github.com/mohanarpit/terraform@v0.6.16-0.20160909104007-291f29853544/builtin/providers/aws/resource_aws_lambda_permission_test.go (about) 1 package aws 2 3 import ( 4 "encoding/json" 5 "fmt" 6 "regexp" 7 "strings" 8 "testing" 9 "time" 10 11 "github.com/aws/aws-sdk-go/aws" 12 "github.com/aws/aws-sdk-go/aws/awserr" 13 "github.com/aws/aws-sdk-go/service/lambda" 14 "github.com/hashicorp/terraform/helper/acctest" 15 "github.com/hashicorp/terraform/helper/resource" 16 "github.com/hashicorp/terraform/terraform" 17 ) 18 19 func TestLambdaPermissionUnmarshalling(t *testing.T) { 20 v := LambdaPolicy{} 21 err := json.Unmarshal(testLambdaPolicy, &v) 22 if err != nil { 23 t.Fatalf("Expected no error when unmarshalling: %s", err) 24 } 25 26 expectedSid := "36fe77d9-a4ae-13fb-8beb-5dc6821d5291" 27 if v.Statement[0].Sid != expectedSid { 28 t.Fatalf("Expected Sid to match (%q != %q)", v.Statement[0].Sid, expectedSid) 29 } 30 31 expectedFunctionName := "arn:aws:lambda:eu-west-1:319201112229:function:myCustomFunction" 32 if v.Statement[0].Resource != expectedFunctionName { 33 t.Fatalf("Expected function name to match (%q != %q)", v.Statement[0].Resource, expectedFunctionName) 34 } 35 36 expectedAction := "lambda:InvokeFunction" 37 if v.Statement[0].Action != expectedAction { 38 t.Fatalf("Expected Action to match (%q != %q)", v.Statement[0].Action, expectedAction) 39 } 40 41 expectedPrincipal := "events.amazonaws.com" 42 if v.Statement[0].Principal["Service"] != expectedPrincipal { 43 t.Fatalf("Expected Principal to match (%q != %q)", v.Statement[0].Principal["Service"], expectedPrincipal) 44 } 45 46 expectedSourceAccount := "319201112229" 47 if v.Statement[0].Condition["StringEquals"]["AWS:SourceAccount"] != expectedSourceAccount { 48 t.Fatalf("Expected Source Account to match (%q != %q)", 49 v.Statement[0].Condition["StringEquals"]["AWS:SourceAccount"], 50 expectedSourceAccount) 51 } 52 } 53 54 func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_alias(t *testing.T) { 55 arnWithAlias := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:testalias" 56 expectedQualifier := "testalias" 57 qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithAlias) 58 if err != nil { 59 t.Fatalf("Expected no error when getting qualifier: %s", err) 60 } 61 if qualifier != expectedQualifier { 62 t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier) 63 } 64 } 65 66 func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_version(t *testing.T) { 67 arnWithVersion := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:223" 68 expectedQualifier := "223" 69 qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithVersion) 70 if err != nil { 71 t.Fatalf("Expected no error when getting qualifier: %s", err) 72 } 73 if qualifier != expectedQualifier { 74 t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier) 75 } 76 } 77 78 func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_invalid(t *testing.T) { 79 invalidArn := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name" 80 qualifier, err := getQualifierFromLambdaAliasOrVersionArn(invalidArn) 81 if err == nil { 82 t.Fatalf("Expected error when getting qualifier") 83 } 84 if qualifier != "" { 85 t.Fatalf("Expected qualifier to be empty (%q)", qualifier) 86 } 87 88 // with trailing colon 89 invalidArn = "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:" 90 qualifier, err = getQualifierFromLambdaAliasOrVersionArn(invalidArn) 91 if err == nil { 92 t.Fatalf("Expected error when getting qualifier") 93 } 94 if qualifier != "" { 95 t.Fatalf("Expected qualifier to be empty (%q)", qualifier) 96 } 97 } 98 99 func TestLambdaPermissionGetFunctionNameFromLambdaArn_invalid(t *testing.T) { 100 invalidArn := "arn:aws:lambda:us-west-2:187636751137:function:" 101 fn, err := getFunctionNameFromLambdaArn(invalidArn) 102 if err == nil { 103 t.Fatalf("Expected error when parsing invalid ARN (%q)", invalidArn) 104 } 105 if fn != "" { 106 t.Fatalf("Expected empty string when parsing invalid ARN (%q)", invalidArn) 107 } 108 } 109 110 func TestLambdaPermissionGetFunctionNameFromLambdaArn_valid(t *testing.T) { 111 validArn := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name" 112 fn, err := getFunctionNameFromLambdaArn(validArn) 113 if err != nil { 114 t.Fatalf("Expected no error (%q): %q", validArn, err) 115 } 116 expectedFunctionname := "lambda_function_name" 117 if fn != expectedFunctionname { 118 t.Fatalf("Expected Lambda function name to match (%q != %q)", 119 validArn, expectedFunctionname) 120 } 121 122 // With qualifier 123 validArn = "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:12" 124 fn, err = getFunctionNameFromLambdaArn(validArn) 125 if err != nil { 126 t.Fatalf("Expected no error (%q): %q", validArn, err) 127 } 128 expectedFunctionname = "lambda_function_name" 129 if fn != expectedFunctionname { 130 t.Fatalf("Expected Lambda function name to match (%q != %q)", 131 validArn, expectedFunctionname) 132 } 133 } 134 135 func TestAccAWSLambdaPermission_basic(t *testing.T) { 136 var statement LambdaPolicyStatement 137 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm$") 138 139 resource.Test(t, resource.TestCase{ 140 PreCheck: func() { testAccPreCheck(t) }, 141 Providers: testAccProviders, 142 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 143 Steps: []resource.TestStep{ 144 resource.TestStep{ 145 Config: testAccAWSLambdaPermissionConfig, 146 Check: resource.ComposeTestCheckFunc( 147 testAccCheckLambdaPermissionExists("aws_lambda_permission.allow_cloudwatch", &statement), 148 resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "action", "lambda:InvokeFunction"), 149 resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "principal", "events.amazonaws.com"), 150 resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "statement_id", "AllowExecutionFromCloudWatch"), 151 resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "qualifier", ""), 152 resource.TestMatchResourceAttr("aws_lambda_permission.allow_cloudwatch", "function_name", endsWithFuncName), 153 ), 154 }, 155 }, 156 }) 157 } 158 159 func TestAccAWSLambdaPermission_withRawFunctionName(t *testing.T) { 160 var statement LambdaPolicyStatement 161 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_raw_func_name$") 162 163 resource.Test(t, resource.TestCase{ 164 PreCheck: func() { testAccPreCheck(t) }, 165 Providers: testAccProviders, 166 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 167 Steps: []resource.TestStep{ 168 resource.TestStep{ 169 Config: testAccAWSLambdaPermissionConfig_withRawFunctionName, 170 Check: resource.ComposeTestCheckFunc( 171 testAccCheckLambdaPermissionExists("aws_lambda_permission.with_raw_func_name", &statement), 172 resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "action", "lambda:InvokeFunction"), 173 resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "principal", "events.amazonaws.com"), 174 resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "statement_id", "AllowExecutionWithRawFuncName"), 175 resource.TestMatchResourceAttr("aws_lambda_permission.with_raw_func_name", "function_name", endsWithFuncName), 176 ), 177 }, 178 }, 179 }) 180 } 181 182 func TestAccAWSLambdaPermission_withQualifier(t *testing.T) { 183 var statement LambdaPolicyStatement 184 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_qualifier$") 185 186 