From ffcd0827f99ba8c4d3ea44c144f70988ccd2d4d7 Mon Sep 17 00:00:00 2001
From: Rory Nolan
Date: Wed, 30 Jul 2025 05:33:14 -0700
Subject: [PATCH 1/4] feat: add optional source_account to lambda permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Make both source_arn and source_account optional in invoke_function_permissions
- Add comprehensive documentation for all permission fields
- Update complete example to demonstrate source_account usage
- Maintain backward compatibility with existing configurations
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 examples/complete/main.tf | 5 +++--
 lambda-permissions.tf | 9 +++++----
 variables.tf | 13 ++++++++++---
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index b678c53..fb32465 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -105,8 +105,9 @@ module "lambda" {
 invoke_function_permissions = [
 {
- principal = "s3.amazonaws.com"
- source_arn = join("", aws_s3_bucket.example[*].arn)
+ principal = "s3.amazonaws.com"
+ source_arn = join("", aws_s3_bucket.example[*].arn)
+ source_account = join("", data.aws_caller_identity.current[*].account_id)
 }
 ]
diff --git a/lambda-permissions.tf b/lambda-permissions.tf
index a8cd24b..eee87a4 100644
--- a/lambda-permissions.tf
+++ b/lambda-permissions.tf
@@ -1,8 +1,9 @@
 resource "aws_lambda_permission" "invoke_function" {
 for_each = local.enabled ? { for i, permission in var.invoke_function_permissions : i => permission } : {}
- action = "lambda:InvokeFunction"
- function_name = aws_lambda_function.this[0].function_name
- principal = each.value.principal
- source_arn = each.value.source_arn
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.this[0].function_name
+ principal = each.value.principal
+ source_arn = each.value.source_arn
+ source_account = each.value.source_account
 }
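Review bot: The new `source_account = each.value.source_account` line in the lambda-permissions.tf hunk, combined with the variables.tf hunk that turns both `source_arn` and `source_account` into `optional(string)`, lets a caller declare a permission with a service principal such as `s3.amazonaws.com` and no source condition at all; the resulting function policy then allows any resource of that service in any AWS account to invoke the function, which is the confused-deputy case the SourceArn/SourceAccount conditions exist to prevent, and before this patch `source_arn` was a required `string` so it could not be expressed. The description added in PATCH 4/4 only advises setting `source_account`, and the module has no check. I would enforce at least one condition for service principals with a `precondition` on this resource so the plan fails instead of producing a publicly invocable function; `precondition` and `endswith` need Terraform >= 1.2 / 1.3, which the `optional()` attributes already imply and which is below the `>= 1.4` floor the later patches set for the examples (the root module's own `required_version` is not in this series, so confirm it). An account principal (a bare account ID) is deliberately exempt from the check.

```hcl
resource "aws_lambda_permission" "invoke_function" {
  # … unchanged: for_each and the action/function_name/principal/source_arn/source_account arguments …

  lifecycle {
    precondition {
      # A service principal with neither source_arn nor source_account is not
      # scoped to any resource or account: anything in that service may invoke.
      condition = (
        !endswith(each.value.principal, ".amazonaws.com")
        || each.value.source_arn != null
        || each.value.source_account != null
      )
      error_message = "invoke_function_permissions: a service principal must set source_arn and/or source_account."
    }
  }
}
```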
diff --git a/variables.tf b/variables.tf
index c8bfbb0..0105767 100644
--- a/variables.tf
+++ b/variables.tf
@@ -248,9 +248,16 @@ variable "inline_iam_policy" {
 variable "invoke_function_permissions" {
 type = list(object({
- principal = string
- source_arn = string
+ principal = string
+ source_arn = optional(string)
+ source_account = optional(string)
 }))
- description = "Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission. NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module"
+ description = <
Date: Tue, 5 Aug 2025 10:40:02 -0700
Subject: [PATCH 2/4] Require terraform >= 1.4
---
 examples/complete/versions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index c6da977..9e3d479 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.14"
+ required_version = ">= 1.4"
 required_providers {
 aws = {
From cb84881ee532ecf369166fafe4ceb59da4deff52 Mon Sep 17 00:00:00 2001
From: Rory Nolan
Date: Tue, 5 Aug 2025 10:40:30 -0700
Subject: [PATCH 3/4] Require terraform >= 1.4
---
 examples/docker-image/versions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/docker-image/versions.tf b/examples/docker-image/versions.tf
index b78d471..8eba512 100644
--- a/examples/docker-image/versions.tf
+++ b/examples/docker-image/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.14"
+ required_version = ">= 1.4"
 required_providers {
 aws = {
From d896fae96160a3e20693fe0588fe9f47d86811f3 Mon Sep 17 00:00:00 2001
From: Rory Nolan
Date: Tue, 5 Aug 2025 10:43:12 -0700
Subject: [PATCH 4/4] Clarify that source_account must be set to satisfy config rule
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 0105767..647f894 100644
--- a/variables.tf
+++ b/variables.tf
@@ -256,7 +256,7 @@ variable "invoke_function_permissions" {
 Defines which external source(s) can invoke this function (action 'lambda:InvokeFunction'). Attributes map to those of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission.
 - principal: The AWS service or account that will invoke the function
 - source_arn: (Optional) The ARN of the specific resource that will invoke the function
- - source_account: (Optional) The AWS account ID that is allowed to invoke the function. Used to restrict cross-account access when needed.
+ - source_account: (Optional) The AWS account ID that is allowed to invoke the function. Used to restrict cross-account access when needed. This must be specified to satisfy the config rule [lambda-function-public-access-prohibited](https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-public-access-prohibited.html).
 NOTE: to keep things simple, we only expose a subset of said attributes. If a more complex configuration is needed, declare the necessary lambda permissions outside of this module
 EOF
 default = []