
Commit e236168

committed
feat(aws-lambda): add inline_policies and refactor
- add the ability to pass inline policies - add the ability to modify log format - add root level fn outputs - rename resources for clarity
1 parent 3c535ef commit e236168

6 files changed

+61
-19
lines changed


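--- a/lambda-function/README.md
+++ b/lambda-function/README.md
@@ -7,7 +7,7 @@ This module allows you to setup a Lambda function.
 See `variables.tf` for the full argument reference.
 
 ```hcl
-module "lambda_fn" {
+module "fn" {
 source = "github.com/script47/aws-tf-modules/lambda-function"
 
 name = "my-lambda-func"
@@ -17,6 +17,18 @@ module "lambda_fn" {
 policy_arns = [
 "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 ]
+inline_policies = {
+s3_access = {
+Version = "2012-10-17"
+Statement = [
+{
+Action = ["s3:GetObject"]
+Effect = "Allow"
+Resource = "arn:aws:s3:::my-bucket/*"
+}
+]
+}
+}
 layer_arns = [
 "arn:aws:lambda:us-east-1:xxxxxxxxxxxx:layer:layer-name:1"
 ]
@@ -36,9 +48,10 @@ module "lambda_fn" {
 
 logs = {
 enabled = true
+format = "Text"
+retention_in_days = 30
 app_log_level = "INFO"
 system_log_level = "INFO"
-retention_in_days = 30
 }
 
 permissions = {
@@ -63,4 +76,4 @@ module "lambda_fn" {
 Environment = "production"
 }
 }
-```
+```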

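--- a/lambda-function/cloudwatch.tf
+++ b/lambda-function/cloudwatch.tf
@@ -2,7 +2,7 @@ locals {
 log_group_name = "/aws/lambda/${var.name}"
 }
 
-resource "aws_cloudwatch_log_group" "logs" {
+resource "aws_cloudwatch_log_group" "this" {
 count = var.logs.enabled ? 1 : 0
 
 name = local.log_group_name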

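--- a/lambda-function/iam.tf
+++ b/lambda-function/iam.tf
@@ -23,4 +23,12 @@ resource "aws_iam_role_policy_attachment" "multiple" {
 
 role = local.role_name
 policy_arn = each.value
-}
+}
+
+resource "aws_iam_role_policy" "this" {
+for_each = var.inline_policies
+
+role = local.role_name
+name = each.key
+policy = jsonencode(each.value)
+}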
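Review bot: `policy = jsonencode(each.value)` forwards whatever the caller placed in `var.inline_policies` to IAM unchecked, so a malformed document (a misspelled `Statement`, a missing `Version`) only fails at apply time as an IAM MalformedPolicyDocument error instead of at plan time, and nothing in the module records that this is the caller's responsibility. `name = each.key` also means the map keys are used verbatim as inline policy names and so must satisfy IAM's policy-name constraints (1–128 characters of `[\w+=,.@-]`), which is easy to miss when the key is chosen for readability. A short header comment above the resource would make both contracts explicit: `# Attached alongside policy_arns to the same execution role; each.key becomes the IAM inline policy name and each.value is encoded as-is, so the caller owns its scope and validity.`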

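--- a/lambda-function/lambda.tf
+++ b/lambda-function/lambda.tf
@@ -1,4 +1,4 @@
-resource "aws_lambda_function" "fn" {
+resource "aws_lambda_function" "this" {
 function_name = var.name
 description = var.description
 role = local.role_arn
@@ -19,10 +19,10 @@ resource "aws_lambda_function" "fn" {
 
 dynamic "logging_config" {
 for_each = var.logs.enabled ? [1] : []
-
+
 content {
-log_group = aws_cloudwatch_log_group.logs[0].name
-log_format = "JSON"
+log_group = aws_cloudwatch_log_group.this[0].name
+log_format = var.logs.format
 application_log_level = var.logs.app_log_level
 system_log_level = var.logs.system_log_level
 }
@@ -36,22 +36,22 @@ resource "aws_lambda_permission" "permissions" {
 
 statement_id = each.key
 action = each.value.action
-function_name = aws_lambda_function.fn.function_name
+function_name = aws_lambda_function.this.function_name
 principal = each.value.principal
 source_arn = each.value.source_arn
 }
 
 resource "aws_lambda_function_event_invoke_config" "invoke_config" {
 count = var.async_invoke_config.enabled ? 1 : 0
 
-function_name = aws_lambda_function.fn.function_name
+function_name = aws_lambda_function.this.function_name
 maximum_retry_attempts = var.async_invoke_config.max_retries
 maximum_event_age_in_seconds = var.async_invoke_config.max_event_age
 
 dynamic "destination_config" {
 for_each = (
-var.async_invoke_config.success_destination_arn != null ||
-var.async_invoke_config.failure_destination_arn != null
+var.async_invoke_config.success_destination_arn != null ||
+var.async_invoke_config.failure_destination_arn != null
 ) ? [1] : []
 
 content {
@@ -72,4 +72,4 @@ resource "aws_lambda_function_event_invoke_config" "invoke_config" {
 }
 }
 }
-}
+}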
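Review bot: `log_format = var.logs.format` now defaults to `Text`, but `application_log_level` and `system_log_level` on the next two lines are still set unconditionally; Lambda documents those levels as applying only to JSON-format logs, so with the new default they are at best ignored and, if the API rejects them for Text, the apply fails where the hard-coded `"JSON"` previously worked. Gating them on the format keeps both variants valid: `application_log_level = var.logs.format == "JSON" ? var.logs.app_log_level : null` and `system_log_level = var.logs.format == "JSON" ? var.logs.system_log_level : null`. The default change also moves existing callers who relied on structured JSON logs to plain text without any action on their part, which matters for anything downstream that parses log fields, so it deserves a README or changelog note. The `aws_lambda_function` resource body continues outside the hunk.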

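--- a/lambda-function/outputs.tf
+++ b/lambda-function/outputs.tf
@@ -1,13 +1,27 @@
+output "arn" {
+value = aws_lambda_function.this.arn
+}
+
+output "function_name" {
+value = aws_lambda_function.this.function_name
+}
+
+output "invoke_arn" {
+value = aws_lambda_function.this.invoke_arn
+}
+
 output "fn" {
+description = "Lambda function details"
 value = {
-arn = aws_lambda_function.fn.arn
-name = aws_lambda_function.fn.function_name
-invoke_arn = aws_lambda_function.fn.invoke_arn
+arn = aws_lambda_function.this.arn
+name = aws_lambda_function.this.function_name
+invoke_arn = aws_lambda_function.this.invoke_arn
 }
 }
 
 output "log_group" {
+description = "CloudWatch log group details (if enabled)"
 value = {
-arn = length(aws_cloudwatch_log_group.logs) > 0 ? aws_cloudwatch_log_group.logs[0].arn : null
+arn = try(aws_cloudwatch_log_group.this[0].arn, null)
 }
 }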
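Review bot: The three new root-level outputs `arn`, `function_name` and `invoke_arn` have no `description`, while the same commit adds one to `fn` and `log_group` a few lines below, so the file is inconsistent with itself and `terraform-docs`-style output will show blanks for the new entries. Adding `description = "ARN of the Lambda function"`, `description = "Name of the Lambda function"` and `description = "Invoke ARN of the Lambda function (for API Gateway / URL integrations)"` brings them in line. The `log_group` output now also duplicates `fn` in shape; since `fn` already exposes the same three values, a one-line comment above the new outputs saying they are flat convenience aliases of `fn` would explain why both exist.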

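--- a/lambda-function/variables.tf
+++ b/lambda-function/variables.tf
@@ -21,6 +21,12 @@ variable "policy_arns" {
 default = []
 }
 
+variable "inline_policies" {
+type = map(any)
+description = "Map of inline IAM policy documents"
+default = {}
+}
+
 variable "layer_arns" {
 type = list(string)
 default = []
@@ -76,9 +82,10 @@ variable "handler" {
 variable "logs" {
 type = object({
 enabled = optional(bool, true)
+format = optional(string, "Text") # Text, JSON
+retention_in_days = optional(number, 30)
 app_log_level = optional(string, "INFO") # TRACE, DEBUG, INFO, WARN, ERROR, FATAL
 system_log_level = optional(string, "INFO") # DEBUG, INFO, WARN
-retention_in_days = optional(number, 30)
 })
 default = {}
 }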
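Review bot: `type = map(any)` on `inline_policies` requires every map element to convert to one common type, so two policy documents whose `Statement` lists differ in shape (one with a `Condition`, one without, or different `Resource` string-vs-list forms) will fail the module call with a type-unification error rather than being accepted; `type = any` (or `map(string)` of pre-encoded JSON) avoids that, and a `validation` block can still catch obviously broken documents at plan time. The new `format` field carries only a `# Text, JSON` comment, so a typo like `"json"` is not caught until the Lambda API rejects it; the same applies to the existing `app_log_level` and `system_log_level` hints, but those predate this commit. A `validation` block on `logs` pins the allowed values, and the `inline_policies` description should spell out that the values are raw policy documents passed to IAM as-is.

```hcl
variable "inline_policies" {
  type        = any
  description = "Map of inline IAM policy documents (name => document object); passed to IAM as-is via jsonencode, so the caller owns their scope."
  default     = {}

  validation {
    condition     = alltrue([for p in var.inline_policies : can(p.Statement)])
    error_message = "Every inline_policies value must be a policy document object with a Statement attribute."
  }
}

# … unchanged: layer_arns … handler …

variable "logs" {
  # … unchanged: type = object({ … }) and default …

  validation {
    condition     = contains(["Text", "JSON"], var.logs.format)
    error_message = "logs.format must be \"Text\" or \"JSON\"."
  }
}
```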
