github.com/pbthorste/terraform@v0.8.6-0.20170127005045-deb56bd93da2/builtin/providers/aws/resource_aws_lambda_permission_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"encoding/json"
     5  	"fmt"
     6  	"regexp"
     7  	"strings"
     8  	"testing"
     9  	"time"
    10  
    11  	"github.com/aws/aws-sdk-go/aws"
    12  	"github.com/aws/aws-sdk-go/aws/awserr"
    13  	"github.com/aws/aws-sdk-go/service/lambda"
    14  	"github.com/hashicorp/terraform/helper/acctest"
    15  	"github.com/hashicorp/terraform/helper/resource"
    16  	"github.com/hashicorp/terraform/terraform"
    17  )
    18  
    19  func TestLambdaPermissionUnmarshalling(t *testing.T) {
    20  	v := LambdaPolicy{}
    21  	err := json.Unmarshal(testLambdaPolicy, &v)
    22  	if err != nil {
    23  		t.Fatalf("Expected no error when unmarshalling: %s", err)
    24  	}
    25  
    26  	expectedSid := "36fe77d9-a4ae-13fb-8beb-5dc6821d5291"
    27  	if v.Statement[0].Sid != expectedSid {
    28  		t.Fatalf("Expected Sid to match (%q != %q)", v.Statement[0].Sid, expectedSid)
    29  	}
    30  
    31  	expectedFunctionName := "arn:aws:lambda:eu-west-1:319201112229:function:myCustomFunction"
    32  	if v.Statement[0].Resource != expectedFunctionName {
    33  		t.Fatalf("Expected function name to match (%q != %q)", v.Statement[0].Resource, expectedFunctionName)
    34  	}
    35  
    36  	expectedAction := "lambda:InvokeFunction"
    37  	if v.Statement[0].Action != expectedAction {
    38  		t.Fatalf("Expected Action to match (%q != %q)", v.Statement[0].Action, expectedAction)
    39  	}
    40  
    41  	expectedPrincipal := "events.amazonaws.com"
    42  	if v.Statement[0].Principal["Service"] != expectedPrincipal {
    43  		t.Fatalf("Expected Principal to match (%q != %q)", v.Statement[0].Principal["Service"], expectedPrincipal)
    44  	}
    45  
    46  	expectedSourceAccount := "319201112229"
    47  	if v.Statement[0].Condition["StringEquals"]["AWS:SourceAccount"] != expectedSourceAccount {
    48  		t.Fatalf("Expected Source Account to match (%q != %q)",
    49  			v.Statement[0].Condition["StringEquals"]["AWS:SourceAccount"],
    50  			expectedSourceAccount)
    51  	}
    52  }
    53  
    54  func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_alias(t *testing.T) {
    55  	arnWithAlias := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:testalias"
    56  	expectedQualifier := "testalias"
    57  	qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithAlias)
    58  	if err != nil {
    59  		t.Fatalf("Expected no error when getting qualifier: %s", err)
    60  	}
    61  	if qualifier != expectedQualifier {
    62  		t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier)
    63  	}
    64  }
    65  
    66  func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_govcloud(t *testing.T) {
    67  	arnWithAlias := "arn:aws-us-gov:lambda:us-west-2:187636751137:function:lambda_function_name:testalias"
    68  	expectedQualifier := "testalias"
    69  	qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithAlias)
    70  	if err != nil {
    71  		t.Fatalf("Expected no error when getting qualifier: %s", err)
    72  	}
    73  	if qualifier != expectedQualifier {
    74  		t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier)
    75  	}
    76  }
    77  
    78  func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_version(t *testing.T) {
    79  	arnWithVersion := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:223"
    80  	expectedQualifier := "223"
    81  	qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithVersion)
    82  	if err != nil {
    83  		t.Fatalf("Expected no error when getting qualifier: %s", err)
    84  	}
    85  	if qualifier != expectedQualifier {
    86  		t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier)
    87  	}
    88  }
    89  
