Commit 394d337

RafaelWOantonbabenko

and

authored

feat: Use inline instead of managed policies (#615)

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

1 parent 45c6720 commit 394d337Copy full SHA for 394d337

File tree

6 files changed

+36

-107

lines changed

.pre-commit-config.yaml
README.md
examples/complete
- main.tf
iam.tf
main.tf
variables.tf

6 files changed

+36

-107

lines changed

`‎.pre-commit-config.yaml`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`repos:`
`2`	`2`	`- repo: https://github.com/antonbabenko/pre-commit-terraform`
`3`		`- rev: v1.96.1`
	`3`	`+ rev: v1.96.3`
`4`	`4`	`hooks:`
`5`	`5`	`- id: terraform_fmt`
`6`	`6`	`- id: terraform_wrapper_module_for_each`

`‎README.md`

Lines changed: 8 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -690,25 +690,17 @@ No modules.`
`690`	`690`	`\| Name \| Type \|`
`691`	`691`	`\|------\|------\|`
`692`	`692`	`\| [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) \| resource \|`
`693`		`-\| [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) \| resource \|`
`694`		`-\| [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) \| resource \|`
`695`		`-\| [aws_iam_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) \| resource \|`
`696`		`-\| [aws_iam_policy.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) \| resource \|`
`697`		`-\| [aws_iam_policy.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) \| resource \|`
`698`		`-\| [aws_iam_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) \| resource \|`
`699`		`-\| [aws_iam_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) \| resource \|`
`700`		`-\| [aws_iam_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) \| resource \|`
`701`	`693`	`\| [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) \| resource \|`
`702`		`-\| [aws_iam_role_policy_attachment.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`703`		`-\| [aws_iam_role_policy_attachment.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`704`		`-\| [aws_iam_role_policy_attachment.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
	`694`	`+\| [aws_iam_role_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) \| resource \|`
	`695`	`+\| [aws_iam_role_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) \| resource \|`
	`696`	`+\| [aws_iam_role_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) \| resource \|`
	`697`	`+\| [aws_iam_role_policy.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) \| resource \|`
	`698`	`+\| [aws_iam_role_policy.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) \| resource \|`
	`699`	`+\| [aws_iam_role_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) \| resource \|`
	`700`	`+\| [aws_iam_role_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) \| resource \|`
	`701`	`+\| [aws_iam_role_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) \| resource \|`
`705`	`702`	`\| [aws_iam_role_policy_attachment.additional_many](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`706`	`703`	`\| [aws_iam_role_policy_attachment.additional_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`707`		`-\| [aws_iam_role_policy_attachment.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`708`		`-\| [aws_iam_role_policy_attachment.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`709`		`-\| [aws_iam_role_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`710`		`-\| [aws_iam_role_policy_attachment.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`711`		`-\| [aws_iam_role_policy_attachment.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) \| resource \|`
`712`	`704`	`\| [aws_lambda_event_source_mapping.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) \| resource \|`
`713`	`705`	`\| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) \| resource \|`
`714`	`706`	`\| [aws_lambda_function_event_invoke_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_event_invoke_config) \| resource \|`

`‎examples/complete/main.tf`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -54,8 +54,7 @@ module "lambda_function" {`
`54`	`54`
`55`	`55`	`cloudwatch_logs_log_group_class = "INFREQUENT_ACCESS"`
`56`	`56`
`57`		`- role_path = "/tf-managed/"`
`58`		`- policy_path = "/tf-managed/"`
	`57`	`+ role_path = "/tf-managed/"`
`59`	`58`
`60`	`59`	`attach_dead_letter_policy = true`
`61`	`60`	`dead_letter_target_arn = aws_sqs_queue.dlq.arn`

