refactor: improve resource naming (#1)

Author: MickVanDuijn

modules/_common/group.tf

@@ -1,6 +1,5 @@
 resource "aws_resourcegroups_group" "stack" {
-  count = var.default_tags["StackType"] != null ? 1 : 0
-  name  = "${var.config.stack}-${lower(var.default_tags["StackType"])}"
+  name = try("${var.config.stack}-${lower(var.default_tags["StackType"])}", var.config.stack)
   tags = {
     Name  = var.config.project_name
     Stack = ""
@@ -9,20 +8,23 @@ resource "aws_resourcegroups_group" "stack" {
   resource_query {
     query = jsonencode({
       ResourceTypeFilters = ["AWS::AllSupported"],
-      TagFilters = [
-        {
-          Key    = "Name"
-          Values = [var.config.project_name]
-        },
-        {
-          Key    = "Stack"
-          Values = [var.config.stack]
-        },
-        {
+      TagFilters = concat(
+        [
+          {
+            Key    = "Name"
+            Values = [var.config.project_name]
+          },
+          {
+            Key    = "Stack"
+            Values = [var.config.stack]
+          },
+        ],
+        try([{
           Key    = "StackType"
           Values = [var.default_tags["StackType"]]
-        }
-      ]
+          }
+        ], [])
+      )
     })
   }
 }

modules/_config/output.tf

@@ -21,11 +21,3 @@ output "domain" {
 output "repo_root" {
   value = var.repo_root
 }
-
-output "stack_prefix" {
-  value = var.stack
-}
-
-output "resource_prefix" {
-  value = "${var.environment}-${var.project_identifier}-${var.stack}"
-}

modules/aws-http-api/spec.tf

@@ -15,14 +15,15 @@ locals {
         [path_item.authorizer.name],
         [{
           type = "apiKey"
-          "x-amazon-apigateway-authtype" : "custom"
           in   = "header"
           name = coalesce(try(path_item.authorizer.header, null), "Authorization")
           "x-amazon-apigateway-authorizer" = merge(
             {
-              type                         = coalesce(try(path_item.authorizer.authorizerType, null), "request")
-              identitySource               = coalesce(try(path_item.authorizer.identitySource, null), "method.request.header.${coalesce(try(path_item.authorizer.header, null), "Authorization")}")
-              authorizerResultTtlInSeconds = coalesce(try(path_item.authorizer.resultTtlInSeconds, null), 0)
+              type                           = coalesce(try(path_item.authorizer.authorizerType, null), "request")
+              identitySource                 = coalesce(try(path_item.authorizer.identitySource, null), "method.request.header.${coalesce(try(path_item.authorizer.header, null), "Authorization")}")
+              authorizerResultTtlInSeconds   = coalesce(try(path_item.authorizer.resultTtlInSeconds, null), 0)
+              enableSimpleResponses          = coalesce(try(path_item.authorizer.enableSimpleResponses, null), false)
+              authorizerPayloadFormatVersion = coalesce(try(path_item.authorizer.authorizerPayloadFormatVersion, null), "2.0")
             },
             try({ authorizerUri = local.invoke_arns[path_item.authorizer.lambda.function_name] }, {}),
             try(jsondecode(path_item.authorizer["x-amazon-apigateway-authorizer"]), {})

modules/aws-http-api/variables.tf

@@ -31,12 +31,14 @@ variable "definition" {
       lambda = optional(object({
         function_name = string
       }))
-      name               = string
-      authorizerType     = optional(string)
-      identitySource     = optional(string)
-      header             = optional(string)
-      resultTtlInSeconds = optional(number)
-      security           = optional(list(any))
+      name                           = string
+      authorizerType                 = optional(string)
+      identitySource                 = optional(string)
+      header                         = optional(string)
+      resultTtlInSeconds             = optional(number)
+      security                       = optional(list(any))
+      authorizerPayloadFormatVersion = optional(string)
+      enableSimpleResponses          = optional(bool)
     }))
   })))
 }

