Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use Inline Policies instead of Managed #607

Open
RafaelWO opened this issue Aug 6, 2024 · 6 comments · May be fixed by #615
Open

Use Inline Policies instead of Managed #607

RafaelWO opened this issue Aug 6, 2024 · 6 comments · May be fixed by #615

Comments

@RafaelWO
Copy link

RafaelWO commented Aug 6, 2024
edited
Loading

Is your request related to a new offering from AWS?

No.

Is your request related to a problem? Please describe.

Using customer-managed policies is not directly a problem but since the policies are only used for the Lambda function it would be cleaner to use inline policies, IMO. See also Managed policies and inline policies.

Describe the solution you'd like.

I would suggest replacing aws_iam_policy and aws_iam_role_policy_attachment resources (for additional "JSON" policies) with aws_iam_role_policy.

For example, changing

# iam.if:282
resource "aws_iam_policy" "additional_json" {
  count = local.create_role && var.attach_policy_json ? 1 : 0

  name   = local.policy_name
  path   = var.policy_path
  policy = var.policy_json
  tags   = var.tags
}

resource "aws_iam_role_policy_attachment" "additional_json" {
  count = local.create_role && var.attach_policy_json ? 1 : 0

  role       = aws_iam_role.lambda[0].name
  policy_arn = aws_iam_policy.additional_json[0].arn
}

to

resource "aws_iam_role_policy" "additional_json" {
  count = local.create_role && var.attach_policy_json ? 1 : 0

  name   = local.policy_name
  role   = aws_iam_role.lambda[0].name
  policy = var.policy_json
  tags   = var.tags
}

The same applies to resources related to Additional policies (list of JSON).

Describe alternatives you've considered.

The alternative is keeping it the way it is now 🙂

Additional context

If you agree with my suggestion, I'm happy to create a PR with the necessary changes 🙃
@antonbabenko
Copy link
Member

This improvement sounds good. Please make a PR, which will be included as a breaking change in the upcoming major release.

@RafaelWO
Copy link
Author

Great! I will try to make a PR in the next days 🙂

@RafaelWO RafaelWO linked a pull request Aug 29, 2024 that will close this issue
Open
4 tasks
@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Sep 26, 2024
@RafaelWO
Copy link
Author

RafaelWO commented Sep 27, 2024
edited
Loading

I'm just waiting on a response on my PR 🙂 - no reason for going stale.

@github-actions github-actions bot removed the stale label Sep 28, 2024
@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Oct 28, 2024
@RafaelWO
Copy link
Author

I would very much appreciate a (second) review of my PR, @antonbabenko 😃

@github-actions github-actions bot removed the stale label Oct 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Use inline instead of managed policies RafaelWO/terraform-aws-lambda
2 participants
@antonbabenko @RafaelWO