diff --git a/aws/data_source_aws_lambda_code_signing_config.go b/aws/data_source_aws_lambda_code_signing_config.go new file mode 100644 index 00000000000..92a49a40098 --- /dev/null +++ b/aws/data_source_aws_lambda_code_signing_config.go @@ -0,0 +1,114 @@ +package aws + +import ( + "fmt" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/lambda" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func dataSourceAwsLambdaCodeSigningConfig() *schema.Resource { + return &schema.Resource{ + Read: dataSourceAwsLambdaCodeSigningConfigRead, + + Schema: map[string]*schema.Schema{ + "arn": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validateArn, + }, + "allowed_publishers": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "signing_profile_version_arns": { + Type: schema.TypeSet, + Computed: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + Set: schema.HashString, + }, + }, + }, + }, + "policies": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "untrusted_artifact_on_deployment": { + Type: schema.TypeString, + Computed: true, + }, + }, + }, + }, + "description": { + Type: schema.TypeString, + Computed: true, + }, + "config_id": { + Type: schema.TypeString, + Computed: true, + }, + "last_modified": { + Type: schema.TypeString, + Computed: true, + }, + }, + } +} + +func dataSourceAwsLambdaCodeSigningConfigRead(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).lambdaconn + + arn := d.Get("arn").(string) + + configOutput, err := conn.GetCodeSigningConfig(&lambda.GetCodeSigningConfigInput{ + CodeSigningConfigArn: aws.String(arn), + }) + + if err != nil { + return fmt.Errorf("error getting Lambda code signing config (%s): %s", arn, err) + } + + if configOutput == nil { + return fmt.Errorf("error getting Lambda code signing config (%s): empty response", arn) + } + + codeSigningConfig := configOutput.CodeSigningConfig + if codeSigningConfig == nil { + return fmt.Errorf("error getting Lambda code signing config (%s): empty CodeSigningConfig", arn) + } + + if err := d.Set("config_id", codeSigningConfig.CodeSigningConfigId); err != nil { + return fmt.Errorf("error setting lambda code signing config id: %s", err) + } + + if err := d.Set("description", codeSigningConfig.Description); err != nil { + return fmt.Errorf("error setting lambda code signing config description: %s", err) + } + + if err := d.Set("last_modified", codeSigningConfig.LastModified); err != nil { + return fmt.Errorf("error setting lambda code signing config last modified: %s", err) + } + + if err := d.Set("allowed_publishers", flattenLambdaCodeSigningConfigAllowedPublishers(codeSigningConfig.AllowedPublishers)); err != nil { + return fmt.Errorf("error setting lambda code signing config allowed publishers: %s", err) + } + + if err := d.Set("policies", []interface{}{ + map[string]interface{}{ + "untrusted_artifact_on_deployment": codeSigningConfig.CodeSigningPolicies.UntrustedArtifactOnDeployment, + }, + }); err != nil { + return fmt.Errorf("error setting lambda code signing config code signing policies: %s", err) + } + + d.SetId(aws.StringValue(codeSigningConfig.CodeSigningConfigArn)) + + return nil +} diff --git a/aws/data_source_aws_lambda_code_signing_config_test.go b/aws/data_source_aws_lambda_code_signing_config_test.go new file mode 100644 index 00000000000..cacc267b287 --- /dev/null +++ b/aws/data_source_aws_lambda_code_signing_config_test.go @@ -0,0 +1,124 @@ +package aws + +import ( + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" +) + +func TestAccDataSourceAWSLambdaCodeSigningConfig_basic(t *testing.T) { + dataSourceName := "data.aws_lambda_code_signing_config.test" + resourceName := "aws_lambda_code_signing_config.test" + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccDataSourceAWSLambdaCodeSigningConfigBasic, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrPair(dataSourceName, "arn", resourceName, "arn"), + resource.TestCheckResourceAttrPair(dataSourceName, "allowed_publishers.0.signing_profile_version_arns.#", resourceName, "allowed_publishers.0.signing_profile_version_arns.#"), + ), + }, + }, + }) +} + +func TestAccDataSourceAWSLambdaCodeSigningConfig_PolicyConfigId(t *testing.T) { + dataSourceName := "data.aws_lambda_code_signing_config.test" + resourceName := "aws_lambda_code_signing_config.test" + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccDataSourceAWSLambdaCodeSigningConfigConfigurePolicy, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrPair(dataSourceName, "arn", resourceName, "arn"), + resource.TestCheckResourceAttrPair(dataSourceName, "allowed_publishers.0.signing_profile_version_arns.#", resourceName, "allowed_publishers.0.signing_profile_version_arns.#"), + resource.TestCheckResourceAttrPair(dataSourceName, "policies", resourceName, "policies"), + resource.TestCheckResourceAttrPair(dataSourceName, "config_id", resourceName, "config_id"), + ), + }, + }, + }) +} + +func TestAccDataSourceAWSLambdaCodeSigningConfig_Description(t *testing.T) { + dataSourceName := "data.aws_lambda_code_signing_config.test" + resourceName := "aws_lambda_code_signing_config.test" + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccDataSourceAWSLambdaCodeSigningConfigConfigureDescription, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrPair(dataSourceName, "arn", resourceName, "arn"), + resource.TestCheckResourceAttrPair(dataSourceName, "allowed_publishers.0.signing_profile_version_arns.#", resourceName, "allowed_publishers.0.signing_profile_version_arns.