Merge pull request #29 from SPHTech-Platform/feature/deployer-permission

Deployer Lambda additional permission feature

Author: jmonte-sph

README.md

@@ -1,3 +1,4 @@
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
@@ -11,7 +12,7 @@
 | Name | Version |
 |------|---------|
 | <a name="provider_archive"></a> [archive](#provider\_archive) | 2.3.0 |
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.37.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
 
 ## Modules
 
@@ -33,7 +34,9 @@
 | [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
 | [aws_iam_policy_document.sign_code](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.update_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.update_lambda_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.update_lambda_edge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.update_lambda_edge_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
@@ -64,6 +67,8 @@
 | <a name="input_create_unqualified_alias_lambda_function_url"></a> [create\_unqualified\_alias\_lambda\_function\_url](#input\_create\_unqualified\_alias\_lambda\_function\_url) | Whether to use unqualified alias pointing to $LATEST version in Lambda Function URL | `bool` | `true` | no |
 | <a name="input_dead_letter_target_arn"></a> [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | The ARN of an SNS topic or SQS queue to notify when an invocation fails. | `string` | `null` | no |
 | <a name="input_default_conditions"></a> [default\_conditions](#input\_default\_conditions) | (Optional) Default condtions to apply, at least one of the following is madatory: 'allow\_main', 'allow\_environment', 'deny\_pull\_request' and 'allow\_all'. | `list(string)` | <pre>[<br>  "allow_main",<br>  "allow_environment"<br>]</pre> | no |
+| <a name="input_deployer_lambda_additional_permission"></a> [deployer\_lambda\_additional\_permission](#input\_deployer\_lambda\_additional\_permission) | Additional permission needed by lambda deployer in json format | `string` | `null` | no |
+| <a name="input_deployer_lambda_edge_additional_permission"></a> [deployer\_lambda\_edge\_additional\_permission](#input\_deployer\_lambda\_edge\_additional\_permission) | Additional permission needed by lambda edge deployer in json format | `string` | `null` | no |
 | <a name="input_description"></a> [description](#input\_description) | Lambda Function Description | `string` | `""` | no |
 | <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | A map that defines environment variables for the Lambda Function. | `map(string)` | `{}` | no |
 | <a name="input_ephemeral_storage_size"></a> [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | Amount of ephemeral storage (/tmp) in MB your Lambda Function can use at runtime. Valid value between 512 MB to 10,240 MB (10 GB). | `number` | `512` | no |
@@ -123,3 +128,4 @@
 | <a name="output_lambda_role_name"></a> [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function |
 | <a name="output_lambda_role_unique_id"></a> [lambda\_role\_unique\_id](#output\_lambda\_role\_unique\_id) | The unique id of the IAM role created for the Lambda Function |
 | <a name="output_qualified_arn"></a> [qualified\_arn](#output\_qualified\_arn) | The qualified arn of the lambda function to be associated with Cloudfront as a Lambda@Edge function |
+<!-- END_TF_DOCS -->

data.tf

@@ -33,6 +33,13 @@ data "aws_iam_policy_document" "update_lambda" {
   }
 }
 
+data "aws_iam_policy_document" "update_lambda_combined" {
+  source_policy_documents = compact([
+    data.aws_iam_policy_document.update_lambda.json,
+    var.deployer_lambda_additional_permission
+  ])
+}
+
 data "aws_iam_policy_document" "update_lambda_edge" {
   statement {
     sid = "EnableCFReplication"
@@ -67,6 +74,13 @@ data "aws_iam_policy_document" "update_lambda_edge" {
   }
 }
 
+data "aws_iam_policy_document" "update_lambda_edge_combined" {
+  source_policy_documents = compact([
+    data.aws_iam_policy_document.update_lambda_edge.json,
+    var.deployer_lambda_edge_additional_permission
+  ])
+}
+
 data "aws_iam_policy_document" "sign_code" {
   #checkov:skip=CKV_AWS_356:Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
   count = var.create_github_actions_signed_code_role ? 1 : 0

examples/lambda-with-apigateway/data.tf

@@ -22,3 +22,17 @@ data "aws_security_groups" "lambda" {
     values = ["SG-EC2-Web&App"]
   }
 }
+
+data "aws_iam_policy_document" "access_s3" {
+  statement {
+    sid = "LambdaAccessS3"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject"
+    ]
+    resources = [
+      "arn:aws:s3:::example-bucket-s3",
+      "arn:aws:s3:::example-bucket-s3/*"
+    ]
+  }
+}

examples/lambda-with-apigateway/main.tf

@@ -19,6 +19,8 @@ module "home_feed" {
     "ENV" = "dev"
   }
 
+  deployer_lambda_additional_permission = data.aws_iam_policy_document.access_s3.json
+
   vpc_subnet_ids         = data.aws_subnets.lambda.ids
   vpc_security_group_ids = data.aws_security_groups.lambda.ids
   attach_network_policy  = true

examples/lambda-with-apigateway/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.23"
+      version = ">= 4.23"
     }
   }
 }

github_action.tf

@@ -37,15 +37,15 @@ resource "aws_iam_role_policy" "update_lambda" {
 
   name_prefix = "UpdateLambda"
   role        = module.lambda_gha[0].role.name
-  policy      = data.aws_iam_policy_document.update_lambda.json
+  policy      = data.aws_iam_policy_document.update_lambda_combined.json
 }
 
 resource "aws_iam_role_policy" "update_lambda_edge" {
   count = var.create_github_actions_edge_role ? 1 : 0
 
   name_prefix = "UpdateLambdaEdge"
   role        = module.lambda_gha[0].role.name
-  policy      = data.aws_iam_policy_document.update_lambda_edge.json
+  policy      = data.aws_iam_policy_document.update_lambda_edge_combined.json
 }
 
 resource "aws_iam_role_policy" "sign_code" {

variables.tf

@@ -68,6 +68,18 @@ variable "default_conditions" {
   default     = ["allow_main", "allow_environment"]
 }
 
+variable "deployer_lambda_additional_permission" {
+  description = "Additional permission needed by lambda deployer in json format"
+  type        = string
+  default     = null
+}
+
+variable "deployer_lambda_edge_additional_permission" {
+  description = "Additional permission needed by lambda edge deployer in json format"
+  type        = string
+  default     = null
+}
+
 # Refer https://github.com/terraform-aws-modules/terraform-aws-lambda/blob/master/variables.tf for additional vars
 ##################
 # Lambda Function