From cb04c01950ea7b23b89b544ec61a19440e45cadf Mon Sep 17 00:00:00 2001 From: Phillip Date: Tue, 18 Feb 2020 09:06:54 -0500 Subject: [PATCH 1/7] Updates to support remote execution of id-broker-search-lambda --- terraform/041-id-broker-search-lambda/main.tf | 40 ++++++++++++++++++- .../041-id-broker-search-lambda/outputs.tf | 4 ++ .../remote-execute-policy.json | 21 ++++++++++ terraform/041-id-broker-search-lambda/vars.tf | 4 +- 4 files changed, 66 insertions(+), 3 deletions(-) create mode 100644 terraform/041-id-broker-search-lambda/remote-execute-policy.json diff --git a/terraform/041-id-broker-search-lambda/main.tf b/terraform/041-id-broker-search-lambda/main.tf index 6032a44f..61e282a5 100644 --- a/terraform/041-id-broker-search-lambda/main.tf +++ b/terraform/041-id-broker-search-lambda/main.tf @@ -2,6 +2,31 @@ data "http" "function-checksum" { url = "https://${var.function_bucket_name}.s3.amazonaws.com/${var.function_zip_name}.sum" } +resource "aws_iam_role" "functionRole" { + name = "${var.idp_name}-${var.app_name}-${var.app_env}-lambda-function-role" + assume_role_policy = < Date: Tue, 18 Feb 2020 09:16:26 -0500 Subject: [PATCH 2/7] fix template file reference --- terraform/041-id-broker-search-lambda/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/041-id-broker-search-lambda/main.tf b/terraform/041-id-broker-search-lambda/main.tf index 61e282a5..4e3ebdb4 100644 --- a/terraform/041-id-broker-search-lambda/main.tf +++ b/terraform/041-id-broker-search-lambda/main.tf @@ -59,7 +59,7 @@ resource "aws_lambda_function" "search" { } data "template_file" "remoteExecutePolicy" { - filename = "${file("${path.module}/remote-execute-policy.json")}" + template = "${file("${path.module}/remote-execute-policy.json")}" vars { remote_role_arn = "${var.remote_role_arn}" function_arn = "${aws_lambda_function.search.arn}" From 65b4228aae7bc9a79371a4ee72ac961aad320d05 Mon Sep 17 00:00:00 2001 
From: Phillip
Date: Tue, 18 Feb 2020 09:31:57 -0500
Subject: [PATCH 3/7] refactored assume role to separate execute role

---
 ...te-policy.json => assume-role-policy.json} | 8 --------
 .../execute-policy.json | 13 ++++++++++++
 terraform/041-id-broker-search-lambda/main.tf | 20 +++++++++++++++----
 3 files changed, 29 insertions(+), 12 deletions(-)
 rename terraform/041-id-broker-search-lambda/{remote-execute-policy.json => assume-role-policy.json} (58%)
 create mode 100644 terraform/041-id-broker-search-lambda/execute-policy.json

diff --git a/terraform/041-id-broker-search-lambda/remote-execute-policy.json b/terraform/041-id-broker-search-lambda/assume-role-policy.json
similarity index 58%
rename from terraform/041-id-broker-search-lambda/remote-execute-policy.json
rename to terraform/041-id-broker-search-lambda/assume-role-policy.json
index fd8637c1..3fd04221 100644
--- a/terraform/041-id-broker-search-lambda/remote-execute-policy.json
+++ b/terraform/041-id-broker-search-lambda/assume-role-policy.json
@@ -8,14 +8,6 @@
 "AWS": "${remote_role_arn}"
 },
 "Action": "sts:AssumeRole"
- },
- {
- "Action": [
- "lambda:InvokeFunction",
- "lambda:InvokeAsync"
- ],
- "Resource": "${function_arn}",
- "Effect": "Allow"
 }
 ]
 }
\ No newline at end of file
diff --git a/terraform/041-id-broker-search-lambda/execute-policy.json b/terraform/041-id-broker-search-lambda/execute-policy.json
new file mode 100644
index 00000000..fbe33963
--- /dev/null
+++ b/terraform/041-id-broker-search-lambda/execute-policy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "lambda:InvokeFunction",
+ "lambda:InvokeAsync"
+ ],
+ "Resource": "${function_arn}",
+ "Effect": "Allow"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/041-id-broker-search-lambda/main.tf b/terraform/041-id-broker-search-lambda/main.tf
index 4e3ebdb4..46e347c8 100644
--- a/terraform/041-id-broker-search-lambda/main.tf
+++ b/terraform/041-id-broker-search-lambda/main.tf
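Review bot: The trust statement kept on the new side of assume-role-policy.json grants `sts:AssumeRole` to the single principal `"AWS": "${remote_role_arn}"` with no `Condition`, and the statement's `Effect`/`Principal` opening lines sit above this hunk. Naming one specific role rather than an account root is the right least-privilege shape, but IAM stores a role-ARN principal as that role's unique ID, so if the remote role is ever deleted and recreated under the same name the trust stops working and the saved policy shows an opaque ID where the ARN was. JSON has no comment syntax, so this caveat belongs on the variable in vars.tf, e.g. `description = "ARN of the role in the remote AWS account allowed to assume the remote-execute role; if that role is recreated this module must be re-applied"`.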
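Review bot: `lambda:InvokeAsync` in the new execute-policy.json authorizes the legacy `InvokeAsync` API, which AWS has deprecated in favour of `Invoke` with `InvocationType=Event`; unless the remote caller is known to use that endpoint the list can be narrowed to `"Action": "lambda:InvokeFunction"`. Note also that `"Resource": "${function_arn}"` is the unqualified function ARN, which as far as I can tell only matches invocations of `$LATEST`; an invoke that names a version or alias carries a qualified ARN and would be denied, so add `"${function_arn}:*"` as a second resource only if qualified invocation is actually wanted. A `"Sid": "InvokeSearchFunction"` on the statement would make the rendered policy easier to pick out in CloudTrail and IAM Access Analyzer output.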
@@ -58,15 +58,27 @@ resource "aws_lambda_function" "search" {
 }
 }
 
-data "template_file" "remoteExecutePolicy" {
+data "template_file" "assumeRolePolicy" {
 template = "${file("${path.module}/remote-execute-policy.json")}"
 vars {
 remote_role_arn = "${var.remote_role_arn}"
- function_arn = "${aws_lambda_function.search.arn}"
 }
 }
 
-resource "aws_iam_role" "lambdaRemoteExecute" {
+resource "aws_iam_role" "assumeRole" {
 name = "${var.idp_name}-${var.app_name}-${var.app_env}-lambda-remote-execute"
- assume_role_policy = "${data.template_file.remoteExecutePolicy.rendered}"
+ assume_role_policy = "${data.template_file.assumeRolePolicy.rendered}"
+}
+
+data "template_file" "executePolicy" {
+ template = "${file("${path.module}/execute-policy.json")}"
+ vars {
+ function_arn = "${aws_lambda_function.search.arn}"
+ }
+}
+
+resource "aws_iam_role_policy" "executePolicy" {
+ name = "invoke functions"
+ role = "${aws_iam_role.assumeRole.name}"
+ policy = "${data.template_file.executePolicy.rendered}"
 }
\ No newline at end of file
From 1f97b29ce99396c7924a95a171f9e44ab029893a Mon Sep 17 00:00:00 2001
From: Phillip
Date: Tue, 18 Feb 2020 09:33:15 -0500
Subject: [PATCH 4/7] fix incorrect output

---
 terraform/041-id-broker-search-lambda/outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/041-id-broker-search-lambda/outputs.tf b/terraform/041-id-broker-search-lambda/outputs.tf
index 0100caa0..02ebd3fa 100644
--- a/terraform/041-id-broker-search-lambda/outputs.tf
+++ b/terraform/041-id-broker-search-lambda/outputs.tf
@@ -3,5 +3,5 @@ output "function_arn" {
 }
 
 output "role_arn_for_remote_execution" {
- value = "${aws_iam_role.lambdaRemoteExecute.arn}"
+ value = "${aws_iam_role.assumeRole.arn}"
 }
\ No newline at end of file
From bfa7016445cd96fc441085c35addc62bacf76fbb Mon Sep 17 00:00:00 2001
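Review bot: Both policies in this main.tf hunk are built by splicing raw strings (`var.remote_role_arn`, the function ARN) into JSON through `template_file`, so nothing checks the result until `apply` hands it to IAM, and the trust and permission shape can only be read by opening the two .json files. The provider's `aws_iam_policy_document` data source expresses the same statements in HCL, emits well-formed JSON, and removes the template files and their `vars` plumbing; the trust side is sketched below, and the `executePolicy` pair converts the same way with a `statement` of `actions = ["lambda:InvokeFunction", "lambda:InvokeAsync"]` and `resources = ["${aws_lambda_function.search.arn}"]`. Whichever form is kept, a header comment such as `# Role assumed by the remote account's role (var.remote_role_arn); its only permission is to invoke this function.` above `resource "aws_iam_role" "assumeRole"` would explain why a second role exists beside the function's own `functionRole`.
```hcl
data "aws_iam_policy_document" "assumeRolePolicy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["${var.remote_role_arn}"]
    }
  }
}

resource "aws_iam_role" "assumeRole" {
  name               = "${var.idp_name}-${var.app_name}-${var.app_env}-lambda-remote-execute"
  assume_role_policy = "${data.aws_iam_policy_document.assumeRolePolicy.json}"
}

# … unchanged: executePolicy template_file and aws_iam_role_policy …
```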
From: Phillip
Date: Tue, 18 Feb 2020 09:34:24 -0500
Subject: [PATCH 5/7] fix renamed template file

---
 terraform/041-id-broker-search-lambda/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/041-id-broker-search-lambda/main.tf b/terraform/041-id-broker-search-lambda/main.tf
index 46e347c8..57170e6f 100644
--- a/terraform/041-id-broker-search-lambda/main.tf
+++ b/terraform/041-id-broker-search-lambda/main.tf
@@ -59,7 +59,7 @@ resource "aws_lambda_function" "search" {
 }
 
 data "template_file" "assumeRolePolicy" {
- template = "${file("${path.module}/remote-execute-policy.json")}"
+ template = "${file("${path.module}/assume-role-policy.json")}"
 vars {
 remote_role_arn = "${var.remote_role_arn}"
 }
From 77bf886e11473d03e082eecb92b40ce41ab43332 Mon Sep 17 00:00:00 2001
From: Phillip
Date: Tue, 18 Feb 2020 09:35:19 -0500
Subject: [PATCH 6/7] rename inline policy for remote execute

---
 terraform/041-id-broker-search-lambda/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/041-id-broker-search-lambda/main.tf b/terraform/041-id-broker-search-lambda/main.tf
index 57170e6f..486f6398 100644
--- a/terraform/041-id-broker-search-lambda/main.tf
+++ b/terraform/041-id-broker-search-lambda/main.tf
@@ -78,7 +78,7 @@ data "template_file" "executePolicy" {
 }
 
 resource "aws_iam_role_policy" "executePolicy" {
- name = "invoke functions"
+ name = "invoke-function"
 role = "${aws_iam_role.assumeRole.name}"
 policy = "${data.template_file.executePolicy.rendered}"
 }
\ No newline at end of file
From 4f7a2391f41aee6a2e4d9296fe520654895938aa Mon Sep 17 00:00:00 2001
From: Phillip Shipley
Date: Tue, 18 Feb 2020 10:35:20 -0500
Subject: [PATCH 7/7] Update terraform/041-id-broker-search-lambda/vars.tf

Co-Authored-By: Schparky <3172830+Schparky@users.noreply.github.com>
---
 terraform/041-id-broker-search-lambda/vars.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/041-id-broker-search-lambda/vars.tf b/terraform/041-id-broker-search-lambda/vars.tf
index 510419de..31064028 100644
--- a/terraform/041-id-broker-search-lambda/vars.tf
+++ b/terraform/041-id-broker-search-lambda/vars.tf
@@ -35,7 +35,7 @@ variable "memory_size" {
 }
 
 variable "remote_role_arn" {
- description = "ARN to role from different AWS account to be given perission to invoke function"
+ description = "ARN to role from different AWS account to be given permission to invoke function"
 }
 
 variable "security_group_ids" {