#"), + resource.TestCheckResourceAttrPair(dataSourceName, "description", resourceName, "description"), + ), + }, + }, + }) +} + +const testAccDataSourceAWSLambdaCodeSigningConfigBasic = ` +resource "aws_signer_signing_profile" "test" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_lambda_code_signing_config" "test" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.test.version_arn + ] + } +} + +data "aws_lambda_code_signing_config" "test" { + arn = aws_lambda_code_signing_config.test.arn +} +` + +const testAccDataSourceAWSLambdaCodeSigningConfigConfigurePolicy = ` +resource "aws_signer_signing_profile" "test" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_lambda_code_signing_config" "test" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.test.version_arn + ] + } + + policies { + untrusted_artifact_on_deployment = "Warn" + } +} + +data "aws_lambda_code_signing_config" "test" { + arn = aws_lambda_code_signing_config.test.arn +} +` + +const testAccDataSourceAWSLambdaCodeSigningConfigConfigureDescription = ` +resource "aws_signer_signing_profile" "test" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_lambda_code_signing_config" "test" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.test.version_arn + ] + } + + description = "Code Signing Config for app A" +} + +data "aws_lambda_code_signing_config" "test" { + arn = aws_lambda_code_signing_config.test.arn +} +` diff --git a/aws/data_source_aws_lambda_function.go b/aws/data_source_aws_lambda_function.go index eef73afe14c..2af279f2670 100644 --- a/aws/data_source_aws_lambda_function.go +++ b/aws/data_source_aws_lambda_function.go @@ -169,6 +169,18 @@ func dataSourceAwsLambdaFunction() *schema.Resource { Computed: true, }, "tags": tagsSchemaComputed(), + "signing_profile_version_arn": { + Type: schema.TypeString, + Computed: true, + }, + "signing_job_arn": { + Type: schema.TypeString, + Computed: true, + }, + "code_signing_config_arn": { + Type: schema.TypeString, + Computed: true, + }, }, } } @@ -243,6 +255,16 @@ func dataSourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) e d.Set("memory_size", function.MemorySize) d.Set("qualified_arn", qualifiedARN) + // Add Signing Profile Version ARN + if err := d.Set("signing_profile_version_arn", function.SigningProfileVersionArn); err != nil { + return fmt.Errorf("Error setting signing profile version arn for Lambda Function: %s", err) + } + + // Add Signing Job ARN + if err := d.Set("signing_job_arn", function.SigningJobArn); err != nil { + return fmt.Errorf("Error setting signing job arn for Lambda Function: %s", err) + } + reservedConcurrentExecutions := int64(-1) if output.Concurrency != nil { reservedConcurrentExecutions = aws.Int64Value(output.Concurrency.ReservedConcurrentExecutions) @@ -281,6 +303,23 @@ func dataSourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) e return fmt.Errorf("error setting file_system_config: %s", err) } + // Get Code Signing Config Output + // If code signing config output exists, set it to that value, otherwise set it empty. + codeSigningConfigInput := &lambda.GetFunctionCodeSigningConfigInput{ + FunctionName: aws.String(d.Get("function_name").(string)), + } + + getCodeSigningConfigOutput, err := conn.GetFunctionCodeSigningConfig(codeSigningConfigInput) + if err != nil { + return fmt.Errorf("error getting Lambda Function (%s) Code Signing Config: %w", aws.StringValue(function.FunctionName), err) + } + + if getCodeSigningConfigOutput == nil || getCodeSigningConfigOutput.CodeSigningConfigArn == nil { + d.Set("code_signing_config_arn", "") + } else { + d.Set("code_signing_config_arn", getCodeSigningConfigOutput.CodeSigningConfigArn) + } + d.SetId(aws.StringValue(function.FunctionName)) return nil diff --git a/aws/data_source_aws_lambda_function_test.go b/aws/data_source_aws_lambda_function_test.go index 55395593659..4a2557ba05a 100644 --- a/aws/data_source_aws_lambda_function_test.go +++ b/aws/data_source_aws_lambda_function_test.go @@ -39,6 +39,9 @@ func TestAccDataSourceAWSLambdaFunction_basic(t *testing.T) { resource.TestCheckResourceAttrPair(dataSourceName, "tracing_config.#", resourceName, "tracing_config.#"), resource.TestCheckResourceAttrPair(dataSourceName, "tracing_config.0.mode", resourceName, "tracing_config.0.mode"), resource.TestCheckResourceAttrPair(dataSourceName, "version", resourceName, "version"), + resource.TestCheckResourceAttrPair(dataSourceName, "signing_profile_version_arn", resourceName, "signing_profile_version_arn"), + resource.TestCheckResourceAttrPair(dataSourceName, "signing_job_arn", resourceName, "signing_job_arn"), + resource.TestCheckResourceAttrPair(dataSourceName, "code_signing_config_arn", resourceName, "code_signing_config_arn"), ), }, }, diff --git a/aws/data_source_aws_lambda_layer_version.go b/aws/data_source_aws_lambda_layer_version.go index e3de48b63a7..9e162d441d6 100644 --- a/aws/data_source_aws_lambda_layer_version.go +++ b/aws/data_source_aws_lambda_layer_version.go @@ -66,6 +66,14 @@ func dataSourceAwsLambdaLayerVersion() *schema.Resource { Type: schema.TypeInt, Computed: true, }, + "signing_profile_version_arn": { + Type: schema.TypeString, + Computed: true, + }, + "signing_job_arn": { + Type: schema.TypeString, + Computed: true, + }, }, } } @@ -142,6 +150,12 @@ func dataSourceAwsLambdaLayerVersionRead(d *schema.ResourceData, meta interface{ if err := d.Set("source_code_size", output.Content.CodeSize); err != nil { return fmt.Errorf("error setting lambda layer source code size: %s", err) } + if err := d.Set("signing_profile_version_arn", output.Content.SigningProfileVersionArn); err != nil { + return fmt.Errorf("Error setting lambda layer signing profile arn: %s", err) + } + if err := d.Set("signing_job_arn", output.Content.SigningJobArn); err != nil { + return fmt.Errorf("Error setting lambda layer signing job arn: %s", err) + } d.SetId(aws.StringValue(output.LayerVersionArn)) diff --git a/aws/data_source_aws_lambda_layer_version_test.go b/aws/data_source_aws_lambda_layer_version_test.go index 8347756f58b..b4611c4f171 100644 --- a/aws/data_source_aws_lambda_layer_version_test.go +++ b/aws/data_source_aws_lambda_layer_version_test.go @@ -30,6 +30,8 @@ func TestAccDataSourceAWSLambdaLayerVersion_basic(t *testing.T) { resource.TestCheckResourceAttrPair(dataSourceName, "created_date", resourceName, "created_date"), resource.TestCheckResourceAttrPair(dataSourceName, "source_code_hash", resourceName, "source_code_hash"), resource.TestCheckResourceAttrPair(dataSourceName, "source_code_size", resourceName, "source_code_size"), + resource.TestCheckResourceAttrPair(dataSourceName, "signing_profile_version_arn", resourceName, "signing_profile_version_arn"), + resource.TestCheckResourceAttrPair(dataSourceName, "signing_job_arn", resourceName, "signing_job_arn"), ), }, }, diff --git a/aws/provider.go b/aws/provider.go index 8fd45b6577b..8f9197c063c 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -281,6 +281,7 @@ func Provider() *schema.Provider { "aws_kms_secret": dataSourceAwsKmsSecret(), "aws_kms_secrets": dataSourceAwsKmsSecrets(), "aws_lambda_alias": dataSourceAwsLambdaAlias(), + "aws_lambda_code_signing_config": dataSourceAwsLambdaCodeSigningConfig(), "aws_lambda_function": dataSourceAwsLambdaFunction(), "aws_lambda_invocation": dataSourceAwsLambdaInvocation(), "aws_lambda_layer_version": dataSourceAwsLambdaLayerVersion(), @@ -730,6 +731,7 @@ func