From 5603ad8e8ab3f20ef6a2da1300dace6aaa64e103 Mon Sep 17 00:00:00 2001
From: Goh Hong Yi
Date: Mon, 23 Sep 2024 15:23:15 +0800
Subject: [PATCH 1/4] add support for apigw identifier change
---
 data.tf | 15 +++++++++++++++
 variables.tf | 13 +++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/data.tf b/data.tf
index cb2520b..6389b29 100644
--- a/data.tf
+++ b/data.tf
@@ -23,6 +23,7 @@ data "aws_iam_policy_document" "update_lambda" {
 sid = "LambdaUpdateEvent"
 actions = [
+ "lambda:AddPermission",
 "lambda:UpdateFunctionCode",
 "lambda:UpdateFunctionConfiguration",
 "lambda:UpdateAlias",
@@ -33,6 +34,20 @@ data "aws_iam_policy_document" "update_lambda" {
 ]
 resources = ["arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.function_prefix}*"]
 }
+
+ dynamic "statement" {
+ for_each = var.enable_version_identifier ? [1] : []
+ content {
+ sid = "AllowApiGatewayInvoke"
+ actions = [
+ "apigateway:POST",
+ "apigateway:PUT",
+ ]
+ resources = [
+ var.apigw_arn,
+ ]
+ }
+ }
 }
 data "aws_iam_policy_document" "update_lambda_combined" {
diff --git a/variables.tf b/variables.tf
index 1f2ed5f..02cce85 100644
--- a/variables.tf
+++ b/variables.tf
@@ -457,3 +457,16 @@ variable "function_tags" {
 type = map(string)
 default = {}
 }
+
+# to allow deployments with api gateway triggers and update version whenever there is new deployment
+variable "enable_version_identifier" {
+ description = "Enable version identifier for lambda function"
+ type = bool
+ default = false
+}
+
+variable "apigw_arn" {
+ description = "API Gateway ARN"
+ type = string
+ default = null
+}
From 9fac559b5ba99b12550f93ca6598246f08135f98 Mon Sep 17 00:00:00 2001
From: tymnicholas <46499723+tymnicholas@users.noreply.github.com>
Date: Mon, 23 Sep 2024 16:06:34 +0800
Subject: [PATCH 2/4] update APIGW permission to targetted rest api id
---
 data.tf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
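Review bot: `lambda:AddPermission` added to the `LambdaUpdateEvent` statement lets the deployer role attach an invoke grant for any principal to every `${var.function_prefix}*` function, and unlike the API Gateway statement added further down it is not gated on `enable_version_identifier`. If the grant is only needed so API Gateway can invoke the newly published version or alias, a condition on the statement keeps the role from creating cross-account or public invoke permissions: `condition { test = "StringEquals" variable = "lambda:Principal" values = ["apigateway.amazonaws.com"] }` (one attribute per line in HCL). Pairing it with `lambda:RemovePermission` would also let a redeploy replace a stale statement id instead of accumulating grants or colliding on an existing one. The enclosing `statement` block starts outside the hunk.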
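Review bot: The sid `AllowApiGatewayInvoke` on the new dynamic statement misdescribes what it grants: `apigateway:POST` and `apigateway:PUT` are control-plane verbs for creating and updating API configuration and deployments, not `execute-api:Invoke`, so anyone auditing the role from its statement ids will misjudge it. Rename it, e.g. `sid = "AllowApiGatewayUpdate"`, and put `# rendered only when enable_version_identifier is true; management-plane write access to the target API` above the `dynamic "statement"` line so both the gate and the intent are visible at the statement itself.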
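Review bot: `apigw_arn` defaults to `null` while `enable_version_identifier` is an independent flag, so enabling the flag without an ARN produces a `null` element in the policy's `resources` list and a generic Terraform/provider error rather than a message naming the missing input. State the coupling in the description, `description = "ARN of the API Gateway the deployer may update; required when enable_version_identifier is true"`, and enforce it with a `validation` block (referencing another variable inside `validation` needs Terraform 1.9 or newer; on older versions use a `precondition` on the policy data source instead). The comment above `enable_version_identifier` names a "version identifier" without saying which resource carries it; if it is the API Gateway integration being repointed at the new Lambda version, say so there, since that is what the new IAM statement is for.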
diff --git a/data.tf b/data.tf
index 6389b29..8e52675 100644
--- a/data.tf
+++ b/data.tf
@@ -43,9 +43,7 @@ data "aws_iam_policy_document" "update_lambda" {
 "apigateway:POST",
 "apigateway:PUT",
 ]
- resources = [
- var.apigw_arn,
- ]
+ resources = ["arn:aws:apigateway:${data.aws_region.current.name}::/restapis/${var.apigw_id}/*"]
 }
 }
 }
From aaad594c3696f1da8b90ecdd569491ebda1c5978 Mon Sep 17 00:00:00 2001
From: tymnicholas <46499723+tymnicholas@users.noreply.github.com>
Date: Mon, 23 Sep 2024 16:06:58 +0800
Subject: [PATCH 3/4] renamed apigw_arn to apigw_id
---
 variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/variables.tf b/variables.tf
index 02cce85..9b48615 100644
--- a/variables.tf
+++ b/variables.tf
@@ -465,8 +465,8 @@ variable "enable_version_identifier" {
 default = false
 }
-variable "apigw_arn" {
- description = "API Gateway ARN"
+variable "apigw_id" {
+ description = "API Gateway Id"
 type = string
 default = null
 }
From a54a15af117cdd8f870705d715c3be998d07ac45 Mon Sep 17 00:00:00 2001
From: Goh Hong Yi
Date: Mon, 23 Sep 2024 16:11:31 +0800
Subject: [PATCH 4/4] update readme
---
 README.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index d3dc42f..abed5c9 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,3 @@
-
 ## Requirements
 | Name | Version |
@@ -12,7 +11,7 @@
 | Name | Version |
 |------|---------|
 | [archive](#provider\_archive) | 2.3.0 |
-| [aws](#provider\_aws) | 5.45.0 |
+| [aws](#provider\_aws) | 5.37.0 |
 ## Modules
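Review bot: `resources = ["arn:aws:apigateway:${data.aws_region.current.name}::/restapis/${var.apigw_id}/*"]` together with `apigateway:PUT` and `apigateway:POST` is write access to every sub-resource of the REST API — methods, integrations, authorizers, gateway responses, deployments — so the deployer role could change any method's authorization type or integration, well beyond repointing one Lambda integration. If the deployment only updates the integration and creates a deployment, narrow the ARNs to those paths, `.../restapis/${var.apigw_id}/deployments` for POST and `.../restapis/${var.apigw_id}/resources/*/methods/*/integration` for PUT (two statements if the verb sets differ), and confirm against the deployer's actual calls whether an existing integration is updated with `apigateway:PATCH`, which this statement does not grant. With the variable's `null` default the template also fails at plan time as soon as `enable_version_identifier` is true, because Terraform rejects a null inside a string interpolation, so the variable needs a guard or a description stating it is required with the flag. The `dynamic "statement"` block and its `sid`/`actions` lines lie outside the hunk.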
@@ -44,6 +43,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [allowed\_triggers](#input\_allowed\_triggers) | Map of allowed triggers to create Lambda permissions | `map(any)` | `{}` | no | +| [apigw\_arn](#input\_apigw\_arn) | API Gateway ARN | `string` | `null` | no | | [architectures](#input\_architectures) | Instruction set architecture for your Lambda function. Valid values are ["x86\_64"] and ["arm64"]. | `list(string)` | `null` | no | | [attach\_network\_policy](#input\_attach\_network\_policy) | Flag to attach network policy to use VPC subnet and security group | `bool` | `false` | no | | [attach\_policies](#input\_attach\_policies) | Controls whether AWS managed policies should be added to IAM role for Lambda Function (e.g AWSLambdaBasicExecutionRole) | `bool` | `false` | no | @@ -66,16 +66,18 @@ | [create\_lambda\_role](#input\_create\_lambda\_role) | Controls whether the Lambda Role | `bool` | `true` | no | | [create\_unqualified\_alias\_lambda\_function\_url](#input\_create\_unqualified\_alias\_lambda\_function\_url) | Whether to use unqualified alias pointing to $LATEST version in Lambda Function URL | `bool` | `true` | no | | [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | The ARN of an SNS topic or SQS queue to notify when an invocation fails. | `string` | `null` | no | -| [default\_conditions](#input\_default\_conditions) | (Optional) Default condtions to apply, at least one of the following is madatory: 'allow\_main', 'allow\_environment', 'deny\_pull\_request' and 'allow\_all'. | `list(string)` |
[
"allow_main",
"allow_environment"
]
| no | +| [default\_conditions](#input\_default\_conditions) | (Optional) Default condtions to apply, at least one of the following is madatory: 'allow\_main', 'allow\_environment', 'deny\_pull\_request' and 'allow\_all'. | `list(string)` |
[
"allow_main",
"allow_environment"
]
| no | | [deployer\_lambda\_additional\_permission](#input\_deployer\_lambda\_additional\_permission) | Additional permission needed by lambda deployer in json format | `string` | `null` | no | | [deployer\_lambda\_edge\_additional\_permission](#input\_deployer\_lambda\_edge\_additional\_permission) | Additional permission needed by lambda edge deployer in json format | `string` | `null` | no | | [description](#input\_description) | Lambda Function Description | `string` | `""` | no | +| [enable\_version\_identifier](#input\_enable\_version\_identifier) | Enable version identifier for lambda function | `bool` | `false` | no | | [environment\_variables](#input\_environment\_variables) | A map that defines environment variables for the Lambda Function. | `map(string)` | `{}` | no | | [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | Amount of ephemeral storage (/tmp) in MB your Lambda Function can use at runtime. Valid value between 512 MB to 10,240 MB (10 GB). | `number` | `512` | no | | [event\_source\_mapping](#input\_event\_source\_mapping) | Map of event source mapping | `any` | `{}` | no | | [function\_name](#input\_function\_name) | Lambda Function Name | `string` | n/a | yes | | [function\_prefix](#input\_function\_prefix) | Prefix for the IAM role for lambda functions | `string` | `""` | no | -| [github\_repo](#input\_github\_repo) | GitHub repo to grant access to assume a role via OIDC. |
object({
repo = string
branches = optional(list(string), [])
environments = optional(list(string), ["*"])
tags = optional(list(string), [])

# Custom Role name. It will autocreate based on repo if not provided
role_name = optional(string)
})
| n/a | yes | +| [function\_tags](#input\_function\_tags) | A map of tags to assign only to the lambda function | `map(string)` | `{}` | no | +| [github\_repo](#input\_github\_repo) | GitHub repo to grant access to assume a role via OIDC. |
object({
repo = string
branches = optional(list(string), [])
environments = optional(list(string), ["*"])
tags = optional(list(string), [])

# Custom Role name. It will autocreate based on repo if not provided
role_name = optional(string)
})
| n/a | yes | | [handler](#input\_handler) | Lambda Function Index Handler | `string` | `"index.handler"` | no | | [image\_config\_command](#input\_image\_config\_command) | The CMD for the docker image | `list(string)` | `[]` | no | | [image\_config\_entry\_point](#input\_image\_config\_entry\_point) | The ENTRYPOINT for the docker image | `list(string)` | `[]` | no | @@ -107,6 +109,7 @@ | [signing\_profile\_name](#input\_signing\_profile\_name) | Name of the signer signing profile to use for signing job | `string` | `null` | no | | [snap\_start](#input\_snap\_start) | (Optional) Snap start settings for low-latency startups | `bool` | `false` | no | | [source\_path](#input\_source\_path) | The absolute path to a local file or directory containing your Lambda source code | `string` | `null` | no | +| [tags](#input\_tags) | A map of tags to assign to resources. | `map(string)` | `{}` | no | | [timeout](#input\_timeout) | The amount of time your Lambda Function has to run in seconds. | `number` | `3` | no | | [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `null` | no | | [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of security group ids when Lambda Function should run in the VPC. | `list(string)` | `null` | no | @@ -129,4 +132,3 @@ | [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function | | [lambda\_role\_unique\_id](#output\_lambda\_role\_unique\_id) | The unique id of the IAM role created for the Lambda Function | | [qualified\_arn](#output\_qualified\_arn) | The qualified arn of the lambda function to be associated with Cloudfront as a Lambda@Edge function | -