opentofu/builtin/providers/aws/resource_aws_lambda_permission_test.go

804 lines
27 KiB
Go

package aws
import (
"encoding/json"
"fmt"
"regexp"
"strings"
"testing"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/lambda"
"github.com/hashicorp/terraform/helper/acctest"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
func TestLambdaPermissionUnmarshalling(t *testing.T) {
v := LambdaPolicy{}
err := json.Unmarshal(testLambdaPolicy, &v)
if err != nil {
t.Fatalf("Expected no error when unmarshalling: %s", err)
}
expectedSid := "36fe77d9-a4ae-13fb-8beb-5dc6821d5291"
if v.Statement[0].Sid != expectedSid {
t.Fatalf("Expected Sid to match (%q != %q)", v.Statement[0].Sid, expectedSid)
}
expectedFunctionName := "arn:aws:lambda:eu-west-1:319201112229:function:myCustomFunction"
if v.Statement[0].Resource != expectedFunctionName {
t.Fatalf("Expected function name to match (%q != %q)", v.Statement[0].Resource, expectedFunctionName)
}
expectedAction := "lambda:InvokeFunction"
if v.Statement[0].Action != expectedAction {
t.Fatalf("Expected Action to match (%q != %q)", v.Statement[0].Action, expectedAction)
}
expectedPrincipal := "events.amazonaws.com"
if v.Statement[0].Principal["Service"] != expectedPrincipal {
t.Fatalf("Expected Principal to match (%q != %q)", v.Statement[0].Principal["Service"], expectedPrincipal)
}
expectedSourceAccount := "319201112229"
if v.Statement[0].Condition["StringEquals"]["AWS:SourceAccount"] != expectedSourceAccount {
t.Fatalf("Expected Source Account to match (%q != %q)",
v.Statement[0].Condition["StringEquals"]["AWS:SourceAccount"],
expectedSourceAccount)
}
}
func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_alias(t *testing.T) {
arnWithAlias := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:testalias"
expectedQualifier := "testalias"
qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithAlias)
if err != nil {
t.Fatalf("Expected no error when getting qualifier: %s", err)
}
if qualifier != expectedQualifier {
t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier)
}
}
func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_govcloud(t *testing.T) {
arnWithAlias := "arn:aws-us-gov:lambda:us-west-2:187636751137:function:lambda_function_name:testalias"
expectedQualifier := "testalias"
qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithAlias)
if err != nil {
t.Fatalf("Expected no error when getting qualifier: %s", err)
}
if qualifier != expectedQualifier {
t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier)
}
}
func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_version(t *testing.T) {
arnWithVersion := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:223"
expectedQualifier := "223"
qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithVersion)
if err != nil {
t.Fatalf("Expected no error when getting qualifier: %s", err)
}
if qualifier != expectedQualifier {
t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier)
}
}
func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_invalid(t *testing.T) {
invalidArn := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name"
qualifier, err := getQualifierFromLambdaAliasOrVersionArn(invalidArn)
if err == nil {
t.Fatalf("Expected error when getting qualifier")
}
if qualifier != "" {
t.Fatalf("Expected qualifier to be empty (%q)", qualifier)
}
// with trailing colon
invalidArn = "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:"
qualifier, err = getQualifierFromLambdaAliasOrVersionArn(invalidArn)
if err == nil {
t.Fatalf("Expected error when getting qualifier")
}
if qualifier != "" {
t.Fatalf("Expected qualifier to be empty (%q)", qualifier)
}
}
func TestLambdaPermissionGetFunctionNameFromLambdaArn_invalid(t *testing.T) {
invalidArn := "arn:aws:lambda:us-west-2:187636751137:function:"
fn, err := getFunctionNameFromLambdaArn(invalidArn)
if err == nil {
t.Fatalf("Expected error when parsing invalid ARN (%q)", invalidArn)
}
if fn != "" {
t.Fatalf("Expected empty string when parsing invalid ARN (%q)", invalidArn)
}
}
func TestLambdaPermissionGetFunctionNameFromLambdaArn_valid(t *testing.T) {
validArn := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name"
fn, err := getFunctionNameFromLambdaArn(validArn)
if err != nil {
t.Fatalf("Expected no error (%q): %q", validArn, err)
}
expectedFunctionname := "lambda_function_name"
if fn != expectedFunctionname {
t.Fatalf("Expected Lambda function name to match (%q != %q)",
validArn, expectedFunctionname)
}
// With qualifier
validArn = "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:12"
