github.com/pbthorste/terraform@v0.8.6-0.20170127005045-deb56bd93da2/builtin/providers/aws/resource_aws_lambda_permission_test.go (about) 1 package aws 2 3 import ( 4 "encoding/json" 5 "fmt" 6 "regexp" 7 "strings" 8 "testing" 9 "time" 10 11 "github.com/aws/aws-sdk-go/aws" 12 "github.com/aws/aws-sdk-go/aws/awserr" 13 "github.com/aws/aws-sdk-go/service/lambda" 14 "github.com/hashicorp/terraform/helper/acctest" 15 "github.com/hashicorp/terraform/helper/resource" 16 "github.com/hashicorp/terraform/terraform" 17 ) 18 19 func TestLambdaPermissionUnmarshalling(t *testing.T) { 20 v := LambdaPolicy{} 21 err := json.Unmarshal(testLambdaPolicy, &v) 22 if err != nil { 23 t.Fatalf("Expected no error when unmarshalling: %s", err) 24 } 25 26 expectedSid := "36fe77d9-a4ae-13fb-8beb-5dc6821d5291" 27 if v.Statement[0].Sid != expectedSid { 28 t.Fatalf("Expected Sid to match (%q != %q)", v.Statement[0].Sid, expectedSid) 29 } 30 31 expectedFunctionName := "arn:aws:lambda:eu-west-1:319201112229:function:myCustomFunction" 32 if v.Statement[0].Resource != expectedFunctionName { 33 t.Fatalf("Expected function name to match (%q != %q)", v.Statement[0].Resource, expectedFunctionName) 34 } 35 36 expectedAction := "lambda:InvokeFunction" 37 if v.Statement[0].Action != expectedAction { 38 t.Fatalf("Expected Action to match (%q != %q)", v.Statement[0].Action, expectedAction) 39 } 40 41 expectedPrincipal := "events.amazonaws.com" 42 if v.Statement[0].Principal["Service"] != expectedPrincipal { 43 t.Fatalf("Expected Principal to match (%q != %q)", v.Statement[0].Principal["Service"], expectedPrincipal) 44 } 45 46 expectedSourceAccount := "319201112229" 47 if v.Statement[0].Condition["StringEquals"]["AWS:SourceAccount"] != expectedSourceAccount { 48 t.Fatalf("Expected Source Account to match (%q != %q)", 49 v.Statement[0].Condition["StringEquals"]["AWS:SourceAccount"], 50 expectedSourceAccount) 51 } 52 } 53 54 func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_alias(t *testing.T) { 55 arnWithAlias := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:testalias" 56 expectedQualifier := "testalias" 57 qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithAlias) 58 if err != nil { 59 t.Fatalf("Expected no error when getting qualifier: %s", err) 60 } 61 if qualifier != expectedQualifier { 62 t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier) 63 } 64 } 65 66 func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_govcloud(t *testing.T) { 67 arnWithAlias := "arn:aws-us-gov:lambda:us-west-2:187636751137:function:lambda_function_name:testalias" 68 expectedQualifier := "testalias" 69 qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithAlias) 70 if err != nil { 71 t.Fatalf("Expected no error when getting qualifier: %s", err) 72 } 73 if qualifier != expectedQualifier { 74 t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier) 75 } 76 } 77 78 func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_version(t *testing.T) { 79 arnWithVersion := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:223" 80 expectedQualifier := "223" 81 qualifier, err := getQualifierFromLambdaAliasOrVersionArn(arnWithVersion) 82 if err != nil { 83 t.Fatalf("Expected no error when getting qualifier: %s", err) 84 } 85 if qualifier != expectedQualifier { 86 t.Fatalf("Expected qualifier to match (%q != %q)", qualifier, expectedQualifier) 87 } 88 } 89 90 func TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_invalid(t *testing.T) { 91 invalidArn := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name" 92 qualifier, err := getQualifierFromLambdaAliasOrVersionArn(invalidArn) 93 if err == nil { 94 t.Fatalf("Expected error when getting qualifier") 95 } 96 if qualifier != "" { 97 t.Fatalf("Expected qualifier to be empty (%q)", qualifier) 