diff --git a/README.md b/README.md
index dbbf0fb1..a037d9ac 100644
--- a/README.md
+++ b/README.md
@@ -689,25 +689,17 @@ No modules.
| Name | Type |
|------|------|
| [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.additional_many](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.additional_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.async](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.dead_letter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_lambda_event_source_mapping.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
| [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
| [aws_lambda_function_event_invoke_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_event_invoke_config) | resource |
@@ -828,7 +820,6 @@ No modules.
| [policy\_json](#input\_policy\_json) | An additional policy document as JSON to attach to the Lambda Function role | `string` | `null` | no |
| [policy\_jsons](#input\_policy\_jsons) | List of additional policy documents as JSON to attach to Lambda Function role | `list(string)` | `[]` | no |
| [policy\_name](#input\_policy\_name) | IAM policy name. It override the default value, which is the same as role\_name | `string` | `null` | no |
-| [policy\_path](#input\_policy\_path) | Path of policies to that should be added to IAM role for Lambda Function | `string` | `null` | no |
| [policy\_statements](#input\_policy\_statements) | Map of dynamic policy statements to attach to Lambda Function role | `any` | `{}` | no |
| [provisioned\_concurrent\_executions](#input\_provisioned\_concurrent\_executions) | Amount of capacity to allocate. Set to 1 or greater to enable, or set to 0 to disable provisioned concurrency. | `number` | `-1` | no |
| [publish](#input\_publish) | Whether to publish creation/change as new Lambda Function Version. | `bool` | `false` | no |
diff --git a/iam.tf b/iam.tf
index 436a4398..8b0440e1 100644
--- a/iam.tf
+++ b/iam.tf
@@ -131,20 +131,12 @@ data "aws_iam_policy_document" "logs" {
}
}
-resource "aws_iam_policy" "logs" {
+resource "aws_iam_role_policy" "logs" {
count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0
name = "${local.policy_name}-logs"
- path = var.policy_path
+ role = aws_iam_role.lambda[0].name
policy = data.aws_iam_policy_document.logs[0].json
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "logs" {
- count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0
-
- role = aws_iam_role.lambda[0].name
- policy_arn = aws_iam_policy.logs[0].arn
}
#####################
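Review bot: The removed `path = var.policy_path` and `tags = var.tags` lines are not relocated but dropped, because `aws_iam_role_policy` supports neither; any tag-based control that keyed on these policies (ABAC conditions on `aws:ResourceTag`, cost allocation, SCPs) silently stops applying, and callers that still pass `policy_path` will fail with an "argument not expected" error rather than a deprecation. That is a breaking interface change and should be called out in the upgrade notes; a softer path is to keep `variable "policy_path"` for one release with `description = "DEPRECATED: ignored, inline role policies have no path"` and no consumers. Because the managed policy and its attachment are destroyed while the inline policy is created under a new address, a deployed function may briefly lose its logs permission during the upgrade apply, which is worth stating in the same notes. This hunk's data source and the surrounding file continue outside the view.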
@@ -168,20 +160,12 @@ data "aws_iam_policy_document" "dead_letter" {
}
}
-resource "aws_iam_policy" "dead_letter" {
+resource "aws_iam_role_policy" "dead_letter" {
count = local.create_role && var.attach_dead_letter_policy ? 1 : 0
name = "${local.policy_name}-dl"
- path = var.policy_path
+ role = aws_iam_role.lambda[0].name
policy = data.aws_iam_policy_document.dead_letter[0].json
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "dead_letter" {
- count = local.create_role && var.attach_dead_letter_policy ? 1 : 0
-
- role = aws_iam_role.lambda[0].name
- policy_arn = aws_iam_policy.dead_letter[0].arn
}
######
@@ -195,20 +179,12 @@ data "aws_iam_policy" "vpc" {
arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
}
-resource "aws_iam_policy" "vpc" {
+resource "aws_iam_role_policy" "vpc" {
count = local.create_role && var.attach_network_policy ? 1 : 0
name = "${local.policy_name}-vpc"
- path = var.policy_path
+ role = aws_iam_role.lambda[0].name
policy = data.aws_iam_policy.vpc[0].policy
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "vpc" {
- count = local.create_role && var.attach_network_policy ? 1 : 0
-
- role = aws_iam_role.lambda[0].name
- policy_arn = aws_iam_policy.vpc[0].arn
}
#####################
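Review bot: Copying the body of the AWS-managed `AWSLambdaENIManagementAccess` policy into an inline policy (`policy = data.aws_iam_policy.vpc[0].policy`) freezes the document at the last plan and now also counts against the role's single inline-policy size quota, which the other inline policies in this change share. If the intent is only to stop creating customer-managed policies, attaching the managed policy directly keeps the ENI permission self-updating and off that quota: `resource "aws_iam_role_policy_attachment" "vpc" { role = aws_iam_role.lambda[0].name; policy_arn = data.aws_iam_policy.vpc[0].arn }` (presumably the same applies to the tracing hunk below, which copies `AWSXRayDaemonWriteAccess` the same way). If inlining is deliberate, a one-line comment above the resource saying why the managed ARN is not attached directly would stop the next reader from "fixing" it.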
@@ -222,20 +198,12 @@ data "aws_iam_policy" "tracing" {
arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXRayDaemonWriteAccess"
}
-resource "aws_iam_policy" "tracing" {
+resource "aws_iam_role_policy" "tracing" {
count = local.create_role && var.attach_tracing_policy ? 1 : 0
name = "${local.policy_name}-tracing"
- path = var.policy_path
+ role = aws_iam_role.lambda[0].name
policy = data.aws_iam_policy.tracing[0].policy
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "tracing" {
- count = local.create_role && var.attach_tracing_policy ? 1 : 0
-
- role = aws_iam_role.lambda[0].name
- policy_arn = aws_iam_policy.tracing[0].arn
}
###############################
@@ -259,60 +227,36 @@ data "aws_iam_policy_document" "async" {
}
}
-resource "aws_iam_policy" "async" {
+resource "aws_iam_role_policy" "async" {
count = local.create_role && var.attach_async_event_policy ? 1 : 0
name = "${local.policy_name}-async"
- path = var.policy_path
+ role = aws_iam_role.lambda[0].name
policy = data.aws_iam_policy_document.async[0].json
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "async" {
- count = local.create_role && var.attach_async_event_policy ? 1 : 0
-
- role = aws_iam_role.lambda[0].name
- policy_arn = aws_iam_policy.async[0].arn
}
###########################
# Additional policy (JSON)
###########################
-resource "aws_iam_policy" "additional_json" {
+resource "aws_iam_role_policy" "additional_json" {
count = local.create_role && var.attach_policy_json ? 1 : 0
name = local.policy_name
- path = var.policy_path
+ role = aws_iam_role.lambda[0].name
policy = var.policy_json
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "additional_json" {
- count = local.create_role && var.attach_policy_json ? 1 : 0
-
- role = aws_iam_role.lambda[0].name
- policy_arn = aws_iam_policy.additional_json[0].arn
}
#####################################
# Additional policies (list of JSON)
#####################################
-resource "aws_iam_policy" "additional_jsons" {
+resource "aws_iam_role_policy" "additional_jsons" {
count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
name = "${local.policy_name}-${count.index}"
- path = var.policy_path
+ role = aws_iam_role.lambda[0].name
policy = var.policy_jsons[count.index]
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "additional_jsons" {
- count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
-
- role = aws_iam_role.lambda[0].name
- policy_arn = aws_iam_policy.additional_jsons[count.index].arn
}
###########################
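Review bot: All inline policies on one role share a single aggregate size quota (the IAM "role policy size" limit, 10,240 characters), whereas each former `aws_iam_policy` had its own per-policy limit; `additional_jsons` now inlines every caller-supplied document alongside `additional_json`, `async`, `logs`, `dead_letter`, `vpc`, `tracing` and `additional_inline` on the same role, so a caller with several large `policy_jsons` entries that applied cleanly before can now fail at apply time with a LimitExceeded error. The quota should at least be documented on the `policy_json` and `policy_jsons` inputs, e.g. `# NOTE: all policies below are inline; their combined size must stay under the IAM role policy size quota`, and a `precondition` on the role summing `length(var.policy_json)` and `length(join("", var.policy_jsons))` would turn the runtime error into a plan-time one. Inline names stay unique per role here because the three additional_* resources use distinct suffixes, so no collision is introduced.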
@@ -383,18 +327,10 @@ data "aws_iam_policy_document" "additional_inline" {
}
}
-resource "aws_iam_policy" "additional_inline" {
+resource "aws_iam_role_policy" "additional_inline" {
count = local.create_role && var.attach_policy_statements ? 1 : 0
name = "${local.policy_name}-inline"
- path = var.policy_path
+ role = aws_iam_role.lambda[0].name
policy = data.aws_iam_policy_document.additional_inline[0].json
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "additional_inline" {
- count = local.create_role && var.attach_policy_statements ? 1 : 0
-
- role = aws_iam_role.lambda[0].name
- policy_arn = aws_iam_policy.additional_inline[0].arn
}
diff --git a/main.tf b/main.tf
index fc231abe..d30b16e2 100644
--- a/main.tf
+++ b/main.tf
@@ -153,16 +153,8 @@ resource "aws_lambda_function" "this" {
aws_cloudwatch_log_group.lambda,
# Before the lambda is created the execution role with all its policies should be ready
- aws_iam_role_policy_attachment.additional_inline,
- aws_iam_role_policy_attachment.additional_json,
- aws_iam_role_policy_attachment.additional_jsons,
aws_iam_role_policy_attachment.additional_many,
aws_iam_role_policy_attachment.additional_one,
- aws_iam_role_policy_attachment.async,
- aws_iam_role_policy_attachment.logs,
- aws_iam_role_policy_attachment.dead_letter,
- aws_iam_role_policy_attachment.vpc,
- aws_iam_role_policy_attachment.tracing,
]
}
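Review bot: The `depends_on` list drops the eight policy attachments but does not add the `aws_iam_role_policy.*` resources that replace them, so the comment "the execution role with all its policies should be ready" no longer holds: `aws_lambda_function.this` now only orders after `aws_iam_role.lambda` via the role ARN, and the inline policies can still be in flight when Lambda validates the role. For a VPC-attached function Lambda checks at create time that the role can manage ENIs, and that permission now lives in `aws_iam_role_policy.vpc`, so a fresh apply can fail with a "does not have permissions to call CreateNetworkInterface" error; the same race affects the first invocations' log writes. The resource block `aws_lambda_function.this` starts above this hunk.
```hcl
  depends_on = [
    # … unchanged: aws_cloudwatch_log_group.lambda …
    # Before the lambda is created the execution role with all its policies should be ready
    aws_iam_role_policy.additional_inline,
    aws_iam_role_policy.additional_json,
    aws_iam_role_policy.additional_jsons,
    aws_iam_role_policy_attachment.additional_many,
    aws_iam_role_policy_attachment.additional_one,
    aws_iam_role_policy.async,
    aws_iam_role_policy.logs,
    aws_iam_role_policy.dead_letter,
    aws_iam_role_policy.vpc,
    aws_iam_role_policy.tracing,
  ]
```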
diff --git a/variables.tf b/variables.tf
index 829019c7..259b8374 100644
--- a/variables.tf
+++ b/variables.tf
@@ -572,12 +572,6 @@ variable "attach_policies" {
default = false
}
-variable "policy_path" {
- description = "Path of policies to that should be added to IAM role for Lambda Function"
- type = string
- default = null
-}
-
variable "number_of_policy_jsons" {
description = "Number of policies JSON to attach to IAM role for Lambda Function"
type = number