Additional trust relashionships

asavoy · asavoy · commit df325ba38ccf · 2020-08-17T22:48:17.000+10:00
See: claranet#59
diff --git a/README.md b/README.md
@@ -67,6 +67,7 @@ Inputs for this module are the same as the [aws_lambda_function](https://www.ter
 | build\_script | The path to the script which will compile a zip of the lambda function | string | `"build.py"` | no |
 | cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | bool | true | no |
 | policy | An additional policy to attach to the Lambda function role | object({json=string}) | | no |
+| trusted\_entities | Additional trusted entities for the Lambda function. The lambda.amazonaws.com (and edgelambda.amazonaws.com if lambda\_at\_edge is true) is always set  | `list(string)` | | no |
 
 The following arguments from the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource are not supported:
 
diff --git a/iam.tf b/iam.tf
@@ -7,7 +7,7 @@ data "aws_iam_policy_document" "assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["lambda.amazonaws.com"]
+      identifiers = concat(list("lambda.amazonaws.com"), var.trusted_entities)
     }
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -108,3 +108,9 @@ variable "cloudwatch_logs" {
   type        = bool
   default     = true
 }
+
+variable "trusted_entities" {
+  description = "Lambda function additional trusted entities for assuming roles (trust relationship)"
+  type        = list(string)
+  default     = []
+}

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ data "aws_iam_policy_document" "assume_role" {`
`7`	`7`
`8`	`8`	`principals {`
`9`	`9`	`type = "Service"`
`10`		`- identifiers = ["lambda.amazonaws.com"]`
	`10`	`+ identifiers = concat(list("lambda.amazonaws.com"), var.trusted_entities)`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`	`}`