DF-2391 - Allow codebuild job to invoke lambda in some environments (#16

) DF-2391 - Add an optional variable that defaults to false and if true gives the codebuild job for the lambda function the ability to invoke the lambda function (for integration testing purposes) - propagate the switch as an env variable available to the codebuild job so it can decide to run an integration test or not - Update readme to document new functionality and environment variable that exposes said functionality
PatientPing · Apr 7, 2021 · 817f878 · 817f878
1 parent 834478e
commit 817f878
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -63,6 +63,7 @@ Additional arguments:
 | create_empty_layer        | Create an empty lambda layer without the actual code if set to true       | True         |
 | codebuild_image           | Specify Codebuild's [image](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html) | "aws/codebuild/standard:1.0" |
 | privileged_mode           | Run the docker container with [privilege](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities)               | False         |
+| codebuild_can_run_integration_test | Specifies whether or not codebuild job can invoke lambda function and is passed through to the job as an env variable (run_integration_test) | False
 
 # CodeBuild
 
@@ -123,3 +124,16 @@ Ensure you add the following permissions to the lambda role
 
 
 []: https://www.terraform.io/docs/providers/aws/r/lambda_function.html
+
+## Codebuild and Integration Testing
+
+If invoking this module within an environment where Integration testing makes sense as part of CI, by setting the "codebuild_can_run_integration_test" argument to true
+ * The codebuild job that accompanies lambda ci is now able to invoke the lambda function
+ * The codebuild job will know if it's appropriate to perform integration testing in the environment it's running in according to env variable "run_integration_test"
+
+For an example implementation of a lambda-codebuild job setup to conditionally run integration tests see this buildspec.yml excerpt:
+
+    if [ "$run_integration_test" = true ]; then
+          aws lambda wait function-updated --function-name $lambda_name;
+          aws lambda invoke --function-name $lambda_name --payload file://tests/testEvent.json response.json | jq -e 'has("FunctionError")|not';
+    fi
diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf
@@ -24,36 +24,38 @@ EOF
 
 resource "aws_iam_role_policy" "codebuild" {
   count = var.github_url == "" ? 0 : 1
-
   role = aws_iam_role.codebuild[0].name
+  policy = data.aws_iam_policy_document.policy.json
+}
 
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ],
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ]
-    },
-    {
-      "Effect": "Allow",
-      "Resource": "${aws_lambda_function.lambda.arn}",
-      "Action": [
-        "lambda:UpdateFunctionCode",
-        "lambda:ListVersionsByFunction",
-        "lambda:UpdateAlias"
-      ]
+data "aws_iam_policy_document" "policy" {
+  statement {
+    effect = "Allow"
+    resources = ["*"]
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"]
+  }
+  statement {
+    effect = "Allow"
+    resources = [
+      aws_lambda_function.lambda.arn]
+    actions = [
+      "lambda:UpdateFunctionCode",
+      "lambda:ListVersionsByFunction",
+      "lambda:UpdateAlias"
+    ]
+  }
+  dynamic "statement" {
+    for_each = var.codebuild_can_run_integration_test ? ["allow_invoke"] : []
+    content {
+      effect = "Allow"
+      resources = [aws_lambda_function.lambda.arn]
+      actions = ["lambda:InvokeFunction", "lambda:GetFunctionConfiguration"]
     }
-  ]
-}
-EOF
+  }
+
 }
 
 resource "aws_codebuild_project" "lambda" {
@@ -72,6 +74,10 @@ resource "aws_codebuild_project" "lambda" {
     image                       = "aws/codebuild/standard:4.0"
     type                        = "LINUX_CONTAINER"
     image_pull_credentials_type = "CODEBUILD"
+    environment_variable {
+      name = "run_integration_test"
+      value = var.codebuild_can_run_integration_test
+    }
   }
 
   source {

diff --git a/lambda_function/variables.tf b/lambda_function/variables.tf
@@ -119,6 +119,11 @@ variable "codebuild_credential_arn" {
   default = ""
 }
 
+variable "codebuild_can_run_integration_test" {
+  type    = bool
+  default = false
+}
+
 variable "build_timeout" {
   type    = string
   default = "60"