    90  func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_invalid(t *testing.T) {
    91  	invalidArn := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name"
    92  	qualifier, err := getQualifierFromLambdaAliasOrVersionArn(invalidArn)
    93  	if err == nil {
    94  		t.Fatalf("Expected error when getting qualifier")
    95  	}
    96  	if qualifier != "" {
    97  		t.Fatalf("Expected qualifier to be empty (%q)", qualifier)
    98  	}
    99  
   100  	// with trailing colon
   101  	invalidArn = "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:"
   102  	qualifier, err = getQualifierFromLambdaAliasOrVersionArn(invalidArn)
   103  	if err == nil {
   104  		t.Fatalf("Expected error when getting qualifier")
   105  	}
   106  	if qualifier != "" {
   107  		t.Fatalf("Expected qualifier to be empty (%q)", qualifier)
   108  	}
   109  }
   110  
   111  func TestLambdaPermissionGetFunctionNameFromLambdaArn_invalid(t *testing.T) {
   112  	invalidArn := "arn:aws:lambda:us-west-2:187636751137:function:"
   113  	fn, err := getFunctionNameFromLambdaArn(invalidArn)
   114  	if err == nil {
   115  		t.Fatalf("Expected error when parsing invalid ARN (%q)", invalidArn)
   116  	}
   117  	if fn != "" {
   118  		t.Fatalf("Expected empty string when parsing invalid ARN (%q)", invalidArn)
   119  	}
   120  }
   121  
   122  func TestLambdaPermissionGetFunctionNameFromLambdaArn_valid(t *testing.T) {
   123  	validArn := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name"
   124  	fn, err := getFunctionNameFromLambdaArn(validArn)
   125  	if err != nil {
   126  		t.Fatalf("Expected no error (%q): %q", validArn, err)
   127  	}
   128  	expectedFunctionname := "lambda_function_name"
   129  	if fn != expectedFunctionname {
   130  		t.Fatalf("Expected Lambda function name to match (%q != %q)",
   131  			validArn, expectedFunctionname)
   132  	}
   133  
   134  	// With qualifier
   135  	validArn = "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:12"
   136  	fn, err = getFunctionNameFromLambdaArn(validArn)
   137  	if err != nil {
   138  		t.Fatalf("Expected no error (%q): %q", validArn, err)
   139  	}
   140  	expectedFunctionname = "lambda_function_name"
   141  	if fn != expectedFunctionname {
   142  		t.Fatalf("Expected Lambda function name to match (%q != %q)",
   143  			validArn, expectedFunctionname)
   144  	}
   145  }
   146  
   147  func TestAccAWSLambdaPermission_basic(t *testing.T) {
   148  	var statement LambdaPolicyStatement
   149  	endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm$")
   150  
   151  	resource.Test(t, resource.TestCase{
   152  		PreCheck:     func() { testAccPreCheck(t) },
   153  		Providers:    testAccProviders,
   154  		CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
   155  		Steps: []resource.TestStep{
   156  			{
   157  				Config: testAccAWSLambdaPermissionConfig,
   158  				Check: resource.ComposeTestCheckFunc(
   159  					testAccCheckLambdaPermissionExists("aws_lambda_permission.allow_cloudwatch", &statement),
   160  					resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "action", "lambda:InvokeFunction"),
   161  					resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "principal", "events.amazonaws.com"),
   162  					resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "statement_id", "AllowExecutionFromCloudWatch"),
   163  					resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "qualifier", ""),
   164  					resource.TestMatchResourceAttr("aws_lambda_permission.allow_cloudwatch", "function_name", endsWithFuncName),
   165  				),
   166  			},
   167  		},
   168  	})
   169  }
   170  
   171  func TestAccAWSLambdaPermission_withRawFunctionName(t *testing.T) {
   172  	var statement LambdaPolicyStatement
   173  	endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_raw_func_name$")
