Lack of principal_org_id variable for resource aws_lambda_permission

Question

Lack of principal_org_id variable for resource aws_lambda_permission

tcharewicz opened this issue 2 years ago · 5 comments

Is your request related to a new offering from AWS?

No, it's old feature but not implemented to the lambda module.

Is your request related to a problem? Please describe.

I would like to create lambda with permissions to invoke only by config service from accounts that belong to known organization.

Describe the solution you'd like.

Add variable principal_org_id to resource aws_lambda_permission. Example below.

resource "aws_lambda_permission" "current_version_triggers" {
  for_each = { for k, v in var.allowed_triggers : k => v if local.create && var.create_function && !var.create_layer && var.create_current_version_allowed_triggers }

  function_name = aws_lambda_function.this[0].function_name
  qualifier     = aws_lambda_function.this[0].version

  statement_id       = try(each.value.statement_id, each.key)
  action             = try(each.value.action, "lambda:InvokeFunction")
  principal          = try(each.value.principal, format("%s.amazonaws.com", try(each.value.service, "")))
  principal_org_id   = try(each.value.principal_org_id, null)
  source_arn         = try(each.value.source_arn, null)
  source_account     = try(each.value.source_account, null)
  event_source_token = try(each.value.event_source_token, null)
}

# Error: Error adding new Lambda Permission for lambda: InvalidParameterValueException: We currently do not support adding policies for $LATEST.
resource "aws_lambda_permission" "unqualified_alias_triggers" {
  for_each = { for k, v in var.allowed_triggers : k => v if local.create && var.create_function && !var.create_layer && var.create_unqualified_alias_allowed_triggers }

  function_name = aws_lambda_function.this[0].function_name

  statement_id       = try(each.value.statement_id, each.key)
  action             = try(each.value.action, "lambda:InvokeFunction")
  principal          = try(each.value.principal, format("%s.amazonaws.com", try(each.value.service, "")))
  principal_org_id   = try(each.value.principal_org_id, null)
  source_arn         = try(each.value.source_arn, null)
  source_account     = try(each.value.source_account, null)
  event_source_token = try(each.value.event_source_token, null)
}

Answer 1 · 2023-03-08T14:43:39.000Z

PR for this additional variable #431

Answer 2 · 2023-04-08T00:15:23.000Z

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

Answer 3 · 2023-04-17T23:58:40.000Z

This is still an issue.

Answer 4 · 2023-04-18T09:45:11.000Z

This issue has been resolved in version 4.16.0 🎉

Answer 5 · 2023-05-19T02:11:28.000Z

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.