From 90a08e34f489923d7be39bb35c3e1f95ebe32c0a Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 3 Jan 2025 12:37:17 -0500
Subject: [PATCH] * 2.0.5 -- 2025-01-03 - change inline role policy to aws_iam_role_policy
---
 CHANGELOG.md | 3 +++
 README.md | 5 +++--
 role.tf | 17 ++++++++++++-----
 version.tf | 2 +-
 4 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ec4f5ee..c4bbafd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -144,3 +144,6 @@
 - code 2.0.4
 - add context info and event id to SNS messages
 - add heritage mismatch information to output
+
+* 2.0.5 -- 2025-01-03
+ - change inline role policy to aws_iam_role_policy
diff --git a/README.md b/README.md
index 6262002..70c8dc1 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,7 @@ No modules.
 | [aws_cloudwatch_log_group.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_dynamodb_table.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -104,13 +105,13 @@ No modules. |------|-------------|------|---------|:--------:| | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | -| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no | | [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no | | [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | Different DynamoDB table name to override default of var.name | `string` | `null` | no | | [enable\_sns](#input\_enable\_sns) | Enable use of SNS for reporting errors | `bool` | `false` | no | | [enable\_sqs](#input\_enable\_sqs) | Enable use of SQS for SNS to send errors. Requires the use of enable\_sns as well | `bool` | `false` | no | | [kms\_key\_name](#input\_kms\_key\_name) | Different KMS Key (for SNS and SQS) to override default of var.name | `string` | `null` | no | -| [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | Map of lambda environment variables and values | `map(string)` |
{
"DNS_RR_TimeToLive": 60,
"DebugLogLevel": "INFO",
"DynamoDBName": null,
"EMRTagPrefix": "aws",
"HeritageIdentifier": "dynr53",
"HeritageTXTRecordPrefix": "_txt",
"MaxApiRetry": 10,
"RemoteRoleArnFormat": "arn:%s:iam::%s:role/r-inf-dynamic-route53-actions",
"SleepTime": 60,
"SnsEnable": false,
"SnsTopicArn": "",
"TagKeyCname": "boc:dns:cname",
"TagKeyFlags": "boc:dns:flags",
"TagKeyHostName": "boc:dns:name",
"TagKeyPtrname": "boc:dns:ptrname",
"TagKeyZone": "boc:dns:zone"
}
| no | +| [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | Map of lambda environment variables and values | `map(string)` |
{
"DNS_RR_TimeToLive": 60,
"DebugLogLevel": "INFO",
"DynamoDBName": null,
"EMRTagPrefix": "aws",
"HeritageIdentifier": "dynr53",
"HeritageTXTRecordPrefix": "_txt",
"MaxApiRetry": 10,
"RemoteRoleArnFormat": "arn:%s:iam::%s:role/r-inf-dynamic-route53-actions",
"SleepTime": 60,
"SnsEnable": false,
"SnsTopicArn": "",
"TagKeyCname": "boc:dns:cname",
"TagKeyFlags": "boc:dns:flags",
"TagKeyHostName": "boc:dns:name",
"TagKeyPtrname": "boc:dns:ptrname",
"TagKeyZone": "boc:dns:zone"
}
| no |
 | [lambda\_environment\_variables\_override](#input\_lambda\_environment\_variables\_override) | Map of lambda environment variables and values to override from the defaults | `map(string)` | `{}` | no |
 | [lambda\_name](#input\_lambda\_name) | Different Lambda name to override default of var.name | `string` | `null` | no |
 | [name](#input\_name) | Name to use within all the created resources (default: inf-dynamic-route53) | `string` | `"inf-dynamic-route53"` | no |
diff --git a/role.tf b/role.tf
index 96a8e09..ba2d674 100644
--- a/role.tf
+++ b/role.tf
@@ -11,10 +11,10 @@ resource "aws_iam_role" "role" {
 max_session_duration = local._defaults["max_session_duration"]
 assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
- inline_policy {
- name = var.name
- policy = data.aws_iam_policy_document.lambda_policy.json
- }
+ # inline_policy {
+ # name = var.name
+ # policy = data.aws_iam_policy_document.lambda_policy.json
+ # }
 lifecycle {
 ignore_changes = [tags["boc:tf_module_version"]]
@@ -28,9 +28,16 @@ resource "aws_iam_role" "role" {
 )
 }
+# moved from inline policy
+resource "aws_iam_role_policy" "role" {
+ for_each = var.create ? 1 : 0
+ role = try(aws_iam_role.role[0].id, null)
+ policy = data.aws_iam_policy_document.lambda_policy.json
+ name = var.name
+}
+
 resource "aws_iam_role_policy_attachment" "role" {
 for_each = var.create ? toset([for k, v in data.aws_iam_policy.lambda_policies : v.arn]) : toset([])
- role = var.create ? aws_iam_role.role[0].name : ""
 policy_arn = each.value
 }
diff --git a/version.tf b/version.tf
index f033f34..43de692 100644
--- a/version.tf
+++ b/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.0.4"
+ _module_version = "2.0.5"
 }
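Review bot: The old `inline_policy` block is commented out instead of deleted, which leaves four dead `#` lines inside `aws_iam_role.role` and makes the migration look tentative; remove them and let the CHANGELOG entry carry the history. Worth a one-line comment in their place, because the behaviour change is not obvious: with no `inline_policy` block the provider no longer treats the role's inline policies as an exclusive set, so an inline policy attached to this role out of band will not be reverted on the next apply the way it was before — `# inline policy now managed by aws_iam_role_policy.role; out-of-band inline policies are no longer removed on apply`. If that drift protection mattered for this role, consider keeping it in some other form; the resource body continues past the end of the hunk.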
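Review bot: `for_each = var.create ? 1 : 0` on the new `aws_iam_role_policy.role` will be rejected at plan time — `for_each` takes a map or set of strings, not a number — and the rest of the module indexes the role as `aws_iam_role.role[0]`, i.e. it uses `count`; change it to `count = var.create ? 1 : 0` and, since the policy then only exists when the role does, `role = aws_iam_role.role[0].id` (the `try(..., null)` buys nothing: `role` is required, so `null` would fail anyway). The same hunk also deletes `role = var.create ? aws_iam_role.role[0].name : ""` from `aws_iam_role_policy_attachment.role` without replacing it (the -9/+16 header with eight `+` lines confirms one removal), leaving that resource without its required `role` argument; restore it as `role = aws_iam_role.role[0].name`, which is safe because `for_each` already collapses to an empty set when `var.create` is false. Before tagging, run a plan against existing state to confirm the policy named `var.name` that was previously managed inline is adopted by the new resource rather than duplicated or left orphaned on the role.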