
Commit 46076c1

committed
handle existing package + update example
1 parent c193923 commit 46076c1

2 files changed

+22
-34
lines changed


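--- a/examples/code-signing/main.tf
+++ b/examples/code-signing/main.tf
@@ -1,3 +1,6 @@
+locals {
+lambda_code_signing_profile_name = replace(random_pet.this.id, "-", "")
+}
 provider "aws" {
 region = "eu-west-1"
 
@@ -14,21 +17,23 @@ provider "aws" {
 module "lambda" {
 source = "../../"
 
-function_name = random_pet.this.id
-handler = "index.lambda_handler"
-runtime = "python3.12"
-code_signing_config_arn = aws_lambda_code_signing_config.this.arn
-create_package = false
+function_name = random_pet.this.id
+handler = "index.lambda_handler"
+runtime = "python3.12"
+create_package = false
+enable_code_signing = true
+code_signing_config_arn = aws_lambda_code_signing_config.this.arn
+lambda_code_signing_profile_name = local.lambda_code_signing_profile_name
+s3_signing_prefix = "signed/"
 
+store_on_s3 = true
 s3_existing_package = {
-bucket = aws_signer_signing_job.this.signed_object[0].s3[0].bucket
-key = aws_signer_signing_job.this.signed_object[0].s3[0].key
+bucket = module.s3_bucket.s3_bucket_id
+key = aws_s3_object.unsigned.key
+version_id = aws_s3_object.unsigned.version_id
 }
-}
 
-################################################################################
-# Lambda Code Signing
-################################################################################
+}
 
 resource "aws_s3_object" "unsigned" {
 bucket = module.s3_bucket.s3_bucket_id
@@ -41,38 +46,21 @@ resource "aws_s3_object" "unsigned" {
 ]
 }
 
+# ################################################################################
+# # Lambda Code Signing
+# ################################################################################
+
 resource "aws_signer_signing_profile" "this" {
 platform_id = "AWSLambda-SHA384-ECDSA"
 # invalid value for name (must be alphanumeric with max length of 64 characters)
-name = replace(random_pet.this.id, "-", "")
+name = local.lambda_code_signing_profile_name
 
 signature_validity_period {
 value = 3
 type = "MONTHS"
 }
 }
 
-resource "aws_signer_signing_job" "this" {
-profile_name = aws_signer_signing_profile.this.name
-
-source {
-s3 {
-bucket = module.s3_bucket.s3_bucket_id
-key = aws_s3_object.unsigned.id
-version = aws_s3_object.unsigned.version_id
-}
-}
-
-destination {
-s3 {
-bucket = module.s3_bucket.s3_bucket_id
-prefix = "signed/"
-}
-}
-
-ignore_signing_job_failure = true
-}
-
 resource "aws_lambda_code_signing_config" "this" {
 allowed_publishers {
 signing_profile_version_arns = [aws_signer_signing_profile.this.version_arn]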
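Review bot: The example now hands the module the unsigned object with `version_id = aws_s3_object.unsigned.version_id`, but nothing in this section shows that `module.s3_bucket` has versioning enabled; if it does not, `version_id` is null and the signing step can no longer be pinned to the exact bytes that were uploaded — the `aws_signer_signing_job` removed further down required `version` on its S3 source for that reason, and the module's internal job presumably does too. I would state the requirement on the `s3_existing_package` block: `# The bucket must be versioned: code signing pins the source to this version_id so the artifact cannot be swapped between upload and signing.` The commented-out banner around `# # Lambda Code Signing` now reads as a comment inside a comment; either restore the plain banner or drop it. The `# invalid value for name ...` comment in `aws_signer_signing_profile` explains the `replace()` that has moved into `locals`, so it belongs next to `lambda_code_signing_profile_name` now.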
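--- a/main.tf
+++ b/main.tf
@@ -20,7 +20,7 @@ locals {
 s3_object_version = var.s3_existing_package != null ? try(var.s3_existing_package.version_id, null) : (var.store_on_s3 ? try(aws_s3_object.lambda_package[0].version_id, null) : null)
 
 # s3_signing
-s3_signing_enabled = local.create && var.store_on_s3 && var.create_package && var.enable_code_signing && var.lambda_code_signing_profile_name != null
+s3_signing_enabled = local.s3_key != null && local.s3_bucket != null && var.enable_code_signing && var.lambda_code_signing_profile_name != null
 s3_signing_bucket = var.s3_signing_bucket != null && local.s3_signing_enabled ? var.s3_signing_bucket : local.s3_bucket
 s3_signing_prefix = var.s3_signing_prefix != null && local.s3_signing_enabled ? var.s3_signing_prefix : (var.s3_prefix != null ? var.s3_prefix : "")
 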
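Review bot: The new `s3_signing_enabled` condition no longer includes `local.create`, so with `create = false` whatever signing resources are gated on this local (presumably via `count`, outside this hunk) would still be created as long as a bucket and key resolve; keep the guard: `s3_signing_enabled = local.create && local.s3_key != null && local.s3_bucket != null && var.enable_code_signing && var.lambda_code_signing_profile_name != null`. It also does not require `local.s3_object_version != null`: an existing package in an unversioned bucket passes the check, yet a signing job cannot pin an unversioned S3 source, so either add that term or document that `s3_existing_package` must carry a `version_id` when code signing is enabled. The `# s3_signing` comment could say what the flag gates, e.g. `# s3_signing: sign the package at local.s3_bucket/local.s3_key (existing or freshly uploaded) before deployment`. The enclosing `locals` block starts and ends outside the hunk.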