Upgrade module to Terraform 0.12.x (claranet#49)

* Upgrade module to Terraform 0.12.x

I could not find a way to support 0.11.x and 0.12.x at the same time, so this goes all-in on 0.12.x features and cleans up a lot of code in the process.

terraform-docs does not support 0.12.x yet so I've removed the Makefile and manually wrote the README.

I have tried all tests in the test directory and they all worked.

* Clean up remaining 0.11.x code

* Add Terraform version compatibility table

* Remove Terraform from requirements as it's obvious

* Use dynamic blocks properly

Author: raymondbutcher

Diff for: Makefile

@@ -16,6 +16,13 @@ This Terraform module creates and uploads an AWS Lambda function and hides the u
 * Python 2.7 or higher
 * Linux/Unix/Windows
 
+## Terraform version compatibility
+
+| Module version | Terraform version |
+|----------------|-------------------|
+| 1.x.x          | 0.12.x            |
+| 0.x.x          | 0.11.x            |
+
 ## Usage
 
 ```js
@@ -32,64 +39,49 @@ module "lambda" {
   source_path = "${path.module}/lambda.py"
 
   // Attach a policy.
-  attach_policy = true
-  policy        = "${data.aws_iam_policy_document.lambda.json}"
+  policy = data.aws_iam_policy_document.lambda.json
 
   // Add a dead letter queue.
-  attach_dead_letter_config = true
   dead_letter_config {
-    target_arn = "${var.dead_letter_queue_arn}"
+    target_arn = aws_sqs_queue.dlq.arn
   }
 
   // Add environment variables.
   environment {
     variables {
-      SLACK_URL = "${var.slack_url}"
+      SLACK_URL = var.slack_url
     }
   }
 
   // Deploy into a VPC.
-  attach_vpc_config = true
   vpc_config {
-    subnet_ids         = ["${aws_subnet.test.id}"]
-    security_group_ids = ["${aws_security_group.test.id}"]
+    subnet_ids         = [aws_subnet.test.id]
+    security_group_ids = [aws_security_group.test.id]
   }
 }
 ```
 
-### NB - Multi-region usage
-
-IAM and Lambda function names need to be globally unique within your account.
-If you will be deploying this template to multiple regions, you must make the
-function name unique per region, for example by setting
-`function_name = "deployment-deploy-status-${data.aws_region.current.name}"`
-
 ## Inputs
 
+Inputs for this module are the same as the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource with the following additional arguments:
+
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| attach\_dead\_letter\_config | Set this to true if using the dead_letter_config variable | string | `"false"` | no |
-| attach\_policy | Set this to true if using the policy variable | string | `"false"` | no |
-| attach\_vpc\_config | Set this to true if using the vpc_config variable | string | `"false"` | no |
-| build\_command | The command that creates the Lambda package zip file | string | `"python build.py '$filename' '$runtime' '$source'"` | no |
-| build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | list | `<list>` | no |
-| dead\_letter\_config | Dead letter configuration for the Lambda function | map | `<map>` | no |
-| description | Description of what your Lambda function does | string | `"Managed by Terraform"` | no |
-| enable\_cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | string | `"true"` | no |
-| environment | Environment configuration for the Lambda function | map | `<map>` | no |
-| function\_name | A unique name for your Lambda function (and related IAM resources) | string | n/a | yes |
-| handler | The function entrypoint in your code | string | n/a | yes |
-| lambda\_at\_edge | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function | string | `"false"` | no |
-| layers | List of Lambda Layer Version ARNs to attach to your Lambda Function. | list | `<list>` | no |
-| memory\_size | Amount of memory in MB your Lambda function can use at runtime | string | `"128"` | no |
-| policy | An addional policy to attach to the Lambda function | string | `""` | no |
-| publish | Whether to publish creation/change as new Lambda Function Version | string | `"false"` | no |
-| reserved\_concurrent\_executions | The amount of reserved concurrent executions for this Lambda function | string | `"-1"` | no |
-| runtime | The runtime environment for the Lambda function | string | n/a | yes |
-| source\_path | The source file or directory containing your Lambda source code | string | n/a | yes |
-| tags | A mapping of tags | map | `<map>` | no |
-| timeout | The amount of time your Lambda function had to run in seconds | string | `"10"` | no |
-| vpc\_config | VPC configuration for the Lambda function | map | `<map>` | no |
+|------|-------------|------|---------|----------|
+| **source\_path** | The absolute path to a local file or directory containing your Lambda source code | string | | yes |
+| build\_command | The command to run to create the Lambda package zip file | string | `"python build.py '$filename' '$runtime' '$source'"` | no |
+| build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | list(string) | `["build.py"]` | no |
+| cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | bool | true | no |
+| lambda\_at\_edge | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function | bool | false | no |
+| policy | An addional policy to attach to the Lambda function | string | | no |
+
+The following arguments from the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource are not supported:
+
+* filename (use source\_path instead)
+* role (one is automatically created)
+* s3_bucket
+* s3_key
+* s3_object_version
+* source_code_hash (changes are handled automatically)
 