modules/config-appsync/variables.tf

@@ -28,10 +28,10 @@ variable "template_variables" {
 
 variable "resources" {
   type = object({
-    secrets        = optional(map(object({ arn = string })), {})
-    ssm_parameters = optional(map(object({ arn = string })), {})
-    s3             = optional(map(object({ arn = string, id = string })), {})
-    dynamodb       = optional(map(object({ arn = string, id = string })), {})
+    secret        = optional(map(object({ arn = string })), {})
+    ssm_parameter = optional(map(object({ arn = string })), {})
+    s3            = optional(map(object({ arn = string, id = string })), {})
+    dynamodb      = optional(map(object({ arn = string, id = string })), {})
   })
   default = {}
 

modules/config-lambda/lambda.tf

@@ -17,10 +17,10 @@ locals {
           for resource in try(local.publishes[function_id].eventbridge, [])
           : var.resources.eventbridge[resource.eventBusId].env
         ]...),
-        {
+        merge([
           for event in try(local.publishes[function_id].sqs, [])
-          : "STARCHART_SQS_${upper(replace(event.queueId, "/[^a-zA-Z0-9]+/", "_"))}_QUEUE_URL" => var.sqs[event.queueId].queue.url
-        },
+          : var.resources.sqs_queue[event.queueId].env
+        ]...),
         merge([
           for resource in try(local.function_resources[function_id].s3, [])
           : var.resources.s3[resource.bucketId].env
@@ -43,10 +43,10 @@ locals {
         length(try(local.function_resources[function_id].s3, [])) == 0 ? {} : {
           starchart_s3_access = data.aws_iam_policy_document.s3_access[function_id]
         },
-        length(try(local.function_resources[function_id].ssm_parameters, [])) == 0 ? {} : {
+        length(try(local.function_resources[function_id].ssm_parameter, [])) == 0 ? {} : {
           starchart_ssm_access = data.aws_iam_policy_document.ssm_parameters_access[function_id]
         },
-        length(try(local.function_resources[function_id].secrets, [])) == 0 ? {} : {
+        length(try(local.function_resources[function_id].secret, [])) == 0 ? {} : {
           starchart_secrets_access = data.aws_iam_policy_document.secrets_access[function_id]
         },
         length(try(local.function_resources[function_id].dynamodb, [])) == 0 ? {} : {
@@ -55,6 +55,9 @@ locals {
         length(try(local.function_resources[function_id].appconfig, [])) == 0 ? {} : {
           appconfig_configuration_profile_access = data.aws_iam_policy_document.appconfig_configuration_profile_access[function_id]
         },
+        length(try(local.function_resources[function_id].custom, [])) == 0 ? {} : {
+          starchart_custom_access = data.aws_iam_policy_document.custom_access[function_id]
+        },
       )
     }
   }

modules/config-lambda/publishes.tf

@@ -50,12 +50,12 @@ data "aws_iam_policy_document" "sqs_publish" {
     ]
 
     resources = [
-      for queue in each.value : var.sqs[queue.queueId].queue.arn
+      for queue in each.value : var.resources.sqs_queue[queue.queueId].arn
     ]
   }
 
   dynamic "statement" {
-    for_each = toset(flatten([for queue in each.value : var.sqs[queue.queueId].queue.kms_master_key_id if var.sqs[queue.queueId].queue.kms_master_key_id != "alias/aws/sqs"]))
+    for_each = toset(flatten([for queue in each.value : var.resources.sqs_queue[queue.queueId].kms_master_key_id if var.resources.sqs_queue[queue.queueId].kms_master_key_id != "alias/aws/sqs"]))
 
     content {
       effect = "Allow"

