Merge pull request #79 from schubergphilis/update_role_arn_count

breaking: Update all execution role related variables

README.md

@@ -9,7 +9,7 @@ IMPORTANT: We do not pin modules to versions in our examples. We highly recommen
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
 | <a name="requirement_archive"></a> [archive](#requirement\_archive) | >= 2.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9.0 |
 
@@ -24,7 +24,7 @@ IMPORTANT: We do not pin modules to versions in our examples. We highly recommen
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_lambda_role"></a> [lambda\_role](#module\_lambda\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.3 |
+| <a name="module_lambda_role"></a> [lambda\_role](#module\_lambda\_role) | schubergphilis/mcaf-role/aws | ~> 0.4.0 |
 
 ## Resources
 
@@ -47,27 +47,24 @@ IMPORTANT: We do not pin modules to versions in our examples. We highly recommen
 | <a name="input_architecture"></a> [architecture](#input\_architecture) | Instruction set architecture of the Lambda function | `string` | `"x86_64"` | no |
 | <a name="input_cloudwatch_logs"></a> [cloudwatch\_logs](#input\_cloudwatch\_logs) | Whether or not to configure a CloudWatch log group | `bool` | `true` | no |
 | <a name="input_code_signing_config_arn"></a> [code\_signing\_config\_arn](#input\_code\_signing\_config\_arn) | ARN for a Code Signing Configuration | `string` | `null` | no |
-| <a name="input_create_policy"></a> [create\_policy](#input\_create\_policy) | Overrule whether the Lambda role policy has to be created | `bool` | `null` | no |
 | <a name="input_create_s3_dummy_object"></a> [create\_s3\_dummy\_object](#input\_create\_s3\_dummy\_object) | Whether or not to create a S3 dummy object | `bool` | `true` | no |
 | <a name="input_dead_letter_target_arn"></a> [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | The ARN of an SNS topic or SQS queue to notify when an invocation fails | `string` | `null` | no |
 | <a name="input_description"></a> [description](#input\_description) | A description of the lambda | `string` | `""` | no |
 | <a name="input_destination_on_failure"></a> [destination\_on\_failure](#input\_destination\_on\_failure) | ARN of the destination resource for failed asynchronous invocations | `string` | `null` | no |
 | <a name="input_destination_on_success"></a> [destination\_on\_success](#input\_destination\_on\_success) | ARN of the destination resource for successful asynchronous invocations | `string` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | A map of environment variables to assign to the lambda | `map(string)` | `null` | no |
 | <a name="input_ephemeral_storage_size"></a> [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | The size of the Lambda function Ephemeral storage | `number` | `null` | no |
+| <a name="input_execution_role"></a> [execution\_role](#input\_execution\_role) | Configuration for lambda execution IAM role | <pre>object({<br>    additional_policy_arns = optional(set(string), [])<br>    name_prefix            = optional(string)<br>    path                   = optional(string, "/")<br>    permissions_boundary   = optional(string)<br>    policy                 = optional(string)<br>  })</pre> | `{}` | no |
+| <a name="input_execution_role_custom"></a> [execution\_role\_custom](#input\_execution\_role\_custom) | Optional existing IAM role for Lambda execution. Overrides the role configured in the execution\_role variable. | <pre>object({<br>    arn = string<br>  })</pre> | `null` | no |
 | <a name="input_filename"></a> [filename](#input\_filename) | The path to the function's deployment package within the local filesystem | `string` | `null` | no |
 | <a name="input_handler"></a> [handler](#input\_handler) | The function entrypoint in your code | `string` | `"main.handler"` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the cloudwatch log group and environment variables | `string` | `null` | no |
 | <a name="input_layers"></a> [layers](#input\_layers) | List of Lambda layer ARNs to be used by the Lambda function | `list(string)` | `[]` | no |
 | <a name="input_log_retention"></a> [log\_retention](#input\_log\_retention) | Number of days to retain log events in the specified log group | `number` | `365` | no |
 | <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | The memory size of the lambda | `number` | `null` | no |
-| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The permissions boundary to set on the role | `string` | `null` | no |
-| <a name="input_policy"></a> [policy](#input\_policy) | A valid lambda policy JSON document. This policy is used if you don't specify a role\_arn | `string` | `null` | no |
 | <a name="input_publish"></a> [publish](#input\_publish) | Whether to publish creation/change as new lambda function version | `bool` | `false` | no |
 | <a name="input_reserved_concurrency"></a> [reserved\_concurrency](#input\_reserved\_concurrency) | The amount of reserved concurrent executions for this lambda function | `number` | `null` | no |
 | <a name="input_retries"></a> [retries](#input\_retries) | Maximum number of retries for the Lambda invocation | `number` | `null` | no |
-| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | An optional lambda execution role | `string` | `null` | no |
-| <a name="input_role_prefix"></a> [role\_prefix](#input\_role\_prefix) | Default prefix for the role | `string` | `null` | no |
 | <a name="input_runtime"></a> [runtime](#input\_runtime) | The function runtime to use | `string` | `"python3.10"` | no |
 | <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | The S3 bucket location containing the function's deployment package | `string` | `null` | no |
 | <a name="input_s3_key"></a> [s3\_key](#input\_s3\_key) | The S3 key of an object containing the function's deployment package | `string` | `null` | no |

