_concurrent_executions | The amount of reserved concurrent executions for this Lambda function | string | `0` | no | | runtime | The runtime environment for the Lambda function | string | - | yes | diff --git a/iam.tf b/iam.tf index a02edb4..59c80ce 100644 --- a/iam.tf +++ b/iam.tf 
@@ -127,7 +127,22 @@ resource "aws_iam_policy_attachment" "network" { # Attach an additional policy if provided. resource "aws_iam_role_policy_attachment" "additional" { - count = "${var.attach_policy ? 1 : 0}" + count = "${var.attach_policy_arn ? 1 : 0}" role = "${aws_iam_role.lambda.name}" policy_arn = "${var.policy_arn}" } + +resource "aws_iam_policy" "additional" { + count = "${var.attach_policy ? 1 : 0}" + + name = "${var.function_name}" + policy = "${var.policy}" +} + +resource "aws_iam_policy_attachment" "additional" { + count = "${var.attach_policy ? 1 : 0}" + + name = "${var.function_name}" + roles = ["${aws_iam_role.lambda.name}"] + policy_arn = "${aws_iam_policy.additional.arn}" +} diff --git a/variables.tf b/variables.tf index 2a3874a..aa8749a 100644 --- a/variables.tf +++ b/variables.tf @@ -84,8 +84,20 @@ variable "policy_arn" { default = "" } -variable "attach_policy" { +variable "policy" { + description = "An addional policy to attach to the Lambda function" + type = "string" + default = "" +} + +variable "attach_policy_arn" { description = "Set this to true if using the policy_arn variable" type = "string" default = false } + +variable "attach_policy" { + description = "Set this to true if using the policy variable" + type = "string" + default = false +} From 735bd5a0b5cf65a3250ebbff5e02c01620bad271 Mon Sep 17 00:00:00 2001 From: Florian Reisinger Date: Thu, 18 Oct 2018 09:09:28 +1100 Subject: [PATCH 3/4] Refactor policy_arn to list; Add invoke_arn to module output. --- iam.tf | 12 ++++++------ outputs.tf | 5 +++++ variables.tf | 18 ++++++++---------- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/iam.tf b/iam.tf index 59c80ce..cd770d5 100644 --- a/iam.tf +++ b/iam.tf 
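Review bot: The re-added `aws_iam_policy_attachment.additional` is the exclusive attachment resource: Terraform manages the complete set of principals for that policy ARN and will detach it from any role, user or group that acquired it outside this module, whereas the `aws_iam_role_policy_attachment` directly above it only manages its own role. Since `aws_iam_policy.additional` is created by this module the blast radius is limited, but the two paths should use the same resource type for consistency: change the type line to `resource "aws_iam_role_policy_attachment" "additional_inline"` (a distinct local name, since `additional` is already taken by the ARN path), replace `roles = ["${aws_iam_role.lambda.name}"]` with `role = "${aws_iam_role.lambda.name}"`, and drop the `name` argument, which the role-scoped resource does not accept. The final patch in this series removes the inline-policy path altogether, which would make this moot.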
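Review bot: `policy` is a JSON policy document (the README example feeds it `data.aws_iam_policy_document.lambda.json`), but its description says only `An addional policy`, which now that `policy_arn` sits beside it reads as if an ARN were acceptable. Suggest `description = "An additional IAM policy document (JSON) to create and attach to the function's execution role (used only when attach_policy is true)"`. Since the value defaults to `""` and is gated by a separate flag, setting `attach_policy` without `policy` fails only at apply time, which is worth stating in the description as well.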
@@ -126,12 +126,6 @@ resource "aws_iam_policy_attachment" "network" { # Attach an additional policy if provided. -resource "aws_iam_role_policy_attachment" "additional" { - count = "${var.attach_policy_arn ? 1 : 0}" - role = "${aws_iam_role.lambda.name}" - policy_arn = "${var.policy_arn}" -} - resource "aws_iam_policy" "additional" { count = "${var.attach_policy ? 1 : 0}" @@ -146,3 +140,9 @@ resource "aws_iam_policy_attachment" "additional" { roles = ["${aws_iam_role.lambda.name}"] policy_arn = "${aws_iam_policy.additional.arn}" } + +resource "aws_iam_role_policy_attachment" "additional_arn" { + count = "${var.policy_arn_count}" + role = "${aws_iam_role.lambda.name}" + policy_arn = "${var.policy_arns[count.index]}" +} diff --git a/outputs.tf b/outputs.tf index c187b69..9e1080a 100644 --- a/outputs.tf +++ b/outputs.tf @@ -3,6 +3,11 @@ output "function_arn" { value = "${element(concat(aws_lambda_function.lambda.*.arn, aws_lambda_function.lambda_with_dl.*.arn, aws_lambda_function.lambda_with_vpc.*.arn, aws_lambda_function.lambda_with_dl_and_vpc.*.arn), 0)}" } +output "function_invoke_arn" { + description = "The ARN of the Lambda function" + value = "${element(concat(aws_lambda_function.lambda.*.invoke_arn, aws_lambda_function.lambda_with_dl.*.invoke_arn, aws_lambda_function.lambda_with_vpc.*.invoke_arn, aws_lambda_function.lambda_with_dl_and_vpc.*.invoke_arn), 0)}" +} + output "function_name" { description = "The name of the Lambda function" value = "${element(concat(aws_lambda_function.lambda.*.function_name, aws_lambda_function.lambda_with_dl.*.function_name, aws_lambda_function.lambda_with_vpc.*.function_name, aws_lambda_function.lambda_with_dl_and_vpc.*.function_name), 0)}" diff --git a/variables.tf b/variables.tf index aa8749a..47d83cb 100644 --- a/variables.tf +++ b/variables.tf 
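Review bot: `count` for `additional_arn` comes from `var.policy_arn_count` while the ARNs come from `var.policy_arns`, and nothing ties the two together: a count larger than the list fails at plan with an index error, but a count smaller than the list silently leaves the trailing ARNs unattached, so the role ends up with fewer permissions than the caller's configuration states and nothing reports it. The coupling should at least be documented at the resource, e.g. `# count must equal length(var.policy_arns); an undercount silently drops trailing policies (see the policy_arn_count variable for why length() is not used here).` The final patch in this series derives the count from `length()` instead, which removes the mismatch but has its own trade-off.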
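Review bot: The new `function_invoke_arn` output carries the description `The ARN of the Lambda function`, copied from `function_arn` directly above, so the two outputs are indistinguishable in `terraform output` and in generated docs. Suggest `description = "The invoke ARN of the Lambda function, the form consumed by API Gateway integrations"`, which is what the provider's `invoke_arn` attribute is intended for. The `element(concat(...))` selection mirrors the existing outputs, so there is no behaviour concern.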
@@ -78,11 +78,15 @@ variable "tags" { default = {} } -variable "policy_arn" { - description = "An addional policy (ARN) to attach to the Lambda function" - type = "string" - default = "" +variable "policy_arns" { + description = "Addional policies (ARNs) to attach to the Lambda function." + type = "list" + default = [] } +variable "policy_arn_count" { + description = "The number of policies to expect in the policy_arns list. Note: required due to known Terraform issues: https://github.com/hashicorp/terraform/issues/17421" +} + variable "policy" { description = "An addional policy to attach to the Lambda function" @@ -90,12 +94,6 @@ variable "policy" { default = "" } -variable "attach_policy_arn" { - description = "Set this to true if using the policy_arn variable" - type = "string" - default = false -} - variable "attach_policy" { description = "Set this to true if using the policy variable" type = "string" From 694dccba221530df69570bde649f37414d58f890 Mon Sep 17 00:00:00 2001 From: Florian Reisinger Date: Thu, 21 Feb 2019 08:14:05 +1100 Subject: [PATCH 4/4] Fix additional policies attachment --- iam.tf | 21 +++------------------ variables.tf | 17 +---------------- 2 files changed, 4 insertions(+), 34 deletions(-) diff --git a/iam.tf b/iam.tf index 8f385c0..9e87385 100644 --- a/iam.tf +++ b/iam.tf 
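Review bot: `policy_arn_count` is declared with neither `type` nor `default`, which makes it a required input for every consumer of the module, including the majority that attach no extra policies, so this hunk breaks existing callers at plan time with a missing-variable error even though `policy_arns` itself defaults to `[]`. Give it `type = "string"` and `default = 0` so the zero-policy case keeps working, and spell out the contract: `description = "Number of entries in policy_arns. Must match length(policy_arns) exactly; kept separate because count cannot depend on a computed list (hashicorp/terraform#17421)."`. The description of `policy_arns` has the typo `Addional`, and README.md is not updated in this patch (the diffstat lists only iam.tf, outputs.tf and variables.tf), so it still documents the removed `policy_arn` and `attach_policy_arn` inputs.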
@@ -134,25 +134,10 @@ resource "aws_iam_policy_attachment" "network" { policy_arn = "${aws_iam_policy.network.arn}" } -# Attach an additional policy if provided. +# Attach an additional policies if provided. -resource "aws_iam_policy" "additional" { - count = "${var.attach_policy ? 1 : 0}" - - name = "${var.function_name}" - policy = "${var.policy}" -} - -resource "aws_iam_policy_attachment" "additional" { - count = "${var.attach_policy ? 1 : 0}" - - name = "${var.function_name}" - roles = ["${aws_iam_role.lambda.name}"] - policy_arn = "${aws_iam_policy.additional.arn}" -} - -resource "aws_iam_role_policy_attachment" "additional_arn" { - count = "${var.policy_arn_count}" +resource "aws_iam_role_policy_attachment" "additional" { + count = "${local.policy_arn_count}" role = "${aws_iam_role.lambda.name}" policy_arn = "${var.policy_arns[count.index]}" } diff --git a/variables.tf b/variables.tf index 7cb794d..2e1aa8d 100644 --- a/variables.tf +++ b/variables.tf @@ -95,22 +95,6 @@ variable "policy_arns" { type = "list" default = [] } -variable "policy_arn_count" { - description = "The number of policies to expect in the policy_arns list. Note: required due to known Terraform issues: https://github.com/hashicorp/terraform/issues/17421" -} - - -variable "policy" { - description = "An addional policy to attach to the Lambda function" - type = "string" - default = "" -} - -variable "attach_policy" { - description = "Set this to true if using the policy variable" - type = "string" - default = false -} variable "enable_cloudwatch_logs" { description = "Set this to false to disable logging your Lambda output to CloudWatch Logs" @@ -133,4 +117,5 @@ variable "lambda_at_edge" { locals { publish = "${var.lambda_at_edge ? true : var.publish}" timeout = "${var.lambda_at_edge ? min(var.timeout, 5) : var.timeout}" + policy_arn_count = "${length(var.policy_arns)}" }
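Review bot: Renaming the resource from `additional_arn` to `additional` changes its state address, so on the next apply Terraform will plan to destroy `aws_iam_role_policy_attachment.additional_arn[*]` and create `aws_iam_role_policy_attachment.additional[*]`; between the detach and the re-attach the execution role briefly lacks those permissions, and any invocation in that window fails with an access-denied error. Either keep the old name or have the commit message tell operators to run `terraform state mv` for each index before applying. The header comment should also read `# Attach additional policies if provided.` rather than `# Attach an additional policies if provided.`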
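Review bot: `policy_arn_count = "${length(var.policy_arns)}"` reintroduces the problem the removed `policy_arn_count` variable was documented to work around: in Terraform 0.11 `count` may not depend on a value that is only known after apply, and `length()` of a list containing ARNs of resources created in the same plan (for example an `aws_iam_policy` declared next to this module) is exactly such a value, yielding `value of 'count' cannot be computed`. Callers passing only pre-existing ARNs are unaffected, so this is a regression for one class of user rather than an outright break, and it is not mentioned in the commit message. Consider keeping an optional override, e.g. `variable "policy_arn_count" { default = "" }` together with `policy_arn_count = "${var.policy_arn_count != "" ? var.policy_arn_count : length(var.policy_arns)}"` in `locals`, so the derived count stays the default while a caller with computed ARNs can still supply it explicitly. The removal of `policy` and `attach_policy` in the hunk above also leaves README.md stale, since this patch touches only iam.tf and variables.tf.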