fn, err = getFunctionNameFromLambdaArn(validArn)
if err != nil {
t.Fatalf("Expected no error (%q): %q", validArn, err)
}
expectedFunctionname = "lambda_function_name"
if fn != expectedFunctionname {
t.Fatalf("Expected Lambda function name to match (%q != %q)",
validArn, expectedFunctionname)
}
}
func TestAccAWSLambdaPermission_basic(t *testing.T) {
var statement LambdaPolicyStatement
endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm$")
rName := fmt.Sprintf("tf_iam_%d", acctest.RandInt())
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSLambdaPermissionConfig(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckLambdaPermissionExists("aws_lambda_permission.allow_cloudwatch", &statement),
resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "action", "lambda:InvokeFunction"),
resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "principal", "events.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "statement_id", "AllowExecutionFromCloudWatch"),
resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "qualifier", ""),
resource.TestMatchResourceAttr("aws_lambda_permission.allow_cloudwatch", "function_name", endsWithFuncName),
),
},
},
})
}
func TestAccAWSLambdaPermission_withRawFunctionName(t *testing.T) {
var statement LambdaPolicyStatement
endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_raw_func_name$")
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSLambdaPermissionConfig_withRawFunctionName,
Check: resource.ComposeTestCheckFunc(
testAccCheckLambdaPermissionExists("aws_lambda_permission.with_raw_func_name", &statement),
resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "action", "lambda:InvokeFunction"),
resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "principal", "events.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "statement_id", "AllowExecutionWithRawFuncName"),
resource.TestMatchResourceAttr("aws_lambda_permission.with_raw_func_name", "function_name", endsWithFuncName),
),
},
},
})
}
func TestAccAWSLambdaPermission_withQualifier(t *testing.T) {
var statement LambdaPolicyStatement
endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_qualifier$")
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSLambdaPermissionConfig_withQualifier,
Check: resource.ComposeTestCheckFunc(
testAccCheckLambdaPermissionExists("aws_lambda_permission.with_qualifier", &statement),
resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "action", "lambda:InvokeFunction"),
resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "principal", "events.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "statement_id", "AllowExecutionWithQualifier"),
resource.TestMatchResourceAttr("aws_lambda_permission.with_qualifier", "function_name", endsWithFuncName),
resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "qualifier", "testalias_perm_qualifier"),
),
},
},
})
}
func TestAccAWSLambdaPermission_multiplePerms(t *testing.T) {
var firstStatement LambdaPolicyStatement
var firstStatementModified LambdaPolicyStatement
var secondStatement LambdaPolicyStatement
var secondStatementModified LambdaPolicyStatement
var thirdStatement LambdaPolicyStatement
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSLambdaPermissionConfig_multiplePerms,
Check: resource.ComposeTestCheckFunc(
// 1st
testAccCheckLambdaPermissionExists("aws_lambda_permission.first", &firstStatement),
resource.TestCheckResourceAttr("aws_lambda_permission.first", "action", "lambda:InvokeFunction"),
resource.TestCheckResourceAttr("aws_lambda_permission.first", "principal", "events.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.first", "statement_id", "AllowExecutionFirst"),
resource.TestMatchResourceAttr("aws_lambda_permission.first", "function_name",
regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
// 2nd
testAccCheckLambdaPermissionExists("aws_lambda_permission.second", &firstStatementModified),
resource.TestCheckResourceAttr("aws_lambda_permission.second", "action", "lambda:*"),
resource.TestCheckResourceAttr("aws_lambda_permission.second", "principal", "events.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.second", "statement_id", "AllowExecutionSecond"),
resource.TestMatchResourceAttr("aws_lambda_permission.second", "function_name",
regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
),
},
{
Config: testAccAWSLambdaPermissionConfig_multiplePermsModified,
Check: resource.ComposeTestCheckFunc(
// 1st
testAccCheckLambdaPermissionExists("aws_lambda_permission.first", &secondStatement),
