feat: Added support for lambda permissions when the target is a lambda function (#240)

Author: eamonnmoloney

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.67.0
+    rev: v1.71.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

README.md

@@ -33,16 +33,16 @@ module "alb" {
       backend_protocol = "HTTP"
       backend_port     = 80
       target_type      = "instance"
-      targets = [
-        {
+      targets = {
+        my_target = {
           target_id = "i-0123456789abcdefg"
           port = 80
-        },
-        {
+        }
+        my_other_target = {
           target_id = "i-a1b2c3d4e5f6g7h8i"
           port = 8080
         }
-      ]
+      }
     }
   ]
 
@@ -311,6 +311,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_lambda_permission.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lb.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
 | [aws_lb_listener.frontend_http_tcp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
 | [aws_lb_listener.frontend_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |

examples/complete-alb/README.md

@@ -38,7 +38,8 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|--------|---------|
 | <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 3.0 |
 | <a name="module_alb"></a> [alb](#module\_alb) | ../../ | n/a |
-| <a name="module_lambda_function"></a> [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 3.0 |
+| <a name="module_lambda_with_allowed_triggers"></a> [lambda\_with\_allowed\_triggers](#module\_lambda\_with\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 |
+| <a name="module_lambda_without_allowed_triggers"></a> [lambda\_without\_allowed\_triggers](#module\_lambda\_without\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 |
 | <a name="module_lb_disabled"></a> [lb\_disabled](#module\_lb\_disabled) | ../../ | n/a |
 | <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
 

examples/complete-alb/main.tf

@@ -405,13 +405,18 @@ module "alb" {
       target_type                        = "lambda"
       lambda_multi_value_headers_enabled = true
       targets = {
-        # Lambda function permission should be granted before
-        # it is used. There can be an error:
-        # NB: Error registering targets with target group:
-        # AccessDenied: elasticloadbalancing principal does not
-        # have permission to invoke ... from target group ...
-        my_lambda = {
-          target_id = module.lambda_function.lambda_function_arn
+        lambda_with_allowed_triggers = {
+          target_id = module.lambda_with_allowed_triggers.lambda_function_arn
+        }
+      }
+    },
+    {
+      name_prefix = "l2-"
+      target_type = "lambda"
+      targets = {
+        lambda_without_allowed_triggers = {
+          target_id                = module.lambda_without_allowed_triggers.lambda_function_arn
+          attach_lambda_permission = true
         }
       }
     },
@@ -500,12 +505,12 @@ resource "null_resource" "download_package" {
   }
 }
 
-module "lambda_function" {
+module "lambda_with_allowed_triggers" {
   source  = "terraform-aws-modules/lambda/aws"
   version = "~> 3.0"
 
-  function_name = "${random_pet.this.id}-lambda"
-  description   = "My awesome lambda function"
+  function_name = "${random_pet.this.id}-with-allowed-triggers"
+  description   = "My awesome lambda function (with allowed triggers)"
   handler       = "index.lambda_handler"
   runtime       = "python3.8"
 
@@ -523,3 +528,23 @@ module "lambda_function" {
 
   depends_on = [null_resource.download_package]
 }
+
+module "lambda_without_allowed_triggers" {
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "~> 3.0"
+
+  function_name = "${random_pet.this.id}-without-allowed-triggers"
+  description   = "My awesome lambda function (without allowed triggers)"
+  handler       = "index.lambda_handler"
+  runtime       = "python3.8"
+
+  publish = true
+
+  create_package         = false
+  local_existing_package = local.downloaded
+
+  # Allowed triggers will be managed by ALB module
+  allowed_triggers = {}
+
+  depends_on = [null_resource.download_package]
+}

main.tf

@@ -133,6 +133,28 @@ locals {
       if k == "targets"
     ]
   ])...)
+
+  # Filter out the attachments for lambda functions. The ALB target group needs permission to forward a request on to
+  # the specified lambda function. This filtered list is used to create those permission resources
+  target_group_attachments_lambda = {
+    for k, v in local.target_group_attachments :
+    (k) => merge(v, { lambda_function_name = split(":", v.target_id)[6] })
+    if try(v.attach_lambda_permission, false)
+  }
+}
+
+resource "aws_lambda_permission" "lb" {
+  for_each = var.create_lb && local.target_group_attachments_lambda != null ? local.target_group_attachments_lambda : {}
+
+  function_name = each.value.lambda_function_name
+  qualifier     = try(each.value.lambda_qualifier, null)
+
+  statement_id       = try(each.value.lambda_statement_id, "AllowExecutionFromLb")
+  action             = try(each.value.lambda_action, "lambda:InvokeFunction")
+  principal          = try(each.value.lambda_principal, "elasticloadbalancing.amazonaws.com")
+  source_arn         = aws_lb_target_group.main[each.value.tg_index].arn
+  source_account     = try(each.value.lambda_source_account, null)
+  event_source_token = try(each.value.lambda_event_source_token, null)
 }
 
 resource "aws_lb_target_group_attachment" "this" {
@@ -142,6 +164,8 @@ resource "aws_lb_target_group_attachment" "this" {
   target_id         = each.value.target_id
   port              = lookup(each.value, "port", null)
   availability_zone = lookup(each.value, "availability_zone", null)
+
+  depends_on = [aws_lambda_permission.lb]
 }
 
 resource "aws_lb_listener_rule" "https_listener_rule" {