resource.Test(t, resource.TestCase{ 187 PreCheck: func() { testAccPreCheck(t) }, 188 Providers: testAccProviders, 189 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 190 Steps: []resource.TestStep{ 191 resource.TestStep{ 192 Config: testAccAWSLambdaPermissionConfig_withQualifier, 193 Check: resource.ComposeTestCheckFunc( 194 testAccCheckLambdaPermissionExists("aws_lambda_permission.with_qualifier", &statement), 195 resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "action", "lambda:InvokeFunction"), 196 resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "principal", "events.amazonaws.com"), 197 resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "statement_id", "AllowExecutionWithQualifier"), 198 resource.TestMatchResourceAttr("aws_lambda_permission.with_qualifier", "function_name", endsWithFuncName), 199 resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "qualifier", "testalias_perm_qualifier"), 200 ), 201 }, 202 }, 203 }) 204 } 205 206 func TestAccAWSLambdaPermission_multiplePerms(t *testing.T) { 207 var firstStatement LambdaPolicyStatement 208 var firstStatementModified LambdaPolicyStatement 209 210 var secondStatement LambdaPolicyStatement 211 var secondStatementModified LambdaPolicyStatement 212 213 var thirdStatement LambdaPolicyStatement 214 215 resource.Test(t, resource.TestCase{ 216 PreCheck: func() { testAccPreCheck(t) }, 217 Providers: testAccProviders, 218 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 219 Steps: []resource.TestStep{ 220 resource.TestStep{ 221 Config: testAccAWSLambdaPermissionConfig_multiplePerms, 222 Check: resource.ComposeTestCheckFunc( 223 // 1st 224 testAccCheckLambdaPermissionExists("aws_lambda_permission.first", &firstStatement), 225 resource.TestCheckResourceAttr("aws_lambda_permission.first", "action", "lambda:InvokeFunction"), 226 resource.TestCheckResourceAttr("aws_lambda_permission.first", "principal", "events.amazonaws.com"), 227 resource.TestCheckResourceAttr("aws_lambda_permission.first", "statement_id", "AllowExecutionFirst"), 228 resource.TestMatchResourceAttr("aws_lambda_permission.first", "function_name", 229 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 230 // 2nd 231 testAccCheckLambdaPermissionExists("aws_lambda_permission.second", &firstStatementModified), 232 resource.TestCheckResourceAttr("aws_lambda_permission.second", "action", "lambda:*"), 233 resource.TestCheckResourceAttr("aws_lambda_permission.second", "principal", "events.amazonaws.com"), 234 resource.TestCheckResourceAttr("aws_lambda_permission.second", "statement_id", "AllowExecutionSecond"), 235 resource.TestMatchResourceAttr("aws_lambda_permission.second", "function_name", 236 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 237 ), 238 }, 239 resource.TestStep{ 240 Config: testAccAWSLambdaPermissionConfig_multiplePermsModified, 241 Check: resource.ComposeTestCheckFunc( 242 // 1st 243 testAccCheckLambdaPermissionExists("aws_lambda_permission.first", &secondStatement), 244 resource.TestCheckResourceAttr("aws_lambda_permission.first", "action", "lambda:InvokeFunction"), 245 resource.TestCheckResourceAttr("aws_lambda_permission.first", "principal", "events.amazonaws.com"), 246 resource.TestCheckResourceAttr("aws_lambda_permission.first", "statement_id", "AllowExecutionFirst"), 247 resource.TestMatchResourceAttr("aws_lambda_permission.first", "function_name", 248 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 249 // 2nd 250 testAccCheckLambdaPermissionExists("aws_lambda_permission.sec0nd", &secondStatementModified), 251 resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "action", "lambda:*"), 252 resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "principal", "events.amazonaws.com"), 253 resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "statement_id", "AllowExecutionSec0nd"), 254 resource.TestMatchResourceAttr("aws_lambda_permission.sec0nd", "function_name", 255 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 256 // 3rd 257 testAccCheckLambdaPermissionExists("aws_lambda_permission.third", &thirdStatement), 258 resource.TestCheckResourceAttr("aws_lambda_permission.third", "action", "lambda:*"), 259 resource.TestCheckResourceAttr("aws_lambda_permission.third", "principal", "events.amazonaws.com"), 260 resource.TestCheckResourceAttr("aws_lambda_permission.third", "statement_id", "AllowExecutionThird"), 261 resource.TestMatchResourceAttr("aws_lambda_permission.third", "function_name", 262 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 263 ), 264 }, 265 }, 266 }) 267 } 268 269 func TestAccAWSLambdaPermission_withS3(t *testing.T) { 270 rInt := acctest.RandInt() 271 272 var statement LambdaPolicyStatement 273 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_s3$") 274 275 resource.Test(t, resource.TestCase{ 276 PreCheck: func() { testAccPreCheck(t) }, 277 Providers: testAccProviders, 278 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 279 Steps: []resource.TestStep{ 280 resource.TestStep{ 281 Config: fmt.Sprintf(testAccAWSLambdaPermissionConfig_withS3_tpl, rInt), 282 Check: resource.ComposeTestCheckFunc( 283 testAccCheckLambdaPermissionExists("aws_lambda_permission.with_s3", &statement), 284 resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "action", "lambda:InvokeFunction"), 285 resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "principal", "s3.amazonaws.com"), 286 resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "statement_id", "AllowExecutionFromS3"), 287 resource.TestMatchResourceAttr("aws_lambda_permission.with_s3", "function_name", endsWithFuncName), 288 resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "source_arn", 289 fmt.Sprintf("arn:aws:s3:::tf-acc-towards-lambda-%d", rInt)), 290 ), 291 }, 292 }, 293 }) 294 } 295 296 func TestAccAWSLambdaPermission_withSNS(t *testing.T) { 297 var statement LambdaPolicyStatement 298 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_sns$") 299 endsWithTopicName := regexp.MustCompile(":tf-acc-user-updates-topic$") 300 301 resource.Test(t, resource.TestCase{ 302 PreCheck: func() { testAccPreCheck(t) }, 303 Providers: testAccProviders, 304 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 305 Steps: []resource.TestStep{ 306 resource.TestStep{ 307 Config: testAccAWSLambdaPermissionConfig_withSNS, 308 Check: resource.ComposeTestCheckFunc( 309 testAccCheckLambdaPermissionExists("aws_lambda_permission.with_sns", &statement), 310 resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "action", "lambda:InvokeFunction"), 311 resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "principal", "sns.amazonaws.com"), 312 resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "statement_id", "AllowExecutionFromSNS"), 313 resource.TestMatchResourceAttr("aws_lambda_permission.with_sns", "function_name", endsWithFuncName), 314 resource.TestMatchResourceAttr("aws_lambda_permission.with_sns", "source_arn", endsWithTopicName), 315 ), 316 }, 317 }, 318 }) 319 } 320 321 func testAccCheckLambdaPermissionExists(n string, statement *LambdaPolicyStatement) resource.TestCheckFunc { 322 return func(s *terraform.State) error { 323 rs, ok := s.RootModule().Resources[n] 324 if !ok { 325 return fmt.Errorf("Not found: %s", n) 326 } 327 328 conn := testAccProvider.Meta().