diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 38f92f23..2fb09edb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.1 + rev: v1.96.3 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each diff --git a/README.md b/README.md index 928224cd..ed1f32c8 100644 --- a/README.md +++ b/README.md 
@@ -690,25 +690,17 @@ No modules. | Name | Type | |------|------| | [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| 
[aws_iam_role_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy_attachment.additional_many](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.additional_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| 
[aws_iam_role_policy_attachment.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_lambda_event_source_mapping.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource | | [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | | [aws_lambda_function_event_invoke_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_event_invoke_config) | resource | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 0d87f3c1..d0ae09c8 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -54,8 +54,7 @@ module "lambda_function" { cloudwatch_logs_log_group_class = "INFREQUENT_ACCESS" - role_path = "/tf-managed/" - policy_path = "/tf-managed/" + role_path = "/tf-managed/" attach_dead_letter_policy = true dead_letter_target_arn = aws_sqs_queue.dlq.arn diff --git a/iam.tf b/iam.tf index 436a4398..8b0440e1 100644 --- a/iam.tf +++ b/iam.tf @@ -131,20 +131,12 @@ data "aws_iam_policy_document" "logs" { } } -resource "aws_iam_policy" "logs" { +resource "aws_iam_role_policy" "logs" { count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0 name = "${local.policy_name}-logs" - path = var.policy_path + role = aws_iam_role.lambda[0].name policy = data.aws_iam_policy_document.logs[0].json - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "logs" { - count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0 - - role = aws_iam_role.lambda[0].name - policy_arn = aws_iam_policy.logs[0].arn } ##################### 
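Review bot: For an already-deployed function this hunk has Terraform destroy `aws_iam_policy.logs` and its attachment and create `aws_iam_role_policy.logs` in the same apply, and nothing in the graph orders the inline policy's creation before the managed policy's detachment, so the role can briefly hold no `logs:*` permissions while existing invocations are still running; the same applies to every converted policy in iam.tf. Terraform cannot express create-before-destroy across two different resource types, so this is an upgrade-notes item rather than a code fix, e.g. a comment above the resource: `# NOTE: inline policy — upgrading from the managed-policy version recreates permissions; expect a short window in which the role has none`. Also, `aws_iam_role_policy` has no `tags` argument, so the removed `tags = var.tags` is not replaced and these policies are no longer tagged — worth one sentence in the module docs so tag-based governance rules are not surprised.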
@@ -168,20 +160,12 @@ data "aws_iam_policy_document" "dead_letter" { } } -resource "aws_iam_policy" "dead_letter" { +resource "aws_iam_role_policy" "dead_letter" { count = local.create_role && var.attach_dead_letter_policy ? 1 : 0 name = "${local.policy_name}-dl" - path = var.policy_path + role = aws_iam_role.lambda[0].name policy = data.aws_iam_policy_document.dead_letter[0].json - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "dead_letter" { - count = local.create_role && var.attach_dead_letter_policy ? 1 : 0 - - role = aws_iam_role.lambda[0].name - policy_arn = aws_iam_policy.dead_letter[0].arn } ###### @@ -195,20 +179,12 @@ data "aws_iam_policy" "vpc" { arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess" } -resource "aws_iam_policy" "vpc" { +resource "aws_iam_role_policy" "vpc" { count = local.create_role && var.attach_network_policy ? 1 : 0 name = "${local.policy_name}-vpc" - path = var.policy_path + role = aws_iam_role.lambda[0].name policy = data.aws_iam_policy.vpc[0].policy - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "vpc" { - count = local.create_role && var.attach_network_policy ? 1 : 0 - - role = aws_iam_role.lambda[0].name - policy_arn = aws_iam_policy.vpc[0].arn } ##################### 
@@ -222,20 +198,12 @@ data "aws_iam_policy" "tracing" { arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXRayDaemonWriteAccess" } -resource "aws_iam_policy" "tracing" { +resource "aws_iam_role_policy" "tracing" { count = local.create_role && var.attach_tracing_policy ? 1 : 0 name = "${local.policy_name}-tracing" - path = var.policy_path + role = aws_iam_role.lambda[0].name policy = data.aws_iam_policy.tracing[0].policy - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "tracing" { - count = local.create_role && var.attach_tracing_policy ? 1 : 0 - - role = aws_iam_role.lambda[0].name - policy_arn = aws_iam_policy.tracing[0].arn } ############################### 
@@ -259,60 +227,36 @@ data "aws_iam_policy_document" "async" { } } -resource "aws_iam_policy" "async" { +resource "aws_iam_role_policy" "async" { count = local.create_role && var.attach_async_event_policy ? 1 : 0 name = "${local.policy_name}-async" - path = var.policy_path + role = aws_iam_role.lambda[0].name policy = data.aws_iam_policy_document.async[0].json - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "async" { - count = local.create_role && var.attach_async_event_policy ? 1 : 0 - - role = aws_iam_role.lambda[0].name - policy_arn = aws_iam_policy.async[0].arn } ########################### # Additional policy (JSON) ########################### -resource "aws_iam_policy" "additional_json" { +resource "aws_iam_role_policy" "additional_json" { count = local.create_role && var.attach_policy_json ? 1 : 0 name = local.policy_name - path = var.policy_path + role = aws_iam_role.lambda[0].name policy = var.policy_json - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "additional_json" { - count = local.create_role && var.attach_policy_json ? 1 : 0 - - role = aws_iam_role.lambda[0].name - policy_arn = aws_iam_policy.additional_json[0].arn } ##################################### # Additional policies (list of JSON) ##################################### -resource "aws_iam_policy" "additional_jsons" { +resource "aws_iam_role_policy" "additional_jsons" { count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0 name = "${local.policy_name}-${count.index}" - path = var.policy_path + role = aws_iam_role.lambda[0].name policy = var.policy_jsons[count.index] - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "additional_jsons" { - count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0 - - role = aws_iam_role.lambda[0].name - policy_arn = aws_iam_policy.additional_jsons[count.index].arn } ########################### 
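Review bot: `aws_iam_role_policy.additional_jsons` now places every entry of `var.policy_jsons` inline on the role, and IAM limits the combined size of all inline policies on one role to 10,240 characters (whitespace excluded), a budget shared with the logs, dl, vpc, tracing, async, `additional_json` and `additional_inline` policies in this file; the previous design gave each managed policy its own 6,144-character limit and allowed ten of them per role by default. A caller who passes several large documents in `policy_jsons` will therefore likely fail at apply time with an IAM LimitExceeded error rather than at plan time, and the failure will look like a module regression. This deserves a note on `variable "policy_jsons"` (outside this hunk) and in the upgrade notes, e.g. `# NOTE: inline — all policies on the role share IAM's 10,240-character inline quota; use attach_policies/policies (managed ARNs) for large documents.`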
@@ -383,18 +327,10 @@ data "aws_iam_policy_document" "additional_inline" { } } -resource "aws_iam_policy" "additional_inline" { +resource "aws_iam_role_policy" "additional_inline" { count = local.create_role && var.attach_policy_statements ? 1 : 0 name = "${local.policy_name}-inline" - path = var.policy_path + role = aws_iam_role.lambda[0].name policy = data.aws_iam_policy_document.additional_inline[0].json - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "additional_inline" { - count = local.create_role && var.attach_policy_statements ? 1 : 0 - - role = aws_iam_role.lambda[0].name - policy_arn = aws_iam_policy.additional_inline[0].arn } diff --git a/main.tf b/main.tf index c37d445c..6c3f0940 100644 --- a/main.tf +++ b/main.tf @@ -154,16 +154,16 @@ resource "aws_lambda_function" "this" { aws_cloudwatch_log_group.lambda, # Before the lambda is created the execution role with all its policies should be ready - aws_iam_role_policy_attachment.additional_inline, - aws_iam_role_policy_attachment.additional_json, - aws_iam_role_policy_attachment.additional_jsons, + aws_iam_role_policy.additional_inline, + aws_iam_role_policy.additional_json, + aws_iam_role_policy.additional_jsons, + aws_iam_role_policy.async, + aws_iam_role_policy.dead_letter, + aws_iam_role_policy.logs, + aws_iam_role_policy.tracing, + aws_iam_role_policy.vpc, aws_iam_role_policy_attachment.additional_many, aws_iam_role_policy_attachment.additional_one, - aws_iam_role_policy_attachment.async, - aws_iam_role_policy_attachment.logs, - aws_iam_role_policy_attachment.dead_letter, - aws_iam_role_policy_attachment.vpc, - aws_iam_role_policy_attachment.tracing, ] } diff --git a/variables.tf b/variables.tf index 91ff6961..c4aac208 100644 --- a/variables.tf +++ b/variables.tf 
@@ -578,6 +578,8 @@ variable "attach_policies" { default = false } +# TODO: DEPRECATED: Remove this variable in the next major version +# tflint-ignore: all variable "policy_path" { description = "Path of policies to that should be added to IAM role for Lambda Function" type = string
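Review bot: `policy_path` remains in the interface but now has no effect, since `aws_iam_role_policy` has no `path` argument and every reference in iam.tf is removed by this commit, so a caller who still sets it (as examples/complete did before this change) gets silent acceptance and a role whose policies land somewhere other than where they asked. The deprecation currently lives only in a code comment and a `tflint-ignore`; the user-visible description should state it, e.g. `description = "DEPRECATED (no-op): policies are now attached inline via aws_iam_role_policy, which has no path. Kept for backward compatibility; will be removed in the next major version."`. If the module's required Terraform version allows it, a `check` block that warns when `var.policy_path` is non-default would make the no-op visible in plan output.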