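--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -105,8 +105,9 @@ module "lambda" {
 
 invoke_function_permissions = [
 {
-principal = "s3.amazonaws.com"
-source_arn = join("", aws_s3_bucket.example[*].arn)
+principal = "s3.amazonaws.com"
+source_arn = join("", aws_s3_bucket.example[*].arn)
+source_account = join("", data.aws_caller_identity.current[*].account_id)
 }
 ]
 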
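--- a/lambda-permissions.tf
+++ b/lambda-permissions.tf
@@ -1,8 +1,9 @@
 resource "aws_lambda_permission" "invoke_function" {
 for_each = local.enabled ? { for i, permission in var.invoke_function_permissions : i => permission } : {}
 
-action = "lambda:InvokeFunction"
-function_name = aws_lambda_function.this[0].function_name
-principal = each.value.principal
-source_arn = each.value.source_arn
+action = "lambda:InvokeFunction"
+function_name = aws_lambda_function.this[0].function_name
+principal = each.value.principal
+source_arn = each.value.source_arn
+source_account = each.value.source_account
 }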
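Review bot: With source_arn now nullable, an entry whose principal is a service principal such as s3.amazonaws.com but sets neither source_arn nor source_account grants every resource of that service in every AWS account the right to invoke the function, and the new `source_account = each.value.source_account` line simply passes that null through to the provider. A lifecycle precondition on this resource (or an equivalent `validation` block on `invoke_function_permissions` in variables.tf) would reject such entries at plan time instead of creating an unscoped permission. `endswith()` needs Terraform 1.3+, which the `optional(string)` attributes introduced in variables.tf already require, so the check adds no new version constraint.
```hcl
resource "aws_lambda_permission" "invoke_function" {
  // … unchanged: for_each, action, function_name, principal, source_arn, source_account …

  lifecycle {
    precondition {
      condition     = !endswith(each.value.principal, ".amazonaws.com") || each.value.source_arn != null || each.value.source_account != null
      error_message = "invoke_function_permissions: entries granting an AWS service principal must set source_arn and/or source_account, otherwise any resource of that service in any account could invoke the function."
    }
  }
}
```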
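--- a/variables.tf
+++ b/variables.tf
@@ -248,9 +248,16 @@ variable "inline_iam_policy" {
 
 variable "invoke_function_permissions" {
 type = list(object({
-principal = string
-source_arn = string
+principal = string
+source_arn = optional(string)
+source_account = optional(string)
 }))
-description = "Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission. NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module"
+description = <<EOF
+Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission.
+- principal: The AWS service or account that will invoke the function
+- source_arn: (Optional) The ARN of the specific resource that will invoke the function
+- source_account: (Optional) The AWS account ID that is allowed to invoke the function. Used to restrict cross-account access when needed.
+NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module
+EOF
 default = []
 }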
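Review bot: The new description marks both source_arn and source_account as optional but does not tell callers that leaving both unset for a service principal removes all scoping from the permission, which is the main thing a reader of this variable needs to know now that source_arn is no longer required. I would add one line to the heredoc after the source_account bullet: `- When principal is an AWS service (e.g. s3.amazonaws.com), set source_arn and/or source_account; with neither, any resource of that service in any account may invoke the function.` The "Used to restrict cross-account access when needed" wording on the source_account bullet also understates its role, since it restricts same-account service invocations too.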