From 817f87885f4cebbd46daccb176783db9a64047b4 Mon Sep 17 00:00:00 2001 From: bugs404 Date: Wed, 7 Apr 2021 12:36:21 -0400 Subject: [PATCH] DF-2391 - Allow codebuild job to invoke lambda in some environments (#16) DF-2391 - Add an optional variable that defaults to false and if true gives the codebuild job for the lambda function the ability to invoke the lambda function (for integration testing purposes) - propagate the switch as an env variable available to the codebuild job so it can decide to run an integration test or not - Update readme to document new functionality and environment variable that exposes said functionality --- README.md | 14 +++++++++ lambda_function/ci.tf | 60 ++++++++++++++++++++---------------- lambda_function/variables.tf | 5 +++ 3 files changed, 52 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index ecc17d5..bb731eb 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ Additional arguments: | create_empty_layer | Create an empty lambda layer without the actual code if set to true | True | | codebuild_image | Specify Codebuild's [image](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html) | "aws/codebuild/standard:1.0" | | privileged_mode | Run the docker container with [privilege](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) | False | +| codebuild_can_run_integration_test | Specifies whether or not codebuild job can invoke lambda function and is passed through to the job as an env variable (run_integration_test) | False # CodeBuild 
@@ -123,3 +124,16 @@ Ensure you add the following permissions to the lambda role []: https://www.terraform.io/docs/providers/aws/r/lambda_function.html + +## Codebuild and Integration Testing + +If invoking this module within an environment where Integration testing makes sense as part of CI, by setting the "codebuild_can_run_integration_test" argument to true + * The codebuild job that accompanies lambda ci is now able to invoke the lambda function + * The codebuild job will know if it's appropriate to perform integration testing in the environment it's running in according to env variable "run_integration_test" + +For an example implementation of a lambda-codebuild job setup to conditionally run integration tests see this buildspec.yml excerpt: + + if [ "$run_integration_test" = true ]; then + aws lambda wait function-updated --function-name $lambda_name; + aws lambda invoke --function-name $lambda_name --payload file://tests/testEvent.json response.json | jq -e 'has("FunctionError")|not'; + fi \ No newline at end of file diff --git a/lambda_function/ci.tf b/lambda_function/ci.tf index 3592f7d..9a90143 100644 --- a/lambda_function/ci.tf +++ b/lambda_function/ci.tf @@ -24,36 +24,38 @@ EOF resource "aws_iam_role_policy" "codebuild" { count = var.github_url == "" ? 0 : 1 - role = aws_iam_role.codebuild[0].name + policy = data.aws_iam_policy_document.policy.json +} - policy = <
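Review bot: the new `codebuild_can_run_integration_test` row in the README arguments table ends at `| False` with no closing ` |`, unlike the `privileged_mode` row directly above it, so add the trailing pipe to keep the table consistent. The description should also state plainly that setting it to true widens the CodeBuild role's IAM permissions to include invoking the function, since the current wording reads mostly as an environment-variable switch. Note too that the argument is `codebuild_can_run_integration_test` while the variable the job sees is `run_integration_test`; keeping both names in the row is good, but marking which one is the Terraform input and which is the job environment variable would avoid confusion.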
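Review bot: in the buildspec excerpt of the new "Codebuild and Integration Testing" section, `$lambda_name` is expanded unquoted in both `aws lambda wait` and `aws lambda invoke`; quote it as `"$lambda_name"` so an empty or unexpected value cannot be split into extra CLI arguments. The added text documents only `run_integration_test` as being passed to the job, so it should also say where `lambda_name` is expected to come from. The test `[ "$run_integration_test" = true ]` is an exact string match, which is worth stating in the README so that a value such as `True` or `1` is not assumed to enable the test. The sentence beginning "If invoking this module within an environment" never reaches a main clause before the bullet list, and the section should recommend leaving the flag at its default in environments where a CI job invoking the function with `tests/testEvent.json` would have real side effects. The file also ends without a trailing newline (`\ No newline at end of file`).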
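Review bot: in `lambda_function/ci.tf`, `aws_iam_role_policy.codebuild` now takes its document from `data.aws_iam_policy_document.policy`, and the name `policy` is too generic for a module that manages more than one role; something like `codebuild` would match the resource it feeds. From the lines shown here the contents of that document cannot be checked, so please confirm that the invoke statement is emitted only when `codebuild_can_run_integration_test` is true, that it allows only `lambda:InvokeFunction`, and that its resource is this function's ARN and not a wildcard. It is also worth confirming that the data source tolerates `github_url == ""`, since the resource that consumes it is guarded by `count` and references `aws_iam_role.codebuild[0]`.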