Add read permissions for blacklist file (#16)

* Add read permissions for blacklist file

* fmt

* remove redudant if statements

* remove empty string/ comparison

Author: ChengaDev

locals.tf

@@ -13,5 +13,6 @@ locals {
   # Please do not change or replace the 'frontend' suffix since there a logic in the bot based in it
   api_triggered_function_name = local.single_lambda_integration ? local.resource_name_pattern : "${local.resource_name_pattern}-frontend"
   # Merge user env vars with env vars which are not based on user input
-  env_vars = merge(var.env_vars, { HOME = "/tmp" })
+  env_vars           = merge(var.env_vars, { HOME = "/tmp" })
+  blacklist_file_arn = contains(keys(var.env_vars), "S3_BLACK_LIST_OBJECT_KEY") && contains(keys(var.env_vars), "S3_BLACK_LIST_BUCKET_NAME") ? "arn:aws:s3:::${var.env_vars.S3_BLACK_LIST_BUCKET_NAME}/${var.env_vars.S3_BLACK_LIST_OBJECT_KEY}" : null
 }

modules/role/role.tf

@@ -1,3 +1,8 @@
+locals {
+  should_create_s3_policy = var.blacklist_object_arn != null ? 1 : 0
+}
+
+
 data "aws_iam_policy_document" "assume_role_policy" {
   statement {
     sid    = ""
@@ -22,6 +27,32 @@ resource "aws_iam_role" "lambda_execution_role" {
   )
 }
 
+data "aws_iam_policy_document" "s3_policy_document" {
+  count = local.should_create_s3_policy
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    actions   = ["s3:GetObject"]
+    resources = [var.blacklist_object_arn]
+  }
+}
+
+resource "aws_iam_policy" "s3_iam_policy" {
+  count  = local.should_create_s3_policy
+  policy = data.aws_iam_policy_document.s3_policy_document[count.index].json
+
+  tags = merge(
+    var.global_tags,
+    lookup(var.tags, "iam", {}),
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
+  count      = local.should_create_s3_policy
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = aws_iam_policy.s3_iam_policy[count.index].arn
+}
+
 data "aws_iam_policy_document" "secrets_policy_document" {
   statement {
     sid       = ""

modules/role/variables.tf

@@ -9,6 +9,12 @@ variable "secrets_arns" {
   default     = []
 }
 
+variable "blacklist_object_arn" {
+  description = "Arn of the blacklist file"
+  type        = string
+  default     = null
+}
+
 variable "global_tags" {
   type        = map(string)
   description = "A list of tags to apply on all newly created resources."

shared.tf

@@ -30,4 +30,5 @@ module "lambda_role" {
   tags                            = var.tags
   global_tags                     = var.global_tags
   multiple_lambda_integration     = local.multiple_lambda_integration
+  blacklist_object_arn            = local.blacklist_file_arn
 }