Provider() *schema.Provider { "aws_kms_key": resourceAwsKmsKey(), "aws_kms_ciphertext": resourceAwsKmsCiphertext(), "aws_lambda_alias": resourceAwsLambdaAlias(), + "aws_lambda_code_signing_config": resourceAwsLambdaCodeSigningConfig(), "aws_lambda_event_source_mapping": resourceAwsLambdaEventSourceMapping(), "aws_lambda_function_event_invoke_config": resourceAwsLambdaFunctionEventInvokeConfig(), "aws_lambda_function": resourceAwsLambdaFunction(), diff --git a/aws/resource_aws_lambda_code_signing_config.go b/aws/resource_aws_lambda_code_signing_config.go new file mode 100644 index 00000000000..67119f1d4a8 --- /dev/null +++ b/aws/resource_aws_lambda_code_signing_config.go @@ -0,0 +1,250 @@ +package aws + +import ( + "fmt" + "log" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/lambda" + "github.com/hashicorp/aws-sdk-go-base/tfawserr" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" +) + +func resourceAwsLambdaCodeSigningConfig() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsLambdaCodeSigningConfigCreate, + Read: resourceAwsLambdaCodeSigningConfigRead, + Update: resourceAwsLambdaCodeSigningConfigUpdate, + Delete: resourceAwsLambdaCodeSigningConfigDelete, + + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Schema: map[string]*schema.Schema{ + "allowed_publishers": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "signing_profile_version_arns": { + Type: schema.TypeSet, + Required: true, + MinItems: 1, + MaxItems: 20, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateFunc: validateArn, + }, + Set: schema.HashString, + }, + }, + }, + }, + "policies": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "untrusted_artifact_on_deployment": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice( + lambda.CodeSigningPolicy_Values(), + false), + }, + }, + }, + }, + "arn": { + Type: schema.TypeString, + Computed: true, + }, + "config_id": { + Type: schema.TypeString, + Computed: true, + }, + "description": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringLenBetween(0, 256), + }, + "last_modified": { + Type: schema.TypeString, + Computed: true, + }, + }, + } +} + +func resourceAwsLambdaCodeSigningConfigCreate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).lambdaconn + + log.Printf("[DEBUG] Creating Lambda code signing config") + + configInput := &lambda.CreateCodeSigningConfigInput{ + AllowedPublishers: expandLambdaCodeSigningConfigAllowedPublishers(d.Get("allowed_publishers").([]interface{})), + Description: aws.String(d.Get("description").(string)), + } + + if v, ok := d.GetOk("policies"); ok { + codeSigningPolicies := v.([]interface{}) + policies := codeSigningPolicies[0].(map[string]interface{}) + configInput.CodeSigningPolicies = &lambda.CodeSigningPolicies{ + UntrustedArtifactOnDeployment: aws.String(policies["untrusted_artifact_on_deployment"].(string)), + } + } + + configOutput, err := conn.CreateCodeSigningConfig(configInput) + if err != nil { + return fmt.Errorf("error creating Lambda code signing config: %s", err) + } + + if configOutput == nil || configOutput.CodeSigningConfig == nil { + return fmt.Errorf("error creating Lambda code signing config: empty output") + } + d.SetId(aws.StringValue(configOutput.CodeSigningConfig.CodeSigningConfigArn)) + + return resourceAwsLambdaCodeSigningConfigRead(d, meta) +} + +func resourceAwsLambdaCodeSigningConfigRead(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).lambdaconn + + configOutput, err := conn.GetCodeSigningConfig(&lambda.GetCodeSigningConfigInput{ + CodeSigningConfigArn: aws.String(d.Id()), + }) + + if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, lambda.ErrCodeResourceNotFoundException) { + log.Printf("[WARN] Lambda Code Signing Config (%s) not found, removing from state", d.Id()) + d.SetId("") + return nil + } + + if err != nil { + return fmt.Errorf("error reading Lambda code signing config (%s): %s", d.Id(), err) + } + + codeSigningConfig := configOutput.CodeSigningConfig + if codeSigningConfig == nil { + return fmt.Errorf("error getting Lambda code signing config (%s): empty CodeSigningConfig", d.Id()) + } + + if err := d.Set("arn", codeSigningConfig.CodeSigningConfigArn); err != nil { + return fmt.Errorf("error setting lambda code signing config arn: %s", err) + } + + if err := d.Set("config_id", codeSigningConfig.CodeSigningConfigId); err != nil { + return fmt.Errorf("error setting lambda code signing config id: %s", err) + } + + if err := d.Set("description", codeSigningConfig.Description); err != nil { + return fmt.Errorf("error setting lambda code signing config description: %s", err) + } + + if err := d.Set("last_modified", codeSigningConfig.LastModified); err != nil { + return fmt.Errorf("error setting lambda code signing config last modified: %s", err) + } + + if err := d.Set("allowed_publishers", flattenLambdaCodeSigningConfigAllowedPublishers(codeSigningConfig.AllowedPublishers)); err != nil { + return fmt.Errorf("error setting lambda code signing config allowed publishers: %s", err) + } + + if err := d.Set("policies", flattenCodeSigningPolicies(codeSigningConfig.CodeSigningPolicies)); err != nil { + return fmt.Errorf("error setting lambda code signing config code signing policies: %s", err) + } + + return nil +} + +func resourceAwsLambdaCodeSigningConfigUpdate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).lambdaconn + + configInput := &lambda.UpdateCodeSigningConfigInput{ + CodeSigningConfigArn: aws.String(d.Id()), + } + + configUpdate := false + if d.HasChange("allowed_publishers") { + configInput.AllowedPublishers = expandLambdaCodeSigningConfigAllowedPublishers(d.Get("allowed_publishers").([]interface{})) + configUpdate = true + } + if d.HasChange("policies") { + codeSigningPolicies := d.Get("policies").([]interface{}) + policies := codeSigningPolicies[0].(map[string]interface{}) + configInput.CodeSigningPolicies = &lambda.CodeSigningPolicies{ + UntrustedArtifactOnDeployment: aws.String(policies["untrusted_artifact_on_deployment"].(string)), + } + configUpdate = true + } + if d.HasChange("description") { + configInput.Description = aws.String(d.Get("description").