`‎iam.tf`

Lines changed: 16 additions & 80 deletions

Original file line number	Diff line number	Diff line change
`@@ -131,20 +131,12 @@ data "aws_iam_policy_document" "logs" {`
`131`	`131`	`}`
`132`	`132`	`}`
`133`	`133`
`134`		`-resource "aws_iam_policy" "logs" {`
	`134`	`+resource "aws_iam_role_policy" "logs" {`
`135`	`135`	`count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0`
`136`	`136`
`137`	`137`	`name = "${local.policy_name}-logs"`
`138`		`- path = var.policy_path`
	`138`	`+ role = aws_iam_role.lambda[0].name`
`139`	`139`	`policy = data.aws_iam_policy_document.logs[0].json`
`140`		`- tags = var.tags`
`141`		`-}`
`142`		`-`
`143`		`-resource "aws_iam_role_policy_attachment" "logs" {`
`144`		`- count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0`
`145`		`-`
`146`		`- role = aws_iam_role.lambda[0].name`
`147`		`- policy_arn = aws_iam_policy.logs[0].arn`
`148`	`140`	`}`
`149`	`141`
`150`	`142`	`#####################`
`@@ -168,20 +160,12 @@ data "aws_iam_policy_document" "dead_letter" {`
`168`	`160`	`}`
`169`	`161`	`}`
`170`	`162`
`171`		`-resource "aws_iam_policy" "dead_letter" {`
	`163`	`+resource "aws_iam_role_policy" "dead_letter" {`
`172`	`164`	`count = local.create_role && var.attach_dead_letter_policy ? 1 : 0`
`173`	`165`
`174`	`166`	`name = "${local.policy_name}-dl"`
`175`		`- path = var.policy_path`
	`167`	`+ role = aws_iam_role.lambda[0].name`
`176`	`168`	`policy = data.aws_iam_policy_document.dead_letter[0].json`
`177`		`- tags = var.tags`
`178`		`-}`
`179`		`-`
`180`		`-resource "aws_iam_role_policy_attachment" "dead_letter" {`
`181`		`- count = local.create_role && var.attach_dead_letter_policy ? 1 : 0`
`182`		`-`
`183`		`- role = aws_iam_role.lambda[0].name`
`184`		`- policy_arn = aws_iam_policy.dead_letter[0].arn`
`185`	`169`	`}`
`186`	`170`
`187`	`171`	`######`
`@@ -195,20 +179,12 @@ data "aws_iam_policy" "vpc" {`
`195`	`179`	`arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"`
`196`	`180`	`}`
`197`	`181`
`198`		`-resource "aws_iam_policy" "vpc" {`
	`182`	`+resource "aws_iam_role_policy" "vpc" {`
`199`	`183`	`count = local.create_role && var.attach_network_policy ? 1 : 0`
`200`	`184`
`201`	`185`	`name = "${local.policy_name}-vpc"`
`202`		`- path = var.policy_path`
	`186`	`+ role = aws_iam_role.lambda[0].name`
`203`	`187`	`policy = data.aws_iam_policy.vpc[0].policy`
`204`		`- tags = var.tags`
`205`		`-}`
`206`		`-`
`207`		`-resource "aws_iam_role_policy_attachment" "vpc" {`
`208`		`- count = local.create_role && var.attach_network_policy ? 1 : 0`
`209`		`-`
`210`		`- role = aws_iam_role.lambda[0].name`
`211`		`- policy_arn = aws_iam_policy.vpc[0].arn`
`212`	`188`	`}`
`213`	`189`
`214`	`190`	`#####################`
`@@ -222,20 +198,12 @@ data "aws_iam_policy" "tracing" {`
`222`	`198`	`arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXRayDaemonWriteAccess"`
`223`	`199`	`}`
`224`	`200`
`225`		`-resource "aws_iam_policy" "tracing" {`
	`201`	`+resource "aws_iam_role_policy" "tracing" {`
`226`	`202`	`count = local.create_role && var.attach_tracing_policy ? 1 : 0`
`227`	`203`
`228`	`204`	`name = "${local.policy_name}-tracing"`
`229`		`- path = var.policy_path`
	`205`	`+ role = aws_iam_role.lambda[0].name`
`230`	`206`	`policy = data.aws_iam_policy.tracing[0].policy`
`231`		`- tags = var.tags`
`232`		`-}`
`233`		`-`
`234`		`-resource "aws_iam_role_policy_attachment" "tracing" {`
`235`		`- count = local.create_role && var.attach_tracing_policy ? 1 : 0`
`236`		`-`
`237`		`- role = aws_iam_role.lambda[0].name`
`238`		`- policy_arn = aws_iam_policy.tracing[0].arn`
`239`	`207`	`}`
`240`	`208`
`241`	`209`	`###############################`
`@@ -259,60 +227,36 @@ data "aws_iam_policy_document" "async" {`
`259`	`227`	`}`
`260`	`228`	`}`
`261`	`229`
`262`		`-resource "aws_iam_policy" "async" {`
	`230`	`+resource "aws_iam_role_policy" "async" {`
`263`	`231`	`count = local.create_role && var.attach_async_event_policy ? 1 : 0`
`264`	`232`
`265`	`233`	`name = "${local.policy_name}-async"`
`266`		`- path = var.policy_path`
	`234`	`+ role = aws_iam_role.lambda[0].name`
`267`	`235`	`policy = data.aws_iam_policy_document.async[0].json`
`268`		`- tags = var.tags`
`269`		`-}`
`270`		`-`
`271`		`-resource "aws_iam_role_policy_attachment" "async" {`
`272`		`- count = local.create_role && var.attach_async_event_policy ? 1 : 0`
`273`		`-`
`274`		`- role = aws_iam_role.lambda[0].name`
`275`		`- policy_arn = aws_iam_policy.async[0].arn`
`276`	`236`	`}`
`277`	`237`
`278`	`238`	`###########################`
`279`	`239`	`# Additional policy (JSON)`
`280`	`240`	`###########################`
`281`	`241`
`282`		`-resource "aws_iam_policy" "additional_json" {`
	`242`	`+resource "aws_iam_role_policy" "additional_json" {`
`283`	`243`	`count = local.create_role && var.attach_policy_json ? 1 : 0`
`284`	`244`
`285`	`245`	`name = local.policy_name`
`286`		`- path = var.policy_path`
	`246`	`+ role = aws_iam_role.lambda[0].name`
`287`	`247`	`policy = var.policy_json`
`288`		`- tags = var.tags`
`289`		`-}`
`290`		`-`
`291`		`-resource "aws_iam_role_policy_attachment" "additional_json" {`
`292`		`- count = local.create_role && var.attach_policy_json ? 1 : 0`
`293`		`-`
`294`		`- role = aws_iam_role.lambda[0].name`
`295`		`- policy_arn = aws_iam_policy.additional_json[0].arn`
`296`	`248`	`}`
`297`	`249`
`298`	`250`	`#####################################`
`299`	`251`	`# Additional policies (list of JSON)`
`300`	`252`	`#####################################`
`301`	`253`
`302`		`-resource "aws_iam_policy" "additional_jsons" {`
	`254`	`+resource "aws_iam_role_policy" "additional_jsons" {`
`303`	`255`	`count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0`
`304`	`256`
`305`	`257`	`name = "${local.policy_name}-${count.index}"`
`306`		`- path = var.policy_path`
	`258`	`+ role = aws_iam_role.lambda[0].name`
`307`	`259`	`policy = var.policy_jsons[count.index]`
`308`		`- tags = var.tags`
`309`		`-}`
`310`		`-`
`311`		`-resource "aws_iam_role_policy_attachment" "additional_jsons" {`
`312`		`- count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0`
`313`		`-`
`314`		`- role = aws_iam_role.lambda[0].name`
`315`		`- policy_arn = aws_iam_policy.additional_jsons[count.index].arn`
`316`	`260`	`}`
`317`	`261`
`318`	`262`	`###########################`
`@@ -383,18 +327,10 @@ data "aws_iam_policy_document" "additional_inline" {`
`383`	`327`	`}`
`384`	`328`	`}`
`385`	`329`
`386`		`-resource "aws_iam_policy" "additional_inline" {`
	`330`	`+resource "aws_iam_role_policy" "additional_inline" {`
`387`	`331`	`count = local.create_role && var.attach_policy_statements ? 1 : 0`
`388`	`332`
`389`	`333`	`name = "${local.policy_name}-inline"`
`390`		`- path = var.policy_path`
	`334`	`+ role = aws_iam_role.lambda[0].name`
`391`	`335`	`policy = data.aws_iam_policy_document.additional_inline[0].json`
`392`		`- tags = var.tags`
`393`		`-}`
`394`		`-`
`395`		`-resource "aws_iam_role_policy_attachment" "additional_inline" {`
`396`		`- count = local.create_role && var.attach_policy_statements ? 1 : 0`
`397`		`-`
`398`		`- role = aws_iam_role.lambda[0].name`
`399`		`- policy_arn = aws_iam_policy.additional_inline[0].arn`
`400`	`336`	`}`

