From e4277991146de9a240e85566a65d1d576393f795 Mon Sep 17 00:00:00 2001
From: Joscha Nassenstein
Date: Tue, 2 May 2023 11:42:55 +0200
Subject: [PATCH 1/3] Allow custom KMS key encryption for packages that are stored in s3

The aws_s3_object resource currently does not allow to specify to kms_key_id parameter to provide a custom KMS key ARN to use for encryption. A new variable "s3_kms_key_id" has been introduced to allow to specify it.
---
 main.tf | 1 +
 variables.tf | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/main.tf b/main.tf
index 78ec8df3..cd0e295b 100644
--- a/main.tf
+++ b/main.tf
@@ -175,6 +175,7 @@ resource "aws_s3_object" "lambda_package" {
 storage_class = var.s3_object_storage_class
 server_side_encryption = var.s3_server_side_encryption
+ kms_key_id = var.s3_kms_key_id
 tags = var.s3_object_tags_only ? var.s3_object_tags : merge(var.tags, var.s3_object_tags)
diff --git a/variables.tf b/variables.tf
index a3215394..ad0541d7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -678,6 +678,12 @@ variable "s3_server_side_encryption" {
 default = null
 }
+variable "s3_kms_key_id" {
+ description = "Specifies a custom KMS key to use for S3 object encryption."
+ type = string
+ default = null
+}
+
 variable "source_path" {
 description = "The absolute path to a local file or directory containing your Lambda source code"
 type = any # string | list(string | map(any))

From 5945ae1229f23e0f935989d0853aa44aa49f53cb Mon Sep 17 00:00:00 2001
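Review bot: The added `kms_key_id = var.s3_kms_key_id` line is set independently of `server_side_encryption = var.s3_server_side_encryption` on the line above, and the interaction between the two inputs is not documented anywhere in the hunk. As far as I recall the AWS provider's behaviour, a non-null `kms_key_id` makes the object upload use `aws:kms` regardless of what `server_side_encryption` says, so a caller who sets `s3_server_side_encryption = "AES256"` together with `s3_kms_key_id` ends up with a different mode than the first variable suggests; please confirm against the provider before relying on it. A one-line comment above the new line would save the next reader the lookup: `# A non-null kms_key_id implies aws:kms; s3_server_side_encryption is then redundant`. The `aws_s3_object.lambda_package` block starts before and continues after the hunk.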
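Review bot: The description of the new `s3_kms_key_id` variable says "a custom KMS key" but does not say which form the value must take, although the argument it feeds (`kms_key_id` on `aws_s3_object`) is documented as expecting the key ARN and the example later in this series passes `aws_kms_key.objects.arn`. Passing an alias or a bare key ID may succeed at upload but, as I recall, the object then reads back with the full key ARN and shows a perpetual diff, which is worth stating where users will see it. Suggested wording: `description = "ARN of the KMS key used to encrypt the Lambda package object in S3 (pass the key ARN, not an alias or key ID); implies aws:kms server-side encryption."`. It would also help to mention that the identity applying the configuration presumably needs kms:Decrypt on that key, since the package is fetched from S3 when the function is created — confirm against the Lambda documentation.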
From: Joscha Nassenstein Date: Fri, 20 Oct 2023 11:36:41 +0200 Subject: [PATCH 2/3] Add example 's3-custom-kms-key' and update documentation New example 's3-custom-kms-key' was added and mentioned in the main README --- README.md | 12 ++-- examples/s3-custom-kms-key/.gitignore | 1 + examples/s3-custom-kms-key/README.md | 69 +++++++++++++++++++++++ examples/s3-custom-kms-key/main.tf | 57 +++++++++++++++++++ examples/s3-custom-kms-key/outputs.tf | 73 +++++++++++++++++++++++++ examples/s3-custom-kms-key/variables.tf | 0 examples/s3-custom-kms-key/versions.tf | 14 +++++ wrappers/main.tf | 1 + 8 files changed, 222 insertions(+), 5 deletions(-) create mode 100644 examples/s3-custom-kms-key/.gitignore create mode 100644 examples/s3-custom-kms-key/README.md create mode 100644 examples/s3-custom-kms-key/main.tf create mode 100644 examples/s3-custom-kms-key/outputs.tf create mode 100644 examples/s3-custom-kms-key/variables.tf create mode 100644 examples/s3-custom-kms-key/versions.tf diff --git a/README.md b/README.md index c3514c78..b4d9b8af 100644 --- a/README.md +++ b/README.md 
@@ -558,31 +558,31 @@ module "lambda_function_existing_package_from_remote_url" { ``` ## How to use AWS SAM CLI to test Lambda Function? -[AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-command-reference.html) is an open source tool that help the developers to initiate, build, test, and deploy serverless +[AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-command-reference.html) is an open source tool that help the developers to initiate, build, test, and deploy serverless applications. SAM CLI tool [supports Terraform applications](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-terraform-support.html). SAM CLI provides two ways of testing: local testing and testing on-cloud (Accelerate). ### Local Testing Using SAM CLI, you can invoke the lambda functions defined in the terraform application locally using the [sam local invoke](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-local-invoke.html) -command, providing the function terraform address, or function name, and to set the `hook-name` to `terraform` to tell SAM CLI that the underlying project is a terraform application. +command, providing the function terraform address, or function name, and to set the `hook-name` to `terraform` to tell SAM CLI that the underlying project is a terraform application. You can execute the `sam local invoke` command from your terraform application root directory as following: ``` -sam local invoke --hook-name terraform module.hello_world_function.aws_lambda_function.this[0] +sam local invoke --hook-name terraform module.hello_world_function.aws_lambda_function.this[0] ``` You can also pass an event to your lambda function, or overwrite its environment variables. 
Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-invoke.html) for more information. You can also invoke your lambda function in debugging mode, and step-through your lambda function source code locally in your preferred editor. Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-debugging.html) for more information. ### Testing on-cloud (Accelerate) -You can use AWS SAM CLI to quickly test your application on your AWS development account. Using SAM Accelerate, you will be able to develop your lambda functions locally, +You can use AWS SAM CLI to quickly test your application on your AWS development account. Using SAM Accelerate, you will be able to develop your lambda functions locally, and once you save your updates, SAM CLI will update your development account with the updated Lambda functions. So, you can test it on cloud, and if there is any bug, you can quickly update the code, and SAM CLI will take care of pushing it to the cloud. Check [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/accelerate.html) for more information about SAM Accelerate. You can execute the `sam sync` command from your terraform application root directory as following: ``` -sam sync --hook-name terraform --watch +sam sync --hook-name terraform --watch ``` ## How to deploy and manage Lambda Functions? 
@@ -651,6 +651,7 @@ Q4: What does this error mean - `"We currently do not support adding policies fo - [Event Source Mapping](https://github.com/terraform-aws-modules/terraform-aws-lambda/tree/master/examples/event-source-mapping) - Create Lambda Function with event source mapping configuration (SQS, DynamoDB, Amazon MQ, and Kinesis). - [Triggers](https://github.com/terraform-aws-modules/terraform-aws-lambda/tree/master/examples/triggers) - Create Lambda Function with some triggers (eg, Cloudwatch Events, EventBridge). - [Code Signing](https://github.com/terraform-aws-modules/terraform-aws-lambda/tree/master/examples/code-signing) - Create Lambda Function with code signing configuration. +- [S3 Custom KMS Key](https://github.com/terraform-aws-modules/terraform-aws-lambda/tree/master/examples/s3-custom-kms-key) - Upload Lambda package to S3 using a custom KMS key # Examples by the users of this module 
@@ -837,6 +838,7 @@ No modules. | [s3\_acl](#input\_s3\_acl) | The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private. | `string` | `"private"` | no | | [s3\_bucket](#input\_s3\_bucket) | S3 bucket to store artifacts | `string` | `null` | no | | [s3\_existing\_package](#input\_s3\_existing\_package) | The S3 bucket object with keys bucket, key, version pointing to an existing zip-file to use | `map(string)` | `null` | no | +| [s3\_kms\_key\_id](#input\_s3\_kms\_key\_id) | Specifies a custom KMS key to use for S3 object encryption. | `string` | `null` | no | | [s3\_object\_storage\_class](#input\_s3\_object\_storage\_class) | Specifies the desired Storage Class for the artifact uploaded to S3. Can be either STANDARD, REDUCED\_REDUNDANCY, ONEZONE\_IA, INTELLIGENT\_TIERING, or STANDARD\_IA. | `string` | `"ONEZONE_IA"` | no | | [s3\_object\_tags](#input\_s3\_object\_tags) | A map of tags to assign to S3 bucket object. | `map(string)` | `{}` | no | | [s3\_object\_tags\_only](#input\_s3\_object\_tags\_only) | Set to true to not merge tags with s3\_object\_tags. Useful to avoid breaching S3 Object 10 tag limit. | `bool` | `false` | no | diff --git a/examples/s3-custom-kms-key/.gitignore b/examples/s3-custom-kms-key/.gitignore new file mode 100644 index 00000000..b205ba3d --- /dev/null +++ b/examples/s3-custom-kms-key/.gitignore @@ -0,0 +1 @@ +builds/* diff --git a/examples/s3-custom-kms-key/README.md b/examples/s3-custom-kms-key/README.md new file mode 100644 index 00000000..af03d947 --- /dev/null +++ b/examples/s3-custom-kms-key/README.md 
@@ -0,0 +1,69 @@ +# AWS Lambda Function with custom KMS key encryption in S3 + +Configuration in this directory creates AWS Lambda Function that is uploaded to S3 using a self-managed KMS key. + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.63 | +| [random](#requirement\_random) | >= 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.63 | +| [random](#provider\_random) | >= 2.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [lambda\_function](#module\_lambda\_function) | ../../ | n/a | +| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_key.objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [lambda\_cloudwatch\_log\_group\_arn](#output\_lambda\_cloudwatch\_log\_group\_arn) | The ARN of the Cloudwatch Log Group | +| [lambda\_function\_arn](#output\_lambda\_function\_arn) | The ARN of the Lambda Function | +| [lambda\_function\_arn\_static](#output\_lambda\_function\_arn\_static) | The static ARN of the Lambda Function. 
Use this to avoid cycle errors between resources (e.g., Step Functions) | +| [lambda\_function\_invoke\_arn](#output\_lambda\_function\_invoke\_arn) | The Invoke ARN of the Lambda Function | +| [lambda\_function\_last\_modified](#output\_lambda\_function\_last\_modified) | The date Lambda Function resource was last modified | +| [lambda\_function\_name](#output\_lambda\_function\_name) | The name of the Lambda Function | +| [lambda\_function\_qualified\_arn](#output\_lambda\_function\_qualified\_arn) | The ARN identifying your Lambda Function Version | +| [lambda\_function\_qualified\_invoke\_arn](#output\_lambda\_function\_qualified\_invoke\_arn) | The Invoke ARN identifying your Lambda Function Version | +| [lambda\_function\_source\_code\_hash](#output\_lambda\_function\_source\_code\_hash) | Base64-encoded representation of raw SHA-256 sum of the zip file | +| [lambda\_function\_source\_code\_size](#output\_lambda\_function\_source\_code\_size) | The size in bytes of the function .zip file | +| [lambda\_function\_version](#output\_lambda\_function\_version) | Latest published version of Lambda Function | +| [lambda\_role\_arn](#output\_lambda\_role\_arn) | The ARN of the IAM role created for the Lambda Function | +| [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function | +| [s3\_object](#output\_s3\_object) | The map with S3 object data of zip archive deployed (if deployment was from S3) | + diff --git a/examples/s3-custom-kms-key/main.tf b/examples/s3-custom-kms-key/main.tf new file mode 100644 index 00000000..081b3635 --- /dev/null +++ b/examples/s3-custom-kms-key/main.tf 
@@ -0,0 +1,57 @@ +provider "aws" { + region = "eu-west-1" + + # Make it faster by skipping something + skip_metadata_api_check = true + skip_region_validation = true + skip_credentials_validation = true + skip_requesting_account_id = true +} + +module "lambda_function" { + source = "../../" + + function_name = "${random_pet.this.id}-lambda-s3-custom-kms-key" + handler = "index.lambda_handler" + runtime = "python3.8" + source_path = "${path.module}/../fixtures/python3.8-app1" + + store_on_s3 = true + s3_bucket = module.s3_bucket.s3_bucket_id + s3_prefix = "lambda-builds/" + + # Upload to S3 using our self-managed KMS key + s3_kms_key_id = aws_kms_key.objects.arn +} + +resource "random_pet" "this" { + length = 2 +} + +resource "aws_kms_key" "objects" { + description = "KMS key used to encrypt bucket objects" + deletion_window_in_days = 7 +} + +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "~> 3.0" + + bucket_prefix = "${random_pet.this.id}-" + force_destroy = true + + # S3 bucket-level Public Access Block configuration + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + + # Only allow uploads with specific KMS key + attach_deny_incorrect_kms_key_sse = true + allowed_kms_key_arn = aws_kms_key.objects.arn + attach_deny_unencrypted_object_uploads = true + + versioning = { + enabled = true + } +} diff --git a/examples/s3-custom-kms-key/outputs.tf b/examples/s3-custom-kms-key/outputs.tf new file mode 100644 index 00000000..aa2457d1 --- /dev/null +++ b/examples/s3-custom-kms-key/outputs.tf 
@@ -0,0 +1,73 @@ +# Lambda Function +output "lambda_function_arn" { + description = "The ARN of the Lambda Function" + value = module.lambda_function.lambda_function_arn +} + +output "lambda_function_arn_static" { + description = "The static ARN of the Lambda Function. Use this to avoid cycle errors between resources (e.g., Step Functions)" + value = module.lambda_function.lambda_function_arn_static +} + +output "lambda_function_invoke_arn" { + description = "The Invoke ARN of the Lambda Function" + value = module.lambda_function.lambda_function_invoke_arn +} + +output "lambda_function_name" { + description = "The name of the Lambda Function" + value = module.lambda_function.lambda_function_name +} + +output "lambda_function_qualified_arn" { + description = "The ARN identifying your Lambda Function Version" + value = module.lambda_function.lambda_function_qualified_arn +} + +output "lambda_function_qualified_invoke_arn" { + description = "The Invoke ARN identifying your Lambda Function Version" + value = module.lambda_function.lambda_function_qualified_invoke_arn +} + +output "lambda_function_version" { + description = "Latest published version of Lambda Function" + value = module.lambda_function.lambda_function_version +} + +output "lambda_function_last_modified" { + description = "The date Lambda Function resource was last modified" + value = module.lambda_function.lambda_function_last_modified +} + +output "lambda_function_source_code_hash" { + description = "Base64-encoded representation of raw SHA-256 sum of the zip file" + value = module.lambda_function.lambda_function_source_code_hash +} + +output "lambda_function_source_code_size" { + description = "The size in bytes of the function .zip file" + value = module.lambda_function.lambda_function_source_code_size +} + +# IAM Role +output "lambda_role_arn" { + description = "The ARN of the IAM role created for the Lambda Function" + value = module.lambda_function.lambda_role_arn +} + +output "lambda_role_name" { 
+ description = "The name of the IAM role created for the Lambda Function" + value = module.lambda_function.lambda_role_name +} + +# CloudWatch Log Group +output "lambda_cloudwatch_log_group_arn" { + description = "The ARN of the Cloudwatch Log Group" + value = module.lambda_function.lambda_cloudwatch_log_group_arn +} + +# Deployment package +output "s3_object" { + description = "The map with S3 object data of zip archive deployed (if deployment was from S3)" + value = module.lambda_function.s3_object +} diff --git a/examples/s3-custom-kms-key/variables.tf b/examples/s3-custom-kms-key/variables.tf new file mode 100644 index 00000000..e69de29b diff --git a/examples/s3-custom-kms-key/versions.tf b/examples/s3-custom-kms-key/versions.tf new file mode 100644 index 00000000..5afa48b5 --- /dev/null +++ b/examples/s3-custom-kms-key/versions.tf @@ -0,0 +1,14 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.63" + } + random = { + source = "hashicorp/random" + version = ">= 2.0" + } + } +} diff --git a/wrappers/main.tf b/wrappers/main.tf index f4a520bf..9b41b386 100644 --- a/wrappers/main.tf +++ b/wrappers/main.tf @@ -109,6 +109,7 @@ module "wrapper" { s3_bucket = try(each.value.s3_bucket, var.defaults.s3_bucket, null) s3_acl = try(each.value.s3_acl, var.defaults.s3_acl, "private") s3_server_side_encryption = try(each.value.s3_server_side_encryption, var.defaults.s3_server_side_encryption, null) + s3_kms_key_id = try(each.value.s3_kms_key_id, var.defaults.s3_kms_key_id, null) source_path = try(each.value.source_path, var.defaults.source_path, null) hash_extra = try(each.value.hash_extra, var.defaults.hash_extra, "") build_in_docker = try(each.value.build_in_docker, var.defaults.build_in_docker, false) From a5cd8ffc9e175c14374ede14fdbd6fa396840bc9 Mon Sep 17 00:00:00 2001 
From: Anton Babenko Date: Fri, 3 Nov 2023 13:06:53 +0100 Subject: [PATCH 3/3] Removed unnecessary examples/s3-custom-kms-key --- .pre-commit-config.yaml | 4 +- README.md | 1 - examples/s3-custom-kms-key/.gitignore | 1 - examples/s3-custom-kms-key/README.md | 69 --------- examples/s3-custom-kms-key/main.tf | 57 ------- examples/s3-custom-kms-key/outputs.tf | 73 --------- examples/s3-custom-kms-key/variables.tf | 0 examples/s3-custom-kms-key/versions.tf | 14 -- wrappers/alias/main.tf | 20 +-- wrappers/deploy/main.tf | 54 +++---- wrappers/docker-build/main.tf | 14 +- wrappers/main.tf | 188 ++++++++++++------------ 12 files changed, 140 insertions(+), 355 deletions(-) delete mode 100644 examples/s3-custom-kms-key/.gitignore delete mode 100644 examples/s3-custom-kms-key/README.md delete mode 100644 examples/s3-custom-kms-key/main.tf delete mode 100644 examples/s3-custom-kms-key/outputs.tf delete mode 100644 examples/s3-custom-kms-key/variables.tf delete mode 100644 examples/s3-custom-kms-key/versions.tf diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e79e67b2..e809a4e4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.81.0 + rev: v1.83.5 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each @@ -24,7 +24,7 @@ repos: - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer diff --git a/README.md b/README.md index f5ea3dee..6f6f7a19 100644 --- a/README.md +++ b/README.md 
@@ -651,7 +651,6 @@ Q4: What does this error mean - `"We currently do not support adding policies fo - [Event Source Mapping](https://github.com/terraform-aws-modules/terraform-aws-lambda/tree/master/examples/event-source-mapping) - Create Lambda Function with event source mapping configuration (SQS, DynamoDB, Amazon MQ, and Kinesis). - [Triggers](https://github.com/terraform-aws-modules/terraform-aws-lambda/tree/master/examples/triggers) - Create Lambda Function with some triggers (eg, Cloudwatch Events, EventBridge). - [Code Signing](https://github.com/terraform-aws-modules/terraform-aws-lambda/tree/master/examples/code-signing) - Create Lambda Function with code signing configuration. -- [S3 Custom KMS Key](https://github.com/terraform-aws-modules/terraform-aws-lambda/tree/master/examples/s3-custom-kms-key) - Upload Lambda package to S3 using a custom KMS key # Examples by the users of this module diff --git a/examples/s3-custom-kms-key/.gitignore b/examples/s3-custom-kms-key/.gitignore deleted file mode 100644 index b205ba3d..00000000 --- a/examples/s3-custom-kms-key/.gitignore +++ /dev/null @@ -1 +0,0 @@ -builds/* diff --git a/examples/s3-custom-kms-key/README.md b/examples/s3-custom-kms-key/README.md deleted file mode 100644 index af03d947..00000000 --- a/examples/s3-custom-kms-key/README.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# AWS Lambda Function with custom KMS key encryption in S3 - -Configuration in this directory creates AWS Lambda Function that is uploaded to S3 using a self-managed KMS key. - -## Usage - -To run this example you need to execute: - -```bash -$ terraform init -$ terraform plan -$ terraform apply -``` - -Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.63 | -| [random](#requirement\_random) | >= 2.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.63 | -| [random](#provider\_random) | >= 2.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [lambda\_function](#module\_lambda\_function) | ../../ | n/a | -| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_kms_key.objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | - -## Inputs - -No inputs. - -## Outputs - -| Name | Description | -|------|-------------| -| [lambda\_cloudwatch\_log\_group\_arn](#output\_lambda\_cloudwatch\_log\_group\_arn) | The ARN of the Cloudwatch Log Group | -| [lambda\_function\_arn](#output\_lambda\_function\_arn) | The ARN of the Lambda Function | -| [lambda\_function\_arn\_static](#output\_lambda\_function\_arn\_static) | The static ARN of the Lambda Function. 
Use this to avoid cycle errors between resources (e.g., Step Functions) | -| [lambda\_function\_invoke\_arn](#output\_lambda\_function\_invoke\_arn) | The Invoke ARN of the Lambda Function | -| [lambda\_function\_last\_modified](#output\_lambda\_function\_last\_modified) | The date Lambda Function resource was last modified | -| [lambda\_function\_name](#output\_lambda\_function\_name) | The name of the Lambda Function | -| [lambda\_function\_qualified\_arn](#output\_lambda\_function\_qualified\_arn) | The ARN identifying your Lambda Function Version | -| [lambda\_function\_qualified\_invoke\_arn](#output\_lambda\_function\_qualified\_invoke\_arn) | The Invoke ARN identifying your Lambda Function Version | -| [lambda\_function\_source\_code\_hash](#output\_lambda\_function\_source\_code\_hash) | Base64-encoded representation of raw SHA-256 sum of the zip file | -| [lambda\_function\_source\_code\_size](#output\_lambda\_function\_source\_code\_size) | The size in bytes of the function .zip file | -| [lambda\_function\_version](#output\_lambda\_function\_version) | Latest published version of Lambda Function | -| [lambda\_role\_arn](#output\_lambda\_role\_arn) | The ARN of the IAM role created for the Lambda Function | -| [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function | -| [s3\_object](#output\_s3\_object) | The map with S3 object data of zip archive deployed (if deployment was from S3) | - diff --git a/examples/s3-custom-kms-key/main.tf b/examples/s3-custom-kms-key/main.tf deleted file mode 100644 index 081b3635..00000000 --- a/examples/s3-custom-kms-key/main.tf +++ /dev/null 
@@ -1,57 +0,0 @@ -provider "aws" { - region = "eu-west-1" - - # Make it faster by skipping something - skip_metadata_api_check = true - skip_region_validation = true - skip_credentials_validation = true - skip_requesting_account_id = true -} - -module "lambda_function" { - source = "../../" - - function_name = "${random_pet.this.id}-lambda-s3-custom-kms-key" - handler = "index.lambda_handler" - runtime = "python3.8" - source_path = "${path.module}/../fixtures/python3.8-app1" - - store_on_s3 = true - s3_bucket = module.s3_bucket.s3_bucket_id - s3_prefix = "lambda-builds/" - - # Upload to S3 using our self-managed KMS key - s3_kms_key_id = aws_kms_key.objects.arn -} - -resource "random_pet" "this" { - length = 2 -} - -resource "aws_kms_key" "objects" { - description = "KMS key used to encrypt bucket objects" - deletion_window_in_days = 7 -} - -module "s3_bucket" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "~> 3.0" - - bucket_prefix = "${random_pet.this.id}-" - force_destroy = true - - # S3 bucket-level Public Access Block configuration - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - - # Only allow uploads with specific KMS key - attach_deny_incorrect_kms_key_sse = true - allowed_kms_key_arn = aws_kms_key.objects.arn - attach_deny_unencrypted_object_uploads = true - - versioning = { - enabled = true - } -} diff --git a/examples/s3-custom-kms-key/outputs.tf b/examples/s3-custom-kms-key/outputs.tf deleted file mode 100644 index aa2457d1..00000000 --- a/examples/s3-custom-kms-key/outputs.tf +++ /dev/null 
@@ -1,73 +0,0 @@ -# Lambda Function -output "lambda_function_arn" { - description = "The ARN of the Lambda Function" - value = module.lambda_function.lambda_function_arn -} - -output "lambda_function_arn_static" { - description = "The static ARN of the Lambda Function. Use this to avoid cycle errors between resources (e.g., Step Functions)" - value = module.lambda_function.lambda_function_arn_static -} - -output "lambda_function_invoke_arn" { - description = "The Invoke ARN of the Lambda Function" - value = module.lambda_function.lambda_function_invoke_arn -} - -output "lambda_function_name" { - description = "The name of the Lambda Function" - value = module.lambda_function.lambda_function_name -} - -output "lambda_function_qualified_arn" { - description = "The ARN identifying your Lambda Function Version" - value = module.lambda_function.lambda_function_qualified_arn -} - -output "lambda_function_qualified_invoke_arn" { - description = "The Invoke ARN identifying your Lambda Function Version" - value = module.lambda_function.lambda_function_qualified_invoke_arn -} - -output "lambda_function_version" { - description = "Latest published version of Lambda Function" - value = module.lambda_function.lambda_function_version -} - -output "lambda_function_last_modified" { - description = "The date Lambda Function resource was last modified" - value = module.lambda_function.lambda_function_last_modified -} - -output "lambda_function_source_code_hash" { - description = "Base64-encoded representation of raw SHA-256 sum of the zip file" - value = module.lambda_function.lambda_function_source_code_hash -} - -output "lambda_function_source_code_size" { - description = "The size in bytes of the function .zip file" - value = module.lambda_function.lambda_function_source_code_size -} - -# IAM Role -output "lambda_role_arn" { - description = "The ARN of the IAM role created for the Lambda Function" - value = module.lambda_function.lambda_role_arn -} - -output "lambda_role_name" { 
- description = "The name of the IAM role created for the Lambda Function" - value = module.lambda_function.lambda_role_name -} - -# CloudWatch Log Group -output "lambda_cloudwatch_log_group_arn" { - description = "The ARN of the Cloudwatch Log Group" - value = module.lambda_function.lambda_cloudwatch_log_group_arn -} - -# Deployment package -output "s3_object" { - description = "The map with S3 object data of zip archive deployed (if deployment was from S3)" - value = module.lambda_function.s3_object -} diff --git a/examples/s3-custom-kms-key/variables.tf b/examples/s3-custom-kms-key/variables.tf deleted file mode 100644 index e69de29b..00000000 diff --git a/examples/s3-custom-kms-key/versions.tf b/examples/s3-custom-kms-key/versions.tf deleted file mode 100644 index 5afa48b5..00000000 --- a/examples/s3-custom-kms-key/versions.tf +++ /dev/null @@ -1,14 +0,0 @@ -terraform { - required_version = ">= 1.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.63" - } - random = { - source = "hashicorp/random" - version = ">= 2.0" - } - } -} diff --git a/wrappers/alias/main.tf b/wrappers/alias/main.tf index 81d3aad9..7729dd06 100644 --- a/wrappers/alias/main.tf +++ b/wrappers/alias/main.tf 
@@ -3,23 +3,23 @@ module "wrapper" { for_each = var.items + allowed_triggers = try(each.value.allowed_triggers, var.defaults.allowed_triggers, {}) create = try(each.value.create, var.defaults.create, true) - use_existing_alias = try(each.value.use_existing_alias, var.defaults.use_existing_alias, false) - refresh_alias = try(each.value.refresh_alias, var.defaults.refresh_alias, true) create_async_event_config = try(each.value.create_async_event_config, var.defaults.create_async_event_config, false) - create_version_async_event_config = try(each.value.create_version_async_event_config, var.defaults.create_version_async_event_config, true) + create_qualified_alias_allowed_triggers = try(each.value.create_qualified_alias_allowed_triggers, var.defaults.create_qualified_alias_allowed_triggers, true) create_qualified_alias_async_event_config = try(each.value.create_qualified_alias_async_event_config, var.defaults.create_qualified_alias_async_event_config, true) create_version_allowed_triggers = try(each.value.create_version_allowed_triggers, var.defaults.create_version_allowed_triggers, true) - create_qualified_alias_allowed_triggers = try(each.value.create_qualified_alias_allowed_triggers, var.defaults.create_qualified_alias_allowed_triggers, true) - name = try(each.value.name, var.defaults.name, "") + create_version_async_event_config = try(each.value.create_version_async_event_config, var.defaults.create_version_async_event_config, true) description = try(each.value.description, var.defaults.description, "") + destination_on_failure = try(each.value.destination_on_failure, var.defaults.destination_on_failure, null) + destination_on_success = try(each.value.destination_on_success, var.defaults.destination_on_success, null) + event_source_mapping = try(each.value.event_source_mapping, var.defaults.event_source_mapping, {}) function_name = try(each.value.function_name, var.defaults.function_name, "") function_version = try(each.value.function_version, 
var.defaults.function_version, "") - routing_additional_version_weights = try(each.value.routing_additional_version_weights, var.defaults.routing_additional_version_weights, {}) maximum_event_age_in_seconds = try(each.value.maximum_event_age_in_seconds, var.defaults.maximum_event_age_in_seconds, null) maximum_retry_attempts = try(each.value.maximum_retry_attempts, var.defaults.maximum_retry_attempts, null) - destination_on_failure = try(each.value.destination_on_failure, var.defaults.destination_on_failure, null) - destination_on_success = try(each.value.destination_on_success, var.defaults.destination_on_success, null) - allowed_triggers = try(each.value.allowed_triggers, var.defaults.allowed_triggers, {}) - event_source_mapping = try(each.value.event_source_mapping, var.defaults.event_source_mapping, {}) + name = try(each.value.name, var.defaults.name, "") + refresh_alias = try(each.value.refresh_alias, var.defaults.refresh_alias, true) + routing_additional_version_weights = try(each.value.routing_additional_version_weights, var.defaults.routing_additional_version_weights, {}) + use_existing_alias = try(each.value.use_existing_alias, var.defaults.use_existing_alias, false) } diff --git a/wrappers/deploy/main.tf b/wrappers/deploy/main.tf index e09fa0f1..47cc3d8b 100644 --- a/wrappers/deploy/main.tf +++ b/wrappers/deploy/main.tf 
@@ -3,39 +3,39 @@ module "wrapper" {
 for_each = var.items
- create = try(each.value.create, var.defaults.create, true)
- tags = try(each.value.tags, var.defaults.tags, {})
- alias_name = try(each.value.alias_name, var.defaults.alias_name, "")
- function_name = try(each.value.function_name, var.defaults.function_name, "")
- current_version = try(each.value.current_version, var.defaults.current_version, "")
- target_version = try(each.value.target_version, var.defaults.target_version, "")
- before_allow_traffic_hook_arn = try(each.value.before_allow_traffic_hook_arn, var.defaults.before_allow_traffic_hook_arn, "")
 after_allow_traffic_hook_arn = try(each.value.after_allow_traffic_hook_arn, var.defaults.after_allow_traffic_hook_arn, "")
- interpreter = try(each.value.interpreter, var.defaults.interpreter, ["/bin/bash", "-c"])
- description = try(each.value.description, var.defaults.description, "")
- create_app = try(each.value.create_app, var.defaults.create_app, false)
- use_existing_app = try(each.value.use_existing_app, var.defaults.use_existing_app, false)
+ alarm_enabled = try(each.value.alarm_enabled, var.defaults.alarm_enabled, false)
+ alarm_ignore_poll_alarm_failure = try(each.value.alarm_ignore_poll_alarm_failure, var.defaults.alarm_ignore_poll_alarm_failure, false)
+ alarms = try(each.value.alarms, var.defaults.alarms, [])
+ alias_name = try(each.value.alias_name, var.defaults.alias_name, "")
 app_name = try(each.value.app_name, var.defaults.app_name, "")
- create_deployment_group = try(each.value.create_deployment_group, var.defaults.create_deployment_group, false)
- use_existing_deployment_group = try(each.value.use_existing_deployment_group, var.defaults.use_existing_deployment_group, false)
- deployment_group_name = try(each.value.deployment_group_name, var.defaults.deployment_group_name, "")
- deployment_config_name = try(each.value.deployment_config_name, var.defaults.deployment_config_name, "CodeDeployDefault.LambdaAllAtOnce")
+ attach_hooks_policy = try(each.value.attach_hooks_policy, var.defaults.attach_hooks_policy, true)
+ attach_triggers_policy = try(each.value.attach_triggers_policy, var.defaults.attach_triggers_policy, false)
 auto_rollback_enabled = try(each.value.auto_rollback_enabled, var.defaults.auto_rollback_enabled, true)
 auto_rollback_events = try(each.value.auto_rollback_events, var.defaults.auto_rollback_events, ["DEPLOYMENT_STOP_ON_ALARM"])
- alarm_enabled = try(each.value.alarm_enabled, var.defaults.alarm_enabled, false)
- alarms = try(each.value.alarms, var.defaults.alarms, [])
- alarm_ignore_poll_alarm_failure = try(each.value.alarm_ignore_poll_alarm_failure, var.defaults.alarm_ignore_poll_alarm_failure, false)
- triggers = try(each.value.triggers, var.defaults.triggers, {})
 aws_cli_command = try(each.value.aws_cli_command, var.defaults.aws_cli_command, "aws")
- save_deploy_script = try(each.value.save_deploy_script, var.defaults.save_deploy_script, false)
+ before_allow_traffic_hook_arn = try(each.value.before_allow_traffic_hook_arn, var.defaults.before_allow_traffic_hook_arn, "")
+ codedeploy_principals = try(each.value.codedeploy_principals, var.defaults.codedeploy_principals, ["codedeploy.amazonaws.com"])
+ codedeploy_role_name = try(each.value.codedeploy_role_name, var.defaults.codedeploy_role_name, "")
+ create = try(each.value.create, var.defaults.create, true)
+ create_app = try(each.value.create_app, var.defaults.create_app, false)
+ create_codedeploy_role = try(each.value.create_codedeploy_role, var.defaults.create_codedeploy_role, true)
 create_deployment = try(each.value.create_deployment, var.defaults.create_deployment, false)
- run_deployment = try(each.value.run_deployment, var.defaults.run_deployment, false)
+ create_deployment_group = try(each.value.create_deployment_group, var.defaults.create_deployment_group, false)
+ current_version = try(each.value.current_version, var.defaults.current_version, "")
+ deployment_config_name = try(each.value.deployment_config_name, var.defaults.deployment_config_name, "CodeDeployDefault.LambdaAllAtOnce")
+ deployment_group_name = try(each.value.deployment_group_name, var.defaults.deployment_group_name, "")
+ description = try(each.value.description, var.defaults.description, "")
 force_deploy = try(each.value.force_deploy, var.defaults.force_deploy, false)
- wait_deployment_completion = try(each.value.wait_deployment_completion, var.defaults.wait_deployment_completion, false)
- create_codedeploy_role = try(each.value.create_codedeploy_role, var.defaults.create_codedeploy_role, true)
- codedeploy_role_name = try(each.value.codedeploy_role_name, var.defaults.codedeploy_role_name, "")
- codedeploy_principals = try(each.value.codedeploy_principals, var.defaults.codedeploy_principals, ["codedeploy.amazonaws.com"])
- attach_hooks_policy = try(each.value.attach_hooks_policy, var.defaults.attach_hooks_policy, true)
- attach_triggers_policy = try(each.value.attach_triggers_policy, var.defaults.attach_triggers_policy, false)
+ function_name = try(each.value.function_name, var.defaults.function_name, "")
 get_deployment_sleep_timer = try(each.value.get_deployment_sleep_timer, var.defaults.get_deployment_sleep_timer, 5)
+ interpreter = try(each.value.interpreter, var.defaults.interpreter, ["/bin/bash", "-c"])
+ run_deployment = try(each.value.run_deployment, var.defaults.run_deployment, false)
+ save_deploy_script = try(each.value.save_deploy_script, var.defaults.save_deploy_script, false)
+ tags = try(each.value.tags, var.defaults.tags, {})
+ target_version = try(each.value.target_version, var.defaults.target_version, "")
+ triggers = try(each.value.triggers, var.defaults.triggers, {})
+ use_existing_app = try(each.value.use_existing_app, var.defaults.use_existing_app, false)
+ use_existing_deployment_group = try(each.value.use_existing_deployment_group, var.defaults.use_existing_deployment_group, false)
+ wait_deployment_completion = try(each.value.wait_deployment_completion, var.defaults.wait_deployment_completion, false)
 }
diff --git a/wrappers/docker-build/main.tf b/wrappers/docker-build/main.tf
index c53be636..81afa562 100644
--- a/wrappers/docker-build/main.tf
+++ b/wrappers/docker-build/main.tf
@@ -3,19 +3,19 @@ module "wrapper" {
 for_each = var.items
+ build_args = try(each.value.build_args, var.defaults.build_args, {})
 create_ecr_repo = try(each.value.create_ecr_repo, var.defaults.create_ecr_repo, false)
 create_sam_metadata = try(each.value.create_sam_metadata, var.defaults.create_sam_metadata, false)
+ docker_file_path = try(each.value.docker_file_path, var.defaults.docker_file_path, "Dockerfile")
 ecr_address = try(each.value.ecr_address, var.defaults.ecr_address, null)
+ ecr_force_delete = try(each.value.ecr_force_delete, var.defaults.ecr_force_delete, true)
 ecr_repo = try(each.value.ecr_repo, var.defaults.ecr_repo, null)
+ ecr_repo_lifecycle_policy = try(each.value.ecr_repo_lifecycle_policy, var.defaults.ecr_repo_lifecycle_policy, null)
+ ecr_repo_tags = try(each.value.ecr_repo_tags, var.defaults.ecr_repo_tags, {})
 image_tag = try(each.value.image_tag, var.defaults.image_tag, null)
- source_path = try(each.value.source_path, var.defaults.source_path, null)
- docker_file_path = try(each.value.docker_file_path, var.defaults.docker_file_path, "Dockerfile")
 image_tag_mutability = try(each.value.image_tag_mutability, var.defaults.image_tag_mutability, "MUTABLE")
- scan_on_push = try(each.value.scan_on_push, var.defaults.scan_on_push, false)
- ecr_force_delete = try(each.value.ecr_force_delete, var.defaults.ecr_force_delete, true)
- ecr_repo_tags = try(each.value.ecr_repo_tags, var.defaults.ecr_repo_tags, {})
- build_args = try(each.value.build_args, var.defaults.build_args, {})
- ecr_repo_lifecycle_policy = try(each.value.ecr_repo_lifecycle_policy, var.defaults.ecr_repo_lifecycle_policy, null)
 keep_remotely = try(each.value.keep_remotely, var.defaults.keep_remotely, false)
 platform = try(each.value.platform, var.defaults.platform, null)
+ scan_on_push = try(each.value.scan_on_push, var.defaults.scan_on_push, false)
+ source_path = try(each.value.source_path, var.defaults.source_path, null)
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
index c1b4f2dc..d842223d 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -3,123 +3,123 @@ module "wrapper" {
 for_each = var.items
+ allowed_triggers = try(each.value.allowed_triggers, var.defaults.allowed_triggers, {})
+ architectures = try(each.value.architectures, var.defaults.architectures, null)
+ artifacts_dir = try(each.value.artifacts_dir, var.defaults.artifacts_dir, "builds")
+ assume_role_policy_statements = try(each.value.assume_role_policy_statements, var.defaults.assume_role_policy_statements, {})
+ attach_async_event_policy = try(each.value.attach_async_event_policy, var.defaults.attach_async_event_policy, false)
+ attach_cloudwatch_logs_policy = try(each.value.attach_cloudwatch_logs_policy, var.defaults.attach_cloudwatch_logs_policy, true)
+ attach_dead_letter_policy = try(each.value.attach_dead_letter_policy, var.defaults.attach_dead_letter_policy, false)
+ attach_network_policy = try(each.value.attach_network_policy, var.defaults.attach_network_policy, false)
+ attach_policies = try(each.value.attach_policies, var.defaults.attach_policies, false)
+ attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, false)
+ attach_policy_json = try(each.value.attach_policy_json, var.defaults.attach_policy_json, false)
+ attach_policy_jsons = try(each.value.attach_policy_jsons, var.defaults.attach_policy_jsons, false)
+ attach_policy_statements = try(each.value.attach_policy_statements, var.defaults.attach_policy_statements, false)
+ attach_tracing_policy = try(each.value.attach_tracing_policy, var.defaults.attach_tracing_policy, false)
+ authorization_type = try(each.value.authorization_type, var.defaults.authorization_type, "NONE")
+ build_in_docker = try(each.value.build_in_docker, var.defaults.build_in_docker, false)
+ cloudwatch_logs_kms_key_id = try(each.value.cloudwatch_logs_kms_key_id, var.defaults.cloudwatch_logs_kms_key_id, null)
+ cloudwatch_logs_retention_in_days = try(each.value.cloudwatch_logs_retention_in_days, var.defaults.cloudwatch_logs_retention_in_days, null)
+ cloudwatch_logs_tags = try(each.value.cloudwatch_logs_tags, var.defaults.cloudwatch_logs_tags, {})
+ code_signing_config_arn = try(each.value.code_signing_config_arn, var.defaults.code_signing_config_arn, null)
+ compatible_architectures = try(each.value.compatible_architectures, var.defaults.compatible_architectures, null)
+ compatible_runtimes = try(each.value.compatible_runtimes, var.defaults.compatible_runtimes, [])
+ cors = try(each.value.cors, var.defaults.cors, {})
 create = try(each.value.create, var.defaults.create, true)
- create_package = try(each.value.create_package, var.defaults.create_package, true)
+ create_async_event_config = try(each.value.create_async_event_config, var.defaults.create_async_event_config, false)
+ create_current_version_allowed_triggers = try(each.value.create_current_version_allowed_triggers, var.defaults.create_current_version_allowed_triggers, true)
+ create_current_version_async_event_config = try(each.value.create_current_version_async_event_config, var.defaults.create_current_version_async_event_config, true)
 create_function = try(each.value.create_function, var.defaults.create_function, true)
+ create_lambda_function_url = try(each.value.create_lambda_function_url, var.defaults.create_lambda_function_url, false)
 create_layer = try(each.value.create_layer, var.defaults.create_layer, false)
+ create_package = try(each.value.create_package, var.defaults.create_package, true)
 create_role = try(each.value.create_role, var.defaults.create_role, true)
- create_lambda_function_url = try(each.value.create_lambda_function_url, var.defaults.create_lambda_function_url, false)
 create_sam_metadata = try(each.value.create_sam_metadata, var.defaults.create_sam_metadata, false)
- putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
- lambda_at_edge = try(each.value.lambda_at_edge, var.defaults.lambda_at_edge, false)
- lambda_at_edge_logs_all_regions = try(each.value.lambda_at_edge_logs_all_regions, var.defaults.lambda_at_edge_logs_all_regions, true)
- function_name = try(each.value.function_name, var.defaults.function_name, "")
- handler = try(each.value.handler, var.defaults.handler, "")
- runtime = try(each.value.runtime, var.defaults.runtime, "")
- lambda_role = try(each.value.lambda_role, var.defaults.lambda_role, "")
- description = try(each.value.description, var.defaults.description, "")
- code_signing_config_arn = try(each.value.code_signing_config_arn, var.defaults.code_signing_config_arn, null)
- layers = try(each.value.layers, var.defaults.layers, null)
- architectures = try(each.value.architectures, var.defaults.architectures, null)
- kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
- memory_size = try(each.value.memory_size, var.defaults.memory_size, 128)
- ephemeral_storage_size = try(each.value.ephemeral_storage_size, var.defaults.ephemeral_storage_size, 512)
- publish = try(each.value.publish, var.defaults.publish, false)
- reserved_concurrent_executions = try(each.value.reserved_concurrent_executions, var.defaults.reserved_concurrent_executions, -1)
- timeout = try(each.value.timeout, var.defaults.timeout, 3)
+ create_unqualified_alias_allowed_triggers = try(each.value.create_unqualified_alias_allowed_triggers, var.defaults.create_unqualified_alias_allowed_triggers, true)
+ create_unqualified_alias_async_event_config = try(each.value.create_unqualified_alias_async_event_config, var.defaults.create_unqualified_alias_async_event_config, true)
+ create_unqualified_alias_lambda_function_url = try(each.value.create_unqualified_alias_lambda_function_url, var.defaults.create_unqualified_alias_lambda_function_url, true)
 dead_letter_target_arn = try(each.value.dead_letter_target_arn, var.defaults.dead_letter_target_arn, null)
+ description = try(each.value.description, var.defaults.description, "")
+ destination_on_failure = try(each.value.destination_on_failure, var.defaults.destination_on_failure, null)
+ destination_on_success = try(each.value.destination_on_success, var.defaults.destination_on_success, null)
+ docker_additional_options = try(each.value.docker_additional_options, var.defaults.docker_additional_options, [])
+ docker_build_root = try(each.value.docker_build_root, var.defaults.docker_build_root, "")
+ docker_entrypoint = try(each.value.docker_entrypoint, var.defaults.docker_entrypoint, null)
+ docker_file = try(each.value.docker_file, var.defaults.docker_file, "")
+ docker_image = try(each.value.docker_image, var.defaults.docker_image, "")
+ docker_pip_cache = try(each.value.docker_pip_cache, var.defaults.docker_pip_cache, null)
+ docker_with_ssh_agent = try(each.value.docker_with_ssh_agent, var.defaults.docker_with_ssh_agent, false)
 environment_variables = try(each.value.environment_variables, var.defaults.environment_variables, {})
- tracing_mode = try(each.value.tracing_mode, var.defaults.tracing_mode, null)
- vpc_subnet_ids = try(each.value.vpc_subnet_ids, var.defaults.vpc_subnet_ids, null)
- vpc_security_group_ids = try(each.value.vpc_security_group_ids, var.defaults.vpc_security_group_ids, null)
- tags = try(each.value.tags, var.defaults.tags, {})
+ ephemeral_storage_size = try(each.value.ephemeral_storage_size, var.defaults.ephemeral_storage_size, 512)
+ event_source_mapping = try(each.value.event_source_mapping, var.defaults.event_source_mapping, {})
+ file_system_arn = try(each.value.file_system_arn, var.defaults.file_system_arn, null)
+ file_system_local_mount_path = try(each.value.file_system_local_mount_path, var.defaults.file_system_local_mount_path, null)
+ function_name = try(each.value.function_name, var.defaults.function_name, "")
 function_tags = try(each.value.function_tags, var.defaults.function_tags, {})
- s3_object_tags = try(each.value.s3_object_tags, var.defaults.s3_object_tags, {})
- s3_object_tags_only = try(each.value.s3_object_tags_only, var.defaults.s3_object_tags_only, false)
- package_type = try(each.value.package_type, var.defaults.package_type, "Zip")
- image_uri = try(each.value.image_uri, var.defaults.image_uri, null)
- image_config_entry_point = try(each.value.image_config_entry_point, var.defaults.image_config_entry_point, [])
+ handler = try(each.value.handler, var.defaults.handler, "")
+ hash_extra = try(each.value.hash_extra, var.defaults.hash_extra, "")
+ ignore_source_code_hash = try(each.value.ignore_source_code_hash, var.defaults.ignore_source_code_hash, false)
 image_config_command = try(each.value.image_config_command, var.defaults.image_config_command, [])
+ image_config_entry_point = try(each.value.image_config_entry_point, var.defaults.image_config_entry_point, [])
 image_config_working_directory = try(each.value.image_config_working_directory, var.defaults.image_config_working_directory, null)
- snap_start = try(each.value.snap_start, var.defaults.snap_start, false)
- replace_security_groups_on_destroy = try(each.value.replace_security_groups_on_destroy, var.defaults.replace_security_groups_on_destroy, null)
- replacement_security_group_ids = try(each.value.replacement_security_group_ids, var.defaults.replacement_security_group_ids, null)
- timeouts = try(each.value.timeouts, var.defaults.timeouts, {})
- create_unqualified_alias_lambda_function_url = try(each.value.create_unqualified_alias_lambda_function_url, var.defaults.create_unqualified_alias_lambda_function_url, true)
- authorization_type = try(each.value.authorization_type, var.defaults.authorization_type, "NONE")
- cors = try(each.value.cors, var.defaults.cors, {})
+ image_uri = try(each.value.image_uri, var.defaults.image_uri, null)
 invoke_mode = try(each.value.invoke_mode, var.defaults.invoke_mode, null)
+ kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
+ lambda_at_edge = try(each.value.lambda_at_edge, var.defaults.lambda_at_edge, false)
+ lambda_at_edge_logs_all_regions = try(each.value.lambda_at_edge_logs_all_regions, var.defaults.lambda_at_edge_logs_all_regions, true)
+ lambda_role = try(each.value.lambda_role, var.defaults.lambda_role, "")
 layer_name = try(each.value.layer_name, var.defaults.layer_name, "")
 layer_skip_destroy = try(each.value.layer_skip_destroy, var.defaults.layer_skip_destroy, false)
+ layers = try(each.value.layers, var.defaults.layers, null)
 license_info = try(each.value.license_info, var.defaults.license_info, "")
- compatible_runtimes = try(each.value.compatible_runtimes, var.defaults.compatible_runtimes, [])
- compatible_architectures = try(each.value.compatible_architectures, var.defaults.compatible_architectures, null)
- create_async_event_config = try(each.value.create_async_event_config, var.defaults.create_async_event_config, false)
- create_current_version_async_event_config = try(each.value.create_current_version_async_event_config, var.defaults.create_current_version_async_event_config, true)
- create_unqualified_alias_async_event_config = try(each.value.create_unqualified_alias_async_event_config, var.defaults.create_unqualified_alias_async_event_config, true)
+ local_existing_package = try(each.value.local_existing_package, var.defaults.local_existing_package, null)
 maximum_event_age_in_seconds = try(each.value.maximum_event_age_in_seconds, var.defaults.maximum_event_age_in_seconds, null)
 maximum_retry_attempts = try(each.value.maximum_retry_attempts, var.defaults.maximum_retry_attempts, null)
- destination_on_failure = try(each.value.destination_on_failure, var.defaults.destination_on_failure, null)
- destination_on_success = try(each.value.destination_on_success, var.defaults.destination_on_success, null)
+ memory_size = try(each.value.memory_size, var.defaults.memory_size, 128)
+ number_of_policies = try(each.value.number_of_policies, var.defaults.number_of_policies, 0)
+ number_of_policy_jsons = try(each.value.number_of_policy_jsons, var.defaults.number_of_policy_jsons, 0)
+ package_type = try(each.value.package_type, var.defaults.package_type, "Zip")
+ policies = try(each.value.policies, var.defaults.policies, [])
+ policy = try(each.value.policy, var.defaults.policy, null)
+ policy_json = try(each.value.policy_json, var.defaults.policy_json, null)
+ policy_jsons = try(each.value.policy_jsons, var.defaults.policy_jsons, [])
+ policy_name = try(each.value.policy_name, var.defaults.policy_name, null)
+ policy_path = try(each.value.policy_path, var.defaults.policy_path, null)
+ policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, {})
 provisioned_concurrent_executions = try(each.value.provisioned_concurrent_executions, var.defaults.provisioned_concurrent_executions, -1)
- create_current_version_allowed_triggers = try(each.value.create_current_version_allowed_triggers, var.defaults.create_current_version_allowed_triggers, true)
- create_unqualified_alias_allowed_triggers = try(each.value.create_unqualified_alias_allowed_triggers, var.defaults.create_unqualified_alias_allowed_triggers, true)
- allowed_triggers = try(each.value.allowed_triggers, var.defaults.allowed_triggers, {})
- event_source_mapping = try(each.value.event_source_mapping, var.defaults.event_source_mapping, {})
- use_existing_cloudwatch_log_group = try(each.value.use_existing_cloudwatch_log_group, var.defaults.use_existing_cloudwatch_log_group, false)
- cloudwatch_logs_retention_in_days = try(each.value.cloudwatch_logs_retention_in_days, var.defaults.cloudwatch_logs_retention_in_days, null)
- cloudwatch_logs_kms_key_id = try(each.value.cloudwatch_logs_kms_key_id, var.defaults.cloudwatch_logs_kms_key_id, null)
- cloudwatch_logs_tags = try(each.value.cloudwatch_logs_tags, var.defaults.cloudwatch_logs_tags, {})
- role_name = try(each.value.role_name, var.defaults.role_name, null)
+ publish = try(each.value.publish, var.defaults.publish, false)
+ putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
+ recreate_missing_package = try(each.value.recreate_missing_package, var.defaults.recreate_missing_package, true)
+ replace_security_groups_on_destroy = try(each.value.replace_security_groups_on_destroy, var.defaults.replace_security_groups_on_destroy, null)
+ replacement_security_group_ids = try(each.value.replacement_security_group_ids, var.defaults.replacement_security_group_ids, null)
+ reserved_concurrent_executions = try(each.value.reserved_concurrent_executions, var.defaults.reserved_concurrent_executions, -1)
 role_description = try(each.value.role_description, var.defaults.role_description, null)
- role_path = try(each.value.role_path, var.defaults.role_path, null)
 role_force_detach_policies = try(each.value.role_force_detach_policies, var.defaults.role_force_detach_policies, true)
+ role_maximum_session_duration = try(each.value.role_maximum_session_duration, var.defaults.role_maximum_session_duration, 3600)
+ role_name = try(each.value.role_name, var.defaults.role_name, null)
+ role_path = try(each.value.role_path, var.defaults.role_path, null)
 role_permissions_boundary = try(each.value.role_permissions_boundary, var.defaults.role_permissions_boundary, null)
 role_tags = try(each.value.role_tags, var.defaults.role_tags, {})
- role_maximum_session_duration = try(each.value.role_maximum_session_duration, var.defaults.role_maximum_session_duration, 3600)
- policy_name = try(each.value.policy_name, var.defaults.policy_name, null)
- attach_cloudwatch_logs_policy = try(each.value.attach_cloudwatch_logs_policy, var.defaults.attach_cloudwatch_logs_policy, true)
- attach_dead_letter_policy = try(each.value.attach_dead_letter_policy, var.defaults.attach_dead_letter_policy, false)
- attach_network_policy = try(each.value.attach_network_policy, var.defaults.attach_network_policy, false)
- attach_tracing_policy = try(each.value.attach_tracing_policy, var.defaults.attach_tracing_policy, false)
- attach_async_event_policy = try(each.value.attach_async_event_policy, var.defaults.attach_async_event_policy, false)
- attach_policy_json = try(each.value.attach_policy_json, var.defaults.attach_policy_json, false)
- attach_policy_jsons = try(each.value.attach_policy_jsons, var.defaults.attach_policy_jsons, false)
- attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, false)
- attach_policies = try(each.value.attach_policies, var.defaults.attach_policies, false)
- policy_path = try(each.value.policy_path, var.defaults.policy_path, null)
- number_of_policy_jsons = try(each.value.number_of_policy_jsons, var.defaults.number_of_policy_jsons, 0)
- number_of_policies = try(each.value.number_of_policies, var.defaults.number_of_policies, 0)
- attach_policy_statements = try(each.value.attach_policy_statements, var.defaults.attach_policy_statements, false)
- trusted_entities = try(each.value.trusted_entities, var.defaults.trusted_entities, [])
- assume_role_policy_statements = try(each.value.assume_role_policy_statements, var.defaults.assume_role_policy_statements, {})
- policy_json = try(each.value.policy_json, var.defaults.policy_json, null)
- policy_jsons = try(each.value.policy_jsons, var.defaults.policy_jsons, [])
- policy = try(each.value.policy, var.defaults.policy, null)
- policies = try(each.value.policies, var.defaults.policies, [])
- policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, {})
- file_system_arn = try(each.value.file_system_arn, var.defaults.file_system_arn, null)
- file_system_local_mount_path = try(each.value.file_system_local_mount_path, var.defaults.file_system_local_mount_path, null)
- artifacts_dir = try(each.value.artifacts_dir, var.defaults.artifacts_dir, "builds")
- s3_prefix = try(each.value.s3_prefix, var.defaults.s3_prefix, null)
- ignore_source_code_hash = try(each.value.ignore_source_code_hash, var.defaults.ignore_source_code_hash, false)
- local_existing_package = try(each.value.local_existing_package, var.defaults.local_existing_package, null)
+ runtime = try(each.value.runtime, var.defaults.runtime, "")
+ s3_acl = try(each.value.s3_acl, var.defaults.s3_acl, "private")
+ s3_bucket = try(each.value.s3_bucket, var.defaults.s3_bucket, null)
 s3_existing_package = try(each.value.s3_existing_package, var.defaults.s3_existing_package, null)
- store_on_s3 = try(each.value.store_on_s3, var.defaults.store_on_s3, false)
+ s3_kms_key_id = try(each.value.s3_kms_key_id, var.defaults.s3_kms_key_id, null)
 s3_object_storage_class = try(each.value.s3_object_storage_class, var.defaults.s3_object_storage_class, "ONEZONE_IA")
- s3_bucket = try(each.value.s3_bucket, var.defaults.s3_bucket, null)
- s3_acl = try(each.value.s3_acl, var.defaults.s3_acl, "private")
+ s3_object_tags = try(each.value.s3_object_tags, var.defaults.s3_object_tags, {})
+ s3_object_tags_only = try(each.value.s3_object_tags_only, var.defaults.s3_object_tags_only, false)
+ s3_prefix = try(each.value.s3_prefix, var.defaults.s3_prefix, null)
 s3_server_side_encryption = try(each.value.s3_server_side_encryption, var.defaults.s3_server_side_encryption, null)
- s3_kms_key_id = try(each.value.s3_kms_key_id, var.defaults.s3_kms_key_id, null)
+ snap_start = try(each.value.snap_start, var.defaults.snap_start, false)
 source_path = try(each.value.source_path, var.defaults.source_path, null)
- hash_extra = try(each.value.hash_extra, var.defaults.hash_extra, "")
- build_in_docker = try(each.value.build_in_docker, var.defaults.build_in_docker, false)
- docker_file = try(each.value.docker_file, var.defaults.docker_file, "")
- docker_build_root = try(each.value.docker_build_root, var.defaults.docker_build_root, "")
- docker_image = try(each.value.docker_image, var.defaults.docker_image, "")
- docker_with_ssh_agent = try(each.value.docker_with_ssh_agent, var.defaults.docker_with_ssh_agent, false)
- docker_pip_cache = try(each.value.docker_pip_cache, var.defaults.docker_pip_cache, null)
- docker_additional_options = try(each.value.docker_additional_options, var.defaults.docker_additional_options, [])
- docker_entrypoint = try(each.value.docker_entrypoint, var.defaults.docker_entrypoint, null)
- recreate_missing_package = try(each.value.recreate_missing_package, var.defaults.recreate_missing_package, true)
+ store_on_s3 = try(each.value.store_on_s3, var.defaults.store_on_s3, false)
+ tags = try(each.value.tags, var.defaults.tags, {})
+ timeout = try(each.value.timeout, var.defaults.timeout, 3)
+ timeouts = try(each.value.timeouts, var.defaults.timeouts, {})
+ tracing_mode = try(each.value.tracing_mode, var.defaults.tracing_mode, null)
+ trusted_entities = try(each.value.trusted_entities, var.defaults.trusted_entities, [])
+ use_existing_cloudwatch_log_group = try(each.value.use_existing_cloudwatch_log_group, var.defaults.use_existing_cloudwatch_log_group, false)
+ vpc_security_group_ids = try(each.value.vpc_security_group_ids, var.defaults.vpc_security_group_ids, null)
+ vpc_subnet_ids = try(each.value.vpc_subnet_ids, var.defaults.vpc_subnet_ids, null)
 }
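Review bot: `s3_kms_key_id` and `s3_server_side_encryption` are passed through this wrapper with independent `null` defaults, and neither the wrapper nor, as far as the first patch shows, the variable's description records what a consumer must arrange for a customer-managed key to actually work: the uploaded package is presumably read back from S3 when the function is created, so the identity running `terraform apply` (not only the function's execution role) would need `kms:Decrypt` on that key, and whether a key given without `s3_server_side_encryption = "aws:kms"` is honoured depends on the provider's `aws_s3_object` behaviour — both worth confirming before relying on the default. Since the wrapper files carry no comments, the natural place to record this is the `s3_kms_key_id` description in variables.tf (outside this hunk), e.g. `description = "Specifies a custom KMS key ARN to use for S3 object encryption; the key policy must allow the identity running Terraform to decrypt the package."`. The reordering in this hunk, and in the three wrapper hunks before it, is behaviour-neutral as far as the visible lines show.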