Allow extra permissions for lambda role #29
Pull request overview
Adds a configurable way for consumers of the root module (and modules/scheduled-lambda) to attach additional IAM managed policies to the scheduled Lambda execution role, and exposes the role name as an output.
Changes:
- Introduces new input variables for “additional policy ARNs” (root + scheduled-lambda module) and wires them through.
- Attaches the provided managed policy ARNs to the scheduled Lambda execution role.
- Adds new outputs for the scheduled Lambda execution role name (module + root) and updates module README/example wiring.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| variables.tf | Adds root input scheduled_lambda_additional_policy_arns. |
| outputs.tf | Adds root output scheduled_lambda_role_name. |
| modules/scheduled-lambda/variables.tf | Adds module input additional_policy_arns. |
| modules/scheduled-lambda/outputs.tf | Adds module output execution_role_name. |
| modules/scheduled-lambda/main.tf | Attaches each additional policy ARN to the Lambda role. |
| modules/scheduled-lambda/README.md | Documents the new input/output and shows example usage. |
| main.tf | Passes root variable through to the scheduled-lambda submodule. |
| examples/basic/variables.tf | Adds example variable for additional policy ARNs. |
| examples/basic/main.tf | Wires example variable into the root module call. |
1. Now it takes a mapping. This solves the problem that we can't use foreach on ARNs that are unknown before the plan, and that count/index means that the resources are order-dependent.
2. Now we allow either managed policies or inline policies. We check against the AWS default quota of 10 managed policies.
3. We move our built-in policy to inline, so that it doesn't take one of the slots for the managed policies.
Pull request overview
Adds configurable extra IAM permissions for the scheduled Lambda execution role (from both the root module and the modules/scheduled-lambda module), making it easier for consumers to grant additional AWS capabilities without forking the module.
Changes:
- Introduces inputs to pass additional managed policy ARNs and additional inline policy JSON documents to the scheduled Lambda role.
- Refactors the module’s built-in permissions from a dedicated managed policy + attachment to an inline role policy.
- Exposes the scheduled Lambda execution role name as a new output (module + root).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| variables.tf | Adds root-module inputs to pass additional managed/inline policies into scheduled_lambda. |
| main.tf | Wires new root variables into the module "scheduled_lambda" call. |
| outputs.tf | Adds root output for the scheduled Lambda role name. |
| modules/scheduled-lambda/variables.tf | Adds module inputs + validations for additional managed/inline policies. |
| modules/scheduled-lambda/main.tf | Attaches built-in permissions as an inline policy; attaches caller-managed policies and caller inline policies. |
| modules/scheduled-lambda/outputs.tf | Adds module output for execution role name. |
| modules/scheduled-lambda/README.md | Documents new inputs/outputs and provides usage examples. |
| examples/basic/variables.tf | Adds example inputs for extra role permissions. |
| examples/basic/main.tf | Passes example inputs through to the root module. |
      can(regex("\\S", policy_json)) && can(jsondecode(policy_json))
    ])
    error_message = "additional_inline_policies values must be non-empty JSON strings."
  }
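Review bot: `can(jsondecode(policy_json))` only proves the value is valid JSON, not that it is an IAM policy document; a bare `"42"` or `"\"abc\""` passes this validation and then fails at apply time when `aws_iam_role_policy` is created. Suggest tightening the condition to `can(jsondecode(policy_json).Statement)` (or checking the decoded value is an object with a `Statement` key) and wording the error message accordingly, e.g. "values must be non-empty IAM policy JSON documents".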
This is an incorrect statement. There's a limit of 10 managed policies, but you can have as many inline as you want (although there is a limit on total length).
You can add as many inline policies as you want to an IAM user, role, or group.
@@ -34,11 +67,14 @@ module "scheduled_lambda" {
- `image_command` (list(string)): Optional override for the container CMD/handler.
- `tags` (map(string)): Tags to apply to created resources.
- `create_test_url` (bool): Create a public Lambda Function URL for temporary testing only (not for production). This URL has no auth and is publicly accessible, so it can be abused.
- `additional_managed_policy_arns` (map(string)): Additional IAM managed policy ARNs to attach to the Lambda execution role, keyed by stable labels. Supports up to 10 entries.
- `additional_inline_policies` (map(string)): Additional inline IAM policy JSON documents to attach to the Lambda execution role, keyed by stable labels. AWS enforces the aggregate inline-policy size limit.
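Review bot: the `additional_managed_policy_arns` bullet says "Supports up to 10 entries" without saying where the number comes from; since 10 is the AWS default managed-policies-per-role quota (and the module's validation enforces it), suggest "Supports up to 10 entries (the AWS default quota for managed policies per role)" so readers with a raised quota understand why the module still rejects an 11th entry. It would also help to state that the built-in permissions are attached inline and therefore do not count against those 10.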
This is an incorrect statement. There's a limit of 10 managed policies, but you can have as many inline as you want (although there is a limit on total length).
You can add as many inline policies as you want to an IAM user, role, or group.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This adds an input to `scheduled_lambda` and to the root module to allow users to easily add additional permissions to the lambda role, in case it needs additional AWS functionality.