feat: add optional source_account to lambda permissions

Rory Nolan · claude · Rory Nolan · commit ffcd0827f99b · 2025-07-30T05:33:14.000-07:00
- Make both source_arn and source_account optional in invoke_function_permissions - Add comprehensive documentation for all permission fields - Update complete example to demonstrate source_account usage - Maintain backward compatibility with existing configurations 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -105,8 +105,9 @@ module "lambda" {
 
   invoke_function_permissions = [
     {
-      principal  = "s3.amazonaws.com"
-      source_arn = join("", aws_s3_bucket.example[*].arn)
+      principal      = "s3.amazonaws.com"
+      source_arn     = join("", aws_s3_bucket.example[*].arn)
+      source_account = join("", data.aws_caller_identity.current[*].account_id)
     }
   ]
 
diff --git a/lambda-permissions.tf b/lambda-permissions.tf
@@ -1,8 +1,9 @@
 resource "aws_lambda_permission" "invoke_function" {
   for_each = local.enabled ? { for i, permission in var.invoke_function_permissions : i => permission } : {}
 
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.this[0].function_name
-  principal     = each.value.principal
-  source_arn    = each.value.source_arn
+  action         = "lambda:InvokeFunction"
+  function_name  = aws_lambda_function.this[0].function_name
+  principal      = each.value.principal
+  source_arn     = each.value.source_arn
+  source_account = each.value.source_account
 }
diff --git a/variables.tf b/variables.tf
@@ -248,9 +248,16 @@ variable "inline_iam_policy" {
 
 variable "invoke_function_permissions" {
   type = list(object({
-    principal  = string
-    source_arn = string
+    principal      = string
+    source_arn     = optional(string)
+    source_account = optional(string)
   }))
-  description = "Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission. NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module"
+  description = <<EOF
+  Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission. 
+  - principal: The AWS service or account that will invoke the function
+  - source_arn: (Optional) The ARN of the specific resource that will invoke the function
+  - source_account: (Optional) The AWS account ID that is allowed to invoke the function. Used to restrict cross-account access when needed.
+  NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module
+  EOF
   default     = []
 }

Original file line number	Diff line number	Diff line change
`@@ -105,8 +105,9 @@ module "lambda" {`
`105`	`105`
`106`	`106`	`invoke_function_permissions = [`
`107`	`107`	`{`
`108`		`- principal = "s3.amazonaws.com"`
`109`		`- source_arn = join("", aws_s3_bucket.example[*].arn)`
	`108`	`+ principal = "s3.amazonaws.com"`
	`109`	`+ source_arn = join("", aws_s3_bucket.example[*].arn)`
	`110`	`+ source_account = join("", data.aws_caller_identity.current[*].account_id)`
`110`	`111`	`}`
`111`	`112`	`]`
`112`	`113`