Merge branch 'master' into aws_iam_role_policy_attachment

Author: nitrocode

Makefile

@@ -16,6 +16,13 @@ This Terraform module creates and uploads an AWS Lambda function and hides the u
 * Python 2.7 or higher
 * Linux/Unix/Windows
 
+## Terraform version compatibility
+
+| Module version | Terraform version |
+|----------------|-------------------|
+| 1.x.x          | 0.12.x            |
+| 0.x.x          | 0.11.x            |
+
 ## Usage
 
 ```js
@@ -32,67 +39,59 @@ module "lambda" {
   source_path = "${path.module}/lambda.py"
 
   // Attach a policy.
-  attach_policy = true
-  policy        = "${data.aws_iam_policy_document.lambda.json}"
+  policy = {
+    json = data.aws_iam_policy_document.lambda.json
+  }
 
   // Add a dead letter queue.
-  attach_dead_letter_config = true
-  dead_letter_config {
-    target_arn = "${var.dead_letter_queue_arn}"
+  dead_letter_config = {
+    target_arn = aws_sqs_queue.dlq.arn
   }
 
   // Add environment variables.
-  environment {
-    variables {
-      SLACK_URL = "${var.slack_url}"
+  environment = {
+    variables = {
+      SLACK_URL = var.slack_url
     }
   }
 
   // Deploy into a VPC.
-  attach_vpc_config = true
-  vpc_config {
-    subnet_ids         = ["${aws_subnet.test.id}"]
-    security_group_ids = ["${aws_security_group.test.id}"]
+  vpc_config = {
+    subnet_ids         = [aws_subnet.test.id]
+    security_group_ids = [aws_security_group.test.id]
   }
 }
 ```
 
-### NB - Multi-region usage
-
-IAM and Lambda function names need to be globally unique within your account.
-If you will be deploying this template to multiple regions, you must make the
-function name unique per region, for example by setting
-`function_name = "deployment-deploy-status-${data.aws_region.current.name}"`
-
 ## Inputs
 
+Inputs for this module are the same as the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource with the following additional arguments:
+
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| attach\_dead\_letter\_config | Set this to true if using the dead_letter_config variable | string | `"false"` | no |
-| attach\_policy | Set this to true if using the policy variable | string | `"false"` | no |
-| attach\_vpc\_config | Set this to true if using the vpc_config variable | string | `"false"` | no |
-| build\_command | The command that creates the Lambda package zip file | string | `"python build.py '$filename' '$runtime' '$source'"` | no |
-| build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | list | `<list>` | no |
-| dead\_letter\_config | Dead letter configuration for the Lambda function | map | `<map>` | no |
-| description | Description of what your Lambda function does | string | `"Managed by Terraform"` | no |
-| enable\_cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | string | `"true"` | no |
-| environment | Environment configuration for the Lambda function | map | `<map>` | no |
-| function\_name | A unique name for your Lambda function (and related IAM resources) | string | n/a | yes |
-| handler | The function entrypoint in your code | string | n/a | yes |
-| memory\_size | Amount of memory in MB your Lambda function can use at runtime | string | `"128"` | no |
-| policy | An addional policy to attach to the Lambda function | string | `""` | no |
-| reserved\_concurrent\_executions | The amount of reserved concurrent executions for this Lambda function | string | `"0"` | no |
-| runtime | The runtime environment for the Lambda function | string | n/a | yes |
-| source\_path | The source file or directory containing your Lambda source code | string | n/a | yes |
-| tags | A mapping of tags | map | `<map>` | no |
-| timeout | The amount of time your Lambda function had to run in seconds | string | `"10"` | no |
-| vpc\_config | VPC configuration for the Lambda function | map | `<map>` | no |
+|------|-------------|------|---------|----------|
+| **source\_path** | The absolute path to a local file or directory containing your Lambda source code | `string` | | yes |
+| build\_command | The command to run to create the Lambda package zip file | `string` | `"python build.py '$filename' '$runtime' '$source'"` | no |
+| build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | `list(string)` | `["build.py"]` | no |
+| cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | `bool` | `true` | no |
+| lambda\_at\_edge | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function | `bool` | `false` | no |
+| policy | An additional policy to attach to the Lambda function role | `object({json=string})` | | no |
+
+The following arguments from the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource are not supported:
+
+* filename (use source\_path instead)
+* role (one is automatically created)
+* s3_bucket
+* s3_key
+* s3_object_version
+* source_code_hash (changes are handled automatically)
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | function\_arn | The ARN of the Lambda function |
+| function\_invoke\_arn | The Invoke ARN of the Lambda function |
 | function\_name | The name of the Lambda function |
+| function\_qualified\_arn | The qualified ARN of the Lambda function |
 | role\_arn | The ARN of the IAM role created for the Lambda function |
 | role\_name | The name of the IAM role created for the Lambda function |

