Aws_lambda_permission conditions

Hello everyone. I’m trying to create a Lambda Resource Policy in AWS using TF. Per the documentation, aws_lambda_permission seems to be the way to do this. However, what seems to be missing is the ability to use conditions.

How can a Lambda resource policy with a condition be created using Terraform?

For example, a resource policy that denies invoking the Lambda based on IP address or originating organization ID:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Action": [
        "*"
      ],
      "Effect": "Deny",
      "Resource": ["*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/8",
            "172.16.0.0/12",
            "192.168.0.0/16"
          ]
        },
        "StringNotEquals": {
          "aws:PrincipalOrgID": "some_value_here"
        }
      }
    }
  ]
}

It appears the condition is defined in your json block, have you tried running the above into the resource_iam_role -> assume_role_policy? I could be entirely wrong I lean more towards Azure. I can try and spin it up later my AWS and get back to you.

Edited to remove bad code

I understand the assume_role_policy to be separate from the resource policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html). Per that doc, “Unlike an identity-based policy, a resource-based policy specifies who (which principal) can access that resource.”

The resource policy shows up on the Lambda page in the console (under permissions) whereas the assume_role_policy is found on the IAM page.

To answer my own question, it appears that AWS itself does not allow for explicit deny statements nor conditions:

What threw me off is that the CDK implies that it can be done and it looks like there’s an open issue on it:

Nice find, sorry I wasn’t much help I was actually hacking away right now to see what I came up with.

I’d love to hear that conditions really are supported as I think the open issue implies, but none of the AWS docs I found reference it.

I appreciate the help all the same!