update iam policy actions

clouddrove · Oct 11, 2019 · 2d4bb8e · 2d4bb8e
1 parent 1929a54
commit 2d4bb8e
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 41 deletions.
diff --git a/README.md b/README.md
@@ -171,6 +171,7 @@ Here are some examples of how you can use this module in your inventory structur
 | filename | The path to the function's deployment package within the local filesystem. If defined, The s3_-prefixed options cannot be used. | string | `` | no |
 | filenames | The path to the function's deployment package within the local filesystem. If defined, The s3_-prefixed options cannot be used. | list | `<list>` | no |
 | handler | The function entrypoint in your code. | string | - | yes |
+| iam_actions | The actions for Iam Role Policy. | list | `<list>` | no |
 | kms_key_arn | The ARN for the KMS encryption key. | string | `` | no |
 | label_order | Label order, e.g. `name`,`application`. | list | `<list>` | no |
 | layers | List of Lambda Layer Version ARNs (maximum of 5) to attach to your Lambda Function. | string | `` | no |

diff --git a/_example/basic-function/example.tf b/_example/basic-function/example.tf
@@ -3,17 +3,26 @@ provider "aws" {
 }
 
 module "lambda" {
-  source = "git::https://github.com/clouddrove/terraform-aws-lambda.git?ref=tags/0.12.0"
+  source = "./../../"
 
   name        = "lambda"
   application = "clouddrove"
   environment = "test"
   label_order = ["environment", "name", "application"]
   enabled     = true
 
-  filename = "./../../../lambda_function_payload"
-  handler  = "index.handler"
-  runtime  = "nodejs8.10"
+  filename = "./../../../lambda_packages"
+  handler  = "index.lambda_handler"
+  runtime  = "python3.7"
+  iam_actions = [
+    "logs:CreateLogStream",
+    "logs:CreateLogGroup",
+    "logs:PutLogEvents",
+    "ec2:CreateNetworkInterface",
+    "ec2:DescribeNetworkInterfaces",
+    "ec2:DeleteNetworkInterface",
+    "ec2:DescribeSecurityGroups",
+  ]
   variables = {
     foo = "bar"
   }

diff --git a/main.tf b/main.tf
@@ -39,32 +39,19 @@ EOF
 # Module      : Iam policy
 # Description : Terraform module to create Iam policy resource on AWS for lambda.
 resource "aws_iam_policy" "default" {
-  name = "lambda_logging"
-  path = "/"
+  name        = "lambda_logging"
+  path        = "/"
   description = "IAM policy for logging from a lambda"
 
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "logs:CreateLogStream",
-        "logs:CreateLogGroup",
-        "logs:PutLogEvents",
-        "ec2:CreateNetworkInterface",
-        "ec2:DescribeNetworkInterfaces",
-        "ec2:DeleteNetworkInterface",
-        "ec2:DescribeSecurityGroups",
-        "sqs:SendMessage",
-        "sns:Publish"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    }
-  ]
+  policy = data.aws_iam_policy_document.default.json
 }
-EOF
+
+data "aws_iam_policy_document" "default" {
+  statement {
+    actions   = var.iam_actions
+    effect    = "Allow"
+    resources = ["*"]
+  }
 }
 
 # Module      : Iam Role Policy Attachment
@@ -77,10 +64,10 @@ resource "aws_iam_role_policy_attachment" "default" {
 # Module      : Archive file
 # Description : Terraform module to zip a directory.
 data "archive_file" "lambda_zip" {
-    count       = length(var.filenames) > 0 ? length(var.filenames) : 0
-    type        = "zip"
-    source_dir  = element(var.filenames, count.index)["input"]
-    output_path = element(var.filenames, count.index)["output"]
+  count       = length(var.filenames) > 0 ? length(var.filenames) : 0
+  type        = "zip"
+  source_dir  = element(var.filenames, count.index)["input"]
+  output_path = element(var.filenames, count.index)["output"]
 }
 
 # Module      : Lambda layers
@@ -101,10 +88,10 @@ resource "aws_lambda_layer_version" "default" {
 # Module      : Archive file
 # Description : Terraform module to zip a directory.
 data "archive_file" "default" {
-    count       = var.filename != null ? 1 : 0
-    type        = "zip"
-    source_dir  = var.filename
-    output_path = "lambda.zip"
+  count       = var.filename != null ? 1 : 0
+  type        = "zip"
+  source_dir  = var.filename
+  output_path = "lambda.zip"
 }
 
 # Module      : Lambda function
@@ -134,14 +121,14 @@ resource "aws_lambda_function" "default" {
     security_group_ids = var.security_group_ids
   }
   environment {
-   variables = var.variables
+    variables = var.variables
   }
   lifecycle {
-   # Ignore tags added by kubernetes
-   ignore_changes = [
-     "source_code_hash",
-     "last_modified"
-   ]
+    # Ignore tags added by kubernetes
+    ignore_changes = [
+      "source_code_hash",
+      "last_modified"
+    ]
   }
   depends_on = ["aws_iam_role_policy_attachment.default"]
 }

diff --git a/variables.tf b/variables.tf
@@ -181,6 +181,12 @@ variable "event_source_tokens" {
   description = "The Event Source Token to validate. Used with Alexa Skills."
 }
 
+variable "iam_actions" {
+  type        = list
+  default     = []
+  description = "The actions for Iam Role Policy."
+}
+
 variable "actions" {
   type        = list
   default     = []