New feature - Additional trust relashionships (#59)

* Adding cloudwatch event role for trust relationship lambda

* Adding assume_roles

* Adding few comments and finalizing

* Removing useless comments

* Updating README.md + adding tests

* Update variables.tf

* Update iam.tf

* Update README.md

* Update main.tf

Author: fabrizioromanelli

README.md

@@ -38,6 +38,9 @@ module "lambda" {
   // Specify a file or directory for the source code.
   source_path = "${path.module}/lambda.py"
 
+  // Add additional trusted entities for assuming roles (trust relationships).
+  trusted_entities = ["events.amazonaws.com", "s3.amazonaws.com"]
+
   // Attach a policy.
   policy = {
     json = data.aws_iam_policy_document.lambda.json
@@ -75,6 +78,7 @@ Inputs for this module are the same as the [aws_lambda_function](https://www.ter
 | cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | `bool` | `true` | no |
 | lambda\_at\_edge | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function | `bool` | `false` | no |
 | policy | An additional policy to attach to the Lambda function role | `object({json=string})` | | no |
+| trusted\_entities | Additional trusted entities for the Lambda function. The lambda.amazonaws.com (and edgelambda.amazonaws.com if lambda\_at\_edge is true) is always set  | `list(string)` | | no |
 
 The following arguments from the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource are not supported:
 

iam.tf

@@ -7,7 +7,7 @@ data "aws_iam_policy_document" "assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = slice(list("lambda.amazonaws.com", "edgelambda.amazonaws.com"), 0, var.lambda_at_edge ? 2 : 1)
+      identifiers = concat(slice(list("lambda.amazonaws.com", "edgelambda.amazonaws.com"), 0, var.lambda_at_edge ? 2 : 1), var.trusted_entities)
     }
   }
 }

tests/assume-roles/lambda.py

@@ -0,0 +1,5 @@
+def lambda_handler(event, context):
+    if event['pass']:
+        return True
+    else:
+        raise Exception('oh no')

tests/assume-roles/main.tf

@@ -0,0 +1,106 @@
+terraform {
+  backend "local" {
+    path = "terraform.tfstate"
+  }
+}
+
+provider "aws" {
+  region = "eu-west-1"
+}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "terraform-aws-lambda-policy-"
+}
+
+resource "aws_sqs_queue" "test" {
+  name = random_id.name.hex
+}
+
+data "aws_iam_policy_document" "computed" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "sqs:SendMessage",
+    ]
+
+    resources = [
+      aws_sqs_queue.test.arn,
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "known" {
+  statement {
+    effect = "Deny"
+
+    actions = [
+      "sqs:SendMessage",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+module "lambda_with_computed_policy_add_trust_relationships" {
+  source = "../../"
+
+  function_name = "${random_id.name.hex}-computed"
+  description   = "Test attaching policy with additional trust relationships in terraform-aws-lambda"
+  handler       = "lambda.lambda_handler"
+  runtime       = "python3.6"
+
+  source_path = "${path.module}/lambda.py"
+
+  trusted_entities = ["events.amazonaws.com"]
+
+  policy = {
+    json = data.aws_iam_policy_document.computed.json
+  }
+}
+
+
+module "lambda_with_known_policy_add_trust_relationships" {
+  source = "../../"
+
+  function_name = "${random_id.name.hex}-known"
+  description   = "Test attaching policy with additional trust relationships in terraform-aws-lambda"
+  handler       = "lambda.lambda_handler"
+  runtime       = "python3.6"
+
+  source_path = "${path.module}/lambda.py"
+
+  trusted_entities = ["events.amazonaws.com"]
+
+  policy = {
+    json = data.aws_iam_policy_document.known.json
+  }
+}
+
+
+module "lambda_without_policy_add_trust_relationships" {
+  source = "../../"
+
+  function_name = "${random_id.name.hex}-without"
+  description   = "Test attaching policy with additional trust relationships in terraform-aws-lambda"
+  handler       = "lambda.lambda_handler"
+  runtime       = "python3.6"
+
+  source_path = "${path.module}/lambda.py"
+
+  trusted_entities = ["events.amazonaws.com"]
+}
+
+module "lambda_without_policy_without_added_trust_relationships" {
+  source = "../../"
+
+  function_name = "${random_id.name.hex}-without"
+  description   = "Test attaching policy with additional trust relationships in terraform-aws-lambda"
+  handler       = "lambda.lambda_handler"
+  runtime       = "python3.6"
+
+  source_path = "${path.module}/lambda.py"
+}

variables.tf

@@ -51,6 +51,12 @@ variable "policy" {
   default = null
 }
 
+variable "trusted_entities" {
+  description = "Lambda function additional trusted entities for assuming roles (trust relationship)"
+  type = list(string)
+  default = []
+}
+
 locals {
   publish = var.lambda_at_edge ? true : var.publish
   timeout = var.lambda_at_edge ? min(var.timeout, 5) : var.timeout