   174  
   175  	resource.Test(t, resource.TestCase{
   176  		PreCheck:     func() { testAccPreCheck(t) },
   177  		Providers:    testAccProviders,
   178  		CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
   179  		Steps: []resource.TestStep{
   180  			{
   181  				Config: testAccAWSLambdaPermissionConfig_withRawFunctionName,
   182  				Check: resource.ComposeTestCheckFunc(
   183  					testAccCheckLambdaPermissionExists("aws_lambda_permission.with_raw_func_name", &statement),
   184  					resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "action", "lambda:InvokeFunction"),
   185  					resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "principal", "events.amazonaws.com"),
   186  					resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "statement_id", "AllowExecutionWithRawFuncName"),
   187  					resource.TestMatchResourceAttr("aws_lambda_permission.with_raw_func_name", "function_name", endsWithFuncName),
   188  				),
   189  			},
   190  		},
   191  	})
   192  }
   193  
   194  func TestAccAWSLambdaPermission_withQualifier(t *testing.T) {
   195  	var statement LambdaPolicyStatement
   196  	endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_qualifier$")
   197  
   198  	resource.Test(t, resource.TestCase{
   199  		PreCheck:     func() { testAccPreCheck(t) },
   200  		Providers:    testAccProviders,
   201  		CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
   202  		Steps: []resource.TestStep{
   203  			{
   204  				Config: testAccAWSLambdaPermissionConfig_withQualifier,
   205  				Check: resource.ComposeTestCheckFunc(
   206  					testAccCheckLambdaPermissionExists("aws_lambda_permission.with_qualifier", &statement),
   207  					resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "action", "lambda:InvokeFunction"),
   208  					resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "principal", "events.amazonaws.com"),
   209  					resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "statement_id", "AllowExecutionWithQualifier"),
   210  					resource.TestMatchResourceAttr("aws_lambda_permission.with_qualifier", "function_name", endsWithFuncName),
   211  					resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "qualifier", "testalias_perm_qualifier"),
   212  				),
   213  			},
   214  		},
   215  	})
   216  }
   217  
   218  func TestAccAWSLambdaPermission_multiplePerms(t *testing.T) {
   219  	var firstStatement LambdaPolicyStatement
   220  	var firstStatementModified LambdaPolicyStatement
   221  
   222  	var secondStatement LambdaPolicyStatement
   223  	var secondStatementModified LambdaPolicyStatement
   224  
   225  	var thirdStatement LambdaPolicyStatement
   226  
   227  	resource.Test(t, resource.TestCase{
   228  		PreCheck:     func() { testAccPreCheck(t) },
   229  		Providers:    testAccProviders,
   230  		CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
   231  		Steps: []resource.TestStep{
   232  			{
   233  				Config: testAccAWSLambdaPermissionConfig_multiplePerms,
   234  				Check: resource.ComposeTestCheckFunc(
   235  					// 1st
   236  					testAccCheckLambdaPermissionExists("aws_lambda_permission.first", &firstStatement),
   237  					resource.TestCheckResourceAttr("aws_lambda_permission.first", "action", "lambda:InvokeFunction"),
   238  					resource.TestCheckResourceAttr("aws_lambda_permission.first", "principal", "events.amazonaws.com"),
   239  					resource.TestCheckResourceAttr("aws_lambda_permission.first", "statement_id", "AllowExecutionFirst"),
   240  					resource.TestMatchResourceAttr("aws_lambda_permission.first", "function_name",
   241  						regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
   242  					// 2nd
   243  					testAccCheckLambdaPermissionExists("aws_lambda_permission.second", &firstStatementModified),
