CCM-10464: add configurable lambda resource policies

infrastructure/modules/lambda/README.md

@@ -41,6 +41,7 @@
 | <a name="input_log_subscription_lambda_create_permission"></a> [log\_subscription\_lambda\_create\_permission](#input\_log\_subscription\_lambda\_create\_permission) | Whether to create a permission for the log forwarder. Set to false if using a generic one. | `bool` | `true` | no |
 | <a name="input_log_subscription_role_arn"></a> [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
 | <a name="input_memory"></a> [memory](#input\_memory) | The amount of memory to apply to the created Lambda | `number` | n/a | yes |
+| <a name="input_permission_statements"></a> [permission\_statements](#input\_permission\_statements) | Statements giving an external source permission to invoke the Lambda function | <pre>list(object({<br/>    action         = optional(string)<br/>    principal      = string<br/>    source_arn     = optional(string)<br/>    source_account = optional(string)<br/>    statement_id   = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_runtime"></a> [runtime](#input\_runtime) | The runtime to use for the lambda function | `string` | n/a | yes |

infrastructure/modules/lambda/lambda_permissions.tf

@@ -0,0 +1,10 @@
+resource "aws_lambda_permission" "main" {
+  for_each = { for statement in var.permission_statements : statement.statement_id => statement }
+
+  action         = try(each.value.action, "lambda:InvokeFunction")
+  function_name  = local.csi
+  principal      = each.value.principal
+  source_arn     = try(each.value.source_arn, null)
+  source_account = try(each.value.source_account, null)
+  statement_id   = each.value.statement_id
+}

infrastructure/modules/lambda/variables.tf

@@ -236,3 +236,15 @@ variable "log_subscription_role_arn" {
   description = "The ARN of the IAM role to use for the log subscription filter"
   default     = ""
 }
+
+variable "permission_statements" {
+  type = list(object({
+    action         = optional(string)
+    principal      = string
+    source_arn     = optional(string)
+    source_account = optional(string)
+    statement_id   = string
+  }))
+  description = "Statements giving an external source permission to invoke the Lambda function"
+  default     = []
+}