98 } 99 100 // with trailing colon 101 invalidArn = "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:" 102 qualifier, err = getQualifierFromLambdaAliasOrVersionArn(invalidArn) 103 if err == nil { 104 t.Fatalf("Expected error when getting qualifier") 105 } 106 if qualifier != "" { 107 t.Fatalf("Expected qualifier to be empty (%q)", qualifier) 108 } 109 } 110 111 func TestLambdaPermissionGetFunctionNameFromLambdaArn_invalid(t *testing.T) { 112 invalidArn := "arn:aws:lambda:us-west-2:187636751137:function:" 113 fn, err := getFunctionNameFromLambdaArn(invalidArn) 114 if err == nil { 115 t.Fatalf("Expected error when parsing invalid ARN (%q)", invalidArn) 116 } 117 if fn != "" { 118 t.Fatalf("Expected empty string when parsing invalid ARN (%q)", invalidArn) 119 } 120 } 121 122 func TestLambdaPermissionGetFunctionNameFromLambdaArn_valid(t *testing.T) { 123 validArn := "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name" 124 fn, err := getFunctionNameFromLambdaArn(validArn) 125 if err != nil { 126 t.Fatalf("Expected no error (%q): %q", validArn, err) 127 } 128 expectedFunctionname := "lambda_function_name" 129 if fn != expectedFunctionname { 130 t.Fatalf("Expected Lambda function name to match (%q != %q)", 131 validArn, expectedFunctionname) 132 } 133 134 // With qualifier 135 validArn = "arn:aws:lambda:us-west-2:187636751137:function:lambda_function_name:12" 136 fn, err = getFunctionNameFromLambdaArn(validArn) 137 if err != nil { 138 t.Fatalf("Expected no error (%q): %q", validArn, err) 139 } 140 expectedFunctionname = "lambda_function_name" 141 if fn != expectedFunctionname { 142 t.Fatalf("Expected Lambda function name to match (%q != %q)", 143 validArn, expectedFunctionname) 144 } 145 } 146 147 func TestAccAWSLambdaPermission_basic(t *testing.T) { 148 var statement LambdaPolicyStatement 149 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm$") 150 151 resource.Test(t, resource.TestCase{ 152 PreCheck: func() { testAccPreCheck(t) }, 153 Providers: testAccProviders, 154 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 155 Steps: []resource.TestStep{ 156 { 157 Config: testAccAWSLambdaPermissionConfig, 158 Check: resource.ComposeTestCheckFunc( 159 testAccCheckLambdaPermissionExists("aws_lambda_permission.allow_cloudwatch", &statement), 160 resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "action", "lambda:InvokeFunction"), 161 resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "principal", "events.amazonaws.com"), 162 resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "statement_id", "AllowExecutionFromCloudWatch"), 163 resource.TestCheckResourceAttr("aws_lambda_permission.allow_cloudwatch", "qualifier", ""), 164 resource.TestMatchResourceAttr("aws_lambda_permission.allow_cloudwatch", "function_name", endsWithFuncName), 165 ), 166 }, 167 }, 168 }) 169 } 170 171 func TestAccAWSLambdaPermission_withRawFunctionName(t *testing.T) { 172 var statement LambdaPolicyStatement 173 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_raw_func_name$") 174 175 resource.Test(t, resource.TestCase{ 176 PreCheck: func() { testAccPreCheck(t) }, 177 Providers: testAccProviders, 178 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 179 Steps: []resource.TestStep{ 180 { 181 Config: testAccAWSLambdaPermissionConfig_withRawFunctionName, 182 Check: resource.ComposeTestCheckFunc( 183 testAccCheckLambdaPermissionExists("aws_lambda_permission.with_raw_func_name", &statement), 184 resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "action", "lambda:InvokeFunction"), 185 resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "principal", "events.amazonaws.com"), 186 resource.TestCheckResourceAttr("aws_lambda_permission.with_raw_func_name", "statement_id", "AllowExecutionWithRawFuncName"), 