   244  					resource.TestCheckResourceAttr("aws_lambda_permission.second", "action", "lambda:*"),
   245  					resource.TestCheckResourceAttr("aws_lambda_permission.second", "principal", "events.amazonaws.com"),
   246  					resource.TestCheckResourceAttr("aws_lambda_permission.second", "statement_id", "AllowExecutionSecond"),
   247  					resource.TestMatchResourceAttr("aws_lambda_permission.second", "function_name",
   248  						regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
   249  				),
   250  			},
   251  			{
   252  				Config: testAccAWSLambdaPermissionConfig_multiplePermsModified,
   253  				Check: resource.ComposeTestCheckFunc(
   254  					// 1st
   255  					testAccCheckLambdaPermissionExists("aws_lambda_permission.first", &secondStatement),
   256  					resource.TestCheckResourceAttr("aws_lambda_permission.first", "action", "lambda:InvokeFunction"),
   257  					resource.TestCheckResourceAttr("aws_lambda_permission.first", "principal", "events.amazonaws.com"),
   258  					resource.TestCheckResourceAttr("aws_lambda_permission.first", "statement_id", "AllowExecutionFirst"),
   259  					resource.TestMatchResourceAttr("aws_lambda_permission.first", "function_name",
   260  						regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
   261  					// 2nd
   262  					testAccCheckLambdaPermissionExists("aws_lambda_permission.sec0nd", &secondStatementModified),
   263  					resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "action", "lambda:*"),
   264  					resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "principal", "events.amazonaws.com"),
   265  					resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "statement_id", "AllowExecutionSec0nd"),
   266  					resource.TestMatchResourceAttr("aws_lambda_permission.sec0nd", "function_name",
   267  						regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
   268  					// 3rd
   269  					testAccCheckLambdaPermissionExists("aws_lambda_permission.third", &thirdStatement),
   270  					resource.TestCheckResourceAttr("aws_lambda_permission.third", "action", "lambda:*"),
   271  					resource.TestCheckResourceAttr("aws_lambda_permission.third", "principal", "events.amazonaws.com"),
   272  					resource.TestCheckResourceAttr("aws_lambda_permission.third", "statement_id", "AllowExecutionThird"),
   273  					resource.TestMatchResourceAttr("aws_lambda_permission.third", "function_name",
   274  						regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")),
   275  				),
   276  			},
   277  		},
   278  	})
   279  }
   280  
   281  func TestAccAWSLambdaPermission_withS3(t *testing.T) {
   282  	rInt := acctest.RandInt()
   283  
   284  	var statement LambdaPolicyStatement
   285  	endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_s3$")
   286  
   287  	resource.Test(t, resource.TestCase{
   288  		PreCheck:     func() { testAccPreCheck(t) },
   289  		Providers:    testAccProviders,
   290  		CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
   291  		Steps: []resource.TestStep{
   292  			{
   293  				Config: fmt.Sprintf(testAccAWSLambdaPermissionConfig_withS3_tpl, rInt),
   294  				Check: resource.ComposeTestCheckFunc(
   295  					testAccCheckLambdaPermissionExists("aws_lambda_permission.with_s3", &statement),
   296  					resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "action", "lambda:InvokeFunction"),
   297  					resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "principal", "s3.amazonaws.com"),
   298  					resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "statement_id", "AllowExecutionFromS3"),
   299  					resource.TestMatchResourceAttr("aws_lambda_permission.with_s3", "function_name", endsWithFuncName),
   300  					resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "source_arn",
   301  						fmt.Sprintf("arn:aws:s3:::tf-acc-towards-lambda-%d", rInt)),
   302  				),
   303  			},
   304  		},
   305  	})
