Closed klubi closed 8 months ago
Lambda is of the RBAC (Resource Based Access Policy) type, so keeping that in mind I've planned the following:
post-actions terraform file:
resource "aws_lambda_permission" "apigw" {
for_each = var.items
statement_id = each.value.statement_id
action = "lambda:InvokeFunction"
function_name = each.value.function_name
principal = "apigateway.amazonaws.com"
source_arn = each.value.source_arn
}
variable "items" {
type = map(
object({
statement_id = string
function_name = string
source_arn = string
})
)
}
terragrunt manifest:
terraform {
source = "${get_path_to_repo_root()}/terraform//post-actions/post-apigw-lambda"
}
inputs = {
items ={
some-backend = {
statement_id = "AllowExecutionFrom_${local.env}-${local.project}-some-backend-apigw_"
function_name = "auth-api-gateway"
source_arn = "${dependency.api_gateway.outputs.apigatewayv2_api_execution_arn}/authorizers/*"
},
some-backend2 = {
statement_id = "AllowExecutionFrom_${local.env}-${local.project}-some-backend2-apigw_"
function_name = "auth-api-gateway"
source_arn = "${dependency.api_gateway.outputs.apigatewayv2_api_execution_arn}/*/*/*"
}
}
}
However, this does not seems to work. As a continuous of the following post @StackOverflow.
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
I'm building an API Gateway that uses custom lambda authorizer. I'm using terragrunt with
terraform-aws-lambda
module to create lambda. Then I'm using terragrunt withterraform-aws-apigateway-v2
to create gateway.The issue I'm facing is related to invocation permission. My gateway authorizer is created without
Without that Gateway can't call custom lambda (CloudWatch logs confirm IAM issue).
Invoke Permissions
So I create my gateway like this (just some pieces of config):
The issue is that lambda also needs gateway dependency, to fetch invocation ARN to use with
allowed_triggers
:And this creates dependency cycle between those two modules. Is there a way around this? There isn't one from terragrunt perspective, but maybe I'm missing something that makes this possible from module perspective.