From 50b946e23dfc0bc0dc67bc68e5912047abd7abec Mon Sep 17 00:00:00 2001
From: James Nesbitt
Date: Mon, 20 Sep 2021 15:32:46 +0100
Subject: [PATCH] Adding enabled option

---
 README.md | 1 +
 archive.tf | 16 +++++++++----
 iam.tf | 36 ++++++++++++++++-------------
 lambda.tf | 6 ++---
 outputs.tf | 12 +++++-----
 tests/dead-letter-queue/main.tf | 2 ++
 tests/environment-variables/main.tf | 2 ++
 variables.tf | 6 +++++
 8 files changed, 51 insertions(+), 30 deletions(-)

diff --git a/README.md b/README.md
index f8795c0..042e1df 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,7 @@ Inputs for this module are the same as the [aws_lambda_function](https://www.ter
 | lambda\_at\_edge | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function | `bool` | `false` | no |
 | policy | An additional policy to attach to the Lambda function role | `object({json=string})` | | no |
 | trusted\_entities | Additional trusted entities for the Lambda function. The lambda.amazonaws.com (and edgelambda.amazonaws.com if lambda\_at\_edge is true) is always set | `list(string)` | | no |
+| enabled | Enabling and disaling of resources | `bool` | `true` | no |
 
 The following arguments from the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource are not supported:
 
diff --git a/archive.tf b/archive.tf
index e374bff..e5d2a2f 100644
--- a/archive.tf
+++ b/archive.tf
@@ -1,6 +1,8 @@
 # Generates a filename for the zip archive based on the contents of the files
 # in source_path. The filename will change when the source code changes.
 data "external" "archive" {
+ count = var.enabled ? 1 : 0
+
 program = ["python", "${path.module}/hash.py"]
 
 query = {
@@ -14,12 +16,14 @@ data "external" "archive" {
 
 # Build the zip archive whenever the filename changes.
 resource "null_resource" "archive" {
+ count = var.enabled ? 1 : 0
+
 triggers = {
- filename = lookup(data.external.archive.result, "filename")
+ filename = lookup(data.external.archive[0].result, "filename")
 }
 
 provisioner "local-exec" {
- command = lookup(data.external.archive.result, "build_command")
+ command = lookup(data.external.archive[0].result, "build_command")
 working_dir = path.module
 }
 }
@@ -30,12 +34,14 @@ resource "null_resource" "archive" {
 # deletes the Lambda function. If the file is rebuilt here, the build
 # output is unfortunately invisible.
 data "external" "built" {
+ count = var.enabled ? 1 : 0
+
 program = ["python", "${path.module}/built.py"]
 
 query = {
- build_command = lookup(data.external.archive.result, "build_command")
- filename_old = lookup(null_resource.archive.triggers, "filename")
- filename_new = lookup(data.external.archive.result, "filename")
+ build_command = lookup(data.external.archive[0].result, "build_command")
+ filename_old = lookup(null_resource.archive[0].triggers, "filename")
+ filename_new = lookup(data.external.archive[0].result, "filename")
 module_relpath = path.module
 }
 }
diff --git a/iam.tf b/iam.tf
index d231f4c..394c34d 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,6 +1,8 @@
 # Create the role.
 
 data "aws_iam_policy_document" "assume_role" {
+ count = var.enabled ? 1 : 0
+
 statement {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
@@ -13,8 +15,10 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 resource "aws_iam_role" "lambda" {
+ count = var.enabled ? 1 : 0
+
 name = var.function_name
- assume_role_policy = data.aws_iam_policy_document.assume_role.json
+ assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
 tags = var.tags
 }
 
@@ -27,7 +31,7 @@ locals {
 }
 
 data "aws_iam_policy_document" "logs" {
- count = var.cloudwatch_logs ? 1 : 0
+ count = var.enabled && var.cloudwatch_logs ? 1 : 0
 
 statement {
 effect = "Allow"
@@ -54,24 +58,24 @@ data "aws_iam_policy_document" "logs" {
 }
 
 resource "aws_iam_policy" "logs" {
- count = var.cloudwatch_logs ? 1 : 0
+ count = var.enabled && var.cloudwatch_logs ? 1 : 0
 
 name = "${var.function_name}-logs"
 policy = data.aws_iam_policy_document.logs[0].json
 }
 
 resource "aws_iam_policy_attachment" "logs" {
- count = var.cloudwatch_logs ? 1 : 0
+ count = var.enabled && var.cloudwatch_logs ? 1 : 0
 
 name = "${var.function_name}-logs"
- roles = [aws_iam_role.lambda.name]
+ roles = [aws_iam_role.lambda[0].name]
 policy_arn = aws_iam_policy.logs[0].arn
 }
 
 # Attach an additional policy required for the dead letter config.
 
 data "aws_iam_policy_document" "dead_letter" {
- count = var.dead_letter_config == null ? 0 : 1
+ count = var.dead_letter_config == null ? 0 : var.enabled ? 1 : 0
 
 statement {
 effect = "Allow"
@@ -88,24 +92,24 @@ data "aws_iam_policy_document" "dead_letter" {
 }
 
 resource "aws_iam_policy" "dead_letter" {
- count = var.dead_letter_config == null ? 0 : 1
+ count = var.dead_letter_config == null ? 0 : var.enabled ? 1 : 0
 
 name = "${var.function_name}-dl"
 policy = data.aws_iam_policy_document.dead_letter[0].json
 }
 
 resource "aws_iam_policy_attachment" "dead_letter" {
- count = var.dead_letter_config == null ? 0 : 1
+ count = var.dead_letter_config == null ? 0 : var.enabled ? 1 : 0
 
 name = "${var.function_name}-dl"
- roles = [aws_iam_role.lambda.name]
+ roles = [aws_iam_role.lambda[0].name]
 policy_arn = aws_iam_policy.dead_letter[0].arn
 }
 
 # Attach an additional policy required for the VPC config
 
 data "aws_iam_policy_document" "network" {
- count = var.vpc_config == null ? 0 : 1
+ count = var.vpc_config == null ? 0 : var.enabled ? 1 : 0
 
 statement {
 effect = "Allow"
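Review bot: The new count expressions on the dead_letter and network blocks in this hunk (and on the network and additional blocks in the following hunk) nest one conditional inside another, `count = var.dead_letter_config == null ? 0 : var.enabled ? 1 : 0`, which reads differently from the `var.enabled && var.cloudwatch_logs ? 1 : 0` form the same commit uses for the logs blocks a few lines earlier. Flattening them to `count = var.enabled && var.dead_letter_config != null ? 1 : 0` (and likewise for `var.vpc_config` and `var.policy`) gives every gate the same shape and puts the enabled check where a reader looks for it first. This is a readability point only; the evaluated result is the same.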
@@ -123,33 +127,33 @@ data "aws_iam_policy_document" "network" { } resource "aws_iam_policy" "network" { - count = var.vpc_config == null ? 0 : 1 + count = var.vpc_config == null ? 0 : var.enabled ? 1 : 0 name = "${var.function_name}-network" policy = data.aws_iam_policy_document.network[0].json } resource "aws_iam_policy_attachment" "network" { - count = var.vpc_config == null ? 0 : 1 + count = var.vpc_config == null ? 0 : var.enabled ? 1 : 0 name = "${var.function_name}-network" - roles = [aws_iam_role.lambda.name] + roles = [aws_iam_role.lambda[0].name] policy_arn = aws_iam_policy.network[0].arn } # Attach an additional policy if provided. resource "aws_iam_policy" "additional" { - count = var.policy == null ? 0 : 1 + count = var.policy == null ? 0 : var.enabled ? 1 : 0 name = var.function_name policy = var.policy.json } resource "aws_iam_policy_attachment" "additional" { - count = var.policy == null ? 0 : 1 + count = var.policy == null ? 0 : var.enabled ? 1 : 0 name = var.function_name - roles = [aws_iam_role.lambda.name] + roles = [aws_iam_role.lambda[0].name] policy_arn = aws_iam_policy.additional[0].arn } diff --git a/lambda.tf b/lambda.tf index 2fdd510..b82171f 100644 --- a/lambda.tf +++ b/lambda.tf @@ -1,8 +1,8 @@ resource "aws_lambda_function" "lambda" { - + count = var.enabled ? 1 : 0 function_name = var.function_name description = var.description - role = aws_iam_role.lambda.arn + role = aws_iam_role.lambda[0].arn handler = var.handler memory_size = var.memory_size reserved_concurrent_executions = var.reserved_concurrent_executions @@ -14,7 +14,7 @@ resource "aws_lambda_function" "lambda" { # Use a generated filename to determine when the source code has changed. - filename = data.external.built.result.filename + filename = data.external.built[0].result.filename depends_on = [null_resource.archive] # Add dynamic blocks based on variables. diff --git a/outputs.tf b/outputs.tf index 8e9e4e6..b3d9c92 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,29 +1,29 @@
 output "function_arn" {
 description = "The ARN of the Lambda function"
- value = aws_lambda_function.lambda.arn
+ value = join("", aws_lambda_function.lambda.*.arn)
 }
 
 output "function_invoke_arn" {
 description = "The Invoke ARN of the Lambda function"
- value = aws_lambda_function.lambda.invoke_arn
+ value = join("", aws_lambda_function.lambda.*.invoke_arn)
 }
 
 output "function_name" {
 description = "The name of the Lambda function"
- value = aws_lambda_function.lambda.function_name
+ value = join("", aws_lambda_function.lambda.*.function_name)
 }
 
 output "function_qualified_arn" {
 description = "The qualified ARN of the Lambda function"
- value = aws_lambda_function.lambda.qualified_arn
+ value = join("", aws_lambda_function.lambda.*.qualified_arn)
 }
 
 output "role_arn" {
 description = "The ARN of the IAM role created for the Lambda function"
- value = aws_iam_role.lambda.arn
+ value = join("", aws_iam_role.lambda.*.arn)
 }
 
 output "role_name" {
 description = "The name of the IAM role created for the Lambda function"
- value = aws_iam_role.lambda.name
+ value = join("", aws_iam_role.lambda.*.name)
 }
diff --git a/tests/dead-letter-queue/main.tf b/tests/dead-letter-queue/main.tf
index 083e312..716fa6c 100644
--- a/tests/dead-letter-queue/main.tf
+++ b/tests/dead-letter-queue/main.tf
@@ -31,4 +31,6 @@ module "lambda" {
 dead_letter_config = {
 target_arn = aws_sqs_queue.dlq.arn
 }
+
+ enabled = true
 }
diff --git a/tests/environment-variables/main.tf b/tests/environment-variables/main.tf
index 44ca0d6..b7fe9f7 100644
--- a/tests/environment-variables/main.tf
+++ b/tests/environment-variables/main.tf
@@ -30,4 +30,6 @@ module "lambda" {
 ARN = aws_iam_user.test.arn
 }
 }
+
+ enabled = true
 }
diff --git a/variables.tf b/variables.tf
index 1b17bd5..7f30ca4 100644
--- a/variables.tf
+++ b/variables.tf
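Review bot: With `enabled = false` every output in this hunk silently becomes the empty string, because `join("", aws_lambda_function.lambda.*.arn)` joins a zero-element list, and none of the output descriptions say so. A consumer that feeds `module.lambda.role_arn` or `module.lambda.function_arn` into an IAM policy `resources` list then gets a value that plans cleanly but is likely to be rejected at apply time, and one that interpolates it into a wider ARN pattern could end up with a broader match than intended. Returning `null` when disabled, for example `value = try(aws_lambda_function.lambda[0].arn, null)`, fails at the point of use instead. If the empty string is the intended contract, each description should at least gain `Empty string when enabled is false.`.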
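Review bot: Both test fixtures in this commit (this dead-letter-queue hunk and the environment-variables hunk that follows it) set `enabled = true`, which is already the variable's default, so the new disabled path — the `[0]` indexing added in iam.tf, archive.tf and lambda.tf and the `join("", ...)` outputs — is never exercised by the test suite. A fixture that sets `enabled = false` and asserts the outputs are empty would catch an index error from any reference the commit missed. If the fixtures are only meant to document the option, the `true` value can be dropped as it changes nothing.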
@@ -134,3 +134,9 @@ variable "vpc_config" {
 })
 default = null
 }
+
+variable "enabled" {
+ description = "Enable or disable the Lambda resources."
+ type = bool
+ default = true
+}
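Review bot: The description of the new `enabled` variable does not match the README row added for it in the same commit, which reads `Enabling and disaling of resources` (with a typo), and neither text tells the caller what disabling does to the module's outputs. Suggest keeping the two texts identical and making the variable's description carry the contract, for example `description = "Set to false to create none of the Lambda resources; the module outputs are then empty strings."`.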