paulschwarzenberger
commented
1 week ago Hi @1oglop1 this is a good idea to allow more flexibility. We can set all of these as environment variables.
Then, in the Terraform, we can pass the environment variables in to the Lambda functions, and use Terraform conditionals to set the current names as the defaults, with additional optional variables that can be passed in from the top level module for people who want to pass in custom resource names.
We're already doing something along these lines for the S3 buckets using the optional bucket_prefix Terraform variable.
Is this something you'd be interested in submitting a PR / PRs for? If so, before you start let's have a discussion via Slack, you can reach me on the CloudSecurityForum Slack workspace. If you're not already a member, please email me on paul@celidor.net with your preferred email address and I'll invite you.
1oglop1
Hi, I am restructuring the solution to fit our use-case and I wanted to avoid modification of the Python code, however the functions which rely on the resolution of resource names rather than resource IDs passed in as parameters.
namely:
https://github.com/serverless-ca/terraform-aws-ca/blob/7e14b3254a44a4bf1492818906636f57129a098f/modules/terraform-aws-ca-lambda/utils/certs/ca.py#L28-L32
https://github.com/serverless-ca/terraform-aws-ca/blob/7e14b3254a44a4bf1492818906636f57129a098f/modules/terraform-aws-ca-lambda/utils/certs/kms.py#L13-L18
https://github.com/serverless-ca/terraform-aws-ca/blob/7e14b3254a44a4bf1492818906636f57129a098f/modules/terraform-aws-ca-lambda/utils/certs/db.py#L13-L20
are forcing certain naming conventions which do not fit my environment.
Would it be possible to update the code so that dynamoDB and kms aliases/arns are function parameters rather than resolved from the naming convention?