mirror of
https://github.com/opentofu/opentofu.git
synced 2025-01-08 15:13:56 -06:00
Fixes issue for cross account iam role with aws_lambda_permission (#13865)
This commit is contained in:
parent
6327796f4a
commit
399cf72414
@ -230,7 +230,12 @@ func resourceAwsLambdaPermissionRead(d *schema.ResourceData, meta interface{}) e
|
||||
}
|
||||
|
||||
d.Set("action", statement.Action)
|
||||
d.Set("principal", statement.Principal["Service"])
|
||||
// Check if the pricipal is a cross-account IAM role
|
||||
if _, ok := statement.Principal["AWS"]; ok {
|
||||
d.Set("principal", statement.Principal["AWS"])
|
||||
} else {
|
||||
d.Set("principal", statement.Principal["Service"])
|
||||
}
|
||||
|
||||
if stringEquals, ok := statement.Condition["StringEquals"]; ok {
|
||||
d.Set("source_account", stringEquals["AWS:SourceAccount"])
|
||||
|
@ -332,6 +332,30 @@ func TestAccAWSLambdaPermission_withSNS(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestAccAWSLambdaPermission_withIAMRole(t *testing.T) {
|
||||
var statement LambdaPolicyStatement
|
||||
endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_iamrole$")
|
||||
endsWithRoleName := regexp.MustCompile("/iam_for_lambda_perm_iamrole$")
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAWSLambdaPermissionConfig_withIAMRole,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccCheckLambdaPermissionExists("aws_lambda_permission.iam_role", &statement),
|
||||
resource.TestCheckResourceAttr("aws_lambda_permission.iam_role", "action", "lambda:InvokeFunction"),
|
||||
resource.TestMatchResourceAttr("aws_lambda_permission.iam_role", "principal", endsWithRoleName),
|
||||
resource.TestCheckResourceAttr("aws_lambda_permission.iam_role", "statement_id", "AllowExecutionFromIAMRole"),
|
||||
resource.TestMatchResourceAttr("aws_lambda_permission.iam_role", "function_name", endsWithFuncName),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckLambdaPermissionExists(n string, statement *LambdaPolicyStatement) resource.TestCheckFunc {
|
||||
return func(s *terraform.State) error {
|
||||
rs, ok := s.RootModule().Resources[n]
|
||||
@ -724,6 +748,42 @@ EOF
|
||||
}
|
||||
`
|
||||
|
||||
var testAccAWSLambdaPermissionConfig_withIAMRole = `
|
||||
resource "aws_lambda_permission" "iam_role" {
|
||||
statement_id = "AllowExecutionFromIAMRole"
|
||||
action = "lambda:InvokeFunction"
|
||||
function_name = "${aws_lambda_function.my-func.arn}"
|
||||
principal = "${aws_iam_role.police.arn}"
|
||||
}
|
||||
|
||||
resource "aws_lambda_function" "my-func" {
|
||||
filename = "test-fixtures/lambdatest.zip"
|
||||
function_name = "lambda_function_name_perm_iamrole"
|
||||
role = "${aws_iam_role.police.arn}"
|
||||
handler = "exports.handler"
|
||||
runtime = "nodejs4.3"
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "police" {
|
||||
name = "iam_for_lambda_perm_iamrole"
|
||||
assume_role_policy = <<EOF
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Action": "sts:AssumeRole",
|
||||
"Principal": {
|
||||
"Service": "lambda.amazonaws.com"
|
||||
},
|
||||
"Effect": "Allow",
|
||||
"Sid": ""
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
}
|
||||
`
|
||||
|
||||
var testLambdaPolicy = []byte(`{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
|
Loading…
Reference in New Issue
Block a user