From 399cf724144bd9661a738d6cbf80fda1ddea7db8 Mon Sep 17 00:00:00 2001
From: Brandon Clodius
Date: Sun, 23 Apr 2017 05:44:07 -0400
Subject: [PATCH] Fixes issue for cross account iam role with aws_lambda_permission (#13865)

---
 .../aws/resource_aws_lambda_permission.go | 7 ++-
 .../resource_aws_lambda_permission_test.go | 60 +++++++++++++++++++
 2 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/builtin/providers/aws/resource_aws_lambda_permission.go b/builtin/providers/aws/resource_aws_lambda_permission.go
index 2cf5b671e..6372526e9 100644
--- a/builtin/providers/aws/resource_aws_lambda_permission.go
+++ b/builtin/providers/aws/resource_aws_lambda_permission.go
@@ -230,7 +230,12 @@ func resourceAwsLambdaPermissionRead(d *schema.ResourceData, meta interface{}) e
 }
 
 d.Set("action", statement.Action)
- d.Set("principal", statement.Principal["Service"])
+ // Check if the pricipal is a cross-account IAM role
+ if _, ok := statement.Principal["AWS"]; ok {
+ d.Set("principal", statement.Principal["AWS"])
+ } else {
+ d.Set("principal", statement.Principal["Service"])
+ }
 
 if stringEquals, ok := statement.Condition["StringEquals"]; ok {
 d.Set("source_account", stringEquals["AWS:SourceAccount"])
diff --git a/builtin/providers/aws/resource_aws_lambda_permission_test.go b/builtin/providers/aws/resource_aws_lambda_permission_test.go
index 539a3fc89..357e122e2 100644
--- a/builtin/providers/aws/resource_aws_lambda_permission_test.go
+++ b/builtin/providers/aws/resource_aws_lambda_permission_test.go
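Review bot: The new branch indexes `statement.Principal["AWS"]` twice, once for the presence check and once for the value; `if aws, ok := statement.Principal["AWS"]; ok { d.Set("principal", aws) }` does a single lookup and reads more directly. The comment above it has a typo (`pricipal`) and would be more useful if it said what the two keys mean for state, e.g. `// "AWS" carries an IAM principal (cross-account role/account); "Service" carries an AWS service principal`. A statement that somehow carried both keys would now be reported only through its AWS principal, so a Service entry would be invisible to plan; that is presumably unreachable for statements written by this resource, but a comment saying so would help the next reader. `resourceAwsLambdaPermissionRead` begins and ends outside the hunk.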
@@ -332,6 +332,30 @@ func TestAccAWSLambdaPermission_withSNS(t *testing.T) {
 })
 }
 
+func TestAccAWSLambdaPermission_withIAMRole(t *testing.T) {
+ var statement LambdaPolicyStatement
+ endsWithFuncName := regexp.MustCompile(":function:lambda_function_name_perm_iamrole$")
+ endsWithRoleName := regexp.MustCompile("/iam_for_lambda_perm_iamrole$")
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSLambdaPermissionDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSLambdaPermissionConfig_withIAMRole,
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLambdaPermissionExists("aws_lambda_permission.iam_role", &statement),
+ resource.TestCheckResourceAttr("aws_lambda_permission.iam_role", "action", "lambda:InvokeFunction"),
+ resource.TestMatchResourceAttr("aws_lambda_permission.iam_role", "principal", endsWithRoleName),
+ resource.TestCheckResourceAttr("aws_lambda_permission.iam_role", "statement_id", "AllowExecutionFromIAMRole"),
+ resource.TestMatchResourceAttr("aws_lambda_permission.iam_role", "function_name", endsWithFuncName),
+ ),
+ },
+ },
+ })
+}
+
 func testAccCheckLambdaPermissionExists(n string, statement *LambdaPolicyStatement) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 rs, ok := s.RootModule().Resources[n]
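Review bot: The test captures the policy statement into `statement` but never inspects it, so the regression this commit fixes — reading the principal from the wrong key — is only verified indirectly through the `principal` state attribute, which would pass equally well if Read mapped some other value onto it. A check function placed right after `testAccCheckLambdaPermissionExists` in `ComposeTestCheckFunc` (the checks run in order, so `statement` is populated by then) can assert that the statement's principal is under `"AWS"` and matches `endsWithRoleName`, and that no `"Service"` principal is present; this assumes `LambdaPolicyStatement.Principal` is a string-keyed map of strings, as the Read code's indexing suggests, and that `fmt` is already imported by the test file. The role and function names are fixed literals, so two concurrent runs in one account would collide; the neighbouring tests appear to follow the same pattern, so this is pre-existing rather than a defect of the hunk.
```go
Check: resource.ComposeTestCheckFunc(
	testAccCheckLambdaPermissionExists("aws_lambda_permission.iam_role", &statement),
	func(*terraform.State) error {
		// Pin the fix at the policy level: the principal must be under "AWS", not "Service".
		if svc, ok := statement.Principal["Service"]; ok {
			return fmt.Errorf("unexpected Service principal %q on statement", svc)
		}
		if !endsWithRoleName.MatchString(statement.Principal["AWS"]) {
			return fmt.Errorf("AWS principal %q does not end with the IAM role name", statement.Principal["AWS"])
		}
		return nil
	},
	// … unchanged: resource attribute checks …
),
```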
@@ -724,6 +748,42 @@ EOF
 }
 `
 
+var testAccAWSLambdaPermissionConfig_withIAMRole = `
+resource "aws_lambda_permission" "iam_role" {
+ statement_id = "AllowExecutionFromIAMRole"
+ action = "lambda:InvokeFunction"
+ function_name = "${aws_lambda_function.my-func.arn}"
+ principal = "${aws_iam_role.police.arn}"
+}
+
+resource "aws_lambda_function" "my-func" {
+ filename = "test-fixtures/lambdatest.zip"
+ function_name = "lambda_function_name_perm_iamrole"
+ role = "${aws_iam_role.police.arn}"
+ handler = "exports.handler"
+ runtime = "nodejs4.3"
+}
+
+resource "aws_iam_role" "police" {
+ name = "iam_for_lambda_perm_iamrole"
+ assume_role_policy = <