diff --git a/examples/sfn-state-machine-hello-world/main.tf b/examples/sfn-state-machine-hello-world/main.tf index f4715e6..ae45738 100644 --- a/examples/sfn-state-machine-hello-world/main.tf +++ b/examples/sfn-state-machine-hello-world/main.tf @@ -33,6 +33,11 @@ module "state_machine" { iam_role = { enabled = true } + service_integrations = { + "lambda" = { + enabled = true + } + } tags = { "project" = "terraform-aws-lambda-examples" diff --git a/examples/sfn-state-machine-logging/main.tf b/examples/sfn-state-machine-logging/main.tf index dc9bb4f..c2ec615 100644 --- a/examples/sfn-state-machine-logging/main.tf +++ b/examples/sfn-state-machine-logging/main.tf @@ -46,6 +46,11 @@ module "state_machine" { iam_role = { enabled = true } + service_integrations = { + "lambda" = { + enabled = true + } + } tags = { diff --git a/examples/sfn-state-machine-tracing/main.tf b/examples/sfn-state-machine-tracing/main.tf index f28cdb6..d08db90 100644 --- a/examples/sfn-state-machine-tracing/main.tf +++ b/examples/sfn-state-machine-tracing/main.tf @@ -40,6 +40,11 @@ module "state_machine" { iam_role = { enabled = true } + service_integrations = { + "lambda" = { + enabled = true + } + } tags = { diff --git a/modules/sfn-state-machine/README.md b/modules/sfn-state-machine/README.md index 616fb15..4b43107 100644 --- a/modules/sfn-state-machine/README.md +++ b/modules/sfn-state-machine/README.md 
@@ -53,6 +53,7 @@ This module creates following resources. | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [service\_integrations](#input\_service\_integrations) | (Optional) A configuration of AWS service integrations to allow in the resource policy of the state machine. Supported AWS services are `lambda`. `service_integrations` as defined below.
(Optional) `lambda` - A configuration to integrate the state machine to AWS Lambda functions. `lambda` as defined below.
(Optional) `enabled` - Whether to enable the integration to AWS Lambda functions. |
object({
lambda = optional(object({
enabled = optional(bool, false)
functions = optional(list(string), [])
}), {})
})
| `{}` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | | [timeouts](#input\_timeouts) | (Optional) How long to wait for the state machine to be created/updated/deleted. |
object({
create = optional(string, "5m")
update = optional(string, "1m")
delete = optional(string, "5m")
})
| `{}` | no | | [tracing](#input\_tracing) | (Optional) The configuration of AWS X-Ray tracing for the state machine. Step Functions will send traces to AWS X-Ray for state machine executions, even when a trace ID is not passed by an upstream service. Standard X-Ray charges apply. `tracing` as defined below.
(Optional) `enabled` - Whether to enable X-Ray tracing. |
object({
enabled = optional(bool, false)
})
| `{}` | no | diff --git a/modules/sfn-state-machine/iam.tf b/modules/sfn-state-machine/iam.tf index 40cf0eb..218454d 100644 --- a/modules/sfn-state-machine/iam.tf +++ b/modules/sfn-state-machine/iam.tf @@ -54,7 +54,7 @@ module "role" { var.tracing.enabled ? { "xray" = data.aws_iam_policy_document.xray[0].json, } : {}, - local.lambda_integration_detected ? { + var.service_integrations["lambda"].enabled ? { "lambda" = data.aws_iam_policy_document.lambda[0].json, } : {}, var.iam_role.inline_policies, @@ -139,15 +139,15 @@ data "aws_iam_policy_document" "xray" { ################################################### locals { - lambda_integration_functions = distinct(flatten(regexall( + lambda_integration_detected_functions = distinct(flatten(regexall( "\"(arn:aws:lambda:[a-z0-9-]+:[0-9]+:function:[a-zA-Z0-9-_./]+)\"", var.definition ))) - lambda_integration_detected = length(local.lambda_integration_functions) > 0 + lambda_integration_functions = coalescelist(var.service_integrations["lambda"].functions, local.lambda_integration_detected_functions) } data "aws_iam_policy_document" "lambda" { - count = (!local.custom_iam_role_enabled && local.lambda_integration_detected) ? 1 : 0 + count = (!local.custom_iam_role_enabled && var.service_integrations["lambda"].enabled) ? 1 : 0 statement { sid = "InvokeLambdaFunctions" diff --git a/modules/sfn-state-machine/variables.tf b/modules/sfn-state-machine/variables.tf index a331df1..573f92f 100644 --- a/modules/sfn-state-machine/variables.tf +++ b/modules/sfn-state-machine/variables.tf @@ -95,6 +95,22 @@ variable "iam_role" { nullable = false } +variable "service_integrations" { + description = <
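Review bot: The new `lambda_integration_functions` local calls `coalescelist()` on two lists that are both empty in the default configuration (`enabled = false`, `functions = []`, no Lambda ARNs matched in `var.definition`), and `coalescelist` raises an error when every argument is an empty list; if Terraform evaluates this local even though the `lambda` policy document now has `count = 0`, callers that do not use the Lambda integration would fail at plan time. Guarding on the flag keeps the hard failure only for the case where the integration is enabled but nothing to grant was found: `lambda_integration_functions = var.service_integrations["lambda"].enabled ? coalescelist(var.service_integrations["lambda"].functions, local.lambda_integration_detected_functions) : []`. Since the caller-supplied `functions` list presumably feeds the `InvokeLambdaFunctions` statement's resources directly (that line is outside the hunk), a `validation` block on the new variable restricting entries to Lambda function ARNs would stop a caller from widening the grant to `*` or a non-Lambda resource; variables.tf is cut off in this view, so I cannot tell whether one exists. The `data "aws_iam_policy_document" "lambda"` block continues past the end of the hunk.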