   306  }
   307  
   308  func TestAccAWSLambdaPermission_withSNS(t *testing.T) {
   309  	var statement LambdaPolicyStatement
   310  	endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_sns$")
   311  	endsWithTopicName := regexp.MustCompile(":tf-acc-user-updates-topic$")
   312  
   313  	resource.Test(t, resource.TestCase{
   314  		PreCheck:     func() { testAccPreCheck(t) },
   315  		Providers:    testAccProviders,
   316  		CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
   317  		Steps: []resource.TestStep{
   318  			{
   319  				Config: testAccAWSLambdaPermissionConfig_withSNS,
   320  				Check: resource.ComposeTestCheckFunc(
   321  					testAccCheckLambdaPermissionExists("aws_lambda_permission.with_sns", &statement),
   322  					resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "action", "lambda:InvokeFunction"),
   323  					resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "principal", "sns.amazonaws.com"),
   324  					resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "statement_id", "AllowExecutionFromSNS"),
   325  					resource.TestMatchResourceAttr("aws_lambda_permission.with_sns", "function_name", endsWithFuncName),
   326  					resource.TestMatchResourceAttr("aws_lambda_permission.with_sns", "source_arn", endsWithTopicName),
   327  				),
   328  			},
   329  		},
   330  	})
   331  }
   332  
   333  func testAccCheckLambdaPermissionExists(n string, statement *LambdaPolicyStatement) resource.TestCheckFunc {
   334  	return func(s *terraform.State) error {
   335  		rs, ok := s.RootModule().Resources[n]
   336  		if !ok {
   337  			return fmt.Errorf("Not found: %s", n)
   338  		}
   339  
   340  		conn := testAccProvider.Meta().(*AWSClient).lambdaconn
   341  
   342  		// IAM is eventually consistent
   343  		var foundStatement *LambdaPolicyStatement
   344  		err := resource.Retry(5*time.Minute, func() *resource.RetryError {
   345  			var err error
   346  			foundStatement, err = lambdaPermissionExists(rs, conn)
   347  			if err != nil {
   348  				if strings.HasPrefix(err.Error(), "ResourceNotFoundException") {
   349  					return resource.RetryableError(err)
   350  				}
   351  				if strings.HasPrefix(err.Error(), "Lambda policy not found") {
   352  					return resource.RetryableError(err)
   353  				}
   354  				if strings.HasPrefix(err.Error(), "Failed to find statement") {
   355  					return resource.RetryableError(err)
   356  				}
   357  				return resource.NonRetryableError(err)
   358  			}
   359  			return nil
   360  		})
   361  		if err != nil {
   362  			return err
   363  		}
   364  
   365  		*statement = *foundStatement
   366  
   367  		return nil
   368  	}
   369  }
   370  
   371  func testAccCheckAWSLambdaPermissionDestroy(s *terraform.State) error {
   372  	conn := testAccProvider.Meta().(*AWSClient).lambdaconn
   373  
   374  	for _, rs := range s.RootModule().Resources {
   375  		if rs.Type != "aws_lambda_permission" {
   376  			continue
   377  		}
   378  
   379  		// IAM is eventually consistent
   380  		err := resource.Retry(5*time.Minute, func() *resource.RetryError {
   381  			err := isLambdaPermissionGone(rs, conn)
   382  			if err != nil {
   383  				if !strings.HasPrefix(err.Error(), "Error unmarshalling Lambda policy") {
   384  					return resource.RetryableError(err)
   385  				}
   386  				return resource.NonRetryableError(err)
   387  			}
   388  			return nil
   389  		})
   390  		if err != nil {
   391  			return err
   392  		}
   393  	}
   394  
   395  	return nil
   396  }
   397  
   398  func isLambdaPermissionGone(rs *terraform.ResourceState, conn *lambda.Lambda) error {
   399  	params := &lambda.GetPolicyInput{
   400  		FunctionName: aws.String(rs.Primary.Attributes["function_name"]),
   401  	}
   402  	if v, ok := rs.Primary.Attributes["qualifier"]; ok {
