Merge pull request #75 from schubergphilis/fvb/role-refactor

feature: Refactor role and policy

README.md

@@ -22,24 +22,21 @@ IMPORTANT: We do not pin modules to versions in our examples. We highly recommen
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_lambda_role"></a> [lambda\_role](#module\_lambda\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.3 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_cloudwatch_log_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.enable_xray_daemon_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_function.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_function_event_invoke_config.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_event_invoke_config) | resource |
 | [aws_s3_object.s3_dummy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_vpc_security_group_egress_rule.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [archive_file.dummy](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
-| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_subnet.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 
 ## Inputs
@@ -65,7 +62,7 @@ No modules.
 | <a name="input_log_retention"></a> [log\_retention](#input\_log\_retention) | Number of days to retain log events in the specified log group | `number` | `365` | no |
 | <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | The memory size of the lambda | `number` | `null` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The permissions boundary to set on the role | `string` | `null` | no |
-| <a name="input_policy"></a> [policy](#input\_policy) | A valid lambda policy JSON document. Required if you don't specify a role\_arn | `string` | `null` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | A valid lambda policy JSON document. This policy is used if you don't specify a role\_arn | `string` | `null` | no |
 | <a name="input_publish"></a> [publish](#input\_publish) | Whether to publish creation/change as new lambda function version | `bool` | `false` | no |
 | <a name="input_reserved_concurrency"></a> [reserved\_concurrency](#input\_reserved\_concurrency) | The amount of reserved concurrent executions for this lambda function | `number` | `null` | no |
 | <a name="input_retries"></a> [retries](#input\_retries) | Maximum number of retries for the Lambda invocation | `number` | `null` | no |

main.tf

@@ -1,6 +1,5 @@
 locals {
   create_event_invoke_config = var.retries != null || var.destination_on_failure != null || var.destination_on_success != null ? { create : true } : {}
-  create_policy              = var.role_arn == null && (var.create_policy != null ? var.create_policy : true)
   dead_letter_config         = var.dead_letter_target_arn != null ? { create : true } : {}
   environment                = var.environment != null ? { create : true } : {}
   ephemeral_storage          = var.ephemeral_storage_size != null ? { create : true } : {}
@@ -11,34 +10,23 @@ locals {
   vpc_config                 = var.subnet_ids != null ? { create : true } : {}
 }
 
-data "aws_iam_policy_document" "default" {
-  statement {
-    actions = [
-      "sts:AssumeRole"
-    ]
-
-    principals {
-      type        = "Service"
-      identifiers = ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "default" {
+module "lambda_role" {
   count = var.role_arn == null ? 1 : 0
 
-  name                 = join("-", compact([var.role_prefix, "LambdaRole", var.name]))
-  assume_role_policy   = data.aws_iam_policy_document.default.json
-  permissions_boundary = var.permissions_boundary
-  tags                 = var.tags
-}
-
-resource "aws_iam_role_policy" "default" {
-  count = local.create_policy && var.policy != null ? 1 : 0
-
-  name   = "LambdaRole-${var.name}"
-  role   = aws_iam_role.default[0].id
-  policy = var.policy
+  source                = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.3.3"
+  name                  = join("-", compact([var.role_prefix, "LambdaRole", var.name]))
+  create_policy         = var.create_policy
+  permissions_boundary  = var.permissions_boundary
+  postfix               = false
+  principal_identifiers = ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]
+  principal_type        = "Service"
+  role_policy           = var.policy
+  tags                  = var.tags
+
+  policy_arns = compact([
+    var.cloudwatch_logs ? "arn:aws:iam::aws:policy/service-role/AWSLambda${local.execution_type}ExecutionRole" : null,
+    var.tracing_config_mode != null ? "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess" : null,
+  ])
 }
 
 resource "aws_cloudwatch_log_group" "default" {
@@ -50,20 +38,6 @@ resource "aws_cloudwatch_log_group" "default" {
   tags              = var.tags
 }
 
-resource "aws_iam_role_policy_attachment" "default" {
-  count = local.create_policy && var.cloudwatch_logs ? 1 : 0
-
-  role       = aws_iam_role.default[0].id
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambda${local.execution_type}ExecutionRole"
-}
-
-resource "aws_iam_role_policy_attachment" "enable_xray_daemon_write" {
-  count = local.create_policy && var.tracing_config_mode != null ? 1 : 0
-
-  role       = aws_iam_role.default[0].id
-  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
-}
-
 data "aws_subnet" "selected" {
   count = var.subnet_ids != null ? 1 : 0
 
@@ -166,7 +140,7 @@ resource "aws_lambda_function" "default" {
   memory_size                    = var.memory_size
   publish                        = var.publish
   reserved_concurrent_executions = var.reserved_concurrency
-  role                           = var.role_arn != null ? var.role_arn : aws_iam_role.default[0].arn
+  role                           = var.role_arn != null ? var.role_arn : module.lambda_role[0].arn
   runtime                        = var.runtime
   s3_bucket                      = var.s3_bucket
   s3_key                         = var.s3_key

moved.tf

@@ -0,0 +1,19 @@
+moved {
+  from = aws_iam_role_policy.default[0]
+  to   = module.lambda_role[0].aws_iam_role_policy.default[0]
+}
+
+moved {
+  from = aws_iam_role.default[0]
+  to   = module.lambda_role[0].aws_iam_role.default
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.default[0]
+  to   = module.lambda_role[0].aws_iam_role_policy_attachment.default["arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"]
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.enable_xray_daemon_write[0]
+  to   = module.lambda_role[0].aws_iam_role_policy_attachment.default["arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"]
+}

outputs.tf

@@ -19,7 +19,7 @@ output "qualified_arn" {
 }
 
 output "role_arn" {
-  value       = var.role_arn != null ? var.role_arn : aws_iam_role.default[0].arn
+  value       = var.role_arn != null ? var.role_arn : module.lambda_role[0].arn
   description = "ARN of the lambda execution role"
 }
 

variables.tf

@@ -119,7 +119,7 @@ variable "permissions_boundary" {
 variable "policy" {
   type        = string
   default     = null
-  description = "A valid lambda policy JSON document. Required if you don't specify a role_arn"
+  description = "A valid lambda policy JSON document. This policy is used if you don't specify a role_arn"
 }
 
 variable "publish" {