Merge pull request #91 from silinternational/develop
Updates to support remote execution of id-broker-search-lambda
fillup authored Feb 18, 2020
2 parents 3c56b49 + 4f7a239 commit 9b6df81
Showing 5 changed files with 83 additions and 3 deletions.
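--- a/terraform/041-id-broker-search-lambda/assume-role-policy.json
+++ b/terraform/041-id-broker-search-lambda/assume-role-policy.json
@@ -0,0 +1,13 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": "lambda.amazonaws.com",
+"AWS": "${remote_role_arn}"
+},
+"Action": "sts:AssumeRole"
+}
+]
+}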
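Review bot: The trust policy lets both lambda.amazonaws.com and the remote role assume this role, but the role it is rendered into (assumeRole in main.tf) exists only so the remote account can invoke the function; the function itself runs under the separate functionRole and never needs to assume this one. Dropping the `"Service": "lambda.amazonaws.com",` entry keeps the trusted principal set to the single remote role. For a cross-account trust it is also worth considering a `Condition` on `sts:ExternalId` so the role cannot be assumed through an unintended path if the remote side is ever widened; whether that fits the caller is something only the remote account's setup can answer.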
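--- a/terraform/041-id-broker-search-lambda/execute-policy.json
+++ b/terraform/041-id-broker-search-lambda/execute-policy.json
@@ -0,0 +1,13 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"lambda:InvokeFunction",
+"lambda:InvokeAsync"
+],
+"Resource": "${function_arn}",
+"Effect": "Allow"
+}
+]
+}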
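Review bot: `lambda:InvokeAsync` is the legacy invocation API; `lambda:InvokeFunction` already covers asynchronous calls through the Event invocation type, so the second action can be dropped unless a known caller still uses the old API. Also worth confirming against the Lambda IAM documentation: a permission on the unqualified `${function_arn}` does not, as far as I recall, match invocations that name a version or alias, so if the remote caller will invoke an alias the qualified ARN needs to be listed too. Keeping the statement to one action on one explicit ARN is the right shape for a role that a different account assumes.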
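--- a/terraform/041-id-broker-search-lambda/main.tf
+++ b/terraform/041-id-broker-search-lambda/main.tf
@@ -2,14 +2,39 @@ data "http" "function-checksum" {
 url = "https://${var.function_bucket_name}.s3.amazonaws.com/${var.function_zip_name}.sum"
 }
 
+resource "aws_iam_role" "functionRole" {
+name = "${var.idp_name}-${var.app_name}-${var.app_env}-lambda-function-role"
+assume_role_policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "",
+"Effect": "Allow",
+"Principal": {
+"Service": "lambda.amazonaws.com"
+},
+"Action": "sts:AssumeRole"
+}
+]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
+role = "${aws_iam_role.functionRole.name}"
+policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+
 resource "aws_lambda_function" "search" {
 s3_bucket = "${var.function_bucket_name}"
 s3_key = "${var.function_zip_name}"
 source_code_hash = "${data.http.function-checksum.body}"
 function_name = "${var.function_name}-${var.idp_name}"
 handler = "${var.function_name}"
 memory_size = "${var.memory_size}"
-role = "${var.role_arn}"
+role = "${aws_iam_role.functionRole.arn}"
 runtime = "go1.x"
 timeout = "${var.timeout}"
 
@@ -32,3 +57,28 @@ resource "aws_lambda_function" "search" {
 app_env = "${var.app_env}"
 }
 }
+
+data "template_file" "assumeRolePolicy" {
+template = "${file("${path.module}/assume-role-policy.json")}"
+vars {
+remote_role_arn = "${var.remote_role_arn}"
+}
+}
+
+resource "aws_iam_role" "assumeRole" {
+name = "${var.idp_name}-${var.app_name}-${var.app_env}-lambda-remote-execute"
+assume_role_policy = "${data.template_file.assumeRolePolicy.rendered}"
+}
+
+data "template_file" "executePolicy" {
+template = "${file("${path.module}/execute-policy.json")}"
+vars {
+function_arn = "${aws_lambda_function.search.arn}"
+}
+}
+
+resource "aws_iam_role_policy" "executePolicy" {
+name = "invoke-function"
+role = "${aws_iam_role.assumeRole.name}"
+policy = "${data.template_file.executePolicy.rendered}"
+}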
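Review bot: functionRole's trust policy is an inline heredoc in the first hunk, while assumeRole in the second hunk renders the same kind of document from assume-role-policy.json through template_file; using one mechanism for both would make the module's IAM surface easier to audit in one place. The two roles are also easy to confuse for the next reader, so a short comment above each would help: `# functionRole: execution role the Lambda itself runs under` and `# assumeRole: assumed by the remote account's role (var.remote_role_arn); carries only the invoke permission on this function`. The aws_lambda_function block that the first hunk edits continues past the end of that hunk into the second one's context.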
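--- a/terraform/041-id-broker-search-lambda/outputs.tf
+++ b/terraform/041-id-broker-search-lambda/outputs.tf
@@ -1,3 +1,7 @@
 output "function_arn" {
 value = "${aws_lambda_function.search.arn}"
 }
+
+output "role_arn_for_remote_execution" {
+value = "${aws_iam_role.assumeRole.arn}"
+}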
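Review bot: The new output carries no `description`, and because this ARN is the contract the remote account must use, it is the one output where a sentence pays off: `description = "Role in this account that the remote role (var.remote_role_arn) must assume before invoking the function"`. That also documents, next to the value, that the remote side needs the assume step rather than calling the function ARN directly.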
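--- a/terraform/041-id-broker-search-lambda/vars.tf
+++ b/terraform/041-id-broker-search-lambda/vars.tf
@@ -34,8 +34,8 @@ variable "memory_size" {
 default = "128"
 }
 
-variable "role_arn" {
-type = "string"
+variable "remote_role_arn" {
+description = "ARN to role from different AWS account to be given permission to invoke function"
 }
 
 variable "security_group_ids" {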
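Review bot: The renamed variable drops the `type = "string"` declaration that role_arn had; keeping `type = "string"` alongside the new description preserves the input check callers had and presumably matches the surrounding variables, which are only partly visible here. Renaming the input is also a breaking change for any root module that still passes `role_arn`, so a note in the description or the commit message would spare callers a failed plan. The variable "memory_size" block this hunk starts in begins outside the hunk.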
