feat: add support for custom Lambda@Edge policies (#333)

* feat: Add support for custom Lambda@Edge policies

* docs: README and example update

* chore: There's no need to provide a default value for an empty list of strings

* fix: Init policy_documents with an empty array

* feat: Simplify Lambda@Edge role policy handling

Attribute renamed from `policy_documents` to `additional_policy`. Add
`LambdaWriteCloudWatchLogs` SID to default CloudWatch policy to make
overrrides possible.

* fix: Remove .json reference from string object

* docs: Update README file

* docs: Remove '$${lambda_arn}' reference from the docs

Dynamic Lambda ARN repalcements bring no value for Lambda IAM execution
roles, as typically you'd like to list other AWS resources/services
there, not the Lambda itself.

* chore: README update

Author: jwadolowski

examples/complete/lambda-at-edge.tf

@@ -3,6 +3,33 @@ provider "aws" {
   alias  = "us-east-1"
 }
 
+data "aws_iam_policy_document" "s3_policy" {
+  statement {
+    sid    = "AllowS3GetObjectFoo"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "arn:aws:s3:::example-bucket-foo/*",
+    ]
+  }
+  statement {
+    sid    = "AllowS3PutObjectBar"
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "arn:aws:s3:::example-bucket-bar/*",
+    ]
+  }
+}
+
 module "lambda_at_edge" {
   source = "../../modules/lambda@edge"
 
@@ -48,13 +75,14 @@ module "lambda_at_edge" {
       include_body = false
     },
     origin_request = {
-      source_zip   = "origin-request.zip"
-      runtime      = "nodejs16.x"
-      handler      = "index.handler"
-      memory_size  = 128
-      timeout      = 3
-      event_type   = "origin-request"
-      include_body = false
+      source_zip        = "origin-request.zip"
+      runtime           = "nodejs16.x"
+      handler           = "index.handler"
+      memory_size       = 128
+      timeout           = 3
+      event_type        = "origin-request"
+      include_body      = false
+      additional_policy = data.aws_iam_policy_document.s3_policy.json
     },
     # Add security headers to the request from CF to the origin
     origin_response = {
@@ -83,10 +111,11 @@ module "lambda_at_edge" {
         EOT
         filename = "index.js"
       }]
-      runtime      = "nodejs16.x"
-      handler      = "index.handler"
-      memory_size  = 128
-      timeout      = 3
+      runtime     = "nodejs16.x"
+      handler     = "index.handler"
+      memory_size = 128
+      timeout     = 3
+
       event_type   = "origin-response"
       include_body = false
     }

