Merge pull request #39 from vistaprint/feature/lambda-custom-role

Add support to pass an IAM role to use in a lambda
vistaprint · Oct 26, 2018 · 0ae8129 · 0ae8129
2 parents 15f310b + c9420e2
commit 0ae8129
Show file tree

Hide file tree

Showing 4 changed files with 129 additions and 14 deletions.
diff --git a/modules/lambda/main.tf b/modules/lambda/main.tf
@@ -1,4 +1,6 @@
 resource "aws_iam_role" "iam_for_lambda" {
+  count = "${var.create_role ? 1 : 0}"
+
   name = "${var.prefix}iam_for_lambda"
 
   assume_role_policy = <<EOF
@@ -21,7 +23,7 @@ EOF
 resource "aws_iam_role_policy" "policy_for_lambda" {
   count  = "${var.policy == "" ? 0 : 1}"
   name   = "${var.prefix}policy_for_lambda"
-  role   = "${aws_iam_role.iam_for_lambda.id}"
+  role   = "${var.create_role ? join("", aws_iam_role.iam_for_lambda.*.arn) : var.role_arn}"
   policy = "${var.policy}"
 }
 
@@ -33,14 +35,14 @@ resource "aws_lambda_permission" "lambda_permission" {
   principal     = "${lookup(var.permissions[count.index % var.permission_count], "principal")}"
   statement_id  = "${lookup(var.permissions[count.index % var.permission_count], "statement_id")}"
   source_arn    = "${lookup(var.permissions[count.index % var.permission_count], "source_arn")}"
-} 
+}
 
 resource "aws_lambda_function" "lambda_function" {
   count = "${length(var.functions)}"
 
   filename         = "${var.lambda_file}"
   function_name    = "${format("%s%s", var.prefix, element(keys(var.functions), count.index))}"
-  role             = "${aws_iam_role.iam_for_lambda.arn}"
+  role             = "${var.create_role ? join("", aws_iam_role.iam_for_lambda.*.arn) : var.role_arn}"
   handler          = "${lookup(var.functions[element(keys(var.functions), count.index)], "handler")}"
   source_code_hash = "${base64sha256(file("${var.lambda_file}"))}"
   runtime          = "${var.runtime}"

diff --git a/modules/lambda/variables.tf b/modules/lambda/variables.tf
@@ -63,3 +63,15 @@ variable "memory_size" {
   description = "Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128."
   default = "128"
 }
+
+variable "create_role" {
+  description = "Whether to create a specific role and policy"
+
+  default = true
+}
+
+variable "role_arn" {
+  description = "Role ARN to use"
+
+  default = ""
+}
diff --git a/test/lambda/main.tf b/test/lambda/main.tf
@@ -1,6 +1,6 @@
 provider "aws" {
-  profile    = "${var.profile}"
-  region     = "${var.region}"
+  profile = "${var.profile}"
+  region  = "${var.region}"
 }
 
 data "aws_caller_identity" "current" {}
@@ -19,6 +19,13 @@ module "hello_endpoint" {
   path   = ["hello", "{name}"]
 }
 
+module "hello_endpoint_external_role" {
+  source = "../../modules/api_path/path2"
+  api    = "${aws_api_gateway_rest_api.api.id}"
+  parent = "${aws_api_gateway_rest_api.api.root_resource_id}"
+  path   = ["hello-external-role", "{name}"]
+}
+
 module "printvars_endpoint" {
   source = "../../modules/api_path/path2"
   api    = "${aws_api_gateway_rest_api.api.id}"
@@ -30,20 +37,48 @@ module "hello_method" {
   source = "../../modules/api_method"
   api    = "${aws_api_gateway_rest_api.api.id}"
   parent = "${element(module.hello_endpoint.path_resource_id, 1)}"
+
   request = {
     type = "AWS"
-    uri  = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/${module.lambdas.lambda_arns["LambdaTestHello"]}/invocations" 
+    uri  = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/${module.lambdas.lambda_arns["LambdaTestHello"]}/invocations"
+
     template = <<EOF
 {
   "name": "$input.params('name')"
 }
 EOF
   }
+
   responses = {
     "200" = {
       selection_pattern = ""
-      template = "$input.path('$.Result')"
-      content_type = "text/plain"
+      template          = "$input.path('$.Result')"
+      content_type      = "text/plain"
+    }
+  }
+}
+
+module "hello_method_external_role" {
+  source = "../../modules/api_method"
+  api    = "${aws_api_gateway_rest_api.api.id}"
+  parent = "${element(module.hello_endpoint_external_role.path_resource_id, 1)}"
+
+  request = {
+    type = "AWS"
+    uri  = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/${module.lambdas_with_external_role.lambda_arns["LambdaTestHelloExternalRole"]}/invocations"
+
+    template = <<EOF
+{
+  "name": "$input.params('name')"
+}
+EOF
+  }
+
+  responses = {
+    "200" = {
+      selection_pattern = ""
+      template          = "$input.path('$.Result')"
+      content_type      = "text/plain"
     }
   }
 }
@@ -52,20 +87,23 @@ module "printvars_method" {
   source = "../../modules/api_method"
   api    = "${aws_api_gateway_rest_api.api.id}"
   parent = "${element(module.printvars_endpoint.path_resource_id, 1)}"
+
   request = {
     type = "AWS"
-    uri  = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/${module.lambdas.lambda_arns["LambdaTestPrintVars"]}/invocations" 
+    uri  = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/${module.lambdas.lambda_arns["LambdaTestPrintVars"]}/invocations"
+
     template = <<EOF
 {
   "name": "$input.params('name')"
 }
 EOF
   }
+
   responses = {
     "200" = {
       selection_pattern = ""
-      template = "$input.path('$.Result')"
-      content_type = "text/plain"
+      template          = "$input.path('$.Result')"
+      content_type      = "text/plain"
     }
   }
 }
@@ -76,10 +114,12 @@ module "lambdas" {
   source = "../../modules/lambda"
 
