Use object for var.policy to avoid computed count errors (claranet#53)

raymondbutcher · web-flow · commit 5f3b8be8d113 · 2019-07-02T11:25:27.000+01:00
diff --git a/README.md b/README.md
@@ -39,7 +39,9 @@ module "lambda" {
   source_path = "${path.module}/lambda.py"
 
   // Attach a policy.
-  policy = data.aws_iam_policy_document.lambda.json
+  policy = {
+    json = data.aws_iam_policy_document.lambda.json
+  }
 
   // Add a dead letter queue.
   dead_letter_config = {
@@ -72,7 +74,7 @@ Inputs for this module are the same as the [aws_lambda_function](https://www.ter
 | build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | list(string) | `["build.py"]` | no |
 | cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | bool | true | no |
 | lambda\_at\_edge | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function | bool | false | no |
-| policy | An addional policy to attach to the Lambda function | string | | no |
+| policy | An additional policy to attach to the Lambda function role | object({json=string}) | | no |
 
 The following arguments from the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource are not supported:
 
diff --git a/iam.tf b/iam.tf
@@ -143,7 +143,7 @@ resource "aws_iam_policy" "additional" {
   count = var.policy == null ? 0 : 1
 
   name   = var.function_name
-  policy = var.policy
+  policy = var.policy.json
 }
 
 resource "aws_iam_policy_attachment" "additional" {
diff --git a/tests/policy/lambda.py b/tests/policy/lambda.py
@@ -0,0 +1,5 @@
+def lambda_handler(event, context):
+    if event['pass']:
+        return True
+    else:
+        raise Exception('oh no')
diff --git a/tests/policy/main.tf b/tests/policy/main.tf
@@ -0,0 +1,89 @@
+terraform {
+  backend "local" {
+    path = "terraform.tfstate"
+  }
+}
+
+provider "aws" {
+  region = "eu-west-1"
+}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "terraform-aws-lambda-policy-"
+}
+
+resource "aws_sqs_queue" "test" {
+  name = random_id.name.hex
+}
+
+data "aws_iam_policy_document" "computed" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "sqs:SendMessage",
+    ]
+
+    resources = [
+      aws_sqs_queue.test.arn,
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "known" {
+  statement {
+    effect = "Deny"
+
+    actions = [
+      "sqs:SendMessage",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+module "lambda_with_computed_policy" {
+  source = "../../"
+
+  function_name = "${random_id.name.hex}-computed"
+  description   = "Test attaching policy in terraform-aws-lambda"
+  handler       = "lambda.lambda_handler"
+  runtime       = "python3.6"
+
+  source_path = "${path.module}/lambda.py"
+
+  policy = {
+    json = data.aws_iam_policy_document.computed.json
+  }
+}
+
+
+module "lambda_with_known_policy" {
+  source = "../../"
+
+  function_name = "${random_id.name.hex}-known"
+  description   = "Test attaching policy in terraform-aws-lambda"
+  handler       = "lambda.lambda_handler"
+  runtime       = "python3.6"
+
+  source_path = "${path.module}/lambda.py"
+
+  policy = {
+    json = data.aws_iam_policy_document.known.json
+  }
+}
+
+
+module "lambda_without_policy" {
+  source = "../../"
+
+  function_name = "${random_id.name.hex}-without"
+  description   = "Test attaching policy in terraform-aws-lambda"
+  handler       = "lambda.lambda_handler"
+  runtime       = "python3.6"
+
+  source_path = "${path.module}/lambda.py"
+}
diff --git a/variables.tf b/variables.tf
@@ -37,18 +37,20 @@ variable "cloudwatch_logs" {
   default     = true
 }
 
-variable "policy" {
-  description = "An addional policy to attach to the Lambda function"
-  type        = string
-  default     = null
-}
-
 variable "lambda_at_edge" {
   description = "Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function"
   type        = bool
   default     = false
 }
 
+variable "policy" {
+  description = "An additional policy to attach to the Lambda function role"
+  type = object({
+    json = string
+  })
+  default = null
+}
+
 locals {
   publish = var.lambda_at_edge ? true : var.publish
   timeout = var.lambda_at_edge ? min(var.timeout, 5) : var.timeout

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ resource "aws_iam_policy" "additional" {`
`143`	`143`	`count = var.policy == null ? 0 : 1`
`144`	`144`
`145`	`145`	`name = var.function_name`
`146`		`- policy = var.policy`
	`146`	`+ policy = var.policy.json`
`147`	`147`	`}`
`148`	`148`
`149`	`149`	`resource "aws_iam_policy_attachment" "additional" {`