terraform-aws-modules / terraform-aws-s3-bucket

Terraform module to create AWS S3 resources 🇺🇦

Home Page:https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws

support cross account lambda triggering for s3 notifications

lukevo247 opened this issue · comments

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform?

  • Yes ✅: This is a standard functionality that has been available in AWS for years.

Is your request related to a problem? Please describe.

The current s3 notification module supports various triggers including lambda. However, when a lambda function exists in another AWS account, the module attempts to add aws_lambda_permissions to grant the invoke action and subsequently fails. This is because the s3 notification account does not have access to add the lambda invocation permission to the function in the cross account.

Describe the solution you'd like.

Add a variable (e.g. bypass_lambda_permissions) that allows users to bypass the resource linked below so that the module does not fail. The AWS account with the lambda function should take care of provisioning this resource.

Update the resource for_each argument so that if the variable is set to true, then the resource is passed an empty map and does not create any resources. If false, then use the var.lambda_notifications argument.

Default the new variable to false.

https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/blob/master/modules/notification/main.tf#L61-L72

Describe alternatives you've considered.

You can take the alternative approach and create a variable such as create_lambda_permissions and default that to true. Aside from adding this logic to support cross-account lambda functions, there is no real solution. Perhaps the user applying the TF module can assume a role with permissions to both accounts, but that varies by organization and is not always possible.

Additional context
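The change described above, sketched as an added example. This is not the module's own code and does not reproduce the linked lines of modules/notification/main.tf; the variable names `bypass_lambda_permissions`, `lambda_notifications` and `bucket_arn`, the resource labels, and all ARNs and account IDs are assumptions or placeholders. The second resource shows the part the issue leaves to the Lambda-owning account: that account grants the invoke permission itself, pinning both `source_arn` and `source_account` so the grant cannot be claimed by a same-named bucket in a different account.

```hcl
# Side A: the account that owns the S3 bucket (the notification module).
# Added example, not the module's code. Names other than the
# aws_lambda_permission arguments are assumptions.

variable "bypass_lambda_permissions" {
  description = "Set to true when the Lambda functions live in another account. The permission must then be created by the account that owns the function."
  type        = bool
  default     = false
}

variable "lambda_notifications" {
  description = "Map of notification name => { function_arn, function_name, events }"
  type        = any
  default     = {}
}

variable "bucket_arn" {
  description = "ARN of the bucket emitting the notifications (assumed input for this sketch)"
  type        = string
}

resource "aws_lambda_permission" "allow" {
  # A for-expression with a filter yields an empty map when bypassing, so no
  # permission resources are planned and the cross-account apply no longer fails.
  for_each = { for k, v in var.lambda_notifications : k => v if !var.bypass_lambda_permissions }

  statement_id  = "AllowS3Invoke-${each.key}"
  action        = "lambda:InvokeFunction"
  function_name = each.value.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = var.bucket_arn
}

# Side B: the account that owns the Lambda function (constructed example).
# It provisions the permission the bucket account could not create.
resource "aws_lambda_permission" "allow_cross_account_bucket" {
  statement_id  = "AllowS3InvokeFromBucketAccount"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.handler.function_name # assumed function resource
  principal     = "s3.amazonaws.com"

  # Bucket ARNs carry no account ID, so restrict the grant to both the bucket
  # and the bucket owner's account to avoid a confused-deputy grant.
  source_arn     = "arn:aws:s3:::example-bucket" # placeholder bucket ARN
  source_account = "111122223333"                # placeholder: bucket owner's account ID
}
```

With `bypass_lambda_permissions = true` the bucket-side plan shows zero `aws_lambda_permission` changes and the `aws_s3_bucket_notification` resource is still created; the notification will only deliver once Side B has applied, so the two applies should be ordered accordingly.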

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

This issue was automatically closed because of stale in 10 days