resource.TestCheckResourceAttr("aws_lambda_permission.first", "action", "lambda:InvokeFunction"),
resource.TestCheckResourceAttr("aws_lambda_permission.first", "principal", "events.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.first", "statement_id", "AllowExecutionFirst"),
resource.TestMatchResourceAttr("aws_lambda_permission.first", "function_name",
regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
// 2nd
testAccCheckLambdaPermissionExists("aws_lambda_permission.sec0nd", &secondStatementModified),
resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "action", "lambda:*"),
resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "principal", "events.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "statement_id", "AllowExecutionSec0nd"),
resource.TestMatchResourceAttr("aws_lambda_permission.sec0nd", "function_name",
regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
// 3rd
testAccCheckLambdaPermissionExists("aws_lambda_permission.third", &thirdStatement),
resource.TestCheckResourceAttr("aws_lambda_permission.third", "action", "lambda:*"),
resource.TestCheckResourceAttr("aws_lambda_permission.third", "principal", "events.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.third", "statement_id", "AllowExecutionThird"),
resource.TestMatchResourceAttr("aws_lambda_permission.third", "function_name",
regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
),
},
},
})
}
func TestAccAWSLambdaPermission_withS3(t *testing.T) {
rInt := acctest.RandInt()
var statement LambdaPolicyStatement
endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_s3$")
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
Steps: []resource.TestStep{
{
Config: fmt.Sprintf(testAccAWSLambdaPermissionConfig_withS3_tpl, rInt),
Check: resource.ComposeTestCheckFunc(
testAccCheckLambdaPermissionExists("aws_lambda_permission.with_s3", &statement),
resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "action", "lambda:InvokeFunction"),
resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "principal", "s3.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "statement_id", "AllowExecutionFromS3"),
resource.TestMatchResourceAttr("aws_lambda_permission.with_s3", "function_name", endsWithFuncName),
resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "source_arn",
fmt.Sprintf("arn:aws:s3:::tf-acc-towards-lambda-%d", rInt)),
),
},
},
})
}
func TestAccAWSLambdaPermission_withSNS(t *testing.T) {
var statement LambdaPolicyStatement
endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_sns$")
endsWithTopicName := regexp.MustCompile(":tf-acc-user-updates-topic$")
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSLambdaPermissionConfig_withSNS,
Check: resource.ComposeTestCheckFunc(
testAccCheckLambdaPermissionExists("aws_lambda_permission.with_sns", &statement),
resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "action", "lambda:InvokeFunction"),
resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "principal", "sns.amazonaws.com"),
resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "statement_id", "AllowExecutionFromSNS"),
resource.TestMatchResourceAttr("aws_lambda_permission.with_sns", "function_name", endsWithFuncName),
resource.TestMatchResourceAttr("aws_lambda_permission.with_sns", "source_arn", endsWithTopicName),
),
},
},
})
}
func TestAccAWSLambdaPermission_withIAMRole(t *testing.T) {
var statement LambdaPolicyStatement
endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_iamrole$")
endsWithRoleName := regexp.MustCompile("/iam_for_lambda_perm_iamrole$")
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSLambdaPermissionConfig_withIAMRole,
Check: resource.ComposeTestCheckFunc(
testAccCheckLambdaPermissionExists("aws_lambda_permission.iam_role", &statement),
resource.TestCheckResourceAttr("aws_lambda_permission.iam_role", "action", "lambda:InvokeFunction"),
resource.TestMatchResourceAttr("aws_lambda_permission.iam_role", "principal", endsWithRoleName),
resource.TestCheckResourceAttr("aws_lambda_permission.iam_role", "statement_id", "AllowExecutionFromIAMRole"),
resource.TestMatchResourceAttr("aws_lambda_permission.iam_role", "function_name", endsWithFuncName),
),
},
},
})
}
func testAccCheckLambdaPermissionExists(n string, statement *LambdaPolicyStatement) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmt.Errorf("Not found: %s", n)
}
conn := testAccProvider.Meta().(*AWSClient).lambdaconn
// IAM is eventually consistent
var foundStatement *LambdaPolicyStatement
err := resource.Retry(5*time.Minute, func() *resource.RetryError {
var err error
