From 35aee988110bb4bb5537db330e39dad0489da7b8 Mon Sep 17 00:00:00 2001
From: Frank van Boven
Date: Tue, 23 Apr 2024 12:01:06 +0200
Subject: [PATCH 1/5] Refactor role and policy
---
main.tf | 78 ++++++++++++++++++++++++----------------------
outputs.tf | 2 +-
variables.tf | 6 ----
3 files changed, 37 insertions(+), 49 deletions(-)
diff --git a/main.tf b/main.tf
index 4baf964..1674edd 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,5 @@
 locals {
 create_event_invoke_config = var.retries != null || var.destination_on_failure != null || var.destination_on_success != null ? { create : true } : {}
- create_policy = var.role_arn == null && (var.create_policy != null ? var.create_policy : true)
 dead_letter_config = var.dead_letter_target_arn != null ? { create : true } : {}
 environment = var.environment != null ? { create : true } : {}
 ephemeral_storage = var.ephemeral_storage_size != null ? { create : true } : {}
@@ -11,34 +10,23 @@ locals {
 vpc_config = var.subnet_ids != null ? { create : true } : {}
 }
-data "aws_iam_policy_document" "default" {
- statement {
- actions = [
- "sts:AssumeRole"
- ]
-
- principals {
- type = "Service"
- identifiers = ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "default" {
+module "lambda_role" {
 count = var.role_arn == null ? 1 : 0
- name = join("-", compact([var.role_prefix, "LambdaRole", var.name]))
- assume_role_policy = data.aws_iam_policy_document.default.json
- permissions_boundary = var.permissions_boundary
- tags = var.tags
-}
-
-resource "aws_iam_role_policy" "default" {
- count = local.create_policy && var.policy != null ? 1 : 0
-
- name = "LambdaRole-${var.name}"
- role = aws_iam_role.default[0].id
- policy = var.policy
+ source = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.3.3"
+ name = join("-", compact([var.role_prefix, "LambdaRole", var.name]))
+ create_policy = true
+ permissions_boundary = var.permissions_boundary
+ postfix = false
+ principal_identifiers = ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]
+ principal_type = "Service"
+ role_policy = var.policy
+ tags = var.tags
+
+ policy_arns = compact([
+ var.cloudwatch_logs ? "arn:aws:iam::aws:policy/service-role/AWSLambda${local.execution_type}ExecutionRole" : null,
+ var.tracing_config_mode != null ? "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess" : null,
+ ])
 }
 resource "aws_cloudwatch_log_group" "default" {
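Review bot: The guard on creating the inline role policy is lost in the `module "lambda_role"` call: the removed `aws_iam_role_policy.default` had `count = local.create_policy && var.policy != null ? 1 : 0`, while the module now receives `create_policy = true` and `role_policy = var.policy` unconditionally, so a caller that leaves `policy` null depends on how the external module handles a null `role_policy`, which is not visible here. Keeping the condition on the module input, e.g. `create_policy = var.policy != null`, preserves the old contract. Separately, `source = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.3.3"` pins a git tag that the upstream repository can re-point; since this module now creates the Lambda execution role and attaches its policies, pinning `ref=` to the commit hash behind v0.3.3 (if the repository's conventions allow it) makes the fetch reproducible. The `module "lambda_role"` block is complete within the hunk.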
@@ -50,20 +38,6 @@ resource "aws_cloudwatch_log_group" "default" {
 tags = var.tags
 }
-resource "aws_iam_role_policy_attachment" "default" {
- count = local.create_policy && var.cloudwatch_logs ? 1 : 0
-
- role = aws_iam_role.default[0].id
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambda${local.execution_type}ExecutionRole"
-}
-
-resource "aws_iam_role_policy_attachment" "enable_xray_daemon_write" {
- count = local.create_policy && var.tracing_config_mode != null ? 1 : 0
-
- role = aws_iam_role.default[0].id
- policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
-}
-
 data "aws_subnet" "selected" {
 count = var.subnet_ids != null ? 1 : 0
@@ -166,7 +140,7 @@ resource "aws_lambda_function" "default" {
 memory_size = var.memory_size
 publish = var.publish
 reserved_concurrent_executions = var.reserved_concurrency
- role = var.role_arn != null ? var.role_arn : aws_iam_role.default[0].arn
+ role = var.role_arn != null ? var.role_arn : module.lambda_role[0].arn
 runtime = var.runtime
 s3_bucket = var.s3_bucket
 s3_key = var.s3_key
@@ -216,3 +190,23 @@ resource "aws_lambda_function" "default" {
 }
 }
 }
+
+moved {
+ from = aws_iam_role_policy.default[0]
+ to = module.lambda_role[0].aws_iam_role_policy.default[0]
+}
+
+moved {
+ from = aws_iam_role.default[0]
+ to = module.lambda_role[0].aws_iam_role.default
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.default[0]
+ to = module.lambda_role[0].aws_iam_role_policy_attachment.default["arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.enable_xray_daemon_write[0]
+ to = module.lambda_role[0].aws_iam_role_policy_attachment.default["arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"]
+}
diff --git a/outputs.tf b/outputs.tf
index 04ae1dc..ca018b3 100644
--- a/outputs.tf
+++ b/outputs.tf
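Review bot: The third `moved` block hard-codes `AWSLambdaVPCAccessExecutionRole` as the target instance key, but the attachment it migrates used `policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambda${local.execution_type}ExecutionRole"` and the new `policy_arns` list keeps that interpolation, so for any deployment where `local.execution_type` (defined outside the hunk) is not `VPCAccess` the `from` object is moved to an address the module never declares. In that case Terraform would, as far as I can tell, plan to destroy the old attachment and create the correct one, which briefly detaches the execution policy from a live Lambda role and is worth calling out before upgrading. Since a `moved` block cannot use an expression in `to`, and two `moved` blocks with the same `from` are rejected as far as I recall, the least a reader needs is a comment above it such as `# Only matches roles created with execution_type = "VPCAccess"; other deployments need a manual state move`, naming which `local.execution_type` values are covered. The same block is carried into moved.tf by the next patch in the series.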
@@ -19,7 +19,7 @@ output "qualified_arn" {
 }
 output "role_arn" {
- value = var.role_arn != null ? var.role_arn : aws_iam_role.default[0].arn
+ value = var.role_arn != null ? var.role_arn : module.lambda_role[0].arn
 description = "ARN of the lambda execution role"
 }
diff --git a/variables.tf b/variables.tf
index 25356b2..3ac7c91 100644
--- a/variables.tf
+++ b/variables.tf
@@ -21,12 +21,6 @@ variable "code_signing_config_arn" {
 description = "ARN for a Code Signing Configuration"
 }
-variable "create_policy" {
- type = bool
- default = null
- description = "Overrule whether the Lambda role policy has to be created"
-}
-
 variable "create_s3_dummy_object" {
 type = bool
 default = true
From bc33e4f45a3fd7401fbd9214f5e6c513f06d8df9 Mon Sep 17 00:00:00 2001
From: Frank van Boven
Date: Tue, 23 Apr 2024 12:08:24 +0200
Subject: [PATCH 2/5] Move moved statements
---
main.tf | 20 --------------------
moved.tf | 19 +++++++++++++++++++
2 files changed, 19 insertions(+), 20 deletions(-)
create mode 100644 moved.tf
diff --git a/main.tf b/main.tf
index 1674edd..77f757a 100644
--- a/main.tf
+++ b/main.tf
@@ -190,23 +190,3 @@ resource "aws_lambda_function" "default" {
 }
 }
 }
-
-moved {
- from = aws_iam_role_policy.default[0]
- to = module.lambda_role[0].aws_iam_role_policy.default[0]
-}
-
-moved {
- from = aws_iam_role.default[0]
- to = module.lambda_role[0].aws_iam_role.default
-}
-
-moved {
- from = aws_iam_role_policy_attachment.default[0]
- to = module.lambda_role[0].aws_iam_role_policy_attachment.default["arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"]
-}
-
-moved {
- from = aws_iam_role_policy_attachment.enable_xray_daemon_write[0]
- to = module.lambda_role[0].aws_iam_role_policy_attachment.default["arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"]
-}
diff --git a/moved.tf b/moved.tf
new file mode 100644
index 0000000..3149c1c
--- /dev/null
+++ b/moved.tf
@@ -0,0 +1,19 @@
+moved {
+ from = aws_iam_role_policy.default[0]
+ to = module.lambda_role[0].aws_iam_role_policy.default[0]
+}
+
+moved {
+ from = aws_iam_role.default[0]
+ to = module.lambda_role[0].aws_iam_role.default
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.default[0]
+ to = module.lambda_role[0].aws_iam_role_policy_attachment.default["arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.enable_xray_daemon_write[0]
+ to = module.lambda_role[0].aws_iam_role_policy_attachment.default["arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"]
+}
From 1f8777e77763cd8b6784cbfb1c2653bb755d5c05 Mon Sep 17 00:00:00 2001
From: Frank van Boven
Date: Tue, 23 Apr 2024 13:07:24 +0200
Subject: [PATCH 3/5] Reintroduce create_policy
---
main.tf | 2 +-
variables.tf | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 77f757a..35bf24e 100644
--- a/main.tf
+++ b/main.tf
@@ -15,7 +15,7 @@ module "lambda_role" {
 source = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.3.3"
 name = join("-", compact([var.role_prefix, "LambdaRole", var.name]))
- create_policy = true
+ create_policy = var.create_policy
 permissions_boundary = var.permissions_boundary
 postfix = false
 principal_identifiers = ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]
diff --git a/variables.tf b/variables.tf
index 3ac7c91..25356b2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -21,6 +21,12 @@ variable "code_signing_config_arn" {
 description = "ARN for a Code Signing Configuration"
 }
+variable "create_policy" {
+ type = bool
+ default = null
+ description = "Overrule whether the Lambda role policy has to be created"
+}
+
 variable "create_s3_dummy_object" {
 type = bool
 default = true
From 8f41ae8248998499d392b9e6d9089e3a0df5fa7a Mon Sep 17 00:00:00 2001
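Review bot: `create_policy = var.create_policy` in the main.tf hunk of PATCH 3/5 passes the variable's null default straight through, and Terraform, as far as I know, treats a null module argument as "use the module's own default", so callers that never set `create_policy` now get whatever terraform-aws-mcaf-role v0.3.3 defaults to rather than the old behaviour, which was `true` only when `var.policy != null`. If the intent is to keep that contract, `create_policy = coalesce(var.create_policy, true) && var.policy != null` reproduces the removed `local.create_policy` logic (minus the `var.role_arn == null` part, which the module's `count` already covers). The module's default for `create_policy` is not visible in this series, so the pass-through may be intentional; a sentence in the reintroduced variable description stating what a null value means would settle it for callers.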
From: Frank van Boven
Date: Tue, 23 Apr 2024 13:31:42 +0200
Subject: [PATCH 4/5] Tweak variable description
---
variables.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 25356b2..e31986e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -119,7 +119,7 @@ variable "permissions_boundary" {
 variable "policy" {
 type = string
 default = null
- description = "A valid lambda policy JSON document. Required if you don't specify a role_arn"
+ description = "A valid lambda policy JSON document. This policy is used if you don't specify a role_arn"
 }
 variable "publish" {
From 924877c97821b23649ebc8bb0ed156e62ed9f119 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 23 Apr 2024 11:32:10 +0000
Subject: [PATCH 5/5] docs(readme): update module usage
---
README.md | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 6e6af84..c07b639 100644
--- a/README.md
+++ b/README.md
@@ -22,24 +22,21 @@ IMPORTANT: We do not pin modules to versions in our examples. We highly recommen
 ## Modules
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| [lambda\_role](#module\_lambda\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.3 |
 ## Resources
 | Name | Type |
 |------|------|
 | [aws_cloudwatch_log_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.enable_xray_daemon_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_function.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_function_event_invoke_config.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_event_invoke_config) | resource |
 | [aws_s3_object.s3_dummy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_vpc_security_group_egress_rule.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [archive_file.dummy](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
-|
[aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_subnet.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 ## Inputs
@@ -65,7 +62,7 @@ No modules.
 | [log\_retention](#input\_log\_retention) | Number of days to retain log events in the specified log group | `number` | `365` | no |
 | [memory\_size](#input\_memory\_size) | The memory size of the lambda | `number` | `null` | no |
 | [permissions\_boundary](#input\_permissions\_boundary) | The permissions boundary to set on the role | `string` | `null` | no |
-| [policy](#input\_policy) | A valid lambda policy JSON document. Required if you don't specify a role\_arn | `string` | `null` | no |
+| [policy](#input\_policy) | A valid lambda policy JSON document. This policy is used if you don't specify a role\_arn | `string` | `null` | no |
 | [publish](#input\_publish) | Whether to publish creation/change as new lambda function version | `bool` | `false` | no |
 | [reserved\_concurrency](#input\_reserved\_concurrency) | The amount of reserved concurrent executions for this lambda function | `number` | `null` | no |
 | [retries](#input\_retries) | Maximum number of retries for the Lambda invocation | `number` | `null` | no |