
Commit f86cdf4

♻️ Use inline instead of managed policies
1 parent 1d12240 commit f86cdf4


3 files changed

+18
-78
lines changed


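--- a/README.md
+++ b/README.md
@@ -689,23 +689,17 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.additional_many](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.additional_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_event_source_mapping.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |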

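--- a/iam.tf
+++ b/iam.tf
@@ -131,20 +131,12 @@ data "aws_iam_policy_document" "logs" {
 }
 }
 
-resource "aws_iam_policy" "logs" {
+resource "aws_iam_role_policy" "logs" {
 count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0
 
 name = "${local.policy_name}-logs"
-path = var.policy_path
+role = aws_iam_role.lambda[0].name
 policy = data.aws_iam_policy_document.logs[0].json
-tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "logs" {
-count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0
-
-role = aws_iam_role.lambda[0].name
-policy_arn = aws_iam_policy.logs[0].arn
 }
 
 #####################
@@ -168,20 +160,12 @@ data "aws_iam_policy_document" "dead_letter" {
 }
 }
 
-resource "aws_iam_policy" "dead_letter" {
+resource "aws_iam_role_policy" "dead_letter" {
 count = local.create_role && var.attach_dead_letter_policy ? 1 : 0
 
 name = "${local.policy_name}-dl"
-path = var.policy_path
+role = aws_iam_role.lambda[0].name
 policy = data.aws_iam_policy_document.dead_letter[0].json
-tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "dead_letter" {
-count = local.create_role && var.attach_dead_letter_policy ? 1 : 0
-
-role = aws_iam_role.lambda[0].name
-policy_arn = aws_iam_policy.dead_letter[0].arn
 }
 
 ######
@@ -259,60 +243,36 @@ data "aws_iam_policy_document" "async" {
 }
 }
 
-resource "aws_iam_policy" "async" {
+resource "aws_iam_role_policy" "async" {
 count = local.create_role && var.attach_async_event_policy ? 1 : 0
 
 name = "${local.policy_name}-async"
-path = var.policy_path
+role = aws_iam_role.lambda[0].name
 policy = data.aws_iam_policy_document.async[0].json
-tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "async" {
-count = local.create_role && var.attach_async_event_policy ? 1 : 0
-
-role = aws_iam_role.lambda[0].name
-policy_arn = aws_iam_policy.async[0].arn
 }
 
 ###########################
 # Additional policy (JSON)
 ###########################
 
-resource "aws_iam_policy" "additional_json" {
+resource "aws_iam_role_policy" "additional_json" {
 count = local.create_role && var.attach_policy_json ? 1 : 0
 
 name = local.policy_name
-path = var.policy_path
+role = aws_iam_role.lambda[0].name
 policy = var.policy_json
-tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "additional_json" {
-count = local.create_role && var.attach_policy_json ? 1 : 0
-
-role = aws_iam_role.lambda[0].name
-policy_arn = aws_iam_policy.additional_json[0].arn
 }
 
 #####################################
 # Additional policies (list of JSON)
 #####################################
 
-resource "aws_iam_policy" "additional_jsons" {
+resource "aws_iam_role_policy" "additional_jsons" {
 count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
 
 name = "${local.policy_name}-${count.index}"
-path = var.policy_path
+role = aws_iam_role.lambda[0].name
 policy = var.policy_jsons[count.index]
-tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "additional_jsons" {
-count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
-
-role = aws_iam_role.lambda[0].name
-policy_arn = aws_iam_policy.additional_jsons[count.index].arn
 }
 
 ###########################
@@ -383,18 +343,10 @@ data "aws_iam_policy_document" "additional_inline" {
 }
 }
 
-resource "aws_iam_policy" "additional_inline" {
+resource "aws_iam_role_policy" "additional_inline" {
 count = local.create_role && var.attach_policy_statements ? 1 : 0
 
 name = "${local.policy_name}-inline"
-path = var.policy_path
+role = aws_iam_role.lambda[0].name
 policy = data.aws_iam_policy_document.additional_inline[0].json
-tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "additional_inline" {
-count = local.create_role && var.attach_policy_statements ? 1 : 0
-
-role = aws_iam_role.lambda[0].name
-policy_arn = aws_iam_policy.additional_inline[0].arn
 }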
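Review bot: The six new `aws_iam_role_policy` resources in this file are not referenced from the Lambda function's `depends_on` in main.tf, which this commit only trims, so `aws_lambda_function.this` can now be created before its `logs`, `dead_letter`, `async` and additional inline policies exist, and the comment kept there ("Before the lambda is created the execution role with all its policies should be ready") no longer holds. Listing the inline resources (`aws_iam_role_policy.logs`, `.dead_letter`, `.async`, `.additional_json`, `.additional_jsons`, `.additional_inline`) alongside the remaining attachments restores that ordering. Two consequences of the switch also deserve a comment above the `additional_jsons` resource: inline policies share one per-role aggregate size quota (10,240 characters), so a set of `policy_jsons` that fit as separate managed policies may now fail at apply time, and `var.tags` is no longer applied because inline policies cannot be tagged, e.g. `# Inline policies count against the role's aggregate size quota and cannot be tagged.`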

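--- a/main.tf
+++ b/main.tf
@@ -153,14 +153,8 @@ resource "aws_lambda_function" "this" {
 aws_cloudwatch_log_group.lambda,
 
 # Before the lambda is created the execution role with all its policies should be ready
-aws_iam_role_policy_attachment.additional_inline,
-aws_iam_role_policy_attachment.additional_json,
-aws_iam_role_policy_attachment.additional_jsons,
 aws_iam_role_policy_attachment.additional_many,
 aws_iam_role_policy_attachment.additional_one,
-aws_iam_role_policy_attachment.async,
-aws_iam_role_policy_attachment.logs,
-aws_iam_role_policy_attachment.dead_letter,
 aws_iam_role_policy_attachment.vpc,
 aws_iam_role_policy_attachment.tracing,
 ]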