 ## Outputs
 

Diff for: README.md

@@ -1,32 +1,26 @@
-locals {
-  module_relpath_11 = "${substr(path.module, length(path.cwd) + 1, -1)}"
-  module_relpath_12 = "${path.module}"
-  module_relpath    = "${path.cwd == substr(path.module, 0, length(path.cwd)) ? local.module_relpath_11 : local.module_relpath_12}"
-}
-
 # Generates a filename for the zip archive based on the contents of the files
 # in source_path. The filename will change when the source code changes.
 data "external" "archive" {
   program = ["python", "${path.module}/hash.py"]
 
   query = {
-    build_command  = "${var.build_command}"
-    build_paths    = "${jsonencode(var.build_paths)}"
-    module_relpath = "${local.module_relpath}"
-    runtime        = "${var.runtime}"
-    source_path    = "${var.source_path}"
+    build_command  = var.build_command
+    build_paths    = jsonencode(var.build_paths)
+    module_relpath = path.module
+    runtime        = var.runtime
+    source_path    = var.source_path
   }
 }
 
 # Build the zip archive whenever the filename changes.
 resource "null_resource" "archive" {
   triggers = {
-    filename = "${lookup(data.external.archive.result, "filename")}"
+    filename = lookup(data.external.archive.result, "filename")
   }
 
   provisioner "local-exec" {
-    command     = "${lookup(data.external.archive.result, "build_command")}"
-    working_dir = "${path.module}"
+    command     = lookup(data.external.archive.result, "build_command")
+    working_dir = path.module
   }
 }
 
@@ -39,9 +33,9 @@ data "external" "built" {
   program = ["python", "${path.module}/built.py"]
 
   query = {
-    build_command  = "${lookup(data.external.archive.result, "build_command")}"
-    filename_old   = "${lookup(null_resource.archive.triggers, "filename")}"
-    filename_new   = "${lookup(data.external.archive.result, "filename")}"
-    module_relpath = "${local.module_relpath}"
+    build_command  = lookup(data.external.archive.result, "build_command")
+    filename_old   = lookup(null_resource.archive.triggers, "filename")
+    filename_new   = lookup(data.external.archive.result, "filename")
+    module_relpath = path.module
   }
 }

Diff for: archive.tf

@@ -7,27 +7,27 @@ data "aws_iam_policy_document" "assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["${slice(list("lambda.amazonaws.com", "edgelambda.amazonaws.com"), 0, var.lambda_at_edge ? 2 : 1)}"]
+      identifiers = slice(list("lambda.amazonaws.com", "edgelambda.amazonaws.com"), 0, var.lambda_at_edge ? 2 : 1)
     }
   }
 }
 
 resource "aws_iam_role" "lambda" {
-  name               = "${var.function_name}"
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
-  tags               = "${var.tags}"
+  name               = var.function_name
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  tags               = var.tags
 }
 
 # Attach a policy for logs.
 
 locals {
   lambda_log_group_arn      = "arn:${data.aws_partition.current.partition}:logs:*:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.function_name}"
   lambda_edge_log_group_arn = "arn:${data.aws_partition.current.partition}:logs:*:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/us-east-1.${var.function_name}"
-  log_group_arns            = ["${slice(list(local.lambda_log_group_arn, local.lambda_edge_log_group_arn), 0, var.lambda_at_edge ? 2 : 1)}"]
+  log_group_arns            = slice(list(local.lambda_log_group_arn, local.lambda_edge_log_group_arn), 0, var.lambda_at_edge ? 2 : 1)
 }
 
 data "aws_iam_policy_document" "logs" {
-  count = "${var.enable_cloudwatch_logs ? 1 : 0}"
+  count = var.cloudwatch_logs ? 1 : 0
 
   statement {
     effect = "Allow"
@@ -49,29 +49,29 @@ data "aws_iam_policy_document" "logs" {
       "logs:PutLogEvents",
     ]
 