modules/config-lambda/resources.tf

@@ -1,10 +1,12 @@
 variable "resources" {
   type = object({
-    secrets        = optional(map(object({ arn = string })), {})
-    ssm_parameters = optional(map(object({ arn = string })), {})
-    s3             = optional(map(object({ arn = string, id = string, env = map(string) })), {})
-    dynamodb       = optional(map(object({ arn = string, id = string, env = map(string) })), {})
-    eventbridge    = optional(map(object({ arn = string, id = string, env = map(string) })), {})
+    secret        = optional(map(object({ arn = string })), {})
+    ssm_parameter = optional(map(object({ arn = string })), {})
+    s3            = optional(map(object({ arn = string, id = string, env = map(string) })), {})
+    dynamodb      = optional(map(object({ arn = string, id = string, env = map(string) })), {})
+    eventbridge   = optional(map(object({ arn = string, id = string, env = map(string) })), {})
+    sqs_queue     = optional(map(object({ name = optional(string), name_prefix = optional(string), arn = string, url = string, kms_master_key_id = string, visibility_timeout_seconds = number, env = map(string) })), {})
+    sqs_dlq       = optional(map(object({ name = optional(string), name_prefix = optional(string), arn = string, url = string, kms_master_key_id = string, visibility_timeout_seconds = number, env = map(string) })), {})
 
     appconfig = optional(object({
       configuration_profiles = map(object({ configuration_profile_id = string })),
@@ -36,14 +38,14 @@ variable "appconfig_application_arn" {
 locals {
   function_resources = {
     for function_id, definition in local.handlers : function_id => {
-      secrets = [
+      secret = [
         for resource in try(definition.resources, []) : {
           path           = try(resource.secret.path, resource.secret)
           actions        = try(resource.secret.actions, ["read"])
           actions_string = join(",", sort(toset(try(resource.secret.actions, ["read"]))))
         } if try(resource.secret, null) != null
       ]
-      ssm_parameters = [
+      ssm_parameter = [
         for resource in try(definition.resources, []) : {
           path           = try(resource.parameter.path, resource.parameter)
           actions        = try(resource.parameter.actions, ["read"])
@@ -61,9 +63,17 @@ locals {
         for resource in try(definition.resources, []) : {
           tableId        = resource.dynamodb.tableId
           actions        = resource.dynamodb.actions
-          actions_string = join(",", sort(toset(resource.dynamodb.actions)))
+          iamActions     = try(flatten([resource.dynamodb.iamActions]), [])
+          actions_string = join(",", sort(toset(flatten([resource.dynamodb.actions, try(resource.dynamodb.iamActions, [])]))))
         } if try(resource.dynamodb, null) != null
       ]
+      custom = [
+        for resource in try(definition.resources, []) : {
+          arn                = resource.custom.arn
+          iam_actions        = flatten([resource.custom.iamActions])
+          iam_actions_string = join(",", sort(toset(flatten([resource.custom.iamActions]))))
+        } if try(resource.custom, null) != null
+      ]
       appconfig = concat(try(var.resources.appconfig.configuration_profiles.default, null) != null ? [{ configuration_profile_id = "default" }] : [], [
         # TODO: Add support for multiple configuration profiles
       ])
@@ -72,7 +82,7 @@ locals {
 }
 
 data "aws_iam_policy_document" "secrets_access" {
-  for_each = { for function_id, definition in local.function_resources : function_id => definition.secrets if length(try(definition.secrets, [])) > 0 }
+  for_each = { for function_id, definition in local.function_resources : function_id => definition.secret if length(try(definition.secret, [])) > 0 }
 
   dynamic "statement" {
     for_each = merge([
@@ -100,14 +110,14 @@ data "aws_iam_policy_document" "secrets_access" {
       ))
 
       resources = [
-        for secret in each.value : var.resources.secrets[secret.path].arn if secret.actions_string == statement.key
+        for secret in each.value : var.resources.secret[secret.path].arn if secret.actions_string == statement.key
       ]
     }
   }
 }
 
 data "aws_iam_policy_document" "ssm_parameters_access" {
-  for_each = { for function_id, definition in local.function_resources : function_id => definition.ssm_parameters if length(try(definition.ssm_parameters, [])) > 0 }
+  for_each = { for function_id, definition in local.function_resources : function_id => definition.ssm_parameter if length(try(definition.ssm_parameter, [])) > 0 }
 
