Lack of principal_org_id variable for resource aws_lambda_permission
tcharewicz opened this issue · 5 comments
Is your request related to a new offering from AWS?
No, it's an old feature, but it is not implemented in the lambda module.
Is your request related to a problem? Please describe.
I would like to create a lambda with permissions to be invoked only by the Config service from accounts that belong to a known organization.
Describe the solution you'd like.
Add variable principal_org_id to resource aws_lambda_permission. Example below.
```hcl
resource "aws_lambda_permission" "current_version_triggers" {
  for_each = { for k, v in var.allowed_triggers : k => v if local.create && var.create_function && !var.create_layer && var.create_current_version_allowed_triggers }

  function_name = aws_lambda_function.this[0].function_name
  qualifier     = aws_lambda_function.this[0].version

  statement_id       = try(each.value.statement_id, each.key)
  action             = try(each.value.action, "lambda:InvokeFunction")
  principal          = try(each.value.principal, format("%s.amazonaws.com", try(each.value.service, "")))
  principal_org_id   = try(each.value.principal_org_id, null)
  source_arn         = try(each.value.source_arn, null)
  source_account     = try(each.value.source_account, null)
  event_source_token = try(each.value.event_source_token, null)
}

# Error: Error adding new Lambda Permission for lambda: InvalidParameterValueException: We currently do not support adding policies for $LATEST.
resource "aws_lambda_permission" "unqualified_alias_triggers" {
  for_each = { for k, v in var.allowed_triggers : k => v if local.create && var.create_function && !var.create_layer && var.create_unqualified_alias_allowed_triggers }

  function_name = aws_lambda_function.this[0].function_name

  statement_id       = try(each.value.statement_id, each.key)
  action             = try(each.value.action, "lambda:InvokeFunction")
  principal          = try(each.value.principal, format("%s.amazonaws.com", try(each.value.service, "")))
  principal_org_id   = try(each.value.principal_org_id, null)
  source_arn         = try(each.value.source_arn, null)
  source_account     = try(each.value.source_account, null)
  event_source_token = try(each.value.event_source_token, null)
}
```
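As an added illustration of how the requested `principal_org_id` key would be used from the caller's side (example configuration, not code from the issue or from the module), the weak trigger that any account's Config service can fire is shown next to the org-scoped one. The module source, version constraint, function settings and the `o-example12345` organization id are placeholders chosen for this example.

```hcl
# Added example: calling the lambda module with an allowed_triggers entry
# that carries principal_org_id. Every key in allowed_triggers becomes one
# aws_lambda_permission statement in the function's resource-based policy.
# Placeholders: module version, function settings, "o-example12345".

module "config_rule_evaluator" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "~> 4.16" # first version with principal_org_id per this issue

  function_name = "config-rule-evaluator"
  handler       = "index.handler"
  runtime       = "python3.9"
  source_path   = "${path.module}/src"

  allowed_triggers = {
    # Weak: principal resolves to config.amazonaws.com with no further
    # restriction, so the Config service acting for ANY AWS account may
    # invoke the function (classic confused-deputy exposure).
    # ConfigAnyAccount = {
    #   service = "config"
    # }

    # Hardened: same service principal, but the permission statement now
    # carries a Condition on aws:PrincipalOrgID, limiting invocations to
    # principals belonging to the named organization.
    ConfigFromOrg = {
      service          = "config"
      principal_org_id = "o-example12345"
    }
  }
}
```

After `terraform apply`, `aws lambda get-policy --function-name config-rule-evaluator` returns the generated policy; the `ConfigFromOrg` statement should contain a `Condition` block with `aws:PrincipalOrgID` set to the organization id, which is the check that confirms the scoping took effect.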
PR for this additional variable #431
This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days
This is still an issue.
This issue has been resolved in version 4.16.0 🎉
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.