(*AWSClient).lambdaconn 329 330 // IAM is eventually consistent 331 var foundStatement *LambdaPolicyStatement 332 err := resource.Retry(5*time.Minute, func() *resource.RetryError { 333 var err error 334 foundStatement, err = lambdaPermissionExists(rs, conn) 335 if err != nil { 336 if strings.HasPrefix(err.Error(), "ResourceNotFoundException") { 337 return resource.RetryableError(err) 338 } 339 if strings.HasPrefix(err.Error(), "Lambda policy not found") { 340 return resource.RetryableError(err) 341 } 342 if strings.HasPrefix(err.Error(), "Failed to find statement") { 343 return resource.RetryableError(err) 344 } 345 return resource.NonRetryableError(err) 346 } 347 return nil 348 }) 349 if err != nil { 350 return err 351 } 352 353 *statement = *foundStatement 354 355 return nil 356 } 357 } 358 359 func testAccCheckAWSLambdaPermissionDestroy(s *terraform.State) error { 360 conn := testAccProvider.Meta().(*AWSClient).lambdaconn 361 362 for _, rs := range s.RootModule().Resources { 363 if rs.Type != "aws_lambda_permission" { 364 continue 365 } 366 367 // IAM is eventually consistent 368 err := resource.Retry(5*time.Minute, func() *resource.RetryError { 369 err := isLambdaPermissionGone(rs, conn) 370 if err != nil { 371 if !strings.HasPrefix(err.Error(), "Error unmarshalling Lambda policy") { 372 return resource.RetryableError(err) 373 } 374 return resource.NonRetryableError(err) 375 } 376 return nil 377 }) 378 if err != nil { 379 return err 380 } 381 } 382 383 return nil 384 } 385 386 func isLambdaPermissionGone(rs *terraform.ResourceState, conn *lambda.Lambda) error { 387 params := &lambda.GetPolicyInput{ 388 FunctionName: aws.String(rs.Primary.Attributes["function_name"]), 389 } 390 if v, ok := rs.Primary.Attributes["qualifier"]; ok { 391 params.Qualifier = aws.String(v) 392 } 393 394 resp, err := conn.GetPolicy(params) 395 if awsErr, ok := err.(awserr.Error); ok { 396 if awsErr.Code() == "ResourceNotFoundException" { 397 // no policy found => all statements deleted 398 return nil 399 } 400 } 401 if err != nil { 402 return fmt.Errorf("Unexpected error when checking existence of Lambda permission: %s\n%s", 403 rs.Primary.ID, err) 404 } 405 406 policyInBytes := []byte(*resp.Policy) 407 policy := LambdaPolicy{} 408 err = json.Unmarshal(policyInBytes, &policy) 409 if err != nil { 410 return fmt.Errorf("Error unmarshalling Lambda policy (%s): %s", *resp.Policy, err) 411 } 412 413 state, err := findLambdaPolicyStatementById(&policy, rs.Primary.ID) 414 if err != nil { 415 // statement not found => deleted 416 return nil 417 } 418 419 return fmt.Errorf("Policy statement expected to be gone (%s):\n%s", 420 rs.Primary.ID, *state) 421 } 422 423 func lambdaPermissionExists(rs *terraform.ResourceState, conn *lambda.Lambda) (*LambdaPolicyStatement, error) { 424 params := &lambda.GetPolicyInput{ 425 FunctionName: aws.String(rs.Primary.Attributes["function_name"]), 426 } 427 if v, ok := rs.Primary.Attributes["qualifier"]; ok { 428 params.Qualifier = aws.String(v) 429 } 430 431 resp, err := conn.GetPolicy(params) 432 if err != nil { 433 return nil, fmt.Errorf("Lambda policy not found: %q", err) 434 } 435 436 if resp.Policy == nil { 437 return nil, fmt.Errorf("Received Lambda policy is empty") 438 } 439 440 policyInBytes := []byte(*resp.Policy) 441 policy := LambdaPolicy{} 442 err = json.Unmarshal(policyInBytes, &policy) 443 if err != nil { 444 return nil, fmt.Errorf("Error unmarshalling Lambda policy: %s", err) 445 } 446 447 return findLambdaPolicyStatementById(&policy, rs.Primary.ID) 448 } 449 450 var testAccAWSLambdaPermissionConfig = ` 451 resource "aws_lambda_permission" "allow_cloudwatch" { 452 statement_id = "AllowExecutionFromCloudWatch" 453 action = "lambda:InvokeFunction" 454 function_name = "${aws_lambda_function.test_lambda.arn}" 455 principal = "events.amazonaws.com" 456 } 457 458 resource "aws_lambda_function" "test_lambda" { 459 filename = "test-fixtures/lambdatest.zip" 460 function_name = "lambda_function_name_perm" 461 role = "${aws_iam_role.iam_for_lambda.arn}" 462 handler = "exports.handler" 463 } 464 465 resource "aws_iam_role" "iam_for_lambda" { 466 name = "iam_for_lambda_perm" 467 assume_role_policy = <<EOF 468 { 469 "Version": "2012-10-17", 470 "Statement": [ 471 { 472 "Action": "sts:AssumeRole", 473 "Principal": { 474 "Service": "lambda.amazonaws.com" 475 }, 476 "Effect": "Allow", 477 "Sid": "" 478 } 479 ] 480 } 481 EOF 482 } 483 ` 484 485 var testAccAWSLambdaPermissionConfig_withRawFunctionName = ` 486 resource "aws_lambda_permission" "with_raw_func_name" { 487 statement_id = "AllowExecutionWithRawFuncName" 488 action = "lambda:InvokeFunction" 489 function_name = "${aws_lambda_function.test_lambda.arn}" 490 principal = "events.amazonaws.com" 491 } 492 493 resource "aws_lambda_function" "test_lambda" { 494 filename = "test-fixtures/lambdatest.zip" 495 function_name = "lambda_function_name_perm_raw_func_name" 496 role = "${aws_iam_role.iam_for_lambda.arn}" 497 handler = "exports.handler" 498 } 499 500 resource "aws_iam_role" "iam_for_lambda" { 501 name = "iam_for_lambda_perm_raw_func_name" 502 assume_role_policy = <<EOF 503 { 504 "Version": "2012-10-17", 505 "Statement": [ 506 { 507 "Action": "sts:AssumeRole", 508 "Principal": { 509 "Service": "lambda.amazonaws.com" 510 }, 511 "Effect": "Allow", 512 "Sid": "" 513 } 514 ] 515 } 516 EOF 517 } 518 ` 519 520 var testAccAWSLambdaPermissionConfig_withQualifier = ` 521 resource "aws_lambda_permission" "with_qualifier" { 522 statement_id = "AllowExecutionWithQualifier" 523 action = "lambda:InvokeFunction" 524 function_name = "${aws_lambda_function.test_lambda.arn}" 525 principal = "events.amazonaws.com" 526 source_account = "111122223333" 527 source_arn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily" 528 qualifier = "${aws_lambda_alias.test_alias.name}" 529 } 530 531 resource "aws_lambda_alias" "test_alias" { 532 name = "testalias_perm_qualifier" 533 description = "a sample description" 534 function_name = "${aws_lambda_function.test_lambda.arn}" 535 function_version = "$LATEST" 536 } 537 538 resource "aws_lambda_function" "test_lambda" { 539 filename = "test-fixtures/lambdatest.zip" 540 function_name = "lambda_function_name_perm_qualifier" 541 role = "${aws_iam_role.iam_for_lambda.arn}" 542 handler = "exports.handler" 543 } 544 545 resource "aws_iam_role" "iam_for_lambda" { 546 name = "iam_for_lambda_perm_qualifier" 547 assume_role_policy = <<EOF 548 { 549 "Version": "2012-10-17", 550 "Statement": [ 551 { 552 "Action": "sts:AssumeRole", 553 "Principal": { 554 "Service": "lambda.amazonaws.com" 555 }, 556 "Effect": "Allow", 557 "Sid": "" 558 } 559 ] 560 } 561 EOF 562 } 563 ` 564 565 var testAccAWSLambdaPermissionConfig_multiplePerms_tpl = ` 566 resource "aws_lambda_permission" "first" { 567 statement_id = "AllowExecutionFirst" 568 action = "lambda:InvokeFunction" 569 function_name = "${aws_lambda_function.test_lambda.arn}" 570 principal = "events.amazonaws.com" 571 } 572 573 resource "aws_lambda_permission" "%s" { 574 statement_id = "%s" 575 action = "lambda:*" 576 function_name = "${aws_lambda_function.test_lambda.arn}" 577 principal = "events.amazonaws.com" 578 } 579 %s 580 581 resource "aws_lambda_function" "test_lambda" { 582 filename = "test-fixtures/lambdatest.zip" 583 function_name = "lambda_function_name_perm_multiperms" 584 role = "${aws_iam_role.iam_for_lambda.arn}" 585 handler = "exports.handler" 586 } 587 588 