Add support for declaring simple lambda permissions in-module

cloudposse · Jul 8, 2024 · dc59790 · dc59790
1 parent 7e6bb30
commit dc59790
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -103,7 +103,24 @@ module "lambda" {
     }
   JSON
 
+  invoke_function_permissions = [
+    {
+      principal  = "s3.amazonaws.com"
+      source_arn = aws_s3_bucket.example.arn
+    }
+  ]
+
   context = module.this.context
 
   depends_on = [aws_iam_policy.inside]
 }
+
+resource "aws_s3_bucket" "example" {}
+
+resource "aws_s3_bucket_notification" "example" {
+  bucket = aws_s3_bucket.example.id
+  lambda_function {
+    lambda_function_arn = module.lambda.arn
+    events              = ["s3:ObjectCreated:*"]
+  }
+}
diff --git a/lambda-permissions.tf b/lambda-permissions.tf
@@ -0,0 +1,8 @@
+resource "aws_lambda_permission" "invoke_function" {
+  for_each = local.enabled ? { for i, permission in var.invoke_function_permissions: i => permission } : {}
+
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.this[0].function_name
+  principal     = each.value.principal
+  source_arn    = each.value.source_arn
+}
diff --git a/variables.tf b/variables.tf
@@ -245,3 +245,12 @@ variable "inline_iam_policy" {
   description = "Inline policy document (JSON) to attach to the lambda role"
   default     = null
 }
+
+variable "invoke_function_permissions" {
+  type = list(object({
+    principal  = string
+    source_arn = string
+  }))
+  description = "Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission. NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module"
+  default = []
+}