`‎main.tf`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -154,16 +154,16 @@ resource "aws_lambda_function" "this" {`
`154`	`154`	`aws_cloudwatch_log_group.lambda,`
`155`	`155`
`156`	`156`	`# Before the lambda is created the execution role with all its policies should be ready`
`157`		`- aws_iam_role_policy_attachment.additional_inline,`
`158`		`- aws_iam_role_policy_attachment.additional_json,`
`159`		`- aws_iam_role_policy_attachment.additional_jsons,`
	`157`	`+ aws_iam_role_policy.additional_inline,`
	`158`	`+ aws_iam_role_policy.additional_json,`
	`159`	`+ aws_iam_role_policy.additional_jsons,`
	`160`	`+ aws_iam_role_policy.async,`
	`161`	`+ aws_iam_role_policy.dead_letter,`
	`162`	`+ aws_iam_role_policy.logs,`
	`163`	`+ aws_iam_role_policy.tracing,`
	`164`	`+ aws_iam_role_policy.vpc,`
`160`	`165`	`aws_iam_role_policy_attachment.additional_many,`
`161`	`166`	`aws_iam_role_policy_attachment.additional_one,`
`162`		`- aws_iam_role_policy_attachment.async,`
`163`		`- aws_iam_role_policy_attachment.logs,`
`164`		`- aws_iam_role_policy_attachment.dead_letter,`
`165`		`- aws_iam_role_policy_attachment.vpc,`
`166`		`- aws_iam_role_policy_attachment.tracing,`
`167`	`167`	`]`
`168`	`168`	`}`
`169`	`169`

`‎variables.tf`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -578,6 +578,8 @@ variable "attach_policies" {`
`578`	`578`	`default = false`
`579`	`579`	`}`
`580`	`580`
	`581`	`+# TODO: DEPRECATED: Remove this variable in the next major version`
	`582`	`+# tflint-ignore: all`
`581`	`583`	`variable "policy_path" {`
`582`	`584`	`description = "Path of policies to that should be added to IAM role for Lambda Function"`
`583`	`585`	`type = string`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit 394d337

File tree

6 files changed

6 files changed

`‎.pre-commit-config.yaml`

`‎README.md`

`‎examples/complete/main.tf`

`‎iam.tf`

`‎main.tf`

`‎variables.tf`

0 commit comments