Merge pull request #7 from rafikurnia/feature/lambda-role

rafikurnia · web-flow · commit 9e9c88aae7c0 · 2018-04-17T14:58:17.000+07:00
feature/lambda-role
diff --git a/README.md b/README.md
@@ -6,6 +6,7 @@ Currently supported type of Roles are:
 2. Role for IAM User
 3. Role for External AWS Account
 4. Role for Instance Profile
+5. Role for Lambda
 
 
 Usage
@@ -23,6 +24,7 @@ Modules
 * [IAM User](https://github.com/traveloka/terraform-aws-iam-role/tree/master/modules/user)
 * [External AWS Account](https://github.com/traveloka/terraform-aws-iam-role/tree/master/modules/external)
 * [Instance Profile](https://github.com/traveloka/terraform-aws-iam-role/tree/master/modules/instance)
+* [Lambda](https://github.com/traveloka/terraform-aws-iam-role/tree/master/modules/lambda)
 
 
 Examples
@@ -31,6 +33,7 @@ Examples
 * [IAM Role for User](https://github.com/traveloka/terraform-aws-iam-role/tree/master/examples/user-iam)
 * [IAM Role for 3rd Party AWS Account](https://github.com/traveloka/terraform-aws-iam-role/tree/master/examples/external-account)
 * [IAM Role for Instance Profile](https://github.com/traveloka/terraform-aws-iam-role/tree/master/examples/instance-profile)
+* [IAM Role for Lambda](https://github.com/traveloka/terraform-aws-iam-role/tree/master/examples/lambda-role)
 
 
 Tests
diff --git a/examples/lambda-role/README.md b/examples/lambda-role/README.md
@@ -0,0 +1,4 @@
+example/lambda_role
+===================
+
+This example will create an IAM Role for AWS Lambda.
diff --git a/examples/lambda-role/main.tf b/examples/lambda-role/main.tf
@@ -0,0 +1,13 @@
+provider "aws" {
+  region = "ap-southeast-1"
+}
+
+module "this" {
+  # In actual use case, you have to replace the following line (line 8) with:
+  # source = "github.com/traveloka/terraform-aws-iam-role.git//modules/lambda?ref=v0.4.0"
+  source = "../../modules/lambda"
+
+  product_domain   = "txt"
+  service_name     = "txtjobs"
+  descriptive_name = "Periodic Scheduler"
+}
diff --git a/examples/lambda-role/outputs.tf b/examples/lambda-role/outputs.tf
diff --git a/modules/lambda/README.md b/modules/lambda/README.md
@@ -0,0 +1,8 @@
+terraform-aws-iam-role/lambda
+=============================
+This module allows you to create an IAM Role for AWS Lambda resource.
+
+
+Usage
+-----
+You can open this example: [IAM Role for Lambda](https://github.com/traveloka/terraform-aws-iam-role/tree/master/examples/lambda-role)
diff --git a/modules/lambda/main.tf b/modules/lambda/main.tf
@@ -0,0 +1,38 @@
+locals {
+  descriptive_name = "${join("-", split(" ", lower(var.descriptive_name)))}"
+  role_identifier  = "${var.service_name == "" ? var.product_domain : var.service_name}-${local.descriptive_name}"
+  name_prefix      = "LambdaRole_${local.role_identifier}"
+}
+
+module "random" {
+  source = "github.com/traveloka/terraform-aws-resource-naming.git?ref=v0.4.0"
+
+  name_prefix   = "${local.name_prefix}"
+  resource_type = "iam_role"
+}
+
+# Trust relationship policy document for AWS Service.
+data "aws_iam_policy_document" "this" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+# Module, the parent module.
+module "this" {
+  source = "../../"
+
+  role_name        = "${module.random.name}"
+  role_path        = "/lambda-role/"
+  role_description = "Lambda Role for ${local.role_identifier}"
+
+  role_assume_policy         = "${data.aws_iam_policy_document.this.json}"
+  role_force_detach_policies = "${var.role_force_detach_policies}"
+  role_max_session_duration  = "${var.role_max_session_duration}"
+}
diff --git a/modules/lambda/outputs.tf b/modules/lambda/outputs.tf
@@ -0,0 +1,39 @@
+output "aws_account_id" {
+  description = "The AWS Account ID number of the account that owns or contains the calling entity."
+  value       = "${module.this.aws_account_id}"
+}
+
+output "aws_caller_arn" {
+  description = "The AWS ARN associated with the calling entity."
+  value       = "${module.this.aws_caller_arn}"
+}
+
+output "aws_caller_user_id" {
+  description = "The unique identifier of the calling entity."
+  value       = "${module.this.aws_caller_user_id}"
+}
+
+output "role_name" {
+  description = "The name of the role."
+  value       = "${module.this.role_name}"
+}
+
+output "role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the role."
+  value       = "${module.this.role_arn}"
+}
+
+output "role_description" {
+  description = "The description of the role."
+  value       = "${module.this.role_description}"
+}
+
+output "role_create_date" {
+  description = "The creation date of the IAM role."
+  value       = "${module.this.role_create_date}"
+}
+
+output "role_unique_id" {
+  description = "The stable and unique string identifying the role."
+  value       = "${module.this.role_unique_id}"
+}
diff --git a/modules/lambda/variables.tf b/modules/lambda/variables.tf
@@ -0,0 +1,25 @@
+variable "product_domain" {
+  description = "Product domain these resources belong to."
+  type        = "string"
+}
+
+variable "service_name" {
+  description = "The name of the service that going to assume this role."
+  type        = "string"
+  default     = ""
+}
+
+variable "descriptive_name" {
+  description = "Brief description of Lambda Function. It will be added to the role name. Example value: 'Periodic Scheduler'"
+  type        = "string"
+}
+
+variable "role_force_detach_policies" {
+  description = "Specifies to force detaching any policies the role has before destroying it."
+  default     = false
+}
+
+variable "role_max_session_duration" {
+  description = "The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours."
+  default     = 3600
+}
