Commit 451ce00

feat(Lambda): add ability to include Lambda@Edge svc in exec role
1 parent 300481e commit 451ce00

3 files changed

Lines changed: 19 additions & 9 deletions

AWS_Lambda/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,7 @@ No modules.
7676
| <a name="input_description"></a> [description](#input\_description) | (Optional) The Lambda function description. | `string` | `null` | no |
7777
| <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | (Optional) Map of env vars to make accessible to the function during execution. | `map(string)` | `null` | no |
7878
| <a name="input_event_source_mapping"></a> [event\_source\_mapping](#input\_event\_source\_mapping) | (Optional) Config object to setup an event source mapping for the Lambda function.<br>This allows Lambda functions to get events from Kinesis, DynamoDB, SQS, Amazon MQ<br>and Managed Streaming for Apache Kafka (MSK). Reference documentation for these<br>arguments is available [here][var-ref-event-src-mapping]. | <pre>object({<br> enabled = optional(bool)<br> event_source_arn = optional(string)<br> filter_patterns = optional(list(string))<br> starting_position = optional(string)<br> starting_position_timestamp = optional(string) # RFC3339 timestamp<br> queues = optional(string)<br> batch_size = optional(number)<br> maximum_batching_window_in_seconds = optional(number)<br> maximum_record_age_in_seconds = optional(number)<br> maximum_retry_attempts = optional(number)<br> destination_config = optional(object({<br> on_success_dest_resource_arn = string # TODO this is not being used<br> on_failure_dest_resource_arn = optional(string)<br> }))<br> })</pre> | `null` | no |
79-
| <a name="input_execution_role"></a> [execution\_role](#input\_execution\_role) | Config object for the Lambda function's execution role. | <pre>object({<br> name = string<br> description = optional(string)<br> path = optional(string)<br> tags = optional(map(string))<br> attach_policy_arns = optional(list(string))<br> attach_policies = optional(map(<br> # map keys: IAM policy names/IDs<br> object({<br> policy_json = optional(string)<br> statements = optional(list(object({<br> sid = optional(string)<br> effect = string<br> actions = list(string)<br> resources = optional(list(string))<br> conditions = optional(map(<br> # map keys: IAM condition operators (e.g., "StringEquals", "ArnLike")<br> object({<br> key = string<br> values = list(string)<br> })<br> ))<br> })))<br> description = optional(string)<br> path = optional(string)<br> tags = optional(map(string))<br> })<br> ))<br> })</pre> | n/a | yes |
79+
| <a name="input_execution_role"></a> [execution\_role](#input\_execution\_role) | Config object for the Lambda function's execution role. | <pre>object({<br> name = string<br> description = optional(string)<br> path = optional(string)<br> tags = optional(map(string))<br> add_edge_service_principal = optional(bool, false)<br> attach_policy_arns = optional(list(string))<br> attach_policies = optional(map(<br> # map keys: IAM policy names/IDs<br> object({<br> policy_json = optional(string)<br> statements = optional(list(object({<br> sid = optional(string)<br> effect = string<br> actions = list(string)<br> resources = optional(list(string))<br> conditions = optional(map(<br> # map keys: IAM condition operators (e.g., "StringEquals", "ArnLike")<br> object({<br> key = string<br> values = list(string)<br> })<br> ))<br> })))<br> description = optional(string)<br> path = optional(string)<br> tags = optional(map(string))<br> })<br> ))<br> })</pre> | n/a | yes |
8080
| <a name="input_handler"></a> [handler](#input\_handler) | (Optional) The Lambda function handler. | `string` | `"index.handler"` | no |
8181
| <a name="input_lambda_permissions"></a> [lambda\_permissions](#input\_lambda\_permissions) | (Optional) Map of principal names to Lambda permission config objects. Gives an<br>external source (like an EventBridge Rule, SNS, or S3) permission to access the<br>Lambda function. The principals can be AWS services, like "events.amazonaws.com",<br>or AWS account IDs - any external principal that requires permission to invoke<br>the Lambda function. With "qualifier" you can optionally narrow the permission to<br>just a specific version or function alias. To ensure the permissions granted are<br>not too broad, AWS service principals must be provided with a "source\_arn"; for<br>example, if the principal is EventBridge (events.amazonaws.com), the "source\_arn"<br>would be that of the EventBridge Rule. "principal\_org\_id" can be used to provide<br>permissions to all accounts within an Organization. | <pre>map(<br> # map keys: principal names ("events.amazonaws.com", account IDs, etc.)<br> object({<br> action = string # e.g., "lambda:InvokeFunction"<br> statement_id = optional(string)<br> qualifier = optional(string) # option to specify a version or alias<br> source_account = optional(string)<br> source_arn = optional(string) # Required if principal is an AWS service<br> principal_org_id = optional(string) # Principal would be the Org root account<br> })<br> )</pre> | `{}` | no |
8282
| <a name="input_name"></a> [name](#input\_name) | The Lambda function name. | `string` | n/a | yes |
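Review bot: the regenerated `execution_role` row adds `add_edge_service_principal = optional(bool, false)` to the type listing but nothing in the row's description says what the flag does. A reader of the README cannot tell that setting it to `true` adds `edgelambda.amazonaws.com` as a trusted service principal on the execution role's assume-role policy (which is what the `main.Lambda_ExecRole.tf` hunk in this commit implements). Suggest extending the description text for this variable, e.g. "Set `add_edge_service_principal` to `true` only for functions deployed via Lambda@Edge; it adds the `edgelambda.amazonaws.com` service principal to the role's trust policy." Keeping the trust policy documented matters here because widening who may assume an execution role is the security-relevant part of this change.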

AWS_Lambda/main.Lambda_ExecRole.tf

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -10,9 +10,18 @@ resource "aws_iam_role" "Lambda_ExecRole" {
1010
assume_role_policy = jsonencode({
1111
Version = "2012-10-17"
1212
Statement = {
13-
Effect = "Allow"
14-
Principal = { Service = "lambda.amazonaws.com" }
15-
Action = "sts:AssumeRole"
13+
Effect = "Allow"
14+
Principal = {
15+
Service = flatten([
16+
"lambda.amazonaws.com",
17+
(
18+
var.execution_role.add_edge_service_principal == true
19+
? ["edgelambda.amazonaws.com"]
20+
: []
21+
)
22+
])
23+
}
24+
Action = "sts:AssumeRole"
1625
}
1726
})
1827
}
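Review bot: the comparison `var.execution_role.add_edge_service_principal == true` is redundant, since the attribute is declared `optional(bool, false)` in `variables.tf` and therefore is never null; `var.execution_role.add_edge_service_principal ? ["edgelambda.amazonaws.com"] : []` reads more directly. Two further points on this hunk: first, `Principal.Service` changes from the string `"lambda.amazonaws.com"` to a list produced by `flatten([...])` for every caller, including those that leave the flag at its default, so it is worth confirming on an existing deployment that the provider does not report a spurious `assume_role_policy` diff from the string-to-list change; second, a one-line comment above the `flatten` explaining that the edge principal is only needed for Lambda@Edge replicas would help a reviewer of the trust policy see why the role's trust is being widened and why it is off by default.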

AWS_Lambda/variables.tf

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -60,11 +60,12 @@ variable "should_publish_new_version" {
6060
variable "execution_role" {
6161
description = "Config object for the Lambda function's execution role."
6262
type = object({
63-
name = string
64-
description = optional(string)
65-
path = optional(string)
66-
tags = optional(map(string))
67-
attach_policy_arns = optional(list(string))
63+
name = string
64+
description = optional(string)
65+
path = optional(string)
66+
tags = optional(map(string))
67+
add_edge_service_principal = optional(bool, false)
68+
attach_policy_arns = optional(list(string))
6869
attach_policies = optional(map(
6970
# map keys: IAM policy names/IDs
7071
object({
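Review bot: the new attribute `add_edge_service_principal = optional(bool, false)` is added without any documentation, while the surrounding attributes carry inline comments (e.g. `# map keys: IAM policy names/IDs` on `attach_policies`) and the variable's `description` string is left unchanged. Suggest adding a trailing comment in the same style, e.g. `add_edge_service_principal = optional(bool, false) # trust edgelambda.amazonaws.com (Lambda@Edge)`, so the effect on the role's trust policy is visible where the type is declared and the generated README picks it up.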