README.md

@@ -1,30 +1,26 @@
-locals {
-  module_relpath = "${substr(path.module, length(path.cwd) + 1, -1)}"
-}
-
 # Generates a filename for the zip archive based on the contents of the files
 # in source_path. The filename will change when the source code changes.
 data "external" "archive" {
   program = ["python", "${path.module}/hash.py"]
 
   query = {
-    build_command  = "${var.build_command}"
-    build_paths    = "${jsonencode(var.build_paths)}"
-    module_relpath = "${local.module_relpath}"
-    runtime        = "${var.runtime}"
-    source_path    = "${var.source_path}"
+    build_command  = var.build_command
+    build_paths    = jsonencode(var.build_paths)
+    module_relpath = path.module
+    runtime        = var.runtime
+    source_path    = var.source_path
   }
 }
 
 # Build the zip archive whenever the filename changes.
 resource "null_resource" "archive" {
-  triggers {
-    filename = "${lookup(data.external.archive.result, "filename")}"
+  triggers = {
+    filename = lookup(data.external.archive.result, "filename")
   }
 
   provisioner "local-exec" {
-    command     = "${lookup(data.external.archive.result, "build_command")}"
-    working_dir = "${path.module}"
+    command     = lookup(data.external.archive.result, "build_command")
+    working_dir = path.module
   }
 }
 
@@ -37,9 +33,9 @@ data "external" "built" {
   program = ["python", "${path.module}/built.py"]
 
   query = {
-    build_command  = "${lookup(data.external.archive.result, "build_command")}"
-    filename_old   = "${lookup(null_resource.archive.triggers, "filename")}"
-    filename_new   = "${lookup(data.external.archive.result, "filename")}"
-    module_relpath = "${local.module_relpath}"
+    build_command  = lookup(data.external.archive.result, "build_command")
+    filename_old   = lookup(null_resource.archive.triggers, "filename")
+    filename_new   = lookup(data.external.archive.result, "filename")
+    module_relpath = path.module
   }
 }

archive.tf

@@ -2,6 +2,7 @@
 # Installs dependencies with pip automatically.
 
 import os
+import shlex
 import shutil
 import subprocess
 import sys
@@ -104,9 +105,17 @@ def create_zip_file(source_dir, target_file):
     )
 
 
-filename = sys.argv[1]
-runtime = sys.argv[2]
-source_path = sys.argv[3]
+def dequote(value):
+    """
+    Handles quotes around values in a shell-compatible fashion.
+
+    """
+    return ' '.join(shlex.split(value))
+
+
+filename = dequote(sys.argv[1])
+runtime = dequote(sys.argv[2])
+source_path = dequote(sys.argv[3])
 
 absolute_filename = os.path.abspath(filename)
 
@@ -132,6 +141,7 @@ def create_zip_file(source_dir, target_file):
                 os.makedirs(target_dir)
             print('cp {} {}'.format(file_name, target_path))
             shutil.copyfile(file_name, target_path)
+            shutil.copymode(file_name, target_path)
 
     # Install dependencies into the temporary directory.
     if runtime.startswith('python'):

build.py

@@ -107,7 +107,7 @@ def update_hash(hash_obj, file_root, file_path):
 build_paths = json.loads(query['build_paths'])
 module_relpath = query['module_relpath']
 runtime = query['runtime']
-source_path = query['source_path']
+source_path = os.path.abspath(query['source_path'])
 
 # Validate the query.
 if not source_path:

hash.py

@@ -7,20 +7,27 @@ data "aws_iam_policy_document" "assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["lambda.amazonaws.com"]
+      identifiers = slice(list("lambda.amazonaws.com", "edgelambda.amazonaws.com"), 0, var.lambda_at_edge ? 2 : 1)
     }
   }
 }
 
 resource "aws_iam_role" "lambda" {
-  name               = "${var.function_name}"
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
+  name               = var.function_name
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  tags               = var.tags
 }
 
 # Attach a policy for logs.
 
+locals {
+  lambda_log_group_arn      = "arn:${data.aws_partition.current.partition}:logs:*:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.function_name}"
+  lambda_edge_log_group_arn = "arn:${data.aws_partition.current.partition}:logs:*:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/us-east-1.${var.function_name}"
+  log_group_arns            = slice(list(local.lambda_log_group_arn, local.lambda_edge_log_group_arn), 0, var.lambda_at_edge ? 2 : 1)
+}
+
 data "aws_iam_policy_document" "logs" {
-  count = "${var.enable_cloudwatch_logs ? 1 : 0}"
+  count = var.cloudwatch_logs ? 1 : 0
 
   statement {
     effect = "Allow"
@@ -30,7 +37,7 @@ data "aws_iam_policy_document" "logs" {
     ]
 
     resources = [
-      "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*",
+      "*",
     ]
   }
 
