Refactor to aws_iam_role_policy instead of policy attachment

Author: npalm

examples/default/main.tf

@@ -28,7 +28,7 @@ module "runners" {
   }
 
   webhook_lambda_zip                = "lambdas-download/webhook.zip"
-  runner_binaries_syncer_lambda_zip = "lambdas-download/syncer.zip"
+  runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
   runners_lambda_zip                = "lambdas-download/runners.zip"
   enable_organization_runners       = false
   runner_extra_labels               = "default,example"

main.tf

@@ -37,22 +37,15 @@ module "webhook" {
   lambda_timeout = var.webhook_lambda_timeout
 }
 
-resource "aws_iam_policy" "webhook" {
-  name        = "${var.environment}-lambda-webhook-publish-sqs-policy"
-  description = "Lambda webhook sqs policy"
+resource "aws_iam_role_policy" "webhook" {
+  name = "${var.environment}-lambda-webhook-publish-sqs-policy"
+  role = module.webhook.role.name
 
   policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arn = aws_sqs_queue.queued_builds.arn
   })
 }
 
-resource "aws_iam_policy_attachment" "webhook" {
-  name       = "${var.environment}-webhook-sqs"
-  roles      = [module.webhook.role.name]
-  policy_arn = aws_iam_policy.webhook.arn
-}
-
-
 module "runners" {
   source = "./modules/runners"
 

modules/runner-binaries-syncer/runner-binaries-syncer.tf

@@ -38,35 +38,22 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
   }
 }
 
-resource "aws_iam_policy" "lambda_logging" {
-  name        = "${var.environment}-lamda-logging-policy-syncer"
-  description = "Lambda logging policy"
+resource "aws_iam_role_policy" "lambda_logging" {
+  name = "${var.environment}-lamda-logging-policy-syncer"
+  role = aws_iam_role.syncer_lambda.id
 
   policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {})
 }
 
-
-resource "aws_iam_policy_attachment" "syncer_logging" {
-  name       = "${var.environment}-logging"
-  roles      = [aws_iam_role.syncer_lambda.name]
-  policy_arn = aws_iam_policy.lambda_logging.arn
-}
-
-resource "aws_iam_policy" "syncer" {
-  name        = "${var.environment}-lamda-syncer-s3-policy"
-  description = "Lambda syncer policy"
+resource "aws_iam_role_policy" "syncer" {
+  name = "${var.environment}-lamda-syncer-s3-policy"
+  role = aws_iam_role.syncer_lambda.id
 
   policy = templatefile("${path.module}/policies/lambda-syncer.json", {
     s3_resource_arn = "${aws_s3_bucket.action_dist.arn}/${local.action_runner_distribution_object_key}"
   })
 }
 
-resource "aws_iam_policy_attachment" "syncer" {
-  name       = "${var.environment}-syncer"
-  roles      = [aws_iam_role.syncer_lambda.name]
-  policy_arn = aws_iam_policy.syncer.arn
-}
-
 resource "aws_cloudwatch_event_rule" "syncer" {
   schedule_expression = var.lambda_schedule_expression
   tags                = var.tags

modules/runners/scale-down.tf

@@ -43,17 +43,12 @@ resource "aws_iam_role" "scale_down" {
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
 }
 
-resource "aws_iam_policy" "scale_down" {
-  name        = "${var.environment}-lambda-scale-down-policy"
-  description = "Lambda scale up policy"
-  policy      = templatefile("${path.module}/policies/lambda-scale-down.json", {})
+resource "aws_iam_role_policy" "scale_down" {
+  name   = "${var.environment}-lambda-scale-down-policy"
+  role   = aws_iam_role.scale_down.name
+  policy = templatefile("${path.module}/policies/lambda-scale-down.json", {})
 }
 
-resource "aws_iam_policy_attachment" "scale_down" {
-  name       = "${var.environment}-scale-down"
-  roles      = [aws_iam_role.scale_down.name]
-  policy_arn = aws_iam_policy.scale_down.arn
-}
 
 
 

modules/runners/scale-up.tf

@@ -41,19 +41,12 @@ resource "aws_iam_role" "scale_up" {
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
 }
 
-resource "aws_iam_policy" "scale_up" {
-  name        = "${var.environment}-lambda-scale-up-policy"
-  description = "Lambda scale up policy"
+resource "aws_iam_role_policy" "scale_up" {
+  name = "${var.environment}-lambda-scale-up-policy"
+  role = aws_iam_role.scale_up.name
 
   policy = templatefile("${path.module}/policies/lambda-scale-up.json", {
     arn_runner_instance_role = aws_iam_role.runner.arn
     sqs_arn                  = var.sqs.arn
   })
 }
-
-resource "aws_iam_policy_attachment" "scale_up" {
-  name       = "${var.environment}-scale-up"
-  roles      = [aws_iam_role.scale_up.name]
-  policy_arn = aws_iam_policy.scale_up.arn
-}
-

modules/webhook/main.tf

@@ -92,15 +92,8 @@ resource "aws_iam_role" "webhook_lambda" {
   tags               = var.tags
 }
 
-resource "aws_iam_policy" "webhook_logging" {
-  name        = "${var.environment}-lamda-logging-policy"
-  description = "Lambda logging policy"
-
+resource "aws_iam_role_policy" "webhook_logging" {
+  name   = "${var.environment}-lamda-logging-policy"
+  role   = aws_iam_role.webhook_lambda.name
   policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {})
 }
-
-resource "aws_iam_policy_attachment" "webhook_logging" {
-  name       = "${var.environment}-logging"
-  roles      = [aws_iam_role.webhook_lambda.name]
-  policy_arn = aws_iam_policy.webhook_logging.arn
-}

modules/webhook/variables.tf

@@ -20,8 +20,7 @@ variable "tags" {
 
 variable "sqs_build_queue" {
   type = object({
-    id  = string
-    arn = string
+    id = string
   })
 }