   dynamic "statement" {
     for_each = merge([
@@ -129,7 +139,7 @@ data "aws_iam_policy_document" "ssm_parameters_access" {
       ))
 
       resources = [
-        for parameter in each.value : var.resources.ssm_parameters[parameter.path].arn if parameter.actions_string == statement.key
+        for parameter in each.value : var.resources.ssm_parameter[parameter.path].arn if parameter.actions_string == statement.key
       ]
     }
   }
@@ -181,37 +191,41 @@ data "aws_iam_policy_document" "dynamodb_access" {
     for_each = merge([
       for table in each.value : zipmap(
         [table.actions_string],
-        [table.actions]
+        [{ actions = table.actions, iamActions = table.iamActions }]
       )
     ]...)
 
     content {
       effect = "Allow"
 
       actions = toset(concat(
-        anytrue([for action in ["read", "get"] : contains(statement.value, action)]) ? [
+        anytrue([for action in ["read", "get"] : contains(statement.value.actions, action)]) ? [
           "dynamodb:GetItem",
         ] : [],
-        anytrue([for action in ["read", "query"] : contains(statement.value, action)]) ? [
+        anytrue([for action in ["read", "query"] : contains(statement.value.actions, action)]) ? [
           "dynamodb:Query",
         ] : [],
-        anytrue([for action in ["write", "put"] : contains(statement.value, action)]) ? [
+        anytrue([for action in ["write", "put"] : contains(statement.value.actions, action)]) ? [
           "dynamodb:PutItem",
         ] : [],
-        anytrue([for action in ["write", "update"] : contains(statement.value, action)]) ? [
+        anytrue([for action in ["write", "update"] : contains(statement.value.actions, action)]) ? [
           "dynamodb:UpdateItem",
         ] : [],
-        contains(statement.value, "delete") ? [
+        contains(statement.value.actions, "delete") ? [
           "dynamodb:DeleteItem",
         ] : [],
-        contains(statement.value, "scan") ? [
+        contains(statement.value.actions, "scan") ? [
           "dynamodb:Scan",
         ] : [],
+        statement.value.iamActions,
       ))
 
-      resources = [
-        for table in each.value : var.resources.dynamodb[table.tableId].arn if table.actions_string == statement.key
-      ]
+      resources = flatten([
+        for arn in [for table in each.value : var.resources.dynamodb[table.tableId].arn if table.actions_string == statement.key] : [
+          arn,
+          "${arn}/index/*",
+        ]
+      ])
     }
   }
 }
@@ -233,6 +247,30 @@ data "aws_iam_policy_document" "appconfig_configuration_profile_access" {
   }
 }
 
+data "aws_iam_policy_document" "custom_access" {
+  for_each = { for function_id, definition in local.function_resources : function_id => definition.custom if length(try(definition.custom, [])) > 0 }
+
+  dynamic "statement" {
+    for_each = merge([
+      for custom in each.value : zipmap(
+        [custom.iam_actions_string],
+        [custom.iam_actions]
+      )
+    ]...)
+
+    content {
+      effect = "Allow"
+
+      actions = statement.value
+
+      resources = flatten([
+        for custom in each.value : custom.arn if custom.iam_actions_string == statement.key
+      ])
+    }
+
+  }
+}
+
 output "resources_env" {
   value = local.resources_env
 }

modules/config-lambda/variables.tf

@@ -26,12 +26,3 @@ variable "inline_policies" {
   description = "The inline policies to be attached to the functions."
   default     = {}
 }
-
-variable "sqs" {
-  type = map(object({
-    queue = object({ arn = string, url = string, kms_master_key_id = string })
-    dlq   = object({ arn = string, url = string, kms_master_key_id = string })
-  }))
-  description = "The SQS queues that can possibly be used by the functions."
-  default     = {}
-}