fix(iam): move to full ARN for stability

MickVanDuijn · MickVanDuijn · commit 0f8e0938d5d8 · 2022-09-05T10:42:15.000+02:00
diff --git a/iam.tf b/iam.tf
@@ -3,7 +3,7 @@ resource "aws_cloudformation_stack" "lambda_permissions" {
   template_body = jsonencode({
     Resources = merge([
       for urlPath, config in local.definition : {
-        for httpMethod, definition in config : "AllowExecutionFromAPIGateway${substr(sha256("${upper(httpMethod)} ${urlPath}  "), 0, 8)}" => {
+        for httpMethod, definition in config : "AllowExecutionFromAPIGateway${substr(sha256("${upper(httpMethod)} ${urlPath}"), 0, 8)}" => {
           Type = "AWS::Lambda::Permission"
           Properties = {
             FunctionName = definition.lambda.function_name
@@ -31,7 +31,7 @@ data "aws_iam_policy_document" "vpc_invoke" {
         identifiers = ["*"]
       }
       actions   = ["execute-api:Invoke"]
-      resources = ["execute-api:/${statement.value}/*/*"]
+      resources = ["arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_rest_api.this.id}/${statement.value}/*/*"]
       condition {
         test     = "StringNotEquals"
         variable = "aws:sourceVpc"
@@ -49,7 +49,7 @@ data "aws_iam_policy_document" "vpc_invoke" {
         identifiers = ["*"]
       }
       actions   = ["execute-api:Invoke"]
-      resources = ["execute-api:/${statement.value}/*/*"]
+      resources = ["arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_rest_api.this.id}/${statement.value}/*/*"]
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ resource "aws_cloudformation_stack" "lambda_permissions" {`
`3`	`3`	`template_body = jsonencode({`
`4`	`4`	`Resources = merge([`
`5`	`5`	`for urlPath, config in local.definition : {`
`6`		`- for httpMethod, definition in config : "AllowExecutionFromAPIGateway${substr(sha256("${upper(httpMethod)} ${urlPath} "), 0, 8)}" => {`
	`6`	`+ for httpMethod, definition in config : "AllowExecutionFromAPIGateway${substr(sha256("${upper(httpMethod)} ${urlPath}"), 0, 8)}" => {`
`7`	`7`	`Type = "AWS::Lambda::Permission"`
`8`	`8`	`Properties = {`
`9`	`9`	`FunctionName = definition.lambda.function_name`
`@@ -31,7 +31,7 @@ data "aws_iam_policy_document" "vpc_invoke" {`
`31`	`31`	`identifiers = ["*"]`
`32`	`32`	`}`
`33`	`33`	`actions = ["execute-api:Invoke"]`
`34`		`- resources = ["execute-api:/${statement.value}//"]`
	`34`	`+ resources = ["arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_rest_api.this.id}/${statement.value}//"]`
`35`	`35`	`condition {`
`36`	`36`	`test = "StringNotEquals"`
`37`	`37`	`variable = "aws:sourceVpc"`
`@@ -49,7 +49,7 @@ data "aws_iam_policy_document" "vpc_invoke" {`
`49`	`49`	`identifiers = ["*"]`
`50`	`50`	`}`
`51`	`51`	`actions = ["execute-api:Invoke"]`
`52`		`- resources = ["execute-api:/${statement.value}//"]`
	`52`	`+ resources = ["arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_rest_api.this.id}/${statement.value}//"]`
`53`	`53`	`}`
`54`	`54`	`}`
`55`	`55`	`}`