From af3874867ee796979ca80b3e4acbb30b81514cdd Mon Sep 17 00:00:00 2001
From: Uchinda Padmaperuma <89894943+uchinda-sph@users.noreply.github.com>
Date: Tue, 28 Feb 2023 11:54:16 +0800
Subject: [PATCH] add conditon for local external_id

---
 data.tf | 8 ++++----
 lambda.tf | 2 +-
 locals.tf | 1 +
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/data.tf b/data.tf
index 45b559e..30381b7 100644
--- a/data.tf
+++ b/data.tf
@@ -235,7 +235,7 @@ data "aws_iam_policy_document" "aqua_cspm_custom_trust" {
 test = "StringEquals"
 variable = "sts:ExternalId"
 values = [
- jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"],
+ local.external_id,
 ]
 }
@@ -264,7 +264,7 @@ data "aws_iam_policy_document" "aqua_cspm_custom_trust" {
 test = "StringEquals"
 variable = "sts:ExternalId"
 values = [
- jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"],
+ local.external_id,
 ]
 }
@@ -293,7 +293,7 @@ data "aws_iam_policy_document" "aqua_cspm_custom_trust" {
 test = "StringEquals"
 variable = "sts:ExternalId"
 values = [
- jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"],
+ local.external_id,
 ]
 }
@@ -322,7 +322,7 @@ data "aws_iam_policy_document" "aqua_cspm_custom_trust" {
 test = "StringEquals"
 variable = "sts:ExternalId"
 values = [
- jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"],
+ local.external_id,
 ]
 }
diff --git a/lambda.tf b/lambda.tf
index 1a1217a..a7ee7ab 100644
--- a/lambda.tf
+++ b/lambda.tf
@@ -38,7 +38,7 @@ resource "aws_lambda_invocation" "onboarding" {
 input = jsonencode({
 ResourceProperties = {
 Secret = local.secret_name,
- ExtId = jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"],
+ ExtId = local.external_id,
 Group = var.aqua_group_name,
 RoleArn = aws_iam_role.aqua_cspm.arn,
 AccId = data.aws_caller_identity.current.account_id
diff --git a/locals.tf b/locals.tf
index e8d5a6b..1832661 100644
--- a/locals.tf
+++ b/locals.tf
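Review bot: The `local.external_id` now placed in the `sts:ExternalId` condition here (and in the three later data.tf hunks and the lambda.tf `ExtId` hunk) is defined in this patch's locals.tf hunk to fall back to the invocation's `message` field when `status` is `"FAILED"`, so a failed external-id lookup no longer stops the run but yields a trust policy and an onboarding call keyed on an error string instead of the intended ExternalId. Since that value is what restricts who may assume `aws_iam_role.aqua_cspm`, a failed lookup should surface as a plan or apply error rather than a substitute value; if the module targets a Terraform version that supports `lifecycle { precondition { ... } }`, a precondition on the role with `condition = jsondecode(aws_lambda_invocation.external_id.result)["status"] != "FAILED"` and an `error_message` naming the invocation would do that, otherwise the fallback branch should be dropped so the original key error still fails the plan. The enclosing `data "aws_iam_policy_document" "aqua_cspm_custom_trust"` block starts and ends outside this hunk, and the locals.tf hunk runs past the end of the page.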
@@ -3,6 +3,7 @@ locals {
 secret_name = "/aquacspm/secret-cspm"
+ external_id = jsondecode(aws_lambda_invocation.external_id.result)["status"] == "FAILED" ? jsondecode(aws_lambda_invocation.external_id.result)["message"] : jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"]
 # public_ip = "13.215.18.141/32"
 aqua_cspm_role_policy_arns = [