resource "aws_iam_role" "iam_for_lambda" { 589 name = "iam_for_lambda_perm_multi_perms" 590 assume_role_policy = <<EOF 591 { 592 "Version": "2012-10-17", 593 "Statement": [ 594 { 595 "Action": "sts:AssumeRole", 596 "Principal": { 597 "Service": "lambda.amazonaws.com" 598 }, 599 "Effect": "Allow", 600 "Sid": "" 601 } 602 ] 603 } 604 EOF 605 } 606 ` 607 608 var testAccAWSLambdaPermissionConfig_multiplePerms = fmt.Sprintf( 609 testAccAWSLambdaPermissionConfig_multiplePerms_tpl, "second", "AllowExecutionSecond", "") 610 var testAccAWSLambdaPermissionConfig_multiplePermsModified = fmt.Sprintf( 611 testAccAWSLambdaPermissionConfig_multiplePerms_tpl, "sec0nd", "AllowExecutionSec0nd", ` 612 resource "aws_lambda_permission" "third" { 613 statement_id = "AllowExecutionThird" 614 action = "lambda:*" 615 function_name = "${aws_lambda_function.test_lambda.arn}" 616 principal = "events.amazonaws.com" 617 }`) 618 619 var testAccAWSLambdaPermissionConfig_withS3_tpl = ` 620 resource "aws_lambda_permission" "with_s3" { 621 statement_id = "AllowExecutionFromS3" 622 action = "lambda:InvokeFunction" 623 function_name = "${aws_lambda_function.my-func.arn}" 624 principal = "s3.amazonaws.com" 625 source_arn = "${aws_s3_bucket.default.arn}" 626 } 627 628 resource "aws_s3_bucket" "default" { 629 bucket = "tf-acc-towards-lambda-%d" 630 acl = "private" 631 } 632 633 resource "aws_lambda_function" "my-func" { 634 filename = "test-fixtures/lambdatest.zip" 635 function_name = "lambda_function_name_perm_s3" 636 role = "${aws_iam_role.police.arn}" 637 handler = "exports.handler" 638 } 639 640 resource "aws_iam_role" "police" { 641 name = "iam_for_lambda_perm_with_s3" 642 assume_role_policy = <<EOF 643 { 644 "Version": "2012-10-17", 645 "Statement": [ 646 { 647 "Action": "sts:AssumeRole", 648 "Principal": { 649 "Service": "lambda.amazonaws.com" 650 }, 651 "Effect": "Allow", 652 "Sid": "" 653 } 654 ] 655 } 656 EOF 657 } 658 ` 659 660 var testAccAWSLambdaPermissionConfig_withSNS = ` 661 resource "aws_lambda_permission" "with_sns" { 662 statement_id = "AllowExecutionFromSNS" 663 action = "lambda:InvokeFunction" 664 function_name = "${aws_lambda_function.my-func.arn}" 665 principal = "sns.amazonaws.com" 666 source_arn = "${aws_sns_topic.default.arn}" 667 } 668 669 resource "aws_sns_topic" "default" { 670 name = "tf-acc-user-updates-topic" 671 } 672 673 resource "aws_sns_topic_subscription" "lambda" { 674 topic_arn = "${aws_sns_topic.default.arn}" 675 protocol = "lambda" 676 endpoint = "${aws_lambda_function.my-func.arn}" 677 } 678 679 resource "aws_lambda_function" "my-func" { 680 filename = "test-fixtures/lambdatest.zip" 681 function_name = "lambda_function_name_perm_sns" 682 role = "${aws_iam_role.police.arn}" 683 handler = "exports.handler" 684 } 685 686 resource "aws_iam_role" "police" { 687 name = "iam_for_lambda_perm_with_sns" 688 assume_role_policy = <<EOF 689 { 690 "Version": "2012-10-17", 691 "Statement": [ 692 { 693 "Action": "sts:AssumeRole", 694 "Principal": { 695 "Service": "lambda.amazonaws.com" 696 }, 697 "Effect": "Allow", 698 "Sid": "" 699 } 700 ] 701 } 702 EOF 703 } 704 ` 705 706 var testLambdaPolicy = []byte(`{ 707 "Version": "2012-10-17", 708 "Statement": [ 709 { 710 "Condition": { 711 "StringEquals": {"AWS:SourceAccount": "319201112229"}, 712 "ArnLike":{"AWS:SourceArn":"arn:aws:events:eu-west-1:319201112229:rule/RunDaily"} 713 }, 714 "Action": "lambda:InvokeFunction", 715 "Resource": "arn:aws:lambda:eu-west-1:319201112229:function:myCustomFunction", 716 "Effect": "Allow", 717 "Principal": {"Service":"events.amazonaws.com"}, 718 "Sid": "36fe77d9-a4ae-13fb-8beb-5dc6821d5291" 719 } 720 ], 721 "Id":"default" 722 }`)