   lambda_file = "sample_lambda.zip"
+
   functions = {
     LambdaTestHello = {
       handler = "package.say_hello"
     }
+
     LambdaTestPrintVars = {
       handler = "package.print_vars"
     }
@@ -93,22 +133,75 @@ module "lambdas" {
   memory_size = "256"
 
   permission_count = 1
+
   permissions = [
     {
       principal    = "apigateway.amazonaws.com"
       statement_id = "AllowExecutionFromAPIGateway"
       source_arn   = "arn:aws:execute-api:${var.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.api.id}/*/GET/*/*"
+    },
+  ]
+
+  prefix  = "${var.prefix}"
+  runtime = "python3.6"
+}
+
+resource "aws_iam_role" "common_iam_for_lambda" {
+  name = "${var.prefix}common_iam_for_lambda"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+module "lambdas_with_external_role" {
+  source = "../../modules/lambda"
+
+  lambda_file = "sample_lambda.zip"
+
+  functions = {
+    LambdaTestHelloExternalRole = {
+      handler = "package.say_hello"
     }
+  }
+
+  create_role = false
+  role_arn    = "${aws_iam_role.common_iam_for_lambda.arn}"
+
+  permission_count = 1
+
+  permissions = [
+    {
+      principal    = "apigateway.amazonaws.com"
+      statement_id = "AllowExecutionFromAPIGateway"
+      source_arn   = "arn:aws:execute-api:${var.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.api.id}/*/GET/*/*"
+    },
   ]
 
-  prefix = "${var.prefix}"
+  prefix  = "${var.prefix}"
   runtime = "python3.6"
 }
 
 ### Deployment ###
 
 resource "aws_api_gateway_deployment" "deployment" {
-  depends_on = ["module.hello_method", "module.printvars_method"]
+  depends_on = [
+    "module.hello_method",
+    "module.hello_method_external_role",
+    "module.printvars_method",
+  ]
 
   rest_api_id = "${aws_api_gateway_rest_api.api.id}"
   stage_name  = "Prod"
@@ -117,11 +210,15 @@ resource "aws_api_gateway_deployment" "deployment" {
     command = "wait_for_url ${aws_api_gateway_deployment.deployment.invoke_url}/hello/foo 600"
   }
 
+  provisioner "local-exec" {
+    command = "wait_for_url ${aws_api_gateway_deployment.deployment.invoke_url}/hello-external-role/foo 600"
+  }
+
   provisioner "local-exec" {
     command = "wait_for_url ${aws_api_gateway_deployment.deployment.invoke_url}/printvar/foo 600"
   }
 }
 
 output "api_url" {
   value = "${aws_api_gateway_deployment.deployment.invoke_url}"
-}
+}
diff --git a/test/lambda/rakefile.rb b/test/lambda/rakefile.rb
@@ -16,6 +16,10 @@ def self.return_a_value(api_url)
       response = request("#{api_url}/hello/Steve")
       expect(response.status[0]).to eq('200')
       expect(response.read).to eq('Hello Steve')
+
+      response = request("#{api_url}/hello-external-role/Steve")
+      expect(response.status[0]).to eq('200')
+      expect(response.read).to eq('Hello Steve')
     end
 
     def self.access_environment_variables(api_url)