From 2a393addbfc70f69e332ee35290f32526f14cb94 Mon Sep 17 00:00:00 2001
From: Michael Harrison
Date: Tue, 10 Jun 2025 18:04:55 +0100
Subject: [PATCH] CCM-10464: add configurable lambda resource permissions
---
 infrastructure/modules/lambda/README.md | 1 +
 infrastructure/modules/lambda/lambda_permissions.tf | 10 ++++++++++
 infrastructure/modules/lambda/variables.tf | 12 ++++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 infrastructure/modules/lambda/lambda_permissions.tf
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index f84af40..c7329c6 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -41,6 +41,7 @@
 | [log\_subscription\_lambda\_create\_permission](#input\_log\_subscription\_lambda\_create\_permission) | Whether to create a permission for the log forwarder. Set to false if using a generic one. | `bool` | `true` | no |
 | [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
 | [memory](#input\_memory) | The amount of memory to apply to the created Lambda | `number` | n/a | yes |
+| [permission\_statements](#input\_permission\_statements) | Statements giving an external source permission to invoke the Lambda function |
list(object({
action = optional(string)
principal = string
source_arn = optional(string)
source_account = optional(string)
statement_id = string
}))
| `[]` | no |
 | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | [runtime](#input\_runtime) | The runtime to use for the lambda function | `string` | n/a | yes |
diff --git a/infrastructure/modules/lambda/lambda_permissions.tf b/infrastructure/modules/lambda/lambda_permissions.tf
new file mode 100644
index 0000000..c6ebea8
--- /dev/null
+++ b/infrastructure/modules/lambda/lambda_permissions.tf
@@ -0,0 +1,10 @@
+resource "aws_lambda_permission" "main" {
+ for_each = { for statement in var.permission_statements : statement.statement_id => statement }
+
+ action = try(each.value.action, "lambda:InvokeFunction")
+ function_name = local.csi
+ principal = each.value.principal
+ source_arn = try(each.value.source_arn, null)
+ source_account = try(each.value.source_account, null)
+ statement_id = each.value.statement_id
+}
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
index c1cc728..ab25d92 100644
--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
@@ -236,3 +236,15 @@ variable "log_subscription_role_arn" {
 description = "The ARN of the IAM role to use for the log subscription filter"
 default = ""
 }
+
+variable "permission_statements" {
+ type = list(object({
+ action = optional(string)
+ principal = string
+ source_arn = optional(string)
+ source_account = optional(string)
+ statement_id = string
+ }))
+ description = "Statements giving an external source permission to invoke the Lambda function"
+ default = []
+}
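Review bot: The `try()` on the `action` line of the new `aws_lambda_permission.main` never falls back to `lambda:InvokeFunction`: `action` is declared `optional(string)` in variables.tf, so `each.value.action` evaluates to null without raising an error, `try()` returns that null, and Terraform then treats the required `action` argument as omitted and fails the plan. Use `action = coalesce(each.value.action, "lambda:InvokeFunction")`, or give the attribute its default in the type, `action = optional(string, "lambda:InvokeFunction")`, and reference `each.value.action` directly. The `try(..., null)` wrappers on the `source_arn` and `source_account` lines are no-ops for the same reason and can be plain `each.value.source_arn` / `each.value.source_account`. Keying `for_each` on `statement_id` means two entries sharing an id fail at plan time with a duplicate-key error; a one-line comment stating that `statement_id` must be unique per function would make that intentional.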
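Review bot: The new `permission_statements` variable accepts any `principal` string with `source_arn` and `source_account` both unset, so a caller can pass `"*"` (the function becomes invokable by anyone) or a bare service principal such as one ending in `.amazonaws.com` with no source scoping, which lets resources of that service in any AWS account invoke the function (the classic confused-deputy shape). Since each statement is a resource-policy grant on the function, the module is the right place to enforce the least-privilege floor with `validation` blocks rather than relying on every caller; the object's `optional()` attributes already require Terraform 1.3, which also provides `endswith` (on older versions `can(regex(...))` works instead). The description could also say what scoping is expected, e.g. `"Resource-policy statements granting an external principal permission to invoke the Lambda function. Service principals must be scoped with source_arn and/or source_account."`.

```hcl
variable "permission_statements" {
  # … unchanged: type, description, default …

  validation {
    condition = alltrue([
      for s in var.permission_statements : s.principal != "*"
    ])
    error_message = "permission_statements: principal \"*\" would make the function publicly invokable; name a specific account, role or service principal."
  }

  validation {
    condition = alltrue([
      for s in var.permission_statements :
      !endswith(s.principal, ".amazonaws.com") || s.source_arn != null || s.source_account != null
    ])
    error_message = "permission_statements: a service principal must be scoped with source_arn and/or source_account so that only the intended resource/account can invoke the function."
  }
}
```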