   403  		params.Qualifier = aws.String(v)
   404  	}
   405  
   406  	resp, err := conn.GetPolicy(params)
   407  	if awsErr, ok := err.(awserr.Error); ok {
   408  		if awsErr.Code() == "ResourceNotFoundException" {
   409  			// no policy found => all statements deleted
   410  			return nil
   411  		}
   412  	}
   413  	if err != nil {
   414  		return fmt.Errorf("Unexpected error when checking existence of Lambda permission: %s\n%s",
   415  			rs.Primary.ID, err)
   416  	}
   417  
   418  	policyInBytes := []byte(*resp.Policy)
   419  	policy := LambdaPolicy{}
   420  	err = json.Unmarshal(policyInBytes, &policy)
   421  	if err != nil {
   422  		return fmt.Errorf("Error unmarshalling Lambda policy (%s): %s", *resp.Policy, err)
   423  	}
   424  
   425  	state, err := findLambdaPolicyStatementById(&policy, rs.Primary.ID)
   426  	if err != nil {
   427  		// statement not found => deleted
   428  		return nil
   429  	}
   430  
   431  	return fmt.Errorf("Policy statement expected to be gone (%s):\n%s",
   432  		rs.Primary.ID, *state)
   433  }
   434  
   435  func lambdaPermissionExists(rs *terraform.ResourceState, conn *lambda.Lambda) (*LambdaPolicyStatement, error) {
   436  	params := &lambda.GetPolicyInput{
   437  		FunctionName: aws.String(rs.Primary.Attributes["function_name"]),
   438  	}
   439  	if v, ok := rs.Primary.Attributes["qualifier"]; ok {
   440  		params.Qualifier = aws.String(v)
   441  	}
   442  
   443  	resp, err := conn.GetPolicy(params)
   444  	if err != nil {
   445  		return nil, fmt.Errorf("Lambda policy not found: %q", err)
   446  	}
   447  
   448  	if resp.Policy == nil {
   449  		return nil, fmt.Errorf("Received Lambda policy is empty")
   450  	}
   451  
   452  	policyInBytes := []byte(*resp.Policy)
   453  	policy := LambdaPolicy{}
   454  	err = json.Unmarshal(policyInBytes, &policy)
   455  	if err != nil {
   456  		return nil, fmt.Errorf("Error unmarshalling Lambda policy: %s", err)
   457  	}
   458  
   459  	return findLambdaPolicyStatementById(&policy, rs.Primary.ID)
   460  }
   461  
   462  var testAccAWSLambdaPermissionConfig = `
   463  resource "aws_lambda_permission" "allow_cloudwatch" {
   464      statement_id = "AllowExecutionFromCloudWatch"
   465      action = "lambda:InvokeFunction"
   466      function_name = "${aws_lambda_function.test_lambda.arn}"
   467      principal = "events.amazonaws.com"
   468  }
   469  
   470  resource "aws_lambda_function" "test_lambda" {
   471      filename = "test-fixtures/lambdatest.zip"
   472      function_name = "lambda_function_name_perm"
   473      role = "${aws_iam_role.iam_for_lambda.arn}"
   474      handler = "exports.handler"
   475      runtime = "nodejs4.3"
   476  }
   477  
   478  resource "aws_iam_role" "iam_for_lambda" {
   479      name = "iam_for_lambda_perm"
   480      assume_role_policy = <<EOF
   481  {
   482    "Version": "2012-10-17",
   483    "Statement": [
   484      {
   485        "Action": "sts:AssumeRole",
   486        "Principal": {
   487          "Service": "lambda.amazonaws.com"
   488        },
   489        "Effect": "Allow",
   490        "Sid": ""
   491      }
   492    ]
   493  }
   494  EOF
   495  }
   496  `
   497  
   498  var testAccAWSLambdaPermissionConfig_withRawFunctionName = `
   499  resource "aws_lambda_permission" "with_raw_func_name" {
   500      statement_id = "AllowExecutionWithRawFuncName"
   501      action = "lambda:InvokeFunction"
   502      function_name = "${aws_lambda_function.test_lambda.arn}"
   503      principal = "events.amazonaws.com"
   504  }
   505  
   506  resource "aws_lambda_function" "test_lambda" {
   507      filename = "test-fixtures/lambdatest.zip"
   508      function_name = "lambda_function_name_perm_raw_func_name"
   509      role = "${aws_iam_role.iam_for_lambda.arn}"
   510      handler = "exports.handler"