(string)) + configUpdate = true + } + + if configUpdate { + log.Printf("[DEBUG] Updating Lambda code signing config: %#v", configInput) + + _, err := conn.UpdateCodeSigningConfig(configInput) + if err != nil { + return fmt.Errorf("error updating Lambda code signing config (%s): %s", d.Id(), err) + } + } + + return resourceAwsLambdaCodeSigningConfigRead(d, meta) +} + +func resourceAwsLambdaCodeSigningConfigDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).lambdaconn + + _, err := conn.DeleteCodeSigningConfig(&lambda.DeleteCodeSigningConfigInput{ + CodeSigningConfigArn: aws.String(d.Id()), + }) + + if err != nil { + if tfawserr.ErrCodeEquals(err, lambda.ErrCodeResourceNotFoundException) { + return nil + } + return fmt.Errorf("error deleting Lambda code signing config (%s): %s", d.Id(), err) + } + + log.Printf("[DEBUG] Lambda code signing config %q deleted", d.Id()) + return nil +} + +func expandLambdaCodeSigningConfigAllowedPublishers(allowedPublishers []interface{}) *lambda.AllowedPublishers { + if len(allowedPublishers) == 0 || allowedPublishers[0] == nil { + return nil + } + + mAllowedPublishers := allowedPublishers[0].(map[string]interface{}) + + return &lambda.AllowedPublishers{ + SigningProfileVersionArns: expandStringSet(mAllowedPublishers["signing_profile_version_arns"].(*schema.Set)), + } +} + +func flattenLambdaCodeSigningConfigAllowedPublishers(allowedPublishers *lambda.AllowedPublishers) []interface{} { + if allowedPublishers == nil { + return []interface{}{} + } + + return []interface{}{map[string]interface{}{ + "signing_profile_version_arns": flattenStringSet(allowedPublishers.SigningProfileVersionArns), + }} +} + +func flattenCodeSigningPolicies(p *lambda.CodeSigningPolicies) []interface{} { + if p == nil { + return nil + } + m := map[string]interface{}{ + "untrusted_artifact_on_deployment": p.UntrustedArtifactOnDeployment, + } + + return []interface{}{m} +} diff --git a/aws/resource_aws_lambda_code_signing_config_test.go b/aws/resource_aws_lambda_code_signing_config_test.go new file mode 100644 index 00000000000..df40ae6000a --- /dev/null +++ b/aws/resource_aws_lambda_code_signing_config_test.go @@ -0,0 +1,240 @@ +package aws + +import ( + "fmt" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/lambda" + "github.com/hashicorp/aws-sdk-go-base/tfawserr" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/tfawsresource" +) + +func TestAccAWSLambdaCodeSigningConfig_basic(t *testing.T) { + resourceName := "aws_lambda_code_signing_config.code_signing_config" + signingProfile1 := "aws_signer_signing_profile.test1" + signingProfile2 := "aws_signer_signing_profile.test2" + var conf lambda.GetCodeSigningConfigOutput + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckCodeSigningConfigDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSLambdaCodeSigningConfigBasic(), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsCodeSigningConfigExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "description", "Code Signing Config for test account"), + resource.TestCheckResourceAttr(resourceName, "allowed_publishers.0.signing_profile_version_arns.#", "2"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "allowed_publishers.0.signing_profile_version_arns.*", signingProfile1, "version_arn"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "allowed_publishers.0.signing_profile_version_arns.*", signingProfile2, "version_arn"), + resource.TestCheckResourceAttr(resourceName, "policies.0.untrusted_artifact_on_deployment", "Warn"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAWSLambdaCodeSigningConfig_UpdatePolicy(t *testing.T) { + resourceName := "aws_lambda_code_signing_config.code_signing_config" + var conf lambda.GetCodeSigningConfigOutput + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckCodeSigningConfigDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSLambdaCodeSigningConfigBasic(), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsCodeSigningConfigExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "description", "Code Signing Config for test account"), + resource.TestCheckResourceAttr(resourceName, "policies.0.untrusted_artifact_on_deployment", "Warn"), + ), + }, + { + Config: testAccAWSLambdaCodeSigningConfigUpdatePolicy(), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsCodeSigningConfigExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "policies.0.untrusted_artifact_on_deployment", "Enforce"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAWSLambdaCodeSigningConfig_UpdatePublishers(t *testing.T) { + resourceName := "aws_lambda_code_signing_config.code_signing_config" + signingProfile1 := "aws_signer_signing_profile.test1" + signingProfile2 := "aws_signer_signing_profile.test2" + var conf lambda.GetCodeSigningConfigOutput + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckCodeSigningConfigDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSLambdaCodeSigningConfigBasic(), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsCodeSigningConfigExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "description", "Code Signing Config for test account"), + resource.TestCheckResourceAttr(resourceName, "allowed_publishers.0.signing_profile_version_arns.#", "2"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "allowed_publishers.0.signing_profile_version_arns.*", signingProfile1, "version_arn"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "allowed_publishers.0.signing_profile_version_arns.*", signingProfile2, "version_arn"), + ), + }, + { + Config: testAccAWSLambdaCodeSigningConfigUpdatePublishers(), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsCodeSigningConfigExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "allowed_publishers.0.signing_profile_version_arns.#", "1"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "allowed_publishers.0.signing_profile_version_arns.