187 resource.TestMatchResourceAttr("aws_lambda_permission.with_raw_func_name", "function_name", endsWithFuncName), 188 ), 189 }, 190 }, 191 }) 192 } 193 194 func TestAccAWSLambdaPermission_withQualifier(t *testing.T) { 195 var statement LambdaPolicyStatement 196 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_qualifier$") 197 198 resource.Test(t, resource.TestCase{ 199 PreCheck: func() { testAccPreCheck(t) }, 200 Providers: testAccProviders, 201 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 202 Steps: []resource.TestStep{ 203 { 204 Config: testAccAWSLambdaPermissionConfig_withQualifier, 205 Check: resource.ComposeTestCheckFunc( 206 testAccCheckLambdaPermissionExists("aws_lambda_permission.with_qualifier", &statement), 207 resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "action", "lambda:InvokeFunction"), 208 resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "principal", "events.amazonaws.com"), 209 resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "statement_id", "AllowExecutionWithQualifier"), 210 resource.TestMatchResourceAttr("aws_lambda_permission.with_qualifier", "function_name", endsWithFuncName), 211 resource.TestCheckResourceAttr("aws_lambda_permission.with_qualifier", "qualifier", "testalias_perm_qualifier"), 212 ), 213 }, 214 }, 215 }) 216 } 217 218 func TestAccAWSLambdaPermission_multiplePerms(t *testing.T) { 219 var firstStatement LambdaPolicyStatement 220 var firstStatementModified LambdaPolicyStatement 221 222 var secondStatement LambdaPolicyStatement 223 var secondStatementModified LambdaPolicyStatement 224 225 var thirdStatement LambdaPolicyStatement 226 227 resource.Test(t, resource.TestCase{ 228 PreCheck: func() { testAccPreCheck(t) }, 229 Providers: testAccProviders, 230 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 231 Steps: []resource.TestStep{ 232 { 233 Config: testAccAWSLambdaPermissionConfig_multiplePerms, 234 Check: resource.ComposeTestCheckFunc( 235 // 1st 236 testAccCheckLambdaPermissionExists("aws_lambda_permission.first", &firstStatement), 237 resource.TestCheckResourceAttr("aws_lambda_permission.first", "action", "lambda:InvokeFunction"), 238 resource.TestCheckResourceAttr("aws_lambda_permission.first", "principal", "events.amazonaws.com"), 239 resource.TestCheckResourceAttr("aws_lambda_permission.first", "statement_id", "AllowExecutionFirst"), 240 resource.TestMatchResourceAttr("aws_lambda_permission.first", "function_name", 241 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 242 // 2nd 243 testAccCheckLambdaPermissionExists("aws_lambda_permission.second", &firstStatementModified), 244 resource.TestCheckResourceAttr("aws_lambda_permission.second", "action", "lambda:*"), 245 resource.TestCheckResourceAttr("aws_lambda_permission.second", "principal", "events.amazonaws.com"), 246 resource.TestCheckResourceAttr("aws_lambda_permission.second", "statement_id", "AllowExecutionSecond"), 247 resource.TestMatchResourceAttr("aws_lambda_permission.second", "function_name", 248 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 249 ), 250 }, 251 { 252 Config: testAccAWSLambdaPermissionConfig_multiplePermsModified, 253 Check: resource.ComposeTestCheckFunc( 254 // 1st 255 testAccCheckLambdaPermissionExists("aws_lambda_permission.first", &secondStatement), 256 resource.TestCheckResourceAttr("aws_lambda_permission.first", "action", "lambda:InvokeFunction"), 257 resource.TestCheckResourceAttr("aws_lambda_permission.first", "principal", "events.amazonaws.com"), 258 resource.TestCheckResourceAttr("aws_lambda_permission.first", "statement_id", "AllowExecutionFirst"), 259 resource.TestMatchResourceAttr("aws_lambda_permission.first", "function_name", 260 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 261 // 2nd 