feat: extend trusted_entities variable

terraform-aws-modules · Apr 17, 2021 · 0c5ff91 · 0c5ff91
1 parent 0a1a1a3
commit 0c5ff91
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -727,7 +727,7 @@ No modules.
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to resources. | `map(string)` | `{}` | no |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | The amount of time your Lambda Function has to run in seconds. | `number` | `3` | no |
 | <a name="input_tracing_mode"></a> [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `null` | no |
-| <a name="input_trusted_entities"></a> [trusted\_entities](#input\_trusted\_entities) | Lambda Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no |
+| <a name="input_trusted_entities"></a> [trusted\_entities](#input\_trusted\_entities) | Lambda Function additional trusted entities for assuming roles (trust relationship) | `list(any)` | `[]` | no |
 | <a name="input_use_existing_cloudwatch_log_group"></a> [use\_existing\_cloudwatch\_log\_group](#input\_use\_existing\_cloudwatch\_log\_group) | Whether to use an existing CloudWatch log group or create new | `bool` | `false` | no |
 | <a name="input_vpc_security_group_ids"></a> [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of security group ids when Lambda Function should run in the VPC. | `list(string)` | `null` | no |
 | <a name="input_vpc_subnet_ids"></a> [vpc\_subnet\_ids](#input\_vpc\_subnet\_ids) | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets. | `list(string)` | `null` | no |

diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -42,6 +42,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_lambda_layer_local"></a> [lambda\_layer\_local](#module\_lambda\_layer\_local) | ../../ |  |
 | <a name="module_lambda_layer_s3"></a> [lambda\_layer\_s3](#module\_lambda\_layer\_s3) | ../../ |  |
 | <a name="module_lambda_with_provisioned_concurrency"></a> [lambda\_with\_provisioned\_concurrency](#module\_lambda\_with\_provisioned\_concurrency) | ../../ |  |
+| <a name="module_lambda_with_trusted_entities"></a> [lambda\_with\_trusted\_entities](#module\_lambda\_with\_trusted\_entities) | ../../ |  |
 | <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws |  |
 
 ## Resources

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -227,6 +227,33 @@ module "lambda_with_provisioned_concurrency" {
   provisioned_concurrent_executions = -1 # 2
 }
 
+###############################################
+# Lambda Function with trusted entities
+###############################################
+
+module "lambda_with_trusted_entities" {
+  source = "../../"
+
+  function_name = "${random_pet.this.id}-lambda-trusted-entities"
+  handler       = "index.lambda_handler"
+  runtime       = "python3.8"
+
+  source_path = "${path.module}/../fixtures/python3.8-app1"
+
+  trusted_entities = [
+    {
+      type = "AWS",
+      identifiers = [
+        "arn:aws:iam::123456789012:root",
+        "999999999999",
+        "arn:aws:sts::123456789012:assumed-role/RoleName/[email protected]"
+      ]
+    }
+  ]
+  # trusted_entities also accepts a list of aws services :
+  # trusted_entities = ["service-name.amazonaws.com", "ecs.amazonaws.com"]
+}
+
 ###########
 # Disabled
 ###########

diff --git a/iam.tf b/iam.tf
@@ -18,6 +18,16 @@ locals {
 # IAM role
 ###########
 
+locals {
+  trusted_service_entities = try([for service in var.trusted_entities : tostring(service)], [])
+  trusted_object_entities = try([for principal in var.trusted_entities :
+    {
+      type        = tostring(principal.type),
+      identifiers = tolist(principal.identifiers)
+    }
+  ], [])
+}
+
 data "aws_iam_policy_document" "assume_role" {
   count = local.create_role ? 1 : 0
 
@@ -27,7 +37,15 @@ data "aws_iam_policy_document" "assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = distinct(concat(slice(["lambda.amazonaws.com", "edgelambda.amazonaws.com"], 0, var.lambda_at_edge ? 2 : 1), var.trusted_entities))
+      identifiers = distinct(concat(slice(["lambda.amazonaws.com", "edgelambda.amazonaws.com"], 0, var.lambda_at_edge ? 2 : 1), local.trusted_service_entities))
+    }
+
+    dynamic "principals" {
+      for_each = local.trusted_object_entities
+      content {
+        type        = principals.value.type
+        identifiers = principals.value.identifiers
+      }
     }
   }
 }

diff --git a/variables.tf b/variables.tf
@@ -437,7 +437,7 @@ variable "attach_policy_statements" {
 
 variable "trusted_entities" {
   description = "Lambda Function additional trusted entities for assuming roles (trust relationship)"
-  type        = list(string)
+  type        = list(any)
   default     = []
 }