*", signingProfile1, "version_arn"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccAWSLambdaCodeSigningConfigUpdatePublishers() string { + return fmt.Sprintf(` +resource "aws_signer_signing_profile" "test1" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_signer_signing_profile" "test2" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_lambda_code_signing_config" "code_signing_config" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.test1.version_arn + ] + } +}`) +} + +func testAccAWSLambdaCodeSigningConfigUpdatePolicy() string { + return fmt.Sprintf(` +resource "aws_signer_signing_profile" "test1" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_signer_signing_profile" "test2" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_lambda_code_signing_config" "code_signing_config" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.test1.version_arn, + aws_signer_signing_profile.test2.version_arn + ] + } + + policies { + untrusted_artifact_on_deployment = "Enforce" + } +}`) +} + +func testAccAWSLambdaCodeSigningConfigBasic() string { + return fmt.Sprintf(` +resource "aws_signer_signing_profile" "test1" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_signer_signing_profile" "test2" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_lambda_code_signing_config" "code_signing_config" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.test1.version_arn, + aws_signer_signing_profile.test2.version_arn + ] + } + + policies { + untrusted_artifact_on_deployment = "Warn" + } + + description = "Code Signing Config for test account" +}`) +} + +func testAccCheckAwsCodeSigningConfigExists(n string, mapping *lambda.GetCodeSigningConfigOutput) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Code Signing Config not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("Code Signing Config ID not set") + } + + conn := testAccProvider.Meta().(*AWSClient).lambdaconn + + params := &lambda.GetCodeSigningConfigInput{ + CodeSigningConfigArn: aws.String(rs.Primary.ID), + } + + getCodeSigningConfig, err := conn.GetCodeSigningConfig(params) + if err != nil { + return err + } + + *mapping = *getCodeSigningConfig + + return nil + } +} + +func testAccCheckCodeSigningConfigDestroy(s *terraform.State) error { + conn := testAccProvider.Meta().(*AWSClient).lambdaconn + + for _, rs := range s.RootModule().Resources { + if rs.Type != "aws_lambda_code_signing_config" { + continue + } + + _, err := conn.GetCodeSigningConfig(&lambda.GetCodeSigningConfigInput{ + CodeSigningConfigArn: aws.String(rs.Primary.ID), + }) + + if tfawserr.ErrCodeEquals(err, lambda.ErrCodeResourceNotFoundException) { + continue + } + + if err != nil { + return err + } + + return fmt.Errorf("Code Signing Config still exists") + + } + + return nil + +} diff --git a/aws/resource_aws_lambda_function.go b/aws/resource_aws_lambda_function.go index 507777e4588..d93427ec539 100644 --- a/aws/resource_aws_lambda_function.go +++ b/aws/resource_aws_lambda_function.go @@ -63,6 +63,19 @@ func resourceAwsLambdaFunction() *schema.Resource { Optional: true, ConflictsWith: []string{"filename"}, }, + "code_signing_config_arn": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validateArn, + }, + "signing_profile_version_arn": { + Type: schema.TypeString, + Computed: true, + }, + "signing_job_arn": { + Type: schema.TypeString, + Computed: true, + }, "description": { Type: schema.TypeString, Optional: true, @@ -361,6 +374,10 @@ func resourceAwsLambdaFunctionCreate(d *schema.ResourceData, meta interface{}) e Publish: aws.Bool(d.Get("publish").(bool)), } + if v, ok := d.GetOk("code_signing_config_arn"); ok { + params.CodeSigningConfigArn = aws.String(v.(string)) + } + if v, ok := d.GetOk("layers"); ok && len(v.([]interface{})) > 0 { params.Layers = expandStringList(v.([]interface{})) } @@ -562,17 +579,60 @@ func resourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) err // getFunctionOutput.Configuration which holds metadata. function := getFunctionOutput.Configuration - d.Set("arn", function.FunctionArn) - d.Set("description", function.Description) - d.Set("handler", function.Handler) - d.Set("memory_size", function.MemorySize) - d.Set("last_modified", function.LastModified) - d.Set("role", function.Role) - d.Set("runtime", function.Runtime) - d.Set("timeout", function.Timeout) - d.Set("kms_key_arn", function.KMSKeyArn) - d.Set("source_code_hash", function.CodeSha256) - d.Set("source_code_size", function.CodeSize) + + if err := d.Set("arn", function.FunctionArn); err != nil { + return fmt.Errorf("Error setting function arn for Lambda Function: %s", err) + } + + if err := d.Set("description", function.Description); err != nil { + return fmt.Errorf("Error setting function description for Lambda Function: %s", err) + } + + if err := d.Set("handler", function.Handler); err != nil { + return fmt.Errorf("Error setting handler for Lambda Function: %s", err) + } + + if err := d.Set("memory_size", function.MemorySize); err != nil { + return fmt.Errorf("Error setting memory size for Lambda Function: %s", err) + } + + if err := d.Set("last_modified", function.LastModified); err != nil { + return fmt.Errorf("Error setting last modified time for Lambda Function: %s", err) + } + + if err := d.Set("role", function.Role); err != nil { + return fmt.Errorf("Error setting role for Lambda Function: %s", err) + } + + if err := d.Set("runtime", function.Runtime); err != nil { + return fmt.Errorf("Error setting runtime for Lambda Function: %s", err) + } + + if err := d.Set("timeout", function.Timeout); err != nil { + return fmt.Errorf("Error setting timeout for Lambda Function: %s", err) + } + + if err := d.Set("kms_key_arn", function.KMSKeyArn); err != nil { + return fmt.Errorf("Error setting KMS key arn for Lambda Function: %s", err) + } + + if err := d.Set("source_code_hash", function.CodeSha256); err != nil { + return fmt.Errorf("Error setting CodeSha256 for Lambda Function: %s", err) + } + + if err := d.Set("source_code_size", function.CodeSize); err != nil { + return fmt.Errorf("Error setting code size for Lambda Function: %s", err) + } + + // Add Signing Profile Version ARN + if err := d.Set("signing_profile_version_arn", function.SigningProfileVersionArn); err != nil { + return fmt.Errorf("Error setting signing profile version arn for Lambda Function: %s", err) + } + + // Add Signing Job ARN + if err := d.Set("signing_job_arn", function.SigningJobArn); err != nil { + return fmt.Errorf("Error setting signing job arn for Lambda Function: %s", err) + } fileSystemConfigs := flattenLambdaFileSystemConfigs(function.FileSystemConfigs) log.Printf("[INFO] Setting Lambda %s file system configs %#v from API", d.Id(), fileSystemConfigs) @@ -651,6 +711,23 @@ func resourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) err invokeArn := lambdaFunctionInvokeArn(*function.FunctionArn, meta) d.Set("invoke_arn", invokeArn) + // Get Code Signing Config Output + // If code signing config output exists, set it to that value, otherwise set it empty. + codeSigningConfigInput := &lambda.GetFunctionCodeSigningConfigInput{ + FunctionName: aws.String(d.Get("function_name").