terraform-aws-modules / terraform-aws-lambda

Terraform module, which takes care of a lot of AWS Lambda/serverless tasks (build dependencies, packages, updates, deployments) in countless combinations 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/lambda/aws
Apache License 2.0
911 stars 683 forks

Lack of principal_org_id variable for resource aws_lambda_permission #431

Closed tcharewicz closed 1 year ago

tcharewicz commented 1 year ago

Is your request related to a new offering from AWS?

No, it's an old feature, but it is not implemented in the lambda module.

Is your request related to a problem? Please describe.

I would like to create a Lambda with permissions to be invoked only by the Config service from accounts that belong to a known organization.

Describe the solution you'd like.

Add variable principal_org_id to resource aws_lambda_permission. Example below.

# Permission attached to the published version (qualifier = version).
resource "aws_lambda_permission" "current_version_triggers" {
  for_each = { for k, v in var.allowed_triggers : k => v if local.create && var.create_function && !var.create_layer && var.create_current_version_allowed_triggers }

  function_name = aws_lambda_function.this[0].function_name
  qualifier     = aws_lambda_function.this[0].version

  statement_id       = try(each.value.statement_id, each.key)
  action             = try(each.value.action, "lambda:InvokeFunction")
  principal          = try(each.value.principal, format("%s.amazonaws.com", try(each.value.service, "")))
  # New: adds an aws:PrincipalOrgID condition so only principals from this organization may invoke
  principal_org_id   = try(each.value.principal_org_id, null)
  source_arn         = try(each.value.source_arn, null)
  source_account     = try(each.value.source_account, null)
  event_source_token = try(each.value.event_source_token, null)
}

# Permission attached to the unqualified function (no qualifier).
# Error: Error adding new Lambda Permission for lambda: InvalidParameterValueException: We currently do not support adding policies for $LATEST.
resource "aws_lambda_permission" "unqualified_alias_triggers" {
  for_each = { for k, v in var.allowed_triggers : k => v if local.create && var.create_function && !var.create_layer && var.create_unqualified_alias_allowed_triggers }

  function_name = aws_lambda_function.this[0].function_name

  statement_id       = try(each.value.statement_id, each.key)
  action             = try(each.value.action, "lambda:InvokeFunction")
  principal          = try(each.value.principal, format("%s.amazonaws.com", try(each.value.service, "")))
  # New: same aws:PrincipalOrgID condition for the unqualified permission
  principal_org_id   = try(each.value.principal_org_id, null)
  source_arn         = try(each.value.source_arn, null)
  source_account     = try(each.value.source_account, null)
  event_source_token = try(each.value.event_source_token, null)
}
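How a module user would consume this from the caller side, as an added example that is not part of the issue or of the module's own code. It takes the `allowed_triggers` key names (`service`, `principal_org_id`) from the resource code posted above and the version from the maintainer's closing comment; the function name, handler, runtime, source path and organization ID are placeholders. The weak variant is shown commented out beside the hardened one: a statement that only names the `config.amazonaws.com` service principal lets a Config rule in any AWS account invoke the function (a confused-deputy setup), while `principal_org_id` adds an `aws:PrincipalOrgID` condition to the same statement.

```hcl
# Added example, not from the issue or the module. Module input names come
# from the module's documented interface; all literal values are assumed.
module "config_rule_lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "~> 4.16" # principal_org_id support landed in 4.16.0

  function_name = "config-custom-rule-evaluator" # assumed name
  handler       = "index.handler"                # assumed handler
  runtime       = "python3.11"                   # assumed runtime
  source_path   = "${path.module}/src"           # assumed path

  allowed_triggers = {
    # Weak: only the service principal is checked, so a Config rule in
    # ANY AWS account can invoke this function. Left commented out.
    # ConfigAnyAccount = {
    #   service = "config"
    # }

    # Hardened: same service principal, but the resulting resource policy
    # carries an aws:PrincipalOrgID condition, so only Config acting on
    # behalf of accounts in this organization may invoke the function.
    ConfigFromOrg = {
      service          = "config"
      principal_org_id = "o-xxxxxxxxxx" # assumed organization ID
    }
  }
}
```

After `terraform apply`, confirm the condition actually landed by running `aws lambda get-policy --function-name config-custom-rule-evaluator` and checking that the `ConfigFromOrg` statement's `Condition` block contains `aws:PrincipalOrgID`; if you also know the single calling account, pairing `principal_org_id` with `source_account` narrows the statement further.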
tcharewicz commented 1 year ago

PR for this additional variable https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/431

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

FrancisRodier commented 1 year ago

This is still an issue.

antonbabenko commented 1 year ago

This issue has been resolved in version 4.16.0 :tada:

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.