Merge pull request #148 from proactiveops/iam-improvements

skwashd · web-flow · commit e6775e93dbd1 · 2024-10-20T19:39:58.000+11:00
Add IAM options
diff --git a/README.md b/README.md
@@ -24,10 +24,12 @@ The configuration file has the following structure:
 
 ```toml
 bundle="/path/containing/code/to/bundle/into/build" # default is none
+iam_role_prefix="my-prefix-" # default is "pf-" for PicoFun
 layers="arn:aws:lambda:us-east-1:012345678910:layer:example:1,arn:aws:lambda:us-east-1:012345678910:layer:another-example:123" # default is none
 output_dir="/path/to/write/output-files" # default is current-working-directory/output
 postprocessor="fully.qualified.reference.to.postprocessor" # default is none
 preprocessor="fully.qualified.reference.to.preprocessor" # default is none
+role_permissions_boundary="arn:aws:iam::012345678910:policy/..." # default is none
 subnets="subnet-1234567890abcdef0,subnet-234567890abcdef01" # default is none and VPC networking is no enabled
 tags=... # default is none
 template_path="/path/to/templates" # default is current-working-directory/templates
diff --git a/picofun/config.py b/picofun/config.py
@@ -15,10 +15,12 @@ class Config:
     _attrs: typing.ClassVar[dict[str : typing.Any]] = {
         "_config_file": str,
         "bundle": str,
+        "iam_role_prefix": str,
         "layers": list,
         "output_dir": str,
         "postprocessor": str,
         "preprocessor": str,
+        "role_permissions_boundary": str,
         "subnets": list,
         "tags": dict,
         "template_path": str,
@@ -147,10 +149,12 @@ def set_defaults(self) -> None:
         defaults = {
             "_config_file": "",
             "bundle": None,
+            "iam_role_prefix": "pf-",
             "layers": [],
             "output_dir": os.path.realpath(os.path.join(os.getcwd(), "output")),
             "postprocessor": "",
             "preprocessor": "",
+            "role_permissions_boundary": None,
             "subnets": [],
             "tags": {},
             "template_path": os.path.join(files("picofun"), "templates"),
diff --git a/picofun/templates/main.tf.j2 b/picofun/templates/main.tf.j2
@@ -122,9 +122,10 @@ resource "aws_lambda_function" "this" {
 }
 
 resource "aws_iam_role" "lambda" {
-  name = "pf-{{ namespace }}"
+  name = "{{ iam_role_prefix }}{{ namespace }}"
 
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
+  permissions_boundary = {{ '"{}"'.format(role_permissions_boundary) if role_permissions_boundary else "null" }}
 
   tags = local.tags
 }
diff --git a/picofun/terraform_generator.py b/picofun/terraform_generator.py
@@ -33,10 +33,12 @@ def generate(
         template = self._template.get("main.tf.j2")
 
         terraform_content = template.render(
-            namespace=self._namespace,
+            bundle=self._config.bundle,
+            iam_role_prefix=self._config.iam_role_prefix,
             lambdas=lambdas,
             layers=self._config.layers,
-            bundle=self._config.bundle,
+            namespace=self._namespace,
+            role_permissions_boundary=self._config.role_permissions_boundary,
             subnets=self._config.subnets,
             tags=self._config.tags,
         )

Original file line number	Diff line number	Diff line change
`@@ -122,9 +122,10 @@ resource "aws_lambda_function" "this" {`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`resource "aws_iam_role" "lambda" {`
`125`		`- name = "pf-{{ namespace }}"`
	`125`	`+ name = "{{ iam_role_prefix }}{{ namespace }}"`
`126`	`126`
`127`	`127`	`assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json`
	`128`	`+ permissions_boundary = {{ '"{}"'.format(role_permissions_boundary) if role_permissions_boundary else "null" }}`
`128`	`129`
`129`	`130`	`tags = local.tags`
`130`	`131`	`}`