(string)), + } + + getCodeSigningConfigOutput, err := conn.GetFunctionCodeSigningConfig(codeSigningConfigInput) + if err != nil { + return fmt.Errorf("error getting Lambda Function (%s) code signing config %w", d.Id(), err) + } + + if getCodeSigningConfigOutput == nil || getCodeSigningConfigOutput.CodeSigningConfigArn == nil { + d.Set("code_signing_config_arn", "") + } else { + d.Set("code_signing_config_arn", getCodeSigningConfigOutput.CodeSigningConfigArn) + } + return nil } @@ -704,6 +781,33 @@ func needsFunctionCodeUpdate(d resourceDiffer) bool { func resourceAwsLambdaFunctionUpdate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).lambdaconn + // If Code Signing Config is updated, calls PutFunctionCodeSigningConfig + // If removed, calls DeleteFunctionCodeSigningConfig + if d.HasChange("code_signing_config_arn") { + if v, ok := d.GetOk("code_signing_config_arn"); ok { + configUpdateInput := &lambda.PutFunctionCodeSigningConfigInput{ + CodeSigningConfigArn: aws.String(v.(string)), + FunctionName: aws.String(d.Id()), + } + + _, err := conn.PutFunctionCodeSigningConfig(configUpdateInput) + + if err != nil { + return fmt.Errorf("error updating code signing config arn (Function: %s): %s", d.Id(), err) + } + } else { + configDeleteInput := &lambda.DeleteFunctionCodeSigningConfigInput{ + FunctionName: aws.String(d.Id()), + } + + _, err := conn.DeleteFunctionCodeSigningConfig(configDeleteInput) + + if err != nil { + return fmt.Errorf("error deleting code signing config arn (Function: %s): %s", d.Id(), err) + } + } + } + arn := d.Get("arn").(string) if d.HasChange("tags") { o, n := d.GetChange("tags") @@ -720,6 +824,7 @@ func resourceAwsLambdaFunctionUpdate(d *schema.ResourceData, meta interface{}) e if d.HasChange("description") { configReq.Description = aws.String(d.Get("description").(string)) } + if d.HasChange("handler") { configReq.Handler = aws.String(d.Get("handler").(string)) } diff --git a/aws/resource_aws_lambda_function_test.go b/aws/resource_aws_lambda_function_test.go index 376c58963d8..c9c331fe60f 100644 --- a/aws/resource_aws_lambda_function_test.go +++ b/aws/resource_aws_lambda_function_test.go @@ -180,6 +180,64 @@ func TestAccAWSLambdaFunction_disappears(t *testing.T) { }) } +func TestAccAWSLambdaFunction_codeSigningConfig(t *testing.T) { + var conf lambda.GetFunctionOutput + + rString := acctest.RandString(8) + funcName := fmt.Sprintf("tf_acc_lambda_func_csc_%s", rString) + roleName := fmt.Sprintf("tf_acc_role_lambda_func_csc_%s", rString) + resourceName := "aws_lambda_function.test" + cscResourceName := "aws_lambda_code_signing_config.code_signing_config_1" + cscUpdateResourceName := "aws_lambda_code_signing_config.code_signing_config_2" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckLambdaFunctionDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSLambdaConfigCSCCreate(roleName, funcName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsLambdaFunctionExists(resourceName, funcName, &conf), + testAccCheckAwsLambdaFunctionName(&conf, funcName), + testAccCheckResourceAttrRegionalARN(resourceName, "arn", "lambda", fmt.Sprintf("function:%s", funcName)), + resource.TestCheckResourceAttrPair(resourceName, "code_signing_config_arn", cscResourceName, "arn"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"filename", "publish"}, + }, + { + Config: testAccAWSLambdaConfigCSCUpdate(roleName, funcName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsLambdaFunctionExists(resourceName, funcName, &conf), + testAccCheckAwsLambdaFunctionName(&conf, funcName), + testAccCheckResourceAttrRegionalARN(resourceName, "arn", "lambda", fmt.Sprintf("function:%s", funcName)), + resource.TestCheckResourceAttrPair(resourceName, "code_signing_config_arn", cscUpdateResourceName, "arn"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"filename", "publish"}, + }, + { + Config: testAccAWSLambdaConfigCSCDelete(roleName, funcName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsLambdaFunctionExists(resourceName, funcName, &conf), + testAccCheckAwsLambdaFunctionName(&conf, funcName), + testAccCheckResourceAttrRegionalARN(resourceName, "arn", "lambda", fmt.Sprintf("function:%s", funcName)), + resource.TestCheckResourceAttr(resourceName, "code_signing_config_arn", ""), + ), + }, + }, + }) +} + func TestAccAWSLambdaFunction_concurrency(t *testing.T) { var conf lambda.GetFunctionOutput @@ -1918,6 +1976,113 @@ resource "aws_lambda_function" "test" { `, funcName) } +func testAccAWSLambdaConfigCSCBasic(roleName string) string { + return fmt.Sprintf(` +data "aws_iam_policy_document" "policy" { + statement { + sid = "" + effect = "Allow" + + principals { + identifiers = ["lambda.amazonaws.com"] + type = "Service" + } + + actions = ["sts:AssumeRole"] + } +} + +resource "aws_iam_role" "iam_for_lambda" { + name = "%s" + assume_role_policy = data.aws_iam_policy_document.policy.json +} + +resource "aws_signer_signing_profile" "test1" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_signer_signing_profile" "test2" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_signer_signing_profile" "test3" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_signer_signing_profile" "test4" { + platform_id = "AWSLambda-SHA384-ECDSA" +} + +resource "aws_lambda_code_signing_config" "code_signing_config_1" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.test1.version_arn, + aws_signer_signing_profile.test2.version_arn + ] + } + + policies { + untrusted_artifact_on_deployment = "Warn" + } + + description = "Code Signing Config for test account" +} + +resource "aws_lambda_code_signing_config" "code_signing_config_2" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.test3.version_arn, + aws_signer_signing_profile.test4.version_arn + ] + } + + policies { + untrusted_artifact_on_deployment = "Warn" + } + + description = "Code Signing Config for test account update" +} +`, roleName) +} + +func testAccAWSLambdaConfigCSCCreate(roleName, funcName string) string { + return fmt.Sprintf(testAccAWSLambdaConfigCSCBasic(roleName)+` +resource "aws_lambda_function" "test" { + filename = "test-fixtures/lambdatest.zip" + function_name = "%s" + role = aws_iam_role.iam_for_lambda.arn + handler = "exports.example" + runtime = "nodejs12.x" + code_signing_config_arn = aws_lambda_code_signing_config.code_signing_config_1.arn +} +`, funcName) +} + +func testAccAWSLambdaConfigCSCUpdate(roleName, funcName string) string { + return fmt.Sprintf(testAccAWSLambdaConfigCSCBasic(roleName)+` +resource "aws_lambda_function" "test" { + filename = "test-fixtures/lambdatest.zip" + function_name = "%s" + role = aws_iam_role.iam_for_lambda.arn + handler = "exports.example" + runtime = "nodejs12.x" + code_signing_config_arn = aws_lambda_code_signing_config.code_signing_config_2.arn +} +`, funcName) +} + +func testAccAWSLambdaConfigCSCDelete(roleName, funcName string) string { + return fmt.Sprintf(testAccAWSLambdaConfigCSCBasic(roleName)+` +resource "aws_lambda_function" "test" { + filename = "test-fixtures/lambdatest.zip" + function_name = "%s" + role = aws_iam_role.iam_for_lambda.arn + handler = "exports.example" + runtime = "nodejs12.x" +} +`, funcName) +} + func testAccAWSLambdaConfigBasicConcurrency(funcName, policyName, roleName, sgName string) string { return fmt.Sprintf(baseAccAWSLambdaConfig(policyName, roleName, sgName)+` resource "aws_lambda_function" "test" { diff --git a/aws/resource_aws_lambda_layer_version.go b/aws/resource_aws_lambda_layer_version.go index 69109e5b803..a1714e9128f 100644 --- a/aws/resource_aws_lambda_layer_version.go +++ b/aws/resource_aws_lambda_layer_version.go @@ -97,6 +97,14 @@ func resourceAwsLambdaLayerVersion() *schema.Resource { ForceNew: true, Computed: true, }, + "signing_profile_version_arn": { + Type: schema.TypeString, + Computed: true, + }, + "signing_job_arn": { + Type: schema.TypeString, + Computed: true, + }, "source_code_size": { Type: schema.TypeInt, Computed: true, @@ -214,6 +222,12 @@ func resourceAwsLambdaLayerVersionRead(d *schema.ResourceData, meta interface{}) if err := d.Set("source_code_hash", layerVersion.Content.CodeSha256); err != nil { return fmt.Errorf("Error setting lambda layer source code hash: %s", err) } + if err := d.Set("signing_profile_version_arn", layerVersion.Content.SigningProfileVersionArn); err != nil { + return fmt.Errorf("Error setting lambda layer signing profile arn: %s", err) + } + if err := d.Set("signing_job_arn", layerVersion.Content.SigningJobArn); err != nil { + return fmt.Errorf("Error setting lambda layer signing job arn: %s", err) + } if err := d.Set("source_code_size", layerVersion.Content.CodeSize); err != nil { return fmt.Errorf("Error setting lambda layer source code size: %s", err) } diff --git a/aws/resource_aws_lambda_layer_version_test.go b/aws/resource_aws_lambda_layer_version_test.go index 437d4e7faf9..61e35a6934a 100644 --- a/aws/resource_aws_lambda_layer_version_test.go +++ b/aws/resource_aws_lambda_layer_version_test.go @@ -83,6 +83,8 @@ func TestAccAWSLambdaLayerVersion_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "license_info", ""), testAccCheckResourceAttrRegionalARN(resourceName, "layer_arn", "lambda", fmt.Sprintf("layer:%s", layerName)), resource.TestCheckResourceAttr(resourceName, "version", "1"), + resource.TestCheckResourceAttr(resourceName, "signing_profile_version_arn", ""), + resource.TestCheckResourceAttr(resourceName, "signing_job_arn", ""), ), }, diff --git a/website/docs/d/lambda_code_signing_config.html.markdown b/website/docs/d/lambda_code_signing_config.html.markdown new file mode 100644 index 00000000000..bc6da053030 --- /dev/null +++ b/website/docs/d/lambda_code_signing_config.html.markdown @@ -0,0 +1,47 @@ +--- +subcategory: "Lambda" +layout: "aws" +page_title: "AWS: aws_lambda_code_signing_config" +description: |- + Provides a Lambda Code Signing Config data source. +--- + +# Data Source: aws_lambda_code_signing_config + +Provides information about a Lambda Code Signing Config. A code signing configuration defines a list of allowed signing profiles and defines the code-signing validation policy (action to be taken if deployment validation checks fail). + +For information about Lambda code signing configurations and how to use them, see [configuring code signing for Lambda functions][1] + +## Example Usage + +```hcl +data "aws_lambda_code_signing_config" "existing_csc" { + arn = "arn:aws:lambda:${var.aws_region}:${var.aws_account}:code-signing-config:csc-0f6c334abcdea4d8b" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `arn` - (Required) The Amazon Resource Name (ARN) of the code signing configuration. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `allowed_publishers` - List of allowed publishers as signing profiles for this code signing configuration. +* `config_id` - Unique identifier for the code signing configuration. +* `description` - Code signing configuration description. +* `last_modified` - The date and time that the code signing configuration was last modified. +* `policies` - List of code signing policies that control the validation failure action for signature mismatch or expiry. + +`allowed_publishers` is exported with the following attribute: + +* `signing_profile_version_arns` - The Amazon Resource Name (ARN) for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. + +`policies` is exported with the following attribute: + +* `untrusted_artifact_on_deployment` - Code signing configuration policy for deployment validation failure. + +[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html diff --git a/website/docs/d/lambda_function.html.markdown b/website/docs/d/lambda_function.html.markdown index 12cea056e4f..1e49d8b2980 100644 --- a/website/docs/d/lambda_function.html.markdown +++ b/website/docs/d/lambda_function.html.markdown @@ -34,6 +34,7 @@ The following arguments are supported: In addition to all arguments above, the following attributes are exported: * `arn` - Unqualified (no `:QUALIFIER` or `:VERSION` suffix) Amazon Resource Name (ARN) identifying your Lambda Function. See also `qualified_arn`. +* `code_signing_config_arn` - Amazon Resource Name (ARN) for a Code Signing Configuration. * `dead_letter_config` - Configure the function's *dead letter queue*. * `description` - Description of what your Lambda Function does. * `environment` - The Lambda environment's configuration settings. @@ -47,7 +48,9 @@ In addition to all arguments above, the following attributes are exported: * `qualified_arn` - Qualified (`:QUALIFIER` or `:VERSION` suffix) Amazon Resource Name (ARN) identifying your Lambda Function. See also `arn`. * `reserved_concurrent_executions` - The amount of reserved concurrent executions for this lambda function or `-1` if unreserved. * `role` - IAM role attached to the Lambda Function. -* `runtime` - The runtime environment for the Lambda function.. +* `runtime` - The runtime environment for the Lambda function. +* `signing_job_arn` - The Amazon Resource Name (ARN) of a signing job. +* `signing_profile_version_arn` - The Amazon Resource Name (ARN) for a signing profile