foundStatement, err = lambdaPermissionExists(rs, conn)
if err != nil {
if strings.HasPrefix(err.Error(), "ResourceNotFoundException") {
return resource.RetryableError(err)
}
if strings.HasPrefix(err.Error(), "Lambda policy not found") {
return resource.RetryableError(err)
}
if strings.HasPrefix(err.Error(), "Failed to find statement") {
return resource.RetryableError(err)
}
return resource.NonRetryableError(err)
}
return nil
})
if err != nil {
return err
}
*statement = *foundStatement
return nil
}
}
func testAccCheckAWSLambdaPermissionDestroy(s *terraform.State) error {
conn := testAccProvider.Meta().(*AWSClient).lambdaconn
for _, rs := range s.RootModule().Resources {
if rs.Type != "aws_lambda_permission" {
continue
}
// IAM is eventually consistent
err := resource.Retry(5*time.Minute, func() *resource.RetryError {
err := isLambdaPermissionGone(rs, conn)
if err != nil {
if !strings.HasPrefix(err.Error(), "Error unmarshalling Lambda policy") {
return resource.RetryableError(err)
}
return resource.NonRetryableError(err)
}
return nil
})
if err != nil {
return err
}
}
return nil
}
func isLambdaPermissionGone(rs *terraform.ResourceState, conn *lambda.Lambda) error {
params := &lambda.GetPolicyInput{
FunctionName: aws.String(rs.Primary.Attributes["function_name"]),
}
if v, ok := rs.Primary.Attributes["qualifier"]; ok && v != "" {
params.Qualifier = aws.String(v)
}
resp, err := conn.GetPolicy(params)
if awsErr, ok := err.(awserr.Error); ok {
if awsErr.Code() == "ResourceNotFoundException" {
// no policy found => all statements deleted
return nil
}
}
if err != nil {
return fmt.Errorf("Unexpected error when checking existence of Lambda permission: %s\n%s",
rs.Primary.ID, err)
}
policyInBytes := []byte(*resp.Policy)
policy := LambdaPolicy{}
err = json.Unmarshal(policyInBytes, &policy)
if err != nil {
return fmt.Errorf("Error unmarshalling Lambda policy (%s): %s", *resp.Policy, err)
}
state, err := findLambdaPolicyStatementById(&policy, rs.Primary.ID)
if err != nil {
// statement not found => deleted
return nil
}
return fmt.Errorf("Policy statement expected to be gone (%s):\n%s",
rs.Primary.ID, *state)
}
func lambdaPermissionExists(rs *terraform.ResourceState, conn *lambda.Lambda) (*LambdaPolicyStatement, error) {
params := &lambda.GetPolicyInput{
FunctionName: aws.String(rs.Primary.Attributes["function_name"]),
}
if v, ok := rs.Primary.Attributes["qualifier"]; ok && v != "" {
params.Qualifier = aws.String(v)
}
resp, err := conn.GetPolicy(params)
if err != nil {
return nil, fmt.Errorf("Lambda policy not found: %q", err)
}
if resp.Policy == nil {
return nil, fmt.Errorf("Received Lambda policy is empty")
}
policyInBytes := []byte(*resp.Policy)
policy := LambdaPolicy{}
err = json.Unmarshal(policyInBytes, &policy)
if err != nil {
return nil, fmt.Errorf("Error unmarshalling Lambda policy: %s", err)
}
return findLambdaPolicyStatementById(&policy, rs.Primary.ID)
}
func testAccAWSLambdaPermissionConfig(rName string) string {
return fmt.Sprintf(`
resource "aws_lambda_permission" "allow_cloudwatch" {
statement_id = "AllowExecutionFromCloudWatch"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.test_lambda.arn}"
principal = "events.amazonaws.com"
}
resource "aws_lambda_function" "test_lambda" {
filename = "test-fixtures/lambdatest.zip"
function_name = "lambda_function_name_perm"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.handler"
runtime = "nodejs4.3"
}
resource "aws_iam_role" "iam_for_lambda" {
name = "%s"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}`, rName)
}
var testAccAWSLambdaPermissionConfig_withRawFunctionName = `
resource "aws_lambda_permission" "with_raw_func_name" {
statement_id = "AllowExecutionWithRawFuncName"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.test_lambda.arn}"
principal = "events.amazonaws.com"
}
resource "aws_lambda_function" "test_lambda" {
filename = "test-fixtures/lambdatest.zip"
function_name = "lambda_function_name_perm_raw_func_name"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.handler"
runtime = "nodejs4.3"
}
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda_perm_raw_func_name"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
`
var testAccAWSLambdaPermissionConfig_withQualifier = `
resource "aws_lambda_permission" "with_qualifier" {
statement_id = "AllowExecutionWithQualifier"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.test_lambda.arn}"
principal = "events.amazonaws.com"
source_account = "111122223333"
source_arn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