UPGRADING.md

@@ -1,17 +1,39 @@
 # Upgrading Notes
 
-This document captures breaking changes.
+This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.
+
+
+## Upgrading to v2.0.0
+
+### Variables (v2.0.0)
+
+The following variables have been replaced:
+
+* `permissions_boundary` → `execution_role.permissions_boundary`
+* `policy` → `execution_role.policy`
+* `role_arn` → `execution_role_custom.arn`
+* `role_prefix` → `execution_role.name_prefix`
+
+The following variables have been introduced:
+
+* `execution_role.additional_policy_arns`. Add additional policy arns to the execution role.
+* `execution_role.path`. Customizable role path.
+
+The following variables have been removed:
+
+* `create_policy`. This variable is not deemed necessary anymore, creating the policy is controlled by providing an `execution_role.policy`.
+
 
 ## Upgrading to v1.0.0
 
-### Behaviour
+### Behaviour (v1.0.0)
 
 The need to provide a `providers = { aws.lambda = aws }` argument has been removed. When using v1.0.0 or higher the provider will simply default to aws and if a different provider is needed, one can be provisioned by passing down `providers = { aws = aws.lambda }`.
 
-### Variables
+### Variables (v1.0.0)
 
 The following variable defaults have been modified:
 
-- `log_retention` -> default: `365` (previous: `14`). In order to comply with AWS Security Hub control CloudWatch.16.
-- `runtime` -> default: `python3.10` (previous: `python3.9`)
-- `tags` -> default: `{}` (previous: ``). We recommend to set tags on the specified AWS provider.
+* `log_retention` → default: `365` (previous: `14`). In order to comply with AWS Security Hub control CloudWatch.16.
+* `runtime` → default: `python3.10` (previous: `python3.9`).
+* `tags` → default: `{}` (previous: ``). We recommend to set tags on the specified AWS provider.

examples/basic/versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.3.0"
 
   required_providers {
     aws = {

examples/role/main.tf

@@ -0,0 +1,22 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+data "aws_iam_policy_document" "lambda_iam_policy" {
+  statement {
+    sid       = "EC2DescribeRegionsAccess"
+    actions   = ["ec2:DescribeRegions"]
+    resources = ["*"]
+  }
+}
+
+module "lambda" {
+  source = "../.."
+
+  name = "example"
+
+  execution_role = {
+    path   = "/custom/"
+    policy = data.aws_iam_policy_document.lambda_iam_policy.json
+  }
+}

examples/role/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.9.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = ">= 2.0.0"
+    }
+  }
+}

main.tf

@@ -11,22 +11,24 @@ locals {
 }
 
 module "lambda_role" {
-  count = length(compact([var.role_arn])) == 0 ? 1 : 0
+  count = var.execution_role_custom == null ? 1 : 0
 
-  source                = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.3.3"
-  name                  = join("-", compact([var.role_prefix, "LambdaRole", var.name]))
-  create_policy         = var.create_policy
-  permissions_boundary  = var.permissions_boundary
+  source  = "schubergphilis/mcaf-role/aws"
+  version = "~> 0.4.0"
+
+  name                  = join("-", compact([var.execution_role.name_prefix, "LambdaRole", var.name]))
+  path                  = var.execution_role.path
+  permissions_boundary  = var.execution_role.permissions_boundary
   postfix               = false
   principal_identifiers = ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]
   principal_type        = "Service"
-  role_policy           = var.policy
+  role_policy           = var.execution_role.policy
   tags                  = var.tags
 
