This repository was archived by the owner on Jun 8, 2022. It is now read-only.

Allow use of existing policy #25

Open: wants to merge 5 commits into base: master

Conversation

reisingerf

Rather than creating a new policy from a referenced policy document, allow the use of an existing policy by specifying its ARN.
This not only allows the re-use of an existing policy, but also the control over other aws_iam_policy arguments like path and description.

@raymondbutcher
Contributor

Hi @reisingerf, thanks for the PR but this change would break a bunch of places where I'm using this. Here is an example of my usage:

module "lambda" {
  source = "../../../modules/tf-aws-lambda"

  function_name = "deployment-build"
  description   = "Deployment build task"
  handler       = "lambda.lambda_handler"
  runtime       = "python3.6"
  timeout       = 300

  source_path = "${path.module}/lambda.py"

  attach_policy = true
  policy        = "${data.aws_iam_policy_document.lambda.json}"

  environment {
    variables {
      CODEBUILD_PROJECT_NAME = "${aws_codebuild_project.ami.name}"
      SOURCE_BUCKET          = "${var.source_bucket}"
      SOURCE_KEY             = "${var.source_key}"
      SLACK_URLS             = "${jsonencode(var.slack_urls)}"
    }
  }
}

data "aws_iam_policy_document" "lambda" {
  statement {
    effect = "Allow"

    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "ec2:DescribeImages",
    ]

    resources = [
      "*",
    ]
  }

  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
    ]

    resources = [
      "arn:aws:s3:::${var.source_bucket}/${var.source_key}",
    ]
  }

  statement {
    effect = "Allow"

    actions = [
      "codebuild:StartBuild",
    ]

    resources = [
      "${aws_codebuild_project.ami.id}",
    ]
  }
}

I like it because the module deals with the policy resources and I just have to pass in the policy JSON. Your change would force us to create a bunch of policies to hold the JSON but I'd rather let the module do that.

Could you implement your change in a way that doesn't break existing usage? Perhaps a new policy_arns or attach_policy_arns list variable?
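One way the module could support the suggested `policy_arns` list without breaking existing `attach_policy` / `policy` callers, as an added illustration in Terraform 0.11 syntax that is not the module's own code (the `policy_arns` variable name and the `aws_iam_role.lambda` resource are assumptions):

```hcl
# Added illustration of the proposed module interface, not the module's own code.
# attach_policy and policy exist in the thread; policy_arns is the list variable
# suggested in review. aws_iam_role.lambda is assumed to be defined elsewhere.

variable "attach_policy" {
  description = "Create a managed policy from var.policy and attach it to the role"
  default     = false
}

variable "policy" {
  description = "IAM policy document JSON, e.g. data.aws_iam_policy_document.x.json"
  default     = ""
}

variable "policy_arns" {
  description = "ARNs of existing, externally managed IAM policies to attach"
  type        = "list"
  default     = []
}

# Existing behaviour: the module owns the aws_iam_policy that holds the JSON,
# so callers only pass a policy document and never manage policy resources.
resource "aws_iam_policy" "lambda" {
  count  = "${var.attach_policy ? 1 : 0}"
  name   = "${aws_iam_role.lambda.name}"
  policy = "${var.policy}"
}

resource "aws_iam_role_policy_attachment" "lambda" {
  count      = "${var.attach_policy ? 1 : 0}"
  role       = "${aws_iam_role.lambda.name}"
  # join() over the splat is safe when count is 0 and the list is empty
  policy_arn = "${join("", aws_iam_policy.lambda.*.arn)}"
}

# New, additive behaviour: attach pre-existing policies by ARN, one attachment
# per ARN. Callers keep path/description control over those policies, and
# existing attach_policy = true users are unaffected because the default is [].
resource "aws_iam_role_policy_attachment" "existing" {
  count      = "${length(var.policy_arns)}"
  role       = "${aws_iam_role.lambda.name}"
  policy_arn = "${element(var.policy_arns, count.index)}"
}
```

A caller that already manages its own `aws_iam_policy` would pass `policy_arns = ["${aws_iam_policy.shared.arn}"]`, while the usage shown above keeps `attach_policy = true` and `policy = ...` unchanged; both paths can be combined on the same role.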

@reisingerf
Author

I tried to convert my changes into an alternative that leaves the original version intact. Does this look better?

@reisingerf
Author

Sorry for the long silence! I've been completely sidetracked. I've some spare time now, so came back to it.
Happy for any comments!

@ssen1

ssen1 commented Aug 26, 2019

What's the status on this?

mbklein pushed a commit to nulib/terraform-aws-lambda that referenced this pull request Apr 25, 2022