Description
- I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [Required]: v3.13.0
- Terraform version: v1.9.8
- Provider version(s): registry.terraform.io/hashicorp/aws v5.80.0
Reproduction Code [Required]
```hcl
resource "aws_cloudwatch_log_group" "eventbridge-pipe" {
  name = "eventbridge-pipe"
}

module "eventbridge" {
  source  = "terraform-aws-modules/eventbridge/aws"
  version = "3.13.0"

  bus_name = "blah"

  pipes = {
    test = {
      source = "${aws_kinesis_stream.streamA.arn}"
      target = "${aws_kinesis_stream.streamO.arn}"

      source_parameters = {
        kinesis_stream_parameters = {
          starting_position = "LATEST"
        }
      }

      target_parameters = {
        kinesis_stream_parameters = {
          partition_key = "$.deviceId"
        }
      }

      # Lambda enrichment step; the pipe role needs lambda:InvokeFunction on this ARN
      enrichment = "arn:aws:lambda:us-east-1:123456111:function:doit"
    }
  }
}

# Source stream for the pipe
resource "aws_kinesis_stream" "streamA" {
  name        = "streamA"
  shard_count = 1
}

# Target stream for the pipe
resource "aws_kinesis_stream" "streamO" {
  name        = "streamO"
  shard_count = 1
}
```
Steps to reproduce the behavior:
Apply, and the IAM Role/policy doesn't have the lambda invoke permission. This is because, I think, currently this will only be applied if lambda is your pipe target or using an event destination.
Expected behavior
Applying the code above, I expect the pipe to function and properly invoke the enrichment function
Actual behavior
The pipe gets a permission error invoking the enrichment because the `lambda:InvokeFunction` permission is not added to the pipe Role.
Additional context
I believe I have a fix, but want to check and make sure that I'm not missing some other feature or way to do this. The fix is to add `try(v.enrichment, null)` to the `role_for_pipes.service_integrations.lambda.values` section. Maybe add it to other places as well but this is all I need for my use case.
Let me know if this is the fix and I'll get another PR ready to go.
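
A way to confirm the gap described in this issue, added here as an example and not taken from the module or the reporter's code: a Python check that evaluates a pipe role's policy documents for `lambda:InvokeFunction` on the enrichment ARN. The function names and sample policies (including the Kinesis ARNs) are constructed for illustration; `Condition`, `NotAction` and `NotResource` are not modelled.

```python
import re

ENRICHMENT_ARN = "arn:aws:lambda:us-east-1:123456111:function:doit"  # from the issue

def _as_list(value):
    """IAM accepts a bare string/object or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value, ignore_case=False):
    """Match an IAM pattern, where * and ? are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _covers(stmt, action, resource):
    """True if the statement's Action and Resource both match."""
    if "NotAction" in stmt or "NotResource" in stmt:
        return False  # assumption: negated elements are out of scope here
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_iam_match(a, action, ignore_case=True) for a in actions)
            and any(_iam_match(r, resource) for r in resources))

def can_invoke_enrichment(policy_docs, function_arn):
    """Allow must match and no explicit Deny may match (Deny wins)."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if _covers(stmt, "lambda:InvokeFunction", function_arn):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

# Constructed sample: a role with only Kinesis source/target access,
# which is the state the issue reports for a pipe with a Lambda enrichment.
KINESIS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["kinesis:GetRecords", "kinesis:GetShardIterator"],
     "Resource": "arn:aws:kinesis:us-east-1:123456111:stream/streamA"},
    {"Effect": "Allow", "Action": "kinesis:PutRecord",
     "Resource": "arn:aws:kinesis:us-east-1:123456111:stream/streamO"},
]}
# Constructed sample: the statement the pipe role is missing.
LAMBDA_INVOKE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "lambda:InvokeFunction",
    "Resource": ENRICHMENT_ARN}}

if __name__ == "__main__":
    print("kinesis only:", can_invoke_enrichment([KINESIS_ONLY], ENRICHMENT_ARN))
    print("with lambda :", can_invoke_enrichment([KINESIS_ONLY, LAMBDA_INVOKE], ENRICHMENT_ARN))
```

The policy documents can be taken from the deployed role (for example the `PolicyDocument` returned by `aws iam get-role-policy`) and passed in as parsed JSON.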