aws_lambda_permission conditions

Hello everyone. I’m trying to create a Lambda Resource Policy in AWS using TF. Per the documentation, aws_lambda_permission seems to be the way to do this. However, what seems to be missing is the ability to use conditions.

How can a Lambda resource policy with a condition be created using Terraform?

For example, a resource policy that denies invoking the Lambda based on IP address or originating organization ID:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Action": [
        "*"
      ],
      "Effect": "Deny",
      "Resource": ["*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/8",
            "172.16.0.0/12",
            "192.168.0.0/16"
          ]
        },
        "StringNotEquals": {
          "aws:PrincipalOrgID": "some_value_here"
        }
      }
    }
  ]
}

It appears the condition is defined in your JSON block. Have you tried running the above in the resource_iam_role -> assume_role_policy? I could be entirely wrong; I lean more towards Azure. I can try to spin it up later in my AWS and get back to you.

Edited to remove bad code

I understand the assume_role_policy to be separate from the resource policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html). Per that doc, “Unlike an identity-based policy, a resource-based policy specifies who (which principal) can access that resource.”

The resource policy shows up on the Lambda page in the console (under permissions) whereas the assume_role_policy is found on the IAM page.

To answer my own question, it appears that AWS itself does not allow for explicit deny statements or conditions:

What threw me off is that the CDK implies that it can be done and it looks like there’s an open issue on it:
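As an added example (not code from the original thread), the following shows the only condition keys that aws_lambda_permission can put into a Lambda resource policy, since Lambda's AddPermission API accepts just a fixed set of them. It assumes the hashicorp/aws provider exposes the source_arn, source_account and principal_org_id arguments on that resource (principal_org_id was added in later provider versions; check the version you pin). The function, bucket, caller-identity data source and organization ID are placeholders assumed to exist elsewhere in the configuration. A Deny effect or an aws:SourceIp condition like the one in the question has no corresponding argument, so that statement cannot be produced through this resource.

```hcl
# Added example, not from the original thread. Placeholders:
#   aws_lambda_function.example, aws_s3_bucket.uploads,
#   data.aws_caller_identity.current and the o-... organization ID
# are assumed to be defined elsewhere in the configuration.

# Service-principal grant scoped by source ARN and source account.
# Each argument becomes one Condition key in the rendered statement:
#   source_arn     -> Condition.ArnLike.AWS:SourceArn
#   source_account -> Condition.StringEquals.AWS:SourceAccount
# Setting both prevents a bucket with the same name in another account
# (the "confused deputy" case) from invoking the function.
resource "aws_lambda_permission" "allow_s3_uploads" {
  statement_id   = "AllowExecutionFromUploadsBucket"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.example.function_name
  principal      = "s3.amazonaws.com"
  source_arn     = aws_s3_bucket.uploads.arn
  source_account = data.aws_caller_identity.current.account_id
}

# Organization-wide grant. principal must be "*" here; the restriction
# is carried entirely by the condition:
#   principal_org_id -> Condition.StringEquals.aws:PrincipalOrgID
# This is the closest aws_lambda_permission gets to the
# aws:PrincipalOrgID condition in the question; there is no argument
# for aws:SourceIp, and the Effect is always Allow.
resource "aws_lambda_permission" "allow_org_invoke" {
  statement_id     = "AllowInvokeFromOrganization"
  action           = "lambda:InvokeFunction"
  function_name    = aws_lambda_function.example.function_name
  principal        = "*"
  principal_org_id = "o-exampleorgid" # placeholder organization ID
}
```

After `terraform apply`, `aws lambda get-policy --function-name <name>` returns the rendered policy as a JSON string; each statement above appears with exactly one Condition block containing only the key its argument maps to, which is a quick way to confirm what the provider actually wrote versus what the question's hand-written policy asked for.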

Nice find. Sorry I wasn’t much help; I was actually hacking away just now to see what I came up with.

I’d love to hear that conditions really are supported as I think the open issue implies, but none of the AWS docs I found reference it.

I appreciate the help all the same!