262 testAccCheckLambdaPermissionExists("aws_lambda_permission.sec0nd", &secondStatementModified), 263 resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "action", "lambda:*"), 264 resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "principal", "events.amazonaws.com"), 265 resource.TestCheckResourceAttr("aws_lambda_permission.sec0nd", "statement_id", "AllowExecutionSec0nd"), 266 resource.TestMatchResourceAttr("aws_lambda_permission.sec0nd", "function_name", 267 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 268 // 3rd 269 testAccCheckLambdaPermissionExists("aws_lambda_permission.third", &thirdStatement), 270 resource.TestCheckResourceAttr("aws_lambda_permission.third", "action", "lambda:*"), 271 resource.TestCheckResourceAttr("aws_lambda_permission.third", "principal", "events.amazonaws.com"), 272 resource.TestCheckResourceAttr("aws_lambda_permission.third", "statement_id", "AllowExecutionThird"), 273 resource.TestMatchResourceAttr("aws_lambda_permission.third", "function_name", 274 regexp.MustCompile(":function:lambda_function_name_perm_multiperms$")), 275 ), 276 }, 277 }, 278 }) 279 } 280 281 func TestAccAWSLambdaPermission_withS3(t *testing.T) { 282 rInt := acctest.RandInt() 283 284 var statement LambdaPolicyStatement 285 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_s3$") 286 287 resource.Test(t, resource.TestCase{ 288 PreCheck: func() { testAccPreCheck(t) }, 289 Providers: testAccProviders, 290 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 291 Steps: []resource.TestStep{ 292 { 293 Config: fmt.Sprintf(testAccAWSLambdaPermissionConfig_withS3_tpl, rInt), 294 Check: resource.ComposeTestCheckFunc( 295 testAccCheckLambdaPermissionExists("aws_lambda_permission.with_s3", &statement), 296 resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "action", "lambda:InvokeFunction"), 297 resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "principal", "s3.amazonaws.com"), 298 resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "statement_id", "AllowExecutionFromS3"), 299 resource.TestMatchResourceAttr("aws_lambda_permission.with_s3", "function_name", endsWithFuncName), 300 resource.TestCheckResourceAttr("aws_lambda_permission.with_s3", "source_arn", 301 fmt.Sprintf("arn:aws:s3:::tf-acc-towards-lambda-%d", rInt)), 302 ), 303 }, 304 }, 305 }) 306 } 307 308 func TestAccAWSLambdaPermission_withSNS(t *testing.T) { 309 var statement LambdaPolicyStatement 310 endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_sns$") 311 endsWithTopicName := regexp.MustCompile(":tf-acc-user-updates-topic$") 312 313 resource.Test(t, resource.TestCase{ 314 PreCheck: func() { testAccPreCheck(t) }, 315 Providers: testAccProviders, 316 CheckDestroy: testAccCheckAWSLambdaPermissionDestroy, 317 Steps: []resource.TestStep{ 318 { 319 Config: testAccAWSLambdaPermissionConfig_withSNS, 320 Check: resource.ComposeTestCheckFunc( 321 testAccCheckLambdaPermissionExists("aws_lambda_permission.with_sns", &statement), 322 resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "action", "lambda:InvokeFunction"), 323 resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "principal", "sns.amazonaws.com"), 324 resource.TestCheckResourceAttr("aws_lambda_permission.with_sns", "statement_id", "AllowExecutionFromSNS"), 325 resource.TestMatchResourceAttr("aws_lambda_permission.with_sns", "function_name", endsWithFuncName), 326 resource.TestMatchResourceAttr("aws_lambda_permission.with_sns", "source_arn", endsWithTopicName), 327 ), 328 }, 329 }, 330 }) 331 } 332 333 func testAccCheckLambdaPermissionExists(n string, statement *LambdaPolicyStatement) resource.TestCheckFunc { 334 return func(s *terraform.State) error { 335 rs, ok := s.RootModule().Resources[n] 336 if !ok { 337 return fmt.Errorf("Not found: %s", n) 338 } 339 340 conn := testAccProvider.Meta().