Consolidate various changes across forks to one PR

examples/minimal/main.tf

@@ -3,15 +3,15 @@
 #
 
 provider "aws" {
-  access_key = "${var.aws_access_key}"
-  secret_key = "${var.aws_secret_key}"
-  region     = "${var.region}"
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
+  region     = var.region
 }
 
 provider "aws" {
   alias      = "us-east-1"
-  access_key = "${var.aws_access_key}"
-  secret_key = "${var.aws_secret_key}"
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
   region     = "us-east-1"
 }
 
@@ -21,7 +21,7 @@ provider "aws" {
 
 module "basic_auth" {
   source                 = "../../module"
-  basic_auth_credentials = "${var.basic_auth_credentials}"
+  basic_auth_credentials = var.basic_auth_credentials
 
   # All Lambda@Edge functions must be put on us-east-1.
   providers = {
@@ -34,7 +34,7 @@ module "basic_auth" {
 #
 
 resource "aws_s3_bucket" "test" {
-  bucket = "${var.s3_bucket_name}"
+  bucket = var.s3_bucket_name
   acl    = "private"
 
   policy = <<EOF
@@ -57,11 +57,11 @@ EOF
 }
 
 resource "aws_s3_bucket_object" "test" {
-  bucket       = "${aws_s3_bucket.test.id}"
+  bucket       = aws_s3_bucket.test.id
   key          = "index.html"
   source       = "index.html"
   content_type = "text/html"
-  etag         = "${md5(file("index.html"))}"
+  etag         = md5(file("index.html"))
 }
 
 ###
@@ -72,11 +72,11 @@ resource "aws_cloudfront_origin_access_identity" "test" {}
 
 resource "aws_cloudfront_distribution" "test" {
   origin {
-    domain_name = "${aws_s3_bucket.test.bucket_regional_domain_name}"
+    domain_name = aws_s3_bucket.test.bucket_regional_domain_name
     origin_id   = "S3-${aws_s3_bucket.test.id}"
 
     s3_origin_config {
-      origin_access_identity = "${aws_cloudfront_origin_access_identity.test.cloudfront_access_identity_path}"
+      origin_access_identity = aws_cloudfront_origin_access_identity.test.cloudfront_access_identity_path
     }
   }
 
@@ -104,7 +104,7 @@ resource "aws_cloudfront_distribution" "test" {
 
     lambda_function_association {
       event_type   = "viewer-request"
-      lambda_arn   = "${module.basic_auth.lambda_arn}"
+      lambda_arn   = module.basic_auth.lambda_arn
       include_body = false
     }
   }

examples/minimal/outputs.tf

@@ -1,3 +1,3 @@
 output "url" {
-  value = "${format("https://%s", "${aws_cloudfront_distribution.test.domain_name}")}"
+  value = format("https://%s", "${aws_cloudfront_distribution.test.domain_name}")
 }

examples/minimal/variables.tf

@@ -1,24 +1,24 @@
 variable "aws_access_key" {
-  type = "string"
+  type        = string
   description = "AWS Access Key"
 }
 
 variable "aws_secret_key" {
-  type = "string"
+  type        = string
   description = "AWS Secret Key"
 }
 
 variable "region" {
-  type = "string"
+  type        = string
   description = "AWS Region"
 }
 
 variable "s3_bucket_name" {
-  type = "string"
+  type        = string
   description = "AWS S3 Bucket name for static web hosting"
 }
 
 variable "basic_auth_credentials" {
-  type        = "map"
+  type        = map(string)
   description = "Credentials for Basic Authentication. Pass a map composed of 'user' and 'password'."
 }

module/main.tf

@@ -6,76 +6,65 @@
 # lambda.amazonaws.com and edgelambda.amazonaws.com.
 # See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html
 resource "aws_iam_role" "lambda" {
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": [
-          "lambda.amazonaws.com",
-          "edgelambda.amazonaws.com"
-        ]
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-EOF
+  name_prefix        = "basicAuth-"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  inline_policy {
+    name   = "CloudWatchLogsAccess"
+    policy = data.aws_iam_policy_document.lambda.json
+  }
 }
 
 ###
 # IAM Role Policies
 #
 
-resource "aws_iam_role_policy" "lambda" {
-  role = "${aws_iam_role.lambda.id}"
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
 
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ],
-      "Resource": "arn:aws:logs:*:*:*"
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
     }
-  ]
+  }
 }
-EOF
+
+data "aws_iam_policy_document" "lambda" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+    resources = [
+      "arn:aws:logs:*:*:*",
+    ]
+  }
 }
 
 ###
 # Lambda functions
 #
 
-data "template_file" "basic_auth_function" {
-  template = "${file("${path.module}/functions/basic-auth.js")}"
-  vars = "${var.basic_auth_credentials}"
-}
-
 data "archive_file" "basic_auth_function" {
-  type = "zip"
+  type        = "zip"
   output_path = "${path.module}/functions/basic-auth.zip"
 
   source {
-    content = "${data.template_file.basic_auth_function.rendered}"
+    content  = templatefile("${path.module}/functions/basic-auth.js", var.basic_auth_credentials)
     filename = "basic-auth.js"
   }
 }
 
 resource "aws_lambda_function" "basic_auth" {
+  count            = var.create ? 1 : 0
   filename         = "${path.module}/functions/basic-auth.zip"
-  function_name    = "${var.function_name}"
-  role             = "${aws_iam_role.lambda.arn}"
+  function_name    = var.function_name
+  role             = aws_iam_role.lambda.arn
   handler          = "basic-auth.handler"
-  source_code_hash = "${data.archive_file.basic_auth_function.output_base64sha256}"
-  runtime          = "nodejs12.x"
+  source_code_hash = data.archive_file.basic_auth_function.output_base64sha256
+  runtime          = "nodejs16.x"
   description      = "Protect CloudFront distributions with Basic Authentication"
   publish          = true
 }

module/outputs.tf

@@ -1,4 +1,4 @@
 output "lambda_arn" {
-  value       = "${aws_lambda_function.basic_auth.qualified_arn}"
+  value       = length(aws_lambda_function.basic_auth[*].qualified_arn) > 0 ? aws_lambda_function.basic_auth[0].qualified_arn : null 
   description = "Lambda function ARN with version"
 }

module/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}

module/variables.tf

@@ -1,10 +1,16 @@
+variable "create" {
+  type        = bool
+  default     = true
+  description = "Whether to create this module"
+}
+
 variable "function_name" {
   type        = string
   default     = "basicAuth"
   description = "Lambda function name"
 }
 
 variable "basic_auth_credentials" {
-  type        = map
+  type        = map(any)
   description = "Credentials for Basic Authentication. Pass a map composed of 'user' and 'password'."
 }