Fix lambda integration issue (#7)
posquit0 authored Oct 3, 2023
1 parent 3e869c1 commit 1e06ff5
Showing 6 changed files with 36 additions and 4 deletions.
5 changes: 5 additions & 0 deletions examples/sfn-state-machine-hello-world/main.tf
Expand Up @@ -33,6 +33,11 @@ module "state_machine" {
iam_role = {
enabled = true
}
service_integrations = {
"lambda" = {
enabled = true
}
}

tags = {
"project" = "terraform-aws-lambda-examples"
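Review bot: the example turns the integration on but leaves `functions` unset, so the invoke permission granted to the role comes entirely from Lambda ARNs regex-detected in `definition` (the `coalescelist` in the iam.tf hunk). For an example users will copy, showing the explicit form, e.g. `functions = ["<ARN of the Lambda function referenced in the definition>"]`, would document the least-privilege path and avoid a plan-time error in the case where the definition contains no literal ARN and both lists end up empty.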
5 changes: 5 additions & 0 deletions examples/sfn-state-machine-logging/main.tf
Expand Up @@ -46,6 +46,11 @@ module "state_machine" {
iam_role = {
enabled = true
}
service_integrations = {
"lambda" = {
enabled = true
}
}


tags = {
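Review bot: two consecutive blank lines are left between the new `service_integrations` block and `tags` (the hello-world example keeps one); `terraform fmt` does not collapse these, so drop one by hand. Otherwise the same remark as for the hello-world example applies: `functions` is not set, so the grant depends entirely on ARN detection in the definition.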
5 changes: 5 additions & 0 deletions examples/sfn-state-machine-tracing/main.tf
Expand Up @@ -40,6 +40,11 @@ module "state_machine" {
iam_role = {
enabled = true
}
service_integrations = {
"lambda" = {
enabled = true
}
}


tags = {
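Review bot: the key is written as the quoted string `"lambda"` while the sibling attribute names (`service_integrations`, `enabled`, and `iam_role` just above) are bare identifiers; since `service_integrations` is typed as an object rather than a map, `lambda = {` reads consistently with the rest of the block. The doubled blank line before `tags` should also be reduced to one.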
1 change: 1 addition & 0 deletions modules/sfn-state-machine/README.md
Expand Up @@ -53,6 +53,7 @@ This module creates following resources.
| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
| <a name="input_service_integrations"></a> [service\_integrations](#input\_service\_integrations) | (Optional) A configuration of AWS service integrations to allow in the resource policy of the state machine. Supported AWS services are `lambda`. `service_integrations` as defined below.<br> (Optional) `lambda` - A configuration to integrate the state machine to AWS Lambda functions. `lambda` as defined below.<br> (Optional) `enabled` - Whether to enable the integration to AWS Lambda functions. | <pre>object({<br> lambda = optional(object({<br> enabled = optional(bool, false)<br> functions = optional(list(string), [])<br> }), {})<br> })</pre> | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
| <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | (Optional) How long to wait for the state machine to be created/updated/deleted. | <pre>object({<br> create = optional(string, "5m")<br> update = optional(string, "1m")<br> delete = optional(string, "5m")<br> })</pre> | `{}` | no |
| <a name="input_tracing"></a> [tracing](#input\_tracing) | (Optional) The configuration of AWS X-Ray tracing for the state machine. Step Functions will send traces to AWS X-Ray for state machine executions, even when a trace ID is not passed by an upstream service. Standard X-Ray charges apply. `tracing` as defined below.<br> (Optional) `enabled` - Whether to enable X-Ray tracing. | <pre>object({<br> enabled = optional(bool, false)<br> })</pre> | `{}` | no |
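Review bot: the description says the integrations are allowed "in the resource policy of the state machine", but the iam.tf hunk merges the generated document into the inline policies of `module "role"`, i.e. the state machine's execution role, so "in the IAM role of the state machine" is the accurate wording. The type column also shows a `functions` attribute that the description never mentions. This table looks terraform-docs generated, so both fixes belong in the `variables.tf` description with the README regenerated.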
8 changes: 4 additions & 4 deletions modules/sfn-state-machine/iam.tf
Expand Up @@ -54,7 +54,7 @@ module "role" {
var.tracing.enabled ? {
"xray" = data.aws_iam_policy_document.xray[0].json,
} : {},
local.lambda_integration_detected ? {
var.service_integrations["lambda"].enabled ? {
"lambda" = data.aws_iam_policy_document.lambda[0].json,
} : {},
var.iam_role.inline_policies,
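Review bot: switching the gate from `local.lambda_integration_detected` to `var.service_integrations["lambda"].enabled` is a behaviour change for existing users: `enabled` defaults to `false` (variables.tf hunk), so a definition that today gets its invoke permission via ARN detection will, after upgrading, be created with a role that cannot invoke anything, and the problem only surfaces at execution time as an access-denied task failure. Worth stating in the commit message or changelog as a breaking change. The upside is real and deserves a comment too: the policy document's `count` now depends on a plain variable instead of a `regexall` over `var.definition`, so it stays determinable at plan time even when the definition is built from resource attributes. Style: `var.service_integrations.lambda.enabled` is the conventional attribute access for an object-typed variable; the index form works but reads like a map lookup.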
Expand Down Expand Up @@ -139,15 +139,15 @@ data "aws_iam_policy_document" "xray" {
###################################################

locals {
lambda_integration_functions = distinct(flatten(regexall(
lambda_integration_detected_functions = distinct(flatten(regexall(
"\"(arn:aws:lambda:[a-z0-9-]+:[0-9]+:function:[a-zA-Z0-9-_./]+)\"",
var.definition
)))
lambda_integration_detected = length(local.lambda_integration_functions) > 0
lambda_integration_functions = coalescelist(var.service_integrations["lambda"].functions, local.lambda_integration_detected_functions)
}

data "aws_iam_policy_document" "lambda" {
count = (!local.custom_iam_role_enabled && local.lambda_integration_detected) ? 1 : 0
count = (!local.custom_iam_role_enabled && var.service_integrations["lambda"].enabled) ? 1 : 0

statement {
sid = "InvokeLambdaFunctions"
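Review bot: `coalescelist(var.service_integrations["lambda"].functions, local.lambda_integration_detected_functions)` errors when both lists are empty, and nothing else guards that case: `enabled = true` with an empty `functions` list and a definition containing no literal Lambda ARN now fails with a generic coalescelist error rather than a clear message, because the `count` on `data "aws_iam_policy_document" "lambda"` only checks `enabled`. A `precondition` on the data source with an explicit message would be clearer (a `validation` block on `service_integrations` alone cannot see `var.definition`); alternatively, `distinct(concat(...))` of both lists would grant explicit and detected functions together instead of letting the explicit list silently shadow detection. Also note the detection regex matches only the `arn:aws:` partition and excludes `:` from the function-name class, so qualified ARNs (`:alias`, `:version`) and ARNs in other partitions are never detected and must be passed in `functions`; the variable description should say so.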
16 changes: 16 additions & 0 deletions modules/sfn-state-machine/variables.tf
Expand Up @@ -95,6 +95,22 @@ variable "iam_role" {
nullable = false
}

variable "service_integrations" {
description = <<EOF
(Optional) A configuration of AWS service integrations to allow in the resource policy of the state machine. Supported AWS services are `lambda`. `service_integrations` as defined below.
(Optional) `lambda` - A configuration to integrate the state machine to AWS Lambda functions. `lambda` as defined below.
(Optional) `enabled` - Whether to enable the integration to AWS Lambda functions.
EOF
type = object({
lambda = optional(object({
enabled = optional(bool, false)
functions = optional(list(string), [])
}), {})
})
default = {}
nullable = false
}

variable "logging" {
description = <<EOF
(Optional) The configuration to define what execution history events are logged and where they are logged. Standard Workflows record execution history in AWS Step Functions, although you can optionally configure logging to Amazon CloudWatch Logs. For Express state machines, you must enable logging to inspect and debug executions. `logging` as defined below.
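Review bot: the heredoc description documents `lambda` and `enabled` but not `functions`, which the type declares; add a line such as "(Optional) `functions` - A list of Lambda function ARNs the state machine is allowed to invoke. Defaults to the ARNs detected in `definition`." so the README generated from this text is complete. The same description repeats the "resource policy of the state machine" wording, which should be "IAM role of the state machine" to match what iam.tf actually does. No `validation` block is declared either; checking that each `functions` entry looks like a Lambda function ARN would catch typos before they reach the IAM policy document.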

0 comments on commit 1e06ff5