(*AWSClient).lambdaconn 341 342 // IAM is eventually consistent 343 var foundStatement *LambdaPolicyStatement 344 err := resource.Retry(5*time.Minute, func() *resource.RetryError { 345 var err error 346 foundStatement, err = lambdaPermissionExists(rs, conn) 347 if err != nil { 348 if strings.HasPrefix(err.Error(), "ResourceNotFoundException") { 349 return resource.RetryableError(err) 350 } 351 if strings.HasPrefix(err.Error(), "Lambda policy not found") { 352 return resource.RetryableError(err) 353 } 354 if strings.HasPrefix(err.Error(), "Failed to find statement") { 355 return resource.RetryableError(err) 356 } 357 return resource.NonRetryableError(err) 358 } 359 return nil 360 }) 361 if err != nil { 362 return err 363 } 364 365 *statement = *foundStatement 366 367 return nil 368 } 369 } 370 371 func testAccCheckAWSLambdaPermissionDestroy(s *terraform.State) error { 372 conn := testAccProvider.Meta().(*AWSClient).lambdaconn 373 374 for _, rs := range s.RootModule().Resources { 375 if rs.Type != "aws_lambda_permission" { 376 continue 377 } 378 379 // IAM is eventually consistent 380 err := resource.Retry(5*time.Minute, func() *resource.RetryError { 381 err := isLambdaPermissionGone(rs, conn) 382 if err != nil { 383 if !strings.HasPrefix(err.Error(), "Error unmarshalling Lambda policy") { 384 return resource.RetryableError(err) 385 } 386 return resource.NonRetryableError(err) 387 } 388 return nil 389 }) 390 if err != nil { 391 return err 392 } 393 } 394 395 return nil 396 } 397 398 func isLambdaPermissionGone(rs *terraform.ResourceState, conn *lambda.Lambda) error { 399 params := &lambda.GetPolicyInput{ 400 FunctionName: aws.String(rs.Primary.Attributes["function_name"]), 401 } 402 if v, ok := rs.Primary.Attributes["qualifier"]; ok { 403 params.Qualifier = aws.String(v) 404 } 405 406 resp, err := conn.GetPolicy(params) 407 if awsErr, ok := err.(awserr.Error); ok { 408 if awsErr.Code() == "ResourceNotFoundException" { 409 // no policy found => all statements deleted 410 return nil 411 } 412 } 413 if err != nil { 414 return fmt.Errorf("Unexpected error when checking existence of Lambda permission: %s\n%s", 415 rs.Primary.ID, err) 416 } 417 418 policyInBytes := []byte(*resp.Policy) 419 policy := LambdaPolicy{} 420 err = json.Unmarshal(policyInBytes, &policy) 421 if err != nil { 422 return fmt.Errorf("Error unmarshalling Lambda policy (%s): %s", *resp.Policy, err) 423 } 424 425 state, err := findLambdaPolicyStatementById(&policy, rs.Primary.ID) 426 if err != nil { 427 // statement not found => deleted 428 return nil 429 } 430 431 return fmt.Errorf("Policy statement expected to be gone (%s):\n%s", 432 rs.Primary.ID, *state) 433 } 434 435 func lambdaPermissionExists(rs *terraform.ResourceState, conn *lambda.Lambda) (*LambdaPolicyStatement, error) { 436 params := &lambda.GetPolicyInput{ 437 FunctionName: aws.String(rs.Primary.Attributes["function_name"]), 438 } 439 if v, ok := rs.Primary.Attributes["qualifier"]; ok { 440 params.Qualifier = aws.String(v) 441 } 442 443 resp, err := conn.GetPolicy(params) 444 if err != nil { 445 return nil, fmt.Errorf("Lambda policy not found: %q", err) 446 } 447 448 if resp.Policy == nil { 449 return nil, fmt.Errorf("Received Lambda policy is empty") 450 } 451 452 policyInBytes := []byte(*resp.Policy) 453 policy := LambdaPolicy{} 454 err = json.Unmarshal(policyInBytes, &policy) 455 if err != nil { 456 return nil, fmt.Errorf("Error unmarshalling Lambda policy: %s", err) 457 } 458 459 return findLambdaPolicyStatementById(&policy, rs.Primary.ID) 460 } 461 462 var testAccAWSLambdaPermissionConfig = ` 463 resource "aws_lambda_permission" "allow_cloudwatch" { 464 statement_id = "AllowExecutionFromCloudWatch" 465 action = "lambda:InvokeFunction" 466 function_name = "${aws_lambda_function.test_lambda.arn}" 467 principal = "events.amazonaws.com" 468 } 469 470 resource "aws_lambda_function" "test_lambda" { 471 filename = "test-fixtures/lambdatest.zip" 472 function_name = "lambda_function_name_perm" 473 role = "${aws_iam_role.iam_for_lambda.arn}" 474 handler = "exports.handler" 475 runtime = "nodejs4.3" 476 } 477 478 resource "aws_iam_role" "iam_for_lambda" { 479 name = "iam_for_lambda_perm" 480 assume_role_policy = <<EOF 481 { 482 "Version": "2012-10-17", 483 "Statement": [ 484 { 485 "Action": "sts:AssumeRole", 486 "Principal": { 487 "Service": "lambda.amazonaws.com" 488 }, 489 "Effect": "Allow", 490 "Sid": "" 491 } 492 ] 493 } 494 EOF 495 } 496 ` 497 498 var testAccAWSLambdaPermissionConfig_withRawFunctionName = ` 499 resource "aws_lambda_permission" "with_raw_func_name" { 500 statement_id = "AllowExecutionWithRawFuncName" 501 action = "lambda:InvokeFunction" 502 function_name = "${aws_lambda_function.test_lambda.arn}" 503 principal = "events.amazonaws.com" 504 } 505 506 resource "aws_lambda_function" "test_lambda" { 507 filename = "test-fixtures/lambdatest.zip" 508 function_name = "lambda_function_name_perm_raw_func_name" 509 role = "${aws_iam_role.iam_for_lambda.arn}" 510 handler = "exports.handler" 511 runtime = "nodejs4.3" 512 } 513 514 resource "aws_iam_role" "iam_for_lambda" { 515 name = "iam_for_lambda_perm_raw_func_name" 516 assume_role_policy = <<EOF 517 { 518 "Version": "2012-10-17", 519 "Statement": [ 520 { 521 "Action": "sts:AssumeRole", 522 "Principal": { 523 "Service": "lambda.amazonaws.com" 524 }, 525 "Effect": "Allow", 526 "Sid": "" 527 } 528 ] 529 } 530 EOF 531 } 532 ` 533 534 var testAccAWSLambdaPermissionConfig_withQualifier = ` 535 resource "aws_lambda_permission" "with_qualifier" { 536 statement_id = "AllowExecutionWithQualifier" 537 action = "lambda:InvokeFunction" 538 function_name = "${aws_lambda_function.test_lambda.arn}" 539 principal = "events.amazonaws.com" 540 source_account = "111122223333" 541 source_arn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily" 542 qualifier = "${aws_lambda_alias.test_alias.name}" 543 } 544 545 resource "aws_lambda_alias" "test_alias" { 546 name = "testalias_perm_qualifier" 547 description = "a sample description" 548 function_name = "${aws_lambda_function.test_lambda.arn}" 549 function_version = "$LATEST" 550 } 551 552 resource "aws_lambda_function" "test_lambda" { 553 filename = "test-fixtures/lambdatest.zip" 554 function_name = "lambda_function_name_perm_qualifier" 555 role = "${aws_iam_role.iam_for_lambda.arn}" 556 handler = "exports.handler" 557 runtime = "nodejs4.3" 558 } 559 560 resource "aws_iam_role" "iam_for_lambda" { 561 name = "iam_for_lambda_perm_qualifier" 562 assume_role_policy = <<EOF 563 { 564 "Version": "2012-10-17", 565 "Statement": [ 566 { 567 "Action": "sts:AssumeRole", 568 "Principal": { 569 "Service": "lambda.amazonaws.com" 570 }, 571 "Effect": "Allow", 572 "Sid": "" 573 } 574 ] 575 } 576 EOF 577 } 578 ` 579 580 var testAccAWSLambdaPermissionConfig_multiplePerms_tpl = ` 581 resource "aws_lambda_permission" "first" { 582 statement_id = "AllowExecutionFirst" 583 action = "lambda:InvokeFunction" 584 function_name = "${aws_lambda_function.test_lambda.arn}" 585 principal = "events.amazonaws.com" 586 } 587 588 resource "aws_lambda_permission" "%s" { 589 statement_id = "%s" 590 action = "lambda:*" 591 function_name = "${aws_lambda_function.test_lambda.arn}" 592 principal = "events.amazonaws.com" 593 } 594 %s 595 596 resource "aws_lambda_function" "test_lambda" { 597 filename = "test-fixtures/lambdatest.zip" 598 function_name = "lambda_function_name_perm_multiperms" 599 role = "${aws_iam_role.iam_for_lambda.arn}" 600 handler = "exports.handler" 