-    resources = ["${concat(formatlist("%v:*", local.log_group_arns), formatlist("%v:*:*", local.log_group_arns))}"]
+    resources = concat(formatlist("%v:*", local.log_group_arns), formatlist("%v:*:*", local.log_group_arns))
   }
 }
 
 resource "aws_iam_policy" "logs" {
-  count = "${var.enable_cloudwatch_logs ? 1 : 0}"
+  count = var.cloudwatch_logs ? 1 : 0
 
   name   = "${var.function_name}-logs"
-  policy = "${join("", data.aws_iam_policy_document.logs.*.json)}"
+  policy = data.aws_iam_policy_document.logs[0].json
 }
 
 resource "aws_iam_policy_attachment" "logs" {
-  count = "${var.enable_cloudwatch_logs ? 1 : 0}"
+  count = var.cloudwatch_logs ? 1 : 0
 
   name       = "${var.function_name}-logs"
-  roles      = ["${aws_iam_role.lambda.name}"]
-  policy_arn = "${join("", aws_iam_policy.logs.*.arn)}"
+  roles      = [aws_iam_role.lambda.name]
+  policy_arn = aws_iam_policy.logs[0].arn
 }
 
 # Attach an additional policy required for the dead letter config.
 
 data "aws_iam_policy_document" "dead_letter" {
-  count = "${var.attach_dead_letter_config ? 1 : 0}"
+  count = var.dead_letter_config == null ? 0 : 1
 
   statement {
     effect = "Allow"
@@ -82,29 +82,31 @@ data "aws_iam_policy_document" "dead_letter" {
     ]
 
     resources = [
-      "${lookup(var.dead_letter_config, "target_arn", "")}",
+      var.dead_letter_config.target_arn,
     ]
   }
 }
 
 resource "aws_iam_policy" "dead_letter" {
-  count = "${var.attach_dead_letter_config ? 1 : 0}"
+  count = var.dead_letter_config == null ? 0 : 1
 
   name   = "${var.function_name}-dl"
-  policy = "${join("", data.aws_iam_policy_document.dead_letter.*.json)}"
+  policy = data.aws_iam_policy_document.dead_letter[0].json
 }
 
 resource "aws_iam_policy_attachment" "dead_letter" {
-  count = "${var.attach_dead_letter_config ? 1 : 0}"
+  count = var.dead_letter_config == null ? 0 : 1
 
   name       = "${var.function_name}-dl"
-  roles      = ["${aws_iam_role.lambda.name}"]
-  policy_arn = "${join("", aws_iam_policy.dead_letter.*.arn)}"
+  roles      = [aws_iam_role.lambda.name]
+  policy_arn = aws_iam_policy.dead_letter[0].arn
 }
 
 # Attach an additional policy required for the VPC config
 
 data "aws_iam_policy_document" "network" {
+  count = var.vpc_config == null ? 0 : 1
+
   statement {
     effect = "Allow"
 
@@ -121,33 +123,33 @@ data "aws_iam_policy_document" "network" {
 }
 
 resource "aws_iam_policy" "network" {
-  count = "${var.attach_vpc_config ? 1 : 0}"
+  count = var.vpc_config == null ? 0 : 1
 
   name   = "${var.function_name}-network"
-  policy = "${data.aws_iam_policy_document.network.json}"
+  policy = data.aws_iam_policy_document.network[0].json
 }
 
 resource "aws_iam_policy_attachment" "network" {
-  count = "${var.attach_vpc_config ? 1 : 0}"
+  count = var.vpc_config == null ? 0 : 1
 
   name       = "${var.function_name}-network"
-  roles      = ["${aws_iam_role.lambda.name}"]
-  policy_arn = "${join("", aws_iam_policy.network.*.arn)}"
+  roles      = [aws_iam_role.lambda.name]
+  policy_arn = aws_iam_policy.network[0].arn
 }
 
 # Attach an additional policy if provided.
 
 resource "aws_iam_policy" "additional" {
-  count = "${var.attach_policy ? 1 : 0}"
+  count = var.policy == null ? 0 : 1
 
-  name   = "${var.function_name}"
-  policy = "${var.policy}"
+  name   = var.function_name
+  policy = var.policy
 }
 
 resource "aws_iam_policy_attachment" "additional" {
-  count = "${var.attach_policy ? 1 : 0}"
+  count = var.policy == null ? 0 : 1
 
-  name       = "${var.function_name}"
-  roles      = ["${aws_iam_role.lambda.name}"]
-  policy_arn = "${join("", aws_iam_policy.additional.*.arn)}"
+  name       = var.function_name
+  roles      = [aws_iam_role.lambda.name]
+  policy_arn = aws_iam_policy.additional[0].arn
 }