version. * `source_code_hash` - Base64-encoded representation of raw SHA-256 sum of the zip file. * `source_code_size` - The size in bytes of the function .zip file. * `timeout` - The function execution time at which Lambda should terminate the function. diff --git a/website/docs/d/lambda_layer_version.html.markdown b/website/docs/d/lambda_layer_version.html.markdown index 16380905b53..cedbf3831bf 100644 --- a/website/docs/d/lambda_layer_version.html.markdown +++ b/website/docs/d/lambda_layer_version.html.markdown @@ -40,6 +40,8 @@ In addition to all arguments above, the following attributes are exported: * `arn` - The Amazon Resource Name (ARN) of the Lambda Layer with version. * `layer_arn` - The Amazon Resource Name (ARN) of the Lambda Layer without version. * `created_date` - The date this resource was created. +* `signing_job_arn` - The Amazon Resource Name (ARN) of a signing job. +* `signing_profile_version_arn` - The Amazon Resource Name (ARN) for a signing profile version. * `source_code_hash` - Base64-encoded representation of raw SHA-256 sum of the zip file. * `source_code_size` - The size in bytes of the function .zip file. * `version` - This Lamba Layer version. diff --git a/website/docs/r/lambda_code_signing_config.html.markdown b/website/docs/r/lambda_code_signing_config.html.markdown new file mode 100644 index 00000000000..1fd8e01073f --- /dev/null +++ b/website/docs/r/lambda_code_signing_config.html.markdown @@ -0,0 +1,63 @@ +--- +subcategory: "Lambda" +layout: "aws" +page_title: "AWS: aws_lambda_code_signing_config" +description: |- + Provides a Lambda Code Signing Config resource. +--- + +# Resource: aws_lambda_code_signing_config + +Provides a Lambda Code Signing Config resource. A code signing configuration defines a list of allowed signing profiles and defines the code-signing validation policy (action to be taken if deployment validation checks fail). + +For information about Lambda code signing configurations and how to use them, see [configuring code signing for Lambda functions][1] + +## Example Usage + +```hcl +resource "aws_lambda_code_signing_config" "new_csc" { + allowed_publishers { + signing_profile_version_arns = [ + aws_signer_signing_profile.example1.arn, + aws_signer_signing_profile.example2.arn, + ] + } + + policies { + untrusted_artifact_on_deployment = "Warn" + } + + description = "My awesome code signing config." +} +``` + +## Argument Reference + +* `allowed_publishers` (Required) A configuration block of allowed publishers as signing profiles for this code signing configuration. Detailed below. +* `policies` (Optional) A configuration block of code signing policies that define the actions to take if the validation checks fail. Detailed below. +* `description` - (Optional) Descriptive name for this code signing configuration. + +The `allowed_publishers` block supports the following argument: + +* `signing_profile_version_arns` - (Required) The Amazon Resource Name (ARN) for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. + +The `policies` block supports the following argument: + +* `untrusted_artifact_on_deployment` - (Required) Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: `Warn`, `Enforce`. Default value: `Warn`. + + +## Attributes Reference + +* `arn` - The Amazon Resource Name (ARN) of the code signing configuration. +* `config_id` - Unique identifier for the code signing configuration. +* `last_modified` - The date and time that the code signing configuration was last modified. + +[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html + +## Import + +Code Signing Configs can be imported using their ARN, e.g. + +``` +$ terraform import aws_lambda_code_signing_config.imported_csc arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b +``` diff --git a/website/docs/r/lambda_function.html.markdown b/website/docs/r/lambda_function.html.markdown index 7de6770e93f..b50b4f78338 100644 --- a/website/docs/r/lambda_function.html.markdown +++ b/website/docs/r/lambda_function.html.markdown @@ -231,6 +231,7 @@ large files efficiently. * `source_code_hash` - (Optional) Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the package file specified with either `filename` or `s3_key`. The usual way to set this is `filebase64sha256("file.zip")` (Terraform 0.11.12 and later) or `base64sha256(file("file.zip"))` (Terraform 0.11.11 and earlier), where "file.zip" is the local filename of the lambda function source archive. * `tags` - (Optional) A map of tags to assign to the object. * `file_system_config` - (Optional) The connection settings for an EFS file system. Fields documented below. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets much be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Using Amazon EFS with Lambda][12]. +* `code_signing_config_arn` - (Optional) Amazon Resource Name (ARN) for a Code Signing Configuration. **dead_letter_config** is a child block with a single argument: @@ -275,6 +276,8 @@ In addition to all arguments above, the following attributes are exported: * `version` - Latest published version of your Lambda Function. * `last_modified` - The date this resource was last modified. * `kms_key_arn` - (Optional) The ARN for the KMS encryption key. +* `signing_job_arn` - The Amazon Resource Name (ARN) of a signing job. +* `signing_profile_version_arn` - The Amazon Resource Name (ARN) for a signing profile version. * `source_code_hash` - Base64-encoded representation of raw SHA-256 sum of the zip file, provided either via `filename` or `s3_*` parameters. * `source_code_size` - The size in bytes of the function .zip file. diff --git a/website/docs/r/lambda_layer_version.html.markdown b/website/docs/r/lambda_layer_version.html.markdown index de84faf7a3c..93b9df8f3b1 100644 --- a/website/docs/r/lambda_layer_version.html.markdown +++ b/website/docs/r/lambda_layer_version.html.markdown @@ -54,6 +54,8 @@ In addition to all arguments above, the following attributes are exported: * `arn` - The Amazon Resource Name (ARN) of the Lambda Layer with version. * `layer_arn` - The Amazon Resource Name (ARN) of the Lambda Layer without version. * `created_date` - The date this resource was created. +* `signing_job_arn` - The Amazon Resource Name (ARN) of a signing job. +* `signing_profile_version_arn` - The Amazon Resource Name (ARN) for a signing profile version. * `source_code_size` - The size in bytes of the function .zip file. * `version` - This Lamba Layer version.