qualifier = "${aws_lambda_alias.test_alias.name}"
}
resource "aws_lambda_alias" "test_alias" {
name = "testalias_perm_qualifier"
description = "a sample description"
function_name = "${aws_lambda_function.test_lambda.arn}"
function_version = "$LATEST"
}
resource "aws_lambda_function" "test_lambda" {
filename = "test-fixtures/lambdatest.zip"
function_name = "lambda_function_name_perm_qualifier"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.handler"
runtime = "nodejs4.3"
}
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda_perm_qualifier"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
`
var testAccAWSLambdaPermissionConfig_multiplePerms_tpl = `
resource "aws_lambda_permission" "first" {
statement_id = "AllowExecutionFirst"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.test_lambda.arn}"
principal = "events.amazonaws.com"
}
resource "aws_lambda_permission" "%s" {
statement_id = "%s"
action = "lambda:*"
function_name = "${aws_lambda_function.test_lambda.arn}"
principal = "events.amazonaws.com"
}
%s
resource "aws_lambda_function" "test_lambda" {
filename = "test-fixtures/lambdatest.zip"
function_name = "lambda_function_name_perm_multiperms"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.handler"
runtime = "nodejs4.3"
}
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda_perm_multi_perms"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
`
var testAccAWSLambdaPermissionConfig_multiplePerms = fmt.Sprintf(
testAccAWSLambdaPermissionConfig_multiplePerms_tpl, "second", "AllowExecutionSecond", "")
var testAccAWSLambdaPermissionConfig_multiplePermsModified = fmt.Sprintf(
testAccAWSLambdaPermissionConfig_multiplePerms_tpl, "sec0nd", "AllowExecutionSec0nd", `
resource "aws_lambda_permission" "third" {
statement_id = "AllowExecutionThird"
action = "lambda:*"
function_name = "${aws_lambda_function.test_lambda.arn}"
principal = "events.amazonaws.com"
}`)
var testAccAWSLambdaPermissionConfig_withS3_tpl = `
resource "aws_lambda_permission" "with_s3" {
statement_id = "AllowExecutionFromS3"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.my-func.arn}"
principal = "s3.amazonaws.com"
source_arn = "${aws_s3_bucket.default.arn}"
}
resource "aws_s3_bucket" "default" {
bucket = "tf-acc-towards-lambda-%d"
acl = "private"
}
resource "aws_lambda_function" "my-func" {
filename = "test-fixtures/lambdatest.zip"
function_name = "lambda_function_name_perm_s3"
role = "${aws_iam_role.police.arn}"
handler = "exports.handler"
runtime = "nodejs4.3"
}
resource "aws_iam_role" "police" {
name = "iam_for_lambda_perm_with_s3"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
`
var testAccAWSLambdaPermissionConfig_withSNS = `
resource "aws_lambda_permission" "with_sns" {
statement_id = "AllowExecutionFromSNS"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.my-func.arn}"
principal = "sns.amazonaws.com"
source_arn = "${aws_sns_topic.default.arn}"
}
resource "aws_sns_topic" "default" {
name = "tf-acc-user-updates-topic"
}
resource "aws_sns_topic_subscription" "lambda" {
topic_arn = "${aws_sns_topic.default.arn}"
protocol = "lambda"
endpoint = "${aws_lambda_function.my-func.arn}"
}
resource "aws_lambda_function" "my-func" {
filename = "test-fixtures/lambdatest.zip"
function_name = "lambda_function_name_perm_sns"
role = "${aws_iam_role.police.arn}"
handler = "exports.handler"
runtime = "nodejs4.3"
}
resource "aws_iam_role" "police" {
name = "iam_for_lambda_perm_with_sns"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
`
var testAccAWSLambdaPermissionConfig_withIAMRole = `
resource "aws_lambda_permission" "iam_role" {
statement_id = "AllowExecutionFromIAMRole"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.my-func.arn}"
principal = "${aws_iam_role.police.arn}"
}
resource "aws_lambda_function" "my-func" {
filename = "test-fixtures/lambdatest.zip"
function_name = "lambda_function_name_perm_iamrole"
role = "${aws_iam_role.police.arn}"
handler = "exports.handler"
runtime = "nodejs4.3"
}
resource "aws_iam_role" "police" {
name = "iam_for_lambda_perm_iamrole"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
`
var testLambdaPolicy = []byte(`{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {"AWS:SourceAccount": "319201112229"},
"ArnLike":{"AWS:SourceArn":"arn:aws:events:eu-west-1:319201112229:rule/RunDaily"}
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-west-1:319201112229:function:myCustomFunction",
"Effect": "Allow",
"Principal": {"Service":"events.amazonaws.com"},
"Sid": "36fe77d9-a4ae-13fb-8beb-5dc6821d5291"
}
],
"Id":"default"
}`)