feat: Added support for policy_jsons (list of strings) (claranet#58)

Author: antonbabenko

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.31.0
+    rev: v1.39.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v3.1.0
+    rev: v3.2.0
     hooks:
       - id: check-merge-conflict

README.md

@@ -240,12 +240,13 @@ module "vpc" {
 
 ## Additional IAM policies for Lambda Functions
 
-There are 4 supported ways to attach IAM policies to IAM role used by Lambda Function:
+There are 5 supported ways to attach IAM policies to IAM role used by Lambda Function:
 
-1. `policy_json` - set as JSON string or heredoc, when `attach_policy_json = true`.
+1. `policy_json` - JSON string or heredoc, when `attach_policy_json = true`.
+1. `policy_jsons` - List of JSON strings or heredoc, when `attach_policy_jsons = true` and `number_of_policy_jsons > 0`.
 1. `policy` - ARN of existing IAM policy, when `attach_policy = true`.
-1. `policies` - List of ARNs of existing IAM policies, when `attach_policies = true`.
-1. `policy_statements` - Map of maps to define IAM statements which will be generated as IAM policy. Requires `attach_policy_statements = true`. See examples/complete for more information.
+1. `policies` - List of ARNs of existing IAM policies, when `attach_policies = true` and `number_of_policies > 0`.
+1. `policy_statements` - Map of maps to define IAM statements which will be generated as IAM policy. Requires `attach_policy_statements = true`. See `examples/complete` for more information.
 
 
 ## Lambda Permissions for allowed triggers
@@ -557,15 +558,19 @@ Q4: What does this error mean - `"We currently do not support adding policies fo
 |------|---------|
 | terraform | >= 0.12.6, < 0.14 |
 | aws | >= 2.67, < 4.0 |
+| external | ~> 1 |
+| local | ~> 1 |
+| null | ~> 2 |
+| random | ~> 2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | aws | >= 2.67, < 4.0 |
-| external | n/a |
-| local | n/a |
-| null | n/a |
+| external | ~> 1 |
+| local | ~> 1 |
+| null | ~> 2 |
 
 ## Inputs
 
@@ -580,6 +585,7 @@ Q4: What does this error mean - `"We currently do not support adding policies fo
 | attach\_policies | Controls whether list of policies should be added to IAM role for Lambda Function | `bool` | `false` | no |
 | attach\_policy | Controls whether policy should be added to IAM role for Lambda Function | `bool` | `false` | no |
 | attach\_policy\_json | Controls whether policy\_json should be added to IAM role for Lambda Function | `bool` | `false` | no |
+| attach\_policy\_jsons | Controls whether policy\_jsons should be added to IAM role for Lambda Function | `bool` | `false` | no |
 | attach\_policy\_statements | Controls whether policy\_statements should be added to IAM role for Lambda Function | `bool` | `false` | no |
 | attach\_tracing\_policy | Controls whether X-Ray tracing policy should be added to IAM role for Lambda Function | `bool` | `false` | no |
 | build\_in\_docker | Whether to build dependencies in Docker | `bool` | `false` | no |
@@ -623,9 +629,11 @@ Q4: What does this error mean - `"We currently do not support adding policies fo
 | maximum\_retry\_attempts | Maximum number of times to retry when the function returns an error. Valid values between 0 and 2. Defaults to 2. | `number` | `null` | no |
 | memory\_size | Amount of memory in MB your Lambda Function can use at runtime. Valid value between 128 MB to 3008 MB, in 64 MB increments. | `number` | `128` | no |
 | number\_of\_policies | Number of policies to attach to IAM role for Lambda Function | `number` | `0` | no |
+| number\_of\_policy\_jsons | Number of policies JSON to attach to IAM role for Lambda Function | `number` | `0` | no |
 | policies | List of policy statements ARN to attach to Lambda Function role | `list(string)` | `[]` | no |
 | policy | An additional policy document ARN to attach to the Lambda Function role | `string` | `null` | no |
 | policy\_json | An additional policy document as JSON to attach to the Lambda Function role | `string` | `null` | no |
+| policy\_jsons | List of additional policy documents as JSON to attach to Lambda Function role | `list(string)` | `[]` | no |
 | policy\_statements | Map of dynamic policy statements to attach to Lambda Function role | `any` | `{}` | no |
 | provisioned\_concurrent\_executions | Amount of capacity to allocate. Set to 1 or greater to enable, or set to 0 to disable provisioned concurrency. | `number` | `-1` | no |
 | publish | Whether to publish creation/change as new Lambda Function Version. | `bool` | `false` | no |

examples/complete/main.tf

@@ -76,6 +76,24 @@ module "lambda_function" {
 }
 EOF
 
+  attach_policy_jsons = true
+  policy_jsons = [<<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "xray:*"
+            ],
+            "Resource": ["*"]
+        }
+    ]
+}
+EOF
+  ]
+  number_of_policy_jsons = 1
+
   attach_policy = true
   policy        = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
 
@@ -206,7 +224,7 @@ module "lambda_with_provisioned_concurrency" {
 
   hash_extra = "hash-extra-lambda-provisioned"
 
-  provisioned_concurrent_executions = 2
+  provisioned_concurrent_executions = -1 # 2
 }
 
 ###########

iam.tf

@@ -219,6 +219,25 @@ resource "aws_iam_policy_attachment" "additional_json" {
   policy_arn = aws_iam_policy.additional_json[0].arn
 }
 
+#####################################
+# Additional policies (list of JSON)
+#####################################
+
+resource "aws_iam_policy" "additional_jsons" {
+  count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
+
+  name   = "${var.function_name}-${count.index}"
+  policy = var.policy_jsons[count.index]
+}
+
+resource "aws_iam_policy_attachment" "additional_jsons" {
+  count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
+
+  name       = "${var.function_name}-${count.index}"
+  roles      = [aws_iam_role.lambda[0].name]
+  policy_arn = aws_iam_policy.additional_jsons[count.index].arn
+}
+
 ###########################
 # ARN of additional policy
 ###########################

variables.tf

@@ -359,6 +359,12 @@ variable "attach_policy_json" {
   default     = false
 }
 
+variable "attach_policy_jsons" {
+  description = "Controls whether policy_jsons should be added to IAM role for Lambda Function"
+  type        = bool
+  default     = false
+}
+
 variable "attach_policy" {
   description = "Controls whether policy should be added to IAM role for Lambda Function"
   type        = bool
@@ -371,6 +377,12 @@ variable "attach_policies" {
   default     = false
 }
 
+variable "number_of_policy_jsons" {
+  description = "Number of policies JSON to attach to IAM role for Lambda Function"
+  type        = number
+  default     = 0
+}
+
 variable "number_of_policies" {
   description = "Number of policies to attach to IAM role for Lambda Function"
   type        = number
@@ -395,6 +407,12 @@ variable "policy_json" {
   default     = null
 }
 
+variable "policy_jsons" {
+  description = "List of additional policy documents as JSON to attach to Lambda Function role"
+  type        = list(string)
+  default     = []
+}
+
 variable "policy" {
   description = "An additional policy document ARN to attach to the Lambda Function role"
   type        = string

versions.tf

@@ -2,6 +2,10 @@ terraform {
   required_version = ">= 0.12.6, < 0.14"
 
   required_providers {
-    aws = ">= 2.67, < 4.0"
+    aws      = ">= 2.67, < 4.0"
+    external = "~> 1"
+    local    = "~> 1"
+    random   = "~> 2"
+    null     = "~> 2"
   }
 }