This repository has been archived by the owner on Jun 8, 2022. It is now read-only.

Allow use of existing policy #25

Status: Open. Wants to merge 5 commits into base: master.

Conversation

reisingerf

Rather than creating a new policy from a referenced policy document, allow the use of an existing policy by specifying its ARN.
This not only allows the re-use of an existing policy, but also control over other aws_iam_policy arguments like path and description.

@raymondbutcher
Contributor

Hi @reisingerf , thanks for the PR but this change would break a bunch of places where I'm using this. Here is an example of my usage:

```hcl
# Terraform 0.11 syntax: the module creates the IAM policy from the JSON passed in.
module "lambda" {
  source = "../../../modules/tf-aws-lambda"

  function_name = "deployment-build"
  description   = "Deployment build task"
  handler       = "lambda.lambda_handler"
  runtime       = "python3.6"
  timeout       = 300

  source_path = "${path.module}/lambda.py"

  # The module owns the aws_iam_policy; the caller only supplies the document.
  attach_policy = true
  policy        = "${data.aws_iam_policy_document.lambda.json}"

  environment {
    variables {
      CODEBUILD_PROJECT_NAME = "${aws_codebuild_project.ami.name}"
      SOURCE_BUCKET          = "${var.source_bucket}"
      SOURCE_KEY             = "${var.source_key}"
      SLACK_URLS             = "${jsonencode(var.slack_urls)}"
    }
  }
}

# Least-privilege document for the function: only the describe calls, the one
# source object and the one CodeBuild project it needs.
data "aws_iam_policy_document" "lambda" {
  statement {
    effect = "Allow"

    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "ec2:DescribeImages",
    ]

    resources = [
      "*",
    ]
  }

  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
    ]

    resources = [
      "arn:aws:s3:::${var.source_bucket}/${var.source_key}",
    ]
  }

  statement {
    effect = "Allow"

    actions = [
      "codebuild:StartBuild",
    ]

    resources = [
      "${aws_codebuild_project.ami.id}",
    ]
  }
}
```

I like it because the module deals with the policy resources and I just have to pass in the policy JSON. Your change would force us to create a bunch of policies to hold the JSON but I'd rather let the module do that.

Could you implement your change in a way that doesn't break existing usage? Perhaps a new policy_arns or attach_policy_arns list variable?
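One way to add the list variable suggested above while leaving the existing attach_policy/policy path untouched. This is an added example written for this page, not the module's own iam.tf or variables.tf; the variable name policy_arns, the function_name variable, the assume-role document and the resource names are assumptions, written in the same Terraform 0.11 syntax as the usage above.

```hcl
# Added example (hypothetical module internals), Terraform 0.11 syntax.

variable "function_name" {}

variable "attach_policy" {
  description = "Whether to attach the inline policy JSON in var.policy"
  default     = false
}

variable "policy" {
  description = "IAM policy document JSON; the module wraps it in an aws_iam_policy it owns"
  default     = ""
}

# Hypothetical new variable: ARNs of policies that already exist.
variable "policy_arns" {
  description = "ARNs of existing IAM policies to attach to the function's role"
  type        = "list"
  default     = []
}

# Trust policy: only the Lambda service may assume the execution role.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "${var.function_name}"
  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
}

# Existing behaviour, unchanged: the module creates the policy from the JSON.
resource "aws_iam_policy" "inline" {
  count  = "${var.attach_policy ? 1 : 0}"
  name   = "${var.function_name}"
  policy = "${var.policy}"
}

resource "aws_iam_role_policy_attachment" "inline" {
  count      = "${var.attach_policy ? 1 : 0}"
  role       = "${aws_iam_role.lambda.name}"
  policy_arn = "${aws_iam_policy.inline.arn}"
}

# New behaviour: one attachment per caller-supplied ARN. In 0.11 the count must
# be known at plan time, so var.policy_arns has to come from literals or input
# variables, not from attributes of resources created in the same apply.
resource "aws_iam_role_policy_attachment" "existing" {
  count      = "${length(var.policy_arns)}"
  role       = "${aws_iam_role.lambda.name}"
  policy_arn = "${element(var.policy_arns, count.index)}"
}
```

A caller keeps using attach_policy/policy exactly as before and can additionally pass policy_arns = ["arn:aws:iam::123456789012:policy/existing"] (a constructed ARN). Two things to check before relying on the ARN path: the module can no longer see what an attached policy grants, so anything broad (for example an AWS managed policy) should be reviewed by the caller rather than assumed to be scoped like the inline document, and the count expression will fail to plan if the list is built from computed values.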

@reisingerf
Author

I tried to convert my changes into an alternative that leaves the original version intact. Does this look better?

Review comments on: iam.tf (resolved), variables.tf (outdated, resolved), variables.tf (outdated, resolved)
@reisingerf
Author

Sorry for the long silence! I've been completely sidetracked. I have some spare time now, so I came back to it.
Happy for any comments!

@ssen1

ssen1 commented Aug 26, 2019

What's the status on this?

mbklein pushed a commit to nulib/terraform-aws-lambda that referenced this pull request Apr 25, 2022