@@ -42,31 +49,29 @@ data "aws_iam_policy_document" "logs" {
       "logs:PutLogEvents",
     ]
 
-    resources = [
-      "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.function_name}:*",
-    ]
+    resources = concat(formatlist("%v:*", local.log_group_arns), formatlist("%v:*:*", local.log_group_arns))
   }
 }
 
 resource "aws_iam_policy" "logs" {
-  count = "${var.enable_cloudwatch_logs ? 1 : 0}"
+  count = var.cloudwatch_logs ? 1 : 0
 
   name   = "${var.function_name}-logs"
-  policy = "${data.aws_iam_policy_document.logs.json}"
+  policy = data.aws_iam_policy_document.logs[0].json
 }
 
 resource "aws_iam_policy_attachment" "logs" {
-  count = "${var.enable_cloudwatch_logs ? 1 : 0}"
+  count = var.cloudwatch_logs ? 1 : 0
 
   name       = "${var.function_name}-logs"
-  roles      = ["${aws_iam_role.lambda.name}"]
-  policy_arn = "${aws_iam_policy.logs.arn}"
+  roles      = [aws_iam_role.lambda.name]
+  policy_arn = aws_iam_policy.logs[0].arn
 }
 
 # Attach an additional policy required for the dead letter config.
 
 data "aws_iam_policy_document" "dead_letter" {
-  count = "${var.attach_dead_letter_config ? 1 : 0}"
+  count = var.dead_letter_config == null ? 0 : 1
 
   statement {
     effect = "Allow"
@@ -77,29 +82,31 @@ data "aws_iam_policy_document" "dead_letter" {
     ]
 
     resources = [
-      "${lookup(var.dead_letter_config, "target_arn", "")}",
+      var.dead_letter_config.target_arn,
     ]
   }
 }
 
 resource "aws_iam_policy" "dead_letter" {
-  count = "${var.attach_dead_letter_config ? 1 : 0}"
+  count = var.dead_letter_config == null ? 0 : 1
 
   name   = "${var.function_name}-dl"
-  policy = "${data.aws_iam_policy_document.dead_letter.json}"
+  policy = data.aws_iam_policy_document.dead_letter[0].json
 }
 
 resource "aws_iam_policy_attachment" "dead_letter" {
-  count = "${var.attach_dead_letter_config ? 1 : 0}"
+  count = var.dead_letter_config == null ? 0 : 1
 
   name       = "${var.function_name}-dl"
-  roles      = ["${aws_iam_role.lambda.name}"]
-  policy_arn = "${aws_iam_policy.dead_letter.arn}"
+  roles      = [aws_iam_role.lambda.name]
+  policy_arn = aws_iam_policy.dead_letter[0].arn
 }
 
 # Attach an additional policy required for the VPC config
 
 data "aws_iam_policy_document" "network" {
+  count = var.vpc_config == null ? 0 : 1
+
   statement {
     effect = "Allow"
 
@@ -116,32 +123,32 @@ data "aws_iam_policy_document" "network" {
 }
 
 resource "aws_iam_policy" "network" {
-  count = "${var.attach_vpc_config ? 1 : 0}"
+  count = var.vpc_config == null ? 0 : 1
 
   name   = "${var.function_name}-network"
-  policy = "${data.aws_iam_policy_document.network.json}"
+  policy = data.aws_iam_policy_document.network[0].json
 }
 
 resource "aws_iam_role_policy_attachment" "network" {
-  count = "${var.attach_vpc_config ? 1 : 0}"
+  count = var.vpc_config == null ? 0 : 1
 
-  role       = "${aws_iam_role.lambda.name}"
-  policy_arn = "${aws_iam_policy.network.arn}"
+  role       = aws_iam_role.lambda.name
+  policy_arn = aws_iam_policy.network[0].arn
 }
 
 # Attach an additional policy if provided.
 
 resource "aws_iam_policy" "additional" {
-  count = "${var.attach_policy ? 1 : 0}"
+  count = var.policy == null ? 0 : 1
 
-  name   = "${var.function_name}"
-  policy = "${var.policy}"
+  name   = var.function_name
+  policy = var.policy.json
 }
 
 resource "aws_iam_policy_attachment" "additional" {
-  count = "${var.attach_policy ? 1 : 0}"
+  count = var.policy == null ? 0 : 1
 
-  name       = "${var.function_name}"
-  roles      = ["${aws_iam_role.lambda.name}"]
-  policy_arn = "${aws_iam_policy.additional.arn}"
+  name       = var.function_name
+  roles      = [aws_iam_role.lambda.name]
+  policy_arn = aws_iam_policy.additional[0].arn
 }