Add support for declaring simple lambda permissions in-module

[jpalomaki]

what

Allow lambda configuration author to optionally declare lambda:InvokeFunction lambda permissions directly in this module.

More complex permissions configurations could still be done outside of this module.

why

This co-locates permissions related to the lambda in the module configuration (where we also declare lambda IAM role permissions), which can help a reader understand where the lambda is invoked from, e.g. in cases where the actual event sources are declared in a different root configuration.

In our specific use case, we use terragrunt to deploy the lambda function (straight from terraform registry module), so this feature would also help us avoid having to create a wrapper module just to add the necessary permission resources.

questions

1. Because we support terraform 0.14+ (no default value support for optionals), we scope this to just the specific action lambda:InvokeFunction and keep the number of attributes a user has to fill in, small. Does this look like a sane approach (looks like it could cover a lot of ground already, judging by examples)?
2. Because we support terraform 0.14+, we can't do replace_triggered_by. Not entirely sure if that is a problem though, since we just attach the permission to the function itself (and not an alias or version)
3. The resource for_each is keyed by list index, which isn't ideal, since it would force recreations if items are shuffled/inserted

references

Slack discussion, cc/ @osterman

[jpalomaki]

FWIW, I've run a quick smoke test using my fork branch as source

[dudymas]

/terratest

[jpalomaki]

@dudymas I've now added a depends_on that ought to fix the race, can you re-run the tests?

[dudymas]

/terratest

[dudymas]

Looking good! Now, you'll just need to make sure when enabled=false that the bucket and other resources aren't created. Sorry for the rigor, but we've got to make sure disabling a component truly does not create any resources. See test step here:

terraform-aws-lambda-function/test/src/examples_complete_test.go

Line 62 in db40e88

testNoChanges(t, "../../examples/complete")

[jpalomaki]

@dudymas All right, I've now added count's to the new resources

[dudymas]

/terratest

[dudymas]

unfortunately, terraform doesn't handle counts of 0 very well on its own. I recommend using the join() function for the bucket arn, similar to here:

terraform-aws-lambda-function/examples/complete/main.tf

Line 10 in b9923cf

join("", data.aws_partition.current.*.partition),

[jpalomaki]

unfortunately, terraform doesn't handle counts of 0 very well on its own. I recommend using the join() function for the bucket arn, similar to here:

terraform-aws-lambda-function/examples/complete/main.tf

Line 10 in b9923cf

join("", data.aws_partition.current.*.partition),

Oh right, the module instance itself isn't guarded by a count. Should be fixed now.

[dudymas]

/terratest

[gberenice]

/terratest

[gberenice]

@jpalomaki could you please address this linter error:

Raw Output:
main.tf:109:50: warning: List items should be accessed using square brackets ()

Should be like:

join("", aws_s3_bucket.example[*].arn)

[jpalomaki]

/terratest

[jpalomaki]

@dudymas @gberenice I've now fixed that linter warning, but looks like I can't run terratest myself

[gberenice]

/terratest

[jpalomaki]

@gberenice I've now fixed the apparent formatting errors, please retest

[gberenice]

/terratest

[gberenice]

@jpalomaki thanks for contribution!

[github-actions]

These changes were released in v0.5.6.