terraform-aws-lambda
Use Inline Policies instead of Managed
Is your request related to a new offering from AWS?
No.
Is your request related to a problem? Please describe.
Using customer-managed policies is not directly a problem but since the policies are only used for the Lambda function it would be cleaner to use inline policies, IMO. See also Managed policies and inline policies.
Describe the solution you'd like.
I would suggest replacing aws_iam_policy and aws_iam_role_policy_attachment resources (for additional "JSON" policies) with aws_iam_role_policy.
For example, changing
# iam.tf:282
resource "aws_iam_policy" "additional_json" {
count = local.create_role && var.attach_policy_json ? 1 : 0
name = local.policy_name
path = var.policy_path
policy = var.policy_json
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "additional_json" {
count = local.create_role && var.attach_policy_json ? 1 : 0
role = aws_iam_role.lambda[0].name
policy_arn = aws_iam_policy.additional_json[0].arn
}
to
resource "aws_iam_role_policy" "additional_json" {
count = local.create_role && var.attach_policy_json ? 1 : 0
name = local.policy_name
role = aws_iam_role.lambda[0].name
policy = var.policy_json
# aws_iam_role_policy has no tags argument (inline policies cannot be tagged)
}
The same applies to resources related to Additional policies (list of JSON).
Describe alternatives you've considered.
The alternative is keeping it the way it is now :slightly_smiling_face:
Additional context
If you agree with my suggestion, I'm happy to create a PR with the necessary changes :upside_down_face:
This improvement sounds good. Please make a PR, which will be included as a breaking change in the upcoming major release.
Great! I will try to make a PR in the next days :slightly_smiling_face:
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
I'm just waiting on a response on my PR :slightly_smiling_face: - no reason for going stale.
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
I would very much appreciate a (second) review of my PR, @antonbabenko
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
just don't
I agree with this too. It's far better to use inline if it's for a specific purpose otherwise the policies can be reused for other roles by mistake. Inline policies prevent reuse.
This issue has been resolved in version 7.20.0 :tada:
Out of curiosity, what's your take on https://docs.aws.amazon.com/config/latest/developerguide/iam-no-inline-policy-check.html ? This change makes the rule NON_COMPLIANT.
@oskar-pgt What about the opposite check https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-in-use.html?
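The two Config rules mentioned above pull in opposite directions: iam-no-inline-policy-check flags any role carrying an inline policy, while the reuse concern raised earlier only applies to customer-managed policies, which can end up attached to a second role. The following added example (not part of the issue or the module) evaluates both conditions over a constructed inventory shaped like the output of `list_role_policies` / `list_attached_role_policies`; role names, the account id and policy ARNs are made up.

```python
"""Offline check of the inline-vs-managed trade-off discussed in this issue.
SAMPLE_INVENTORY is constructed sample data (not from a real account), keyed
by role name, in the shape an IAM listing would give after pagination."""
from collections import defaultdict

# Constructed sample inventory; 123456789012 is the AWS docs placeholder account.
SAMPLE_INVENTORY = {
    "lambda-orders": {
        "inline": ["lambda-orders-additional-json"],
        "managed": ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
    },
    "lambda-reports": {
        "inline": [],
        "managed": [
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
            "arn:aws:iam::123456789012:policy/lambda-orders-additional",
        ],
    },
    "lambda-billing": {
        "inline": [],
        "managed": ["arn:aws:iam::123456789012:policy/lambda-orders-additional"],
    },
}


def is_customer_managed(arn):
    """AWS-managed policies live under the 'aws' pseudo-account; all others are customer-managed."""
    return not arn.startswith("arn:aws:iam::aws:policy/")


def roles_with_inline_policies(inventory):
    """Roles that iam-no-inline-policy-check would report as NON_COMPLIANT."""
    return sorted(role for role, pol in inventory.items() if pol["inline"])


def shared_customer_policies(inventory):
    """Customer-managed policies attached to more than one role, i.e. the
    accidental reuse that inline policies rule out. Returns {arn: [roles]}."""
    attached_to = defaultdict(list)
    for role, pol in inventory.items():
        for arn in pol["managed"]:
            if is_customer_managed(arn):
                attached_to[arn].append(role)
    return {arn: sorted(roles) for arn, roles in attached_to.items() if len(roles) > 1}


if __name__ == "__main__":
    print("inline policies on:", roles_with_inline_policies(SAMPLE_INVENTORY))
    for arn, roles in shared_customer_policies(SAMPLE_INVENTORY).items():
        print(f"shared customer-managed policy {arn} -> {roles}")
```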
I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.