   511      runtime = "nodejs4.3"
   512  }
   513  
   514  resource "aws_iam_role" "iam_for_lambda" {
   515      name = "iam_for_lambda_perm_raw_func_name"
   516      assume_role_policy = <<EOF
   517  {
   518    "Version": "2012-10-17",
   519    "Statement": [
   520      {
   521        "Action": "sts:AssumeRole",
   522        "Principal": {
   523          "Service": "lambda.amazonaws.com"
   524        },
   525        "Effect": "Allow",
   526        "Sid": ""
   527      }
   528    ]
   529  }
   530  EOF
   531  }
   532  `
   533  
   534  var testAccAWSLambdaPermissionConfig_withQualifier = `
   535  resource "aws_lambda_permission" "with_qualifier" {
   536      statement_id = "AllowExecutionWithQualifier"
   537      action = "lambda:InvokeFunction"
   538      function_name = "${aws_lambda_function.test_lambda.arn}"
   539      principal = "events.amazonaws.com"
   540      source_account = "111122223333"
   541      source_arn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
   542      qualifier = "${aws_lambda_alias.test_alias.name}"
   543  }
   544  
   545  resource "aws_lambda_alias" "test_alias" {
   546      name = "testalias_perm_qualifier"
   547      description = "a sample description"
   548      function_name = "${aws_lambda_function.test_lambda.arn}"
   549      function_version = "$LATEST"
   550  }
   551  
   552  resource "aws_lambda_function" "test_lambda" {
   553      filename = "test-fixtures/lambdatest.zip"
   554      function_name = "lambda_function_name_perm_qualifier"
   555      role = "${aws_iam_role.iam_for_lambda.arn}"
   556      handler = "exports.handler"
   557      runtime = "nodejs4.3"
   558  }
   559  
   560  resource "aws_iam_role" "iam_for_lambda" {
   561      name = "iam_for_lambda_perm_qualifier"
   562      assume_role_policy = <<EOF
   563  {
   564    "Version": "2012-10-17",
   565    "Statement": [
   566      {
   567        "Action": "sts:AssumeRole",
   568        "Principal": {
   569          "Service": "lambda.amazonaws.com"
   570        },
   571        "Effect": "Allow",
   572        "Sid": ""
   573      }
   574    ]
   575  }
   576  EOF
   577  }
   578  `
   579  
   580  var testAccAWSLambdaPermissionConfig_multiplePerms_tpl = `
   581  resource "aws_lambda_permission" "first" {
   582      statement_id = "AllowExecutionFirst"
   583      action = "lambda:InvokeFunction"
   584      function_name = "${aws_lambda_function.test_lambda.arn}"
   585      principal = "events.amazonaws.com"
   586  }
   587  
   588  resource "aws_lambda_permission" "%s" {
   589      statement_id = "%s"
   590      action = "lambda:*"
   591      function_name = "${aws_lambda_function.test_lambda.arn}"
   592      principal = "events.amazonaws.com"
   593  }
   594  %s
   595  
   596  resource "aws_lambda_function" "test_lambda" {
   597      filename = "test-fixtures/lambdatest.zip"
   598      function_name = "lambda_function_name_perm_multiperms"
   599      role = "${aws_iam_role.iam_for_lambda.arn}"
   600      handler = "exports.handler"
   601      runtime = "nodejs4.3"
   602  }
   603  
   604  resource "aws_iam_role" "iam_for_lambda" {
   605      name = "iam_for_lambda_perm_multi_perms"
   606      assume_role_policy = <<EOF
   607  {
   608    "Version": "2012-10-17",
   609    "Statement": [
   610      {
   611        "Action": "sts:AssumeRole",
   612        "Principal": {
   613          "Service": "lambda.amazonaws.com"
   614        },
   615        "Effect": "Allow",
   616        "Sid": ""
   617      }
   618    ]
   619  }
   620  EOF
   621  }
   622  `
   623  
   624  var testAccAWSLambdaPermissionConfig_multiplePerms = fmt.Sprintf(
   625  	testAccAWSLambdaPermissionConfig_multiplePerms_tpl, "second", "AllowExecutionSecond", "")
   626  var testAccAWSLambdaPermissionConfig_multiplePermsModified = fmt.Sprintf(
