feat: Extended trusted_entities variable to support multiple types (#143)

Author: flibustier

README.md

@@ -727,7 +727,7 @@ No modules.
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to resources. | `map(string)` | `{}` | no |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | The amount of time your Lambda Function has to run in seconds. | `number` | `3` | no |
 | <a name="input_tracing_mode"></a> [tracing\_mode](#input\_tracing\_mode) | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | `string` | `null` | no |
-| <a name="input_trusted_entities"></a> [trusted\_entities](#input\_trusted\_entities) | Lambda Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no |
+| <a name="input_trusted_entities"></a> [trusted\_entities](#input\_trusted\_entities) | List of additional trusted entities for assuming Lambda Function role (trust relationship) | `any` | `[]` | no |
 | <a name="input_use_existing_cloudwatch_log_group"></a> [use\_existing\_cloudwatch\_log\_group](#input\_use\_existing\_cloudwatch\_log\_group) | Whether to use an existing CloudWatch log group or create new | `bool` | `false` | no |
 | <a name="input_vpc_security_group_ids"></a> [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of security group ids when Lambda Function should run in the VPC. | `list(string)` | `null` | no |
 | <a name="input_vpc_subnet_ids"></a> [vpc\_subnet\_ids](#input\_vpc\_subnet\_ids) | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets. | `list(string)` | `null` | no |

examples/complete/README.md

@@ -41,6 +41,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_lambda_function_existing_package_local"></a> [lambda\_function\_existing\_package\_local](#module\_lambda\_function\_existing\_package\_local) | ../../ |  |
 | <a name="module_lambda_layer_local"></a> [lambda\_layer\_local](#module\_lambda\_layer\_local) | ../../ |  |
 | <a name="module_lambda_layer_s3"></a> [lambda\_layer\_s3](#module\_lambda\_layer\_s3) | ../../ |  |
+| <a name="module_lambda_with_mixed_trusted_entities"></a> [lambda\_with\_mixed\_trusted\_entities](#module\_lambda\_with\_mixed\_trusted\_entities) | ../../ |  |
 | <a name="module_lambda_with_provisioned_concurrency"></a> [lambda\_with\_provisioned\_concurrency](#module\_lambda\_with\_provisioned\_concurrency) | ../../ |  |
 | <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws |  |
 

examples/complete/main.tf

@@ -227,6 +227,37 @@ module "lambda_with_provisioned_concurrency" {
   provisioned_concurrent_executions = -1 # 2
 }
 
+###############################################
+# Lambda Function with mixed trusted entities
+###############################################
+
+module "lambda_with_mixed_trusted_entities" {
+  source = "../../"
+
+  function_name = "${random_pet.this.id}-lambda-mixed-trusted-entities"
+  handler       = "index.lambda_handler"
+  runtime       = "python3.8"
+
+  source_path = "${path.module}/../fixtures/python3.8-app1"
+
+  trusted_entities = [
+    "appsync.amazonaws.com",
+    {
+      type = "AWS",
+      identifiers = [
+        "arn:aws:iam::307990089504:root",
+      ]
+    },
+    {
+      type = "Service",
+      identifiers = [
+        "codedeploy.amazonaws.com",
+        "ecs.amazonaws.com"
+      ]
+    }
+  ]
+}
+
 ###########
 # Disabled
 ###########

iam.tf

@@ -12,6 +12,20 @@ locals {
   #   for #83 that will allow one to import resources without receiving an error from coalesce.
   # @see https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/83
   role_name = local.create_role ? coalesce(var.role_name, var.function_name, "*") : null
+
+  # IAM Role trusted entities is a list of any (allow strings (services) and maps (type+identifiers))
+  trusted_entities_services = distinct(compact(concat(
+    slice(["lambda.amazonaws.com", "edgelambda.amazonaws.com"], 0, var.lambda_at_edge ? 2 : 1),
+    [for service in var.trusted_entities : try(tostring(service), "")]
+  )))
+
+  trusted_entities_principals = [
+    for principal in var.trusted_entities : {
+      type        = principal.type
+      identifiers = tolist(principal.identifiers)
+    }
+    if !can(tostring(principal))
+  ]
 }
 
 ###########
@@ -27,7 +41,15 @@ data "aws_iam_policy_document" "assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = distinct(concat(slice(["lambda.amazonaws.com", "edgelambda.amazonaws.com"], 0, var.lambda_at_edge ? 2 : 1), var.trusted_entities))
+      identifiers = local.trusted_entities_services
+    }
+
+    dynamic "principals" {
+      for_each = local.trusted_entities_principals
+      content {
+        type        = principals.value.type
+        identifiers = principals.value.identifiers
+      }
     }
   }
 }

variables.tf

@@ -436,8 +436,8 @@ variable "attach_policy_statements" {
 }
 
 variable "trusted_entities" {
-  description = "Lambda Function additional trusted entities for assuming roles (trust relationship)"
-  type        = list(string)
+  description = "List of additional trusted entities for assuming Lambda Function role (trust relationship)"
+  type        = any
   default     = []
 }