-  policy_arns = compact([
+  policy_arns = setunion(compact([
     var.cloudwatch_logs ? "arn:aws:iam::aws:policy/service-role/AWSLambda${local.execution_type}ExecutionRole" : null,
     var.tracing_config_mode != null ? "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess" : null,
-  ])
+  ]), var.execution_role.additional_policy_arns)
 }
 
 resource "aws_cloudwatch_log_group" "default" {
@@ -140,7 +142,7 @@ resource "aws_lambda_function" "default" {
   memory_size                    = var.memory_size
   publish                        = var.publish
   reserved_concurrent_executions = var.reserved_concurrency
-  role                           = length(compact([var.role_arn])) > 0 ? var.role_arn : module.lambda_role[0].arn
+  role                           = var.execution_role_custom != null ? var.execution_role_custom.arn : module.lambda_role[0].arn
   runtime                        = var.runtime
   s3_bucket                      = var.s3_bucket
   s3_key                         = var.s3_key

outputs.tf

@@ -19,7 +19,7 @@ output "qualified_arn" {
 }
 
 output "role_arn" {
-  value       = length(compact([var.role_arn])) > 0 ? var.role_arn : module.lambda_role[0].arn
+  value       = var.execution_role_custom != null ? var.execution_role_custom.arn : module.lambda_role[0].arn
   description = "ARN of the lambda execution role"
 }
 

variables.tf

@@ -21,12 +21,6 @@ variable "code_signing_config_arn" {
   description = "ARN for a Code Signing Configuration"
 }
 
-variable "create_policy" {
-  type        = bool
-  default     = null
-  description = "Overrule whether the Lambda role policy has to be created"
-}
-
 variable "create_s3_dummy_object" {
   type        = bool
   default     = true
@@ -69,6 +63,36 @@ variable "ephemeral_storage_size" {
   description = "The size of the Lambda function Ephemeral storage"
 }
 
+variable "execution_role" {
+  type = object({
+    additional_policy_arns = optional(set(string), [])
+    name_prefix            = optional(string)
+    path                   = optional(string, "/")
+    permissions_boundary   = optional(string)
+    policy                 = optional(string)
+  })
+  default     = {}
+  description = "Configuration for lambda execution IAM role"
+
+  validation {
+    condition     = can(regex("^/.*?/$", var.execution_role.path)) || var.execution_role.path == "/"
+    error_message = "The \"path\" must start and end with \"/\" or be \"/\"."
+  }
+}
+
+variable "execution_role_custom" {
+  type = object({
+    arn = string
+  })
+  default     = null
+  description = "Optional existing IAM role for Lambda execution. Overrides the role configured in the execution_role variable."
+
+  validation {
+    condition     = var.execution_role_custom == null || can(regex("^arn:aws:iam::[0-9]{12}:(role)/.+$", var.execution_role_custom.arn))
+    error_message = "If provided, \"arn\" must match an AWS Principal ARN"
+  }
+}
+
 variable "filename" {
   type        = string
   default     = null
@@ -110,18 +134,6 @@ variable "name" {
   description = "The name of the lambda"
 }
 
-variable "permissions_boundary" {
-  type        = string
-  default     = null
-  description = "The permissions boundary to set on the role"
-}
-
-variable "policy" {
-  type        = string
-  default     = null
-  description = "A valid lambda policy JSON document. This policy is used if you don't specify a role_arn"
-}
-
 variable "publish" {
   type        = bool
   default     = false
@@ -140,18 +152,6 @@ variable "retries" {
   description = "Maximum number of retries for the Lambda invocation"
 }
 
-variable "role_arn" {
-  type        = string
-  default     = null
-  description = "An optional lambda execution role"
-}
-
-variable "role_prefix" {
-  type        = string
-  description = "Default prefix for the role"
-  default     = null
-}
-
 variable "runtime" {
   type        = string
   default     = "python3.10"

versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.3.0"
 
   required_providers {
     aws = {