feat(aws-lambda): add inline_policies and refactor

- add the ability to pass inline policies
- add the ability to modify log format
- add root level fn outputs
- rename resources for clarity

Author: Script47

lambda-function/README.md

@@ -7,7 +7,7 @@ This module allows you to setup a Lambda function.
 See `variables.tf` for the full argument reference.
 
 ```hcl
-module "lambda_fn" {
+module "fn" {
   source = "github.com/script47/aws-tf-modules/lambda-function"
 
   name        = "my-lambda-func"
@@ -17,6 +17,18 @@ module "lambda_fn" {
   policy_arns = [
     "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
   ]
+  inline_policies = {
+    s3_access = {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Action = ["s3:GetObject"]
+          Effect   = "Allow"
+          Resource = "arn:aws:s3:::my-bucket/*"
+        }
+      ]
+    }
+  }
   layer_arns = [
     "arn:aws:lambda:us-east-1:xxxxxxxxxxxx:layer:layer-name:1"
   ]
@@ -36,9 +48,10 @@ module "lambda_fn" {
 
   logs = {
     enabled           = true
+    format            = "Text"
+    retention_in_days = 30
     app_log_level     = "INFO"
     system_log_level  = "INFO"
-    retention_in_days = 30
   }
 
   permissions = {
@@ -63,4 +76,4 @@ module "lambda_fn" {
     Environment = "production"
   }
 }
-```
+```

lambda-function/cloudwatch.tf

@@ -2,7 +2,7 @@ locals {
   log_group_name = "/aws/lambda/${var.name}"
 }
 
-resource "aws_cloudwatch_log_group" "logs" {
+resource "aws_cloudwatch_log_group" "this" {
   count = var.logs.enabled ? 1 : 0
 
   name              = local.log_group_name

lambda-function/iam.tf

@@ -23,4 +23,12 @@ resource "aws_iam_role_policy_attachment" "multiple" {
 
   role       = local.role_name
   policy_arn = each.value
-}
+}
+
+resource "aws_iam_role_policy" "this" {
+  for_each = var.inline_policies
+
+  role   = local.role_name
+  name   = each.key
+  policy = jsonencode(each.value)
+}

lambda-function/lambda.tf

@@ -1,4 +1,4 @@
-resource "aws_lambda_function" "fn" {
+resource "aws_lambda_function" "this" {
   function_name                  = var.name
   description                    = var.description
   role                           = local.role_arn
@@ -19,10 +19,10 @@ resource "aws_lambda_function" "fn" {
 
   dynamic "logging_config" {
     for_each = var.logs.enabled ? [1] : []
-    
+
     content {
-      log_group             = aws_cloudwatch_log_group.logs[0].name
-      log_format            = "JSON"
+      log_group             = aws_cloudwatch_log_group.this[0].name
+      log_format            = var.logs.format
       application_log_level = var.logs.app_log_level
       system_log_level      = var.logs.system_log_level
     }
@@ -36,22 +36,22 @@ resource "aws_lambda_permission" "permissions" {
 
   statement_id  = each.key
   action        = each.value.action
-  function_name = aws_lambda_function.fn.function_name
+  function_name = aws_lambda_function.this.function_name
   principal     = each.value.principal
   source_arn    = each.value.source_arn
 }
 
 resource "aws_lambda_function_event_invoke_config" "invoke_config" {
   count = var.async_invoke_config.enabled ? 1 : 0
 
-  function_name                = aws_lambda_function.fn.function_name
+  function_name                = aws_lambda_function.this.function_name
   maximum_retry_attempts       = var.async_invoke_config.max_retries
   maximum_event_age_in_seconds = var.async_invoke_config.max_event_age
 
   dynamic "destination_config" {
     for_each = (
-    var.async_invoke_config.success_destination_arn != null ||
-    var.async_invoke_config.failure_destination_arn != null
+      var.async_invoke_config.success_destination_arn != null ||
+      var.async_invoke_config.failure_destination_arn != null
     ) ? [1] : []
 
     content {
@@ -72,4 +72,4 @@ resource "aws_lambda_function_event_invoke_config" "invoke_config" {
       }
     }
   }
-}
+}

lambda-function/outputs.tf

@@ -1,13 +1,27 @@
+output "arn" {
+  value = aws_lambda_function.this.arn
+}
+
+output "function_name" {
+  value = aws_lambda_function.this.function_name
+}
+
+output "invoke_arn" {
+  value = aws_lambda_function.this.invoke_arn
+}
+
 output "fn" {
+  description = "Lambda function details"
   value = {
-    arn        = aws_lambda_function.fn.arn
-    name       = aws_lambda_function.fn.function_name
-    invoke_arn = aws_lambda_function.fn.invoke_arn
+    arn        = aws_lambda_function.this.arn
+    name       = aws_lambda_function.this.function_name
+    invoke_arn = aws_lambda_function.this.invoke_arn
   }
 }
 
 output "log_group" {
+  description = "CloudWatch log group details (if enabled)"
   value = {
-    arn = length(aws_cloudwatch_log_group.logs) > 0 ? aws_cloudwatch_log_group.logs[0].arn : null
+    arn = try(aws_cloudwatch_log_group.this[0].arn, null)
   }
 }

lambda-function/variables.tf

@@ -21,6 +21,12 @@ variable "policy_arns" {
   default     = []
 }
 
+variable "inline_policies" {
+  type        = map(any)
+  description = "Map of inline IAM policy documents"
+  default     = {}
+}
+
 variable "layer_arns" {
   type        = list(string)
   default     = []
@@ -76,9 +82,10 @@ variable "handler" {
 variable "logs" {
   type = object({
     enabled           = optional(bool, true)
+    format            = optional(string, "Text") # Text, JSON
+    retention_in_days = optional(number, 30)
     app_log_level     = optional(string, "INFO") # TRACE, DEBUG, INFO, WARN, ERROR, FATAL
     system_log_level  = optional(string, "INFO") # DEBUG, INFO, WARN
-    retention_in_days = optional(number, 30)
   })
   default = {}
 }