601 runtime = "nodejs4.3" 602 } 603 604 resource "aws_iam_role" "iam_for_lambda" { 605 name = "iam_for_lambda_perm_multi_perms" 606 assume_role_policy = <<EOF 607 { 608 "Version": "2012-10-17", 609 "Statement": [ 610 { 611 "Action": "sts:AssumeRole", 612 "Principal": { 613 "Service": "lambda.amazonaws.com" 614 }, 615 "Effect": "Allow", 616 "Sid": "" 617 } 618 ] 619 } 620 EOF 621 } 622 ` 623 624 var testAccAWSLambdaPermissionConfig_multiplePerms = fmt.Sprintf( 625 testAccAWSLambdaPermissionConfig_multiplePerms_tpl, "second", "AllowExecutionSecond", "") 626 var testAccAWSLambdaPermissionConfig_multiplePermsModified = fmt.Sprintf( 627 testAccAWSLambdaPermissionConfig_multiplePerms_tpl, "sec0nd", "AllowExecutionSec0nd", ` 628 resource "aws_lambda_permission" "third" { 629 statement_id = "AllowExecutionThird" 630 action = "lambda:*" 631 function_name = "${aws_lambda_function.test_lambda.arn}" 632 principal = "events.amazonaws.com" 633 }`) 634 635 var testAccAWSLambdaPermissionConfig_withS3_tpl = ` 636 resource "aws_lambda_permission" "with_s3" { 637 statement_id = "AllowExecutionFromS3" 638 action = "lambda:InvokeFunction" 639 function_name = "${aws_lambda_function.my-func.arn}" 640 principal = "s3.amazonaws.com" 641 source_arn = "${aws_s3_bucket.default.arn}" 642 } 643 644 resource "aws_s3_bucket" "default" { 645 bucket = "tf-acc-towards-lambda-%d" 646 acl = "private" 647 } 648 649 resource "aws_lambda_function" "my-func" { 650 filename = "test-fixtures/lambdatest.zip" 651 function_name = "lambda_function_name_perm_s3" 652 role = "${aws_iam_role.police.arn}" 653 handler = "exports.handler" 654 runtime = "nodejs4.3" 655 } 656 657 resource "aws_iam_role" "police" { 658 name = "iam_for_lambda_perm_with_s3" 659 assume_role_policy = <<EOF 660 { 661 "Version": "2012-10-17", 662 "Statement": [ 663 { 664 "Action": "sts:AssumeRole", 665 "Principal": { 666 "Service": "lambda.amazonaws.com" 667 }, 668 "Effect": "Allow", 669 "Sid": "" 670 } 671 ] 672 } 673 EOF 674 } 675 ` 676 677 var testAccAWSLambdaPermissionConfig_withSNS = ` 678 resource "aws_lambda_permission" "with_sns" { 679 statement_id = "AllowExecutionFromSNS" 680 action = "lambda:InvokeFunction" 681 function_name = "${aws_lambda_function.my-func.arn}" 682 principal = "sns.amazonaws.com" 683 source_arn = "${aws_sns_topic.default.arn}" 684 } 685 686 resource "aws_sns_topic" "default" { 687 name = "tf-acc-user-updates-topic" 688 } 689 690 resource "aws_sns_topic_subscription" "lambda" { 691 topic_arn = "${aws_sns_topic.default.arn}" 692 protocol = "lambda" 693 endpoint = "${aws_lambda_function.my-func.arn}" 694 } 695 696 resource "aws_lambda_function" "my-func" { 697 filename = "test-fixtures/lambdatest.zip" 698 function_name = "lambda_function_name_perm_sns" 699 role = "${aws_iam_role.police.arn}" 700 handler = "exports.handler" 701 runtime = "nodejs4.3" 702 } 703 704 resource "aws_iam_role" "police" { 705 name = "iam_for_lambda_perm_with_sns" 706 assume_role_policy = <<EOF 707 { 708 "Version": "2012-10-17", 709 "Statement": [ 710 { 711 "Action": "sts:AssumeRole", 712 "Principal": { 713 "Service": "lambda.amazonaws.com" 714 }, 715 "Effect": "Allow", 716 "Sid": "" 717 } 718 ] 719 } 720 EOF 721 } 722 ` 723 724 var testLambdaPolicy = []byte(`{ 725 "Version": "2012-10-17", 726 "Statement": [ 727 { 728 "Condition": { 729 "StringEquals": {"AWS:SourceAccount": "319201112229"}, 730 "ArnLike":{"AWS:SourceArn":"arn:aws:events:eu-west-1:319201112229:rule/RunDaily"} 731 }, 732 "Action": "lambda:InvokeFunction", 733 "Resource": "arn:aws:lambda:eu-west-1:319201112229:function:myCustomFunction", 734 "Effect": "Allow", 735 "Principal": {"Service":"events.amazonaws.com"}, 736 "Sid": "36fe77d9-a4ae-13fb-8beb-5dc6821d5291" 737 } 738 ], 739 "Id":"default" 740 }`)