From c7582aa0e16aa78205e7307550f624c4cd473887 Mon Sep 17 00:00:00 2001
From: niyatir2608
Date: Tue, 20 Feb 2024 17:35:13 +0530
Subject: [PATCH] Add variables for lambda permissions

---
 EXAMPLE.md | 17 +++++++++--------
 README.md | 6 ++++++
 main.tf | 12 ++++++------
 variables.tf | 32 +++++++++++++++++++++++++++++++-
 4 files changed, 52 insertions(+), 15 deletions(-)

diff --git a/EXAMPLE.md b/EXAMPLE.md
index 2432651..61bc573 100644
--- a/EXAMPLE.md
+++ b/EXAMPLE.md
@@ -40,14 +40,15 @@ module "lambda_test" {
 Api gateway will invoke the lambda function where function is created from zip file named lambda.zip uploaded in s3 bucket where key is path for zip file in the bucket.
 ```
 module "lambda_test" {
- source = "./lambda"
- function_name = "${var.prefix}-test-lambda"
- handler = "lambda.handler"
- lambda_runtime = "python3.x"
- s3_bucket = "${var.prefix}-test-lambda"
- s3_key = "lambda.zip"
- description = "Allow apigw to invoke lambda"
- apigw_execution_arn = "arn:aws:apigateway:region::resource-path-specifier"
+ source = "./lambda"
+ function_name = "${var.prefix}-test-lambda"
+ handler = "lambda.handler"
+ lambda_runtime = "python3.x"
+ s3_bucket = "${var.prefix}-test-lambda"
+ s3_key = "lambda.zip"
+ description = "Allow apigw to invoke lambda"
+ enable_api_invoke_permission = true
+ apigw_execution_arn = "arn:aws:apigateway:region::resource-path-specifier"
 logs_retention = 14
 }
 ```
diff --git a/README.md b/README.md
index 64f25e6..c18d2e4 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,12 @@ No modules.
 | [cloudwatch\_scheduler\_arn](#input\_cloudwatch\_scheduler\_arn) | Cloudwatch scheduler arn | `string` | `""` | no |
 | [cognito\_pool\_arn](#input\_cognito\_pool\_arn) | Cognito pool arn | `string` | `""` | no |
 | [description](#input\_description) | Lambda function description | `any` | n/a | yes |
+| [enable\_api\_invoke\_permission](#input\_enable\_api\_invoke\_permission) | Enable api invoke permission | `bool` | `false` | no |
+| [enable\_cognito\_invoke\_permission](#input\_enable\_cognito\_invoke\_permission) | Enable cognito invoke permission | `bool` | `false` | no |
+| [enable\_eventbridge\_invoke\_permission](#input\_enable\_eventbridge\_invoke\_permission) | Enable eventbridge invoke permission | `bool` | `false` | no |
+| [enable\_scheduler\_invoke\_permission](#input\_enable\_scheduler\_invoke\_permission) | Enable scheduler invoke permission | `bool` | `false` | no |
+| [enable\_sns\_invoke\_permission](#input\_enable\_sns\_invoke\_permission) | Enable sns invoke permission | `bool` | `false` | no |
+| [enable\_sqs\_invoke\_permission](#input\_enable\_sqs\_invoke\_permission) | Enable sqs invoke permission | `bool` | `false` | no |
 | [env\_vars\_from\_parameter\_store](#input\_env\_vars\_from\_parameter\_store) | Lambda environment variables from SSM parameter store | `map(any)` | `{}` | no |
 | [environment\_variables](#input\_environment\_variables) | Environment Variables for Lambda Functions | `map(any)` | `{}` | no |
 | [eventbridge\_rule\_arn](#input\_eventbridge\_rule\_arn) | Eventbridge rule arn | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index b7bc4af..3a5b151 100644
--- a/main.tf
+++ b/main.tf
@@ -70,7 +70,7 @@ resource "aws_lambda_function" "lambda" { # ------------------------------------------------------------------------------------------ resource "aws_lambda_permission" "api" { - count = length(var.apigw_execution_arn) > 0 ? 1 : 0 + count = var.enable_api_invoke_permission ? 1 : 0 statement_id = "AllowAPIGWLambdaInvoke" action = "lambda:InvokeFunction" function_name = aws_lambda_function.lambda.function_name @@ -79,7 +79,7 @@ resource "aws_lambda_permission" "api" { } resource "aws_lambda_permission" "cognito" { - count = length(var.cognito_pool_arn) > 0 ? 1 : 0 + count = var.enable_cognito_invoke_permission ? 1 : 0 statement_id = "AllowCognitoPoolLambdaInvoke" action = "lambda:InvokeFunction" function_name = aws_lambda_function.lambda.function_name @@ -88,7 +88,7 @@ resource "aws_lambda_permission" "cognito" { } resource "aws_lambda_permission" "sqs" { - count = length(var.sqs_queue_arn) > 0 ? 1 : 0 + count = var.enable_sqs_invoke_permission ? 1 : 0 statement_id = "AllowExecutionFromSQS" action = "lambda:InvokeFunction" function_name = aws_lambda_function.lambda.function_name @@ -97,7 +97,7 @@ resource "aws_lambda_permission" "sqs" { } resource "aws_lambda_permission" "eventbridge" { - count = length(var.eventbridge_rule_arn) > 0 ? 1 : 0 + count = var.enable_eventbridge_invoke_permission ? 1 : 0 statement_id = "AllowExecutionFromEventBridge" action = "lambda:InvokeFunction" function_name = aws_lambda_function.lambda.function_name @@ -106,7 +106,7 @@ resource "aws_lambda_permission" "eventbridge" { } resource "aws_lambda_permission" "sns" { - count = length(var.sns_topic_arn) > 0 ? 1 : 0 + count = var.enable_sns_invoke_permission ? 1 : 0 statement_id = "AllowInvocationFromSNS" action = "lambda:InvokeFunction" function_name = aws_lambda_function.lambda.function_name 
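Review bot: Switching every `aws_lambda_permission` count from `length(var.*_arn) > 0` to a bare boolean drops the guarantee that a permission is only created when an ARN exists to scope it; with `enable_api_invoke_permission = true` and `apigw_execution_arn` left at its documented default `""`, the resource is still created, and assuming the `source_arn = var.apigw_execution_arn` line sits just below the hunk, an empty value either fails the apply or, if the provider treats it as unset, yields a permission for the whole service principal with no SourceArn condition, which is the over-broad invoke grant these ARN inputs exist to prevent. The same gap is in the cognito, sqs, eventbridge and sns hunks here and in the cloudwatch_scheduler hunk in the next chunk. Keeping both conditions on the count line is a one-line fix, `count = var.enable_api_invoke_permission && length(var.apigw_execution_arn) > 0 ? 1 : 0`, although a `lifecycle { precondition { condition = !var.enable_api_invoke_permission || length(var.apigw_execution_arn) > 0 } }` that fails the plan is better than silently creating nothing when the flag is set but the ARN is missing. Each resource body continues past the hunk, so the `source_arn` assignment itself is not visible here.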
@@ -115,7 +115,7 @@ resource "aws_lambda_permission" "sns" {
 }
 
 resource "aws_lambda_permission" "cloudwatch_scheduler" {
- count = length(var.cloudwatch_scheduler_arn) > 0 ? 1 : 0
+ count = var.enable_scheduler_invoke_permission ? 1 : 0
 statement_id = "AllowExecutionFromEventbridge"
 action = "lambda:InvokeFunction"
 function_name = aws_lambda_function.lambda.function_name
diff --git a/variables.tf b/variables.tf
index 6001af7..7dea15a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -134,4 +134,34 @@ variable "eventbridge_rule_arn" {
 variable "cloudwatch_scheduler_arn" {
 description = "Cloudwatch scheduler arn"
 default = ""
-}
\ No newline at end of file
+}
+
+variable "enable_api_invoke_permission" {
+ description = "Enable api invoke permission"
+ default = false
+}
+
+variable "enable_cognito_invoke_permission" {
+ description = "Enable cognito invoke permission"
+ default = false
+}
+
+variable "enable_sqs_invoke_permission" {
+ description = "Enable sqs invoke permission"
+ default = false
+}
+
+variable "enable_eventbridge_invoke_permission" {
+ description = "Enable eventbridge invoke permission"
+ default = false
+}
+
+variable "enable_sns_invoke_permission" {
+ description = "Enable sns invoke permission"
+ default = false
+}
+
+variable "enable_scheduler_invoke_permission" {
+ description = "Enable scheduler invoke permission"
+ default = false
+}
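Review bot: None of the six new `enable_*_invoke_permission` variables in the variables.tf hunk declares a type, so the `bool` the README table advertises is only inferred from `default = false` and is not enforced; an untyped variable accepts any value and is only checked, or implicitly converted, at the `count = var.enable_... ? 1 : 0` use site instead of at the module boundary. Add `type = bool` to each block, and since the flag is only meaningful together with its ARN input, let the description say so, e.g. `description = "Create the API Gateway invoke permission; requires apigw_execution_arn to be set"` with the matching ARN named in the other five. The existing `cloudwatch_scheduler_arn` block shown as context has the same missing `type = string`, though that is outside this change.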