   627  	testAccAWSLambdaPermissionConfig_multiplePerms_tpl, "sec0nd", "AllowExecutionSec0nd", `
   628  resource "aws_lambda_permission" "third" {
   629      statement_id = "AllowExecutionThird"
   630      action = "lambda:*"
   631      function_name = "${aws_lambda_function.test_lambda.arn}"
   632      principal = "events.amazonaws.com"
   633  }`)
   634  
   635  var testAccAWSLambdaPermissionConfig_withS3_tpl = `
   636  resource "aws_lambda_permission" "with_s3" {
   637      statement_id = "AllowExecutionFromS3"
   638      action = "lambda:InvokeFunction"
   639      function_name = "${aws_lambda_function.my-func.arn}"
   640      principal = "s3.amazonaws.com"
   641      source_arn = "${aws_s3_bucket.default.arn}"
   642  }
   643  
   644  resource "aws_s3_bucket" "default" {
   645  	bucket = "tf-acc-towards-lambda-%d"
   646      acl = "private"
   647  }
   648  
   649  resource "aws_lambda_function" "my-func" {
   650      filename = "test-fixtures/lambdatest.zip"
   651      function_name = "lambda_function_name_perm_s3"
   652      role = "${aws_iam_role.police.arn}"
   653      handler = "exports.handler"
   654      runtime = "nodejs4.3"
   655  }
   656  
   657  resource "aws_iam_role" "police" {
   658      name = "iam_for_lambda_perm_with_s3"
   659      assume_role_policy = <<EOF
   660  {
   661    "Version": "2012-10-17",
   662    "Statement": [
   663      {
   664        "Action": "sts:AssumeRole",
   665        "Principal": {
   666          "Service": "lambda.amazonaws.com"
   667        },
   668        "Effect": "Allow",
   669        "Sid": ""
   670      }
   671    ]
   672  }
   673  EOF
   674  }
   675  `
   676  
   677  var testAccAWSLambdaPermissionConfig_withSNS = `
   678  resource "aws_lambda_permission" "with_sns" {
   679      statement_id = "AllowExecutionFromSNS"
   680      action = "lambda:InvokeFunction"
   681      function_name = "${aws_lambda_function.my-func.arn}"
   682      principal = "sns.amazonaws.com"
   683      source_arn = "${aws_sns_topic.default.arn}"
   684  }
   685  
   686  resource "aws_sns_topic" "default" {
   687  	name = "tf-acc-user-updates-topic"
   688  }
   689  
   690  resource "aws_sns_topic_subscription" "lambda" {
   691      topic_arn = "${aws_sns_topic.default.arn}"
   692      protocol  = "lambda"
   693      endpoint  = "${aws_lambda_function.my-func.arn}"
   694  }
   695  
   696  resource "aws_lambda_function" "my-func" {
   697      filename = "test-fixtures/lambdatest.zip"
   698      function_name = "lambda_function_name_perm_sns"
   699      role = "${aws_iam_role.police.arn}"
   700      handler = "exports.handler"
   701      runtime = "nodejs4.3"
   702  }
   703  
   704  resource "aws_iam_role" "police" {
   705      name = "iam_for_lambda_perm_with_sns"
   706      assume_role_policy = <<EOF
   707  {
   708    "Version": "2012-10-17",
   709    "Statement": [
   710      {
   711        "Action": "sts:AssumeRole",
   712        "Principal": {
   713          "Service": "lambda.amazonaws.com"
   714        },
   715        "Effect": "Allow",
   716        "Sid": ""
   717      }
   718    ]
   719  }
   720  EOF
   721  }
   722  `
   723  
   724  var testLambdaPolicy = []byte(`{
   725  	"Version": "2012-10-17",
   726  	"Statement": [
   727  		{
   728  			"Condition": {
   729  				"StringEquals": {"AWS:SourceAccount": "319201112229"},
   730  				"ArnLike":{"AWS:SourceArn":"arn:aws:events:eu-west-1:319201112229:rule/RunDaily"}
   731  			},
   732  			"Action": "lambda:InvokeFunction",
   733  			"Resource": "arn:aws:lambda:eu-west-1:319201112229:function:myCustomFunction",
   734  			"Effect": "Allow",
   735  			"Principal": {"Service":"events.amazonaws.com"},
   736  			"Sid": "36fe77d9-a4ae-13fb-8beb-5dc6821d5291"
   737  		}
   738  	],
   739  	"Id":"default"
   740  }`)