coralogix · guyrenny · Nov 26, 2024 · Nov 24, 2024 · Nov 24, 2024 · Nov 24, 2024
@@ -1,5 +1,12 @@
 # Changelog
 
+## v2.2.2
+#### **coralogix-aws-shipper**
+### 💡 Enhancements 
+- Add `reserved_concurrent_executions` variable to allow user to define lambda Function concurrency.
+- Add `execution_role_name` variable, when deffined the lambda will use this role as execution role. The module will add to this variable the necessary permissions to run the lambda.
+- Add `lambda_assume_role_arn` variable, when set the lambda will assume this role in the code level.
+
 ## v2.1.2
 #### **coralogix-aws-shipper**
 ### 🧰 Bug fixes 🧰 

@@ -329,6 +329,23 @@ variable "custom_metadata" {
   type        = string
 }
 
+variable "lambda_assume_role_arn" {
+  default     = null
+  description = "The ARN of the role that the lambda function will assume. "
+  type        = string
+}
+
+variable "execution_role_name" {
+  default     = null
+  description = "The arn of a user defined role that will be used as the execution role for the lambda function. "
+  type        = string
+}
+
+variable "reserved_concurrent_executions" {
+  default     = 0
+  description = "The number of concurrent executions that are reserved for this function, leave as default to use unreserved account concurrency"
+  type        = number
+
 variable "govcloud_deployment" {
   description = "Enable if you deploy the integration in govcloud"
   type        = bool

@@ -1,65 +1,3 @@
-resource "aws_iam_role" "role_for_msk" {
-  count              = var.msk_cluster_arn != null ? 1 : 0
-  name               = "coralogix_role_msk_lambda_trigger"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-EOF
-}
-resource "aws_iam_role_policy" "secrets_policy" {
-  count      = (var.store_api_key_in_secrets_manager || local.api_key_is_arn) && var.msk_cluster_arn != null ? 1 : 0
-  depends_on = [aws_iam_role.role_for_msk]
-  name       = "secrets_policy"
-  role       = aws_iam_role.role_for_msk[count.index].name
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = [
-          "secretsmanager:GetSecretValue",
-        ]
-        Effect   = "Allow"
-        Resource = local.api_key_is_arn ? [var.api_key] : [aws_secretsmanager_secret.coralogix_secret[0].arn]
-      },
-    ]
-  })
-}
-
-resource "aws_iam_role_policy" "destination_policy" {
-  for_each = {
-    for key, integration_info in var.integration_info != null ? var.integration_info : local.integration_info : key => integration_info
-    if var.notification_email != null && var.msk_cluster_arn != null
-  }
-  name = "destination_policy"
-  role = aws_iam_role.role_for_msk[0].name
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action   = ["sns:publish"]
-        Effect   = "Allow",
-        Resource = [aws_sns_topic.this[each.key].arn]
-      },
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "msk-role-policy-attach" {
-  count      = var.msk_cluster_arn != null ? 1 : 0
-  role       = aws_iam_role.role_for_msk[0].name
-  policy_arn = data.aws_iam_policy.AWSLambdaMSKExecutionRole[0].arn
-}
-
 resource "aws_lambda_event_source_mapping" "msk_event_mapping" {
   for_each          = var.msk_topic_name != null ? toset(var.msk_topic_name) : toset([])
   event_source_arn  = var.msk_cluster_arn

@@ -147,6 +147,9 @@ When using this variable you will need to create an S3 bucket in the region wher
 | <a name="log_level"></a> [log_level](#input\_log\_level) | Specify the log level for the Lambda function, choosing from the following options: INFO, WARN, ERROR, DEBUG. | `string` | INFO | no |
 | <a name="cpu_arch"></a> [cpu_arch](#input\_cpu\_arch) | Lambda function CPU architecture could be: arm64 or x86_64 | `string` | arm64 | no |
 | <a name="runtime"></a> [runtime](#input\_runtime) | Lambda function runtime. E.g.: 'provided.al2023', 'provided.al2' | `string` | provided.al2023 | no |
+| <a name="reserved_concurrent_executions"></a> [reserved_concurrent_executions](#input\_reserved_concurrent_executions) | The number of concurrent executions that are reserved for the function, leave empty so the lambda will use unreserved account concurrency.	 | `number` | n/a | no |
+| <a name="execution_role_name"></a> [execution_role_name](#input\_execution_role_name) | The arn of a user defined role that will be used as the execution role for the lambda function | `string` | n/a | no |
+| <a name="lambda_assume_role_arn"></a> [lambda_assume_role_arn](#input\_lambda_assume_role_arn) | A role that the lambda will assume, leave empty to use the default permissions. Note that if this Parameter is used, all S3 and ECR API calls from the lambda will be made with the permissions of the Assumed Role. | `string` | n/a | no |
 
 ### VPC Configuration (Optional)
 

@@ -62,3 +62,8 @@ data "aws_iam_policy" "AWSLambdaMSKExecutionRole" {
   count = var.msk_cluster_arn != null ? 1 : 0
   arn   = "${local.arn_prefix}:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole"
 }
+
+data "aws_iam_role" "LambdaExecutionRole" {
+  count = var.execution_role_name != null ? 1 : 0
+  name = var.execution_role_name
+}