modules/lambda@edge/README.md

@@ -73,7 +73,7 @@ module "lambda_at_edge" {
 | <a name="input_destruction_delay"></a> [destruction\_delay](#input\_destruction\_delay) | The delay, in [Golang ParseDuration](https://pkg.go.dev/time#ParseDuration) format, to wait before destroying the Lambda@Edge<br>functions.<br><br>This delay is meant to circumvent Lambda@Edge functions not being immediately deletable following their dissociation from<br>a CloudFront distribution, since they are replicated to CloudFront Edge servers around the world.<br><br>If set to `null`, no delay will be introduced.<br><br>By default, the delay is 20 minutes. This is because it takes about 3 minutes to destroy a CloudFront distribution, and<br>around 15 minutes until the Lambda@Edge function is available for deletion, in most cases.<br><br>For more information, see: https://github.com/hashicorp/terraform-provider-aws/issues/1721. | `string` | `"20m"` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
-| <a name="input_functions"></a> [functions](#input\_functions) | Lambda@Edge functions to create.<br><br>The key of this map is the name label of the Lambda@Edge function.<br><br>`source.filename` and `source.content` dictate the name and content of the files that will make up the Lambda function<br>source, respectively.<br><br>`runtime`, `handler`, `memory_size`, and `timeout` correspond to the attributes of the same name in the [lambda\_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function)<br>resource.<br><br>`event_type` and `include_body` correspond to the attributes of the same name in the [Lambda Function association block<br>of the cloudfront\_distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#lambda-function-association)<br>resource. | <pre>map(object({<br>    source = list(object({<br>      filename = string<br>      content  = string<br>    }))<br>    runtime      = string<br>    handler      = string<br>    memory_size  = number<br>    timeout      = number<br>    event_type   = string<br>    include_body = bool<br>  }))</pre> | n/a | yes |
+| <a name="input_functions"></a> [functions](#input\_functions) | Lambda@Edge functions to create.<br><br>The key of this map is the name label of the Lambda@Edge function.<br><br>One of `source`, `source_dir` or `source_zip` should be specified. These variables are mutually exclusive.<br><br>`source.filename` and `source.content` dictate the name and content of the files that will make up the Lambda function<br>source, respectively.<br><br>`source_dir` contains path to whole directory that has to be archived.<br><br>`source_zip` contains path to zip file with lambda source.<br><br>`runtime`, `handler`, `memory_size` and `timeout` correspond to the attributes of the same name in the [lambda\_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function)<br>resource. See [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-edge-function-restrictions.html) for Lambda@Edge function restrictions.<br><br>`additional_policy` contains additional IAM policies for Lambda@Edge function. It's possible to override default policy statement by providing your own statement with `LambdaWriteCloudWatchLogs` sid.<br><br>`event_type` and `include_body` correspond to the attributes of the same name in the [Lambda Function association block<br>of the cloudfront\_distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#lambda-function-association)<br>resource. | <pre>map(object({<br>    source = optional(list(object({<br>      filename = string<br>      content  = string<br>    })))<br>    source_dir        = optional(string)<br>    source_zip        = optional(string)<br>    runtime           = string<br>    handler           = string<br>    memory_size       = optional(number, 128)<br>    timeout           = optional(number, 3)<br>    additional_policy = optional(string, "{}")<br>    event_type        = string<br>    include_body      = bool<br>  }))</pre> | n/a | yes |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |

modules/lambda@edge/main.tf

@@ -32,6 +32,7 @@ module "function_label" {
 
 data "aws_iam_policy_document" "lambda_write_logs" {
   statement {
+    sid = "LambdaWriteCloudWatchLogs"
     actions = [
       "logs:CreateLogGroup",
       "logs:CreateLogStream",
@@ -63,6 +64,7 @@ module "role" {
 
   policy_documents = [
     data.aws_iam_policy_document.lambda_write_logs.json,
+    each.value.additional_policy
   ]
 
   context = module.function_label[each.key].context

modules/lambda@edge/variables.tf

@@ -16,6 +16,8 @@ variable "functions" {
   `runtime`, `handler`, `memory_size` and `timeout` correspond to the attributes of the same name in the [lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function)
   resource. See [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-edge-function-restrictions.html) for Lambda@Edge function restrictions.
 
+  `additional_policy` contains additional IAM policies for Lambda@Edge function. It's possible to override default policy statement by providing your own statement with `LambdaWriteCloudWatchLogs` sid.
+
   `event_type` and `include_body` correspond to the attributes of the same name in the [Lambda Function association block
   of the cloudfront_distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#lambda-function-association)
   resource.
@@ -25,14 +27,15 @@ variable "functions" {
       filename = string
       content  = string
     })))
-    source_dir   = optional(string)
-    source_zip   = optional(string)
-    runtime      = string
-    handler      = string
-    memory_size  = optional(number, 128)
-    timeout      = optional(number, 3)
-    event_type   = string
-    include_body = bool
+    source_dir        = optional(string)
+    source_zip        = optional(string)
+    runtime           = string
+    handler           = string
+    memory_size       = optional(number, 128)
+    timeout           = optional(number, 3)
+    additional_policy = optional(string, "{}")
+    event_type        = string
+    include_body      = bool
   }))
 
   validation {
@@ -63,4 +66,4 @@ variable "destruction_delay" {
   For more information, see: https://github.com/hashicorp/terraform-provider-aws/issues/1721.
   EOT
   default     = "20m"
-}
+}