Update docs for added context

ianbender · ianbender · commit 5576a240ffd1 · 2021-12-02T13:56:20.000-05:00
diff --git a/README.md b/README.md
@@ -41,23 +41,23 @@ No modules.
 | [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_metric_alarm.lambda_errors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_iam_role_policy_attachment.lambda_basic_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lambda_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lambda_networking](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
-| [aws_s3_bucket.lambda_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_object.lambda_deploy_object](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
-| [aws_s3_bucket_policy.lambda_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_public_access_block.lambda_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.lambda_deploy_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_ssm_parameter.deployment_bucket_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_deployment_bucket_id"></a> [deployment\_bucket\_id](#input\_deployment\_bucket\_id) | ID of S3 bucket that should store our deployment artifacts. Will use the /account/DEPLOYMENT\_BUCKET\_ID value from SSM unless specified otherwise. | `string` | `null` | no |
 | <a name="input_description"></a> [description](#input\_description) | Description of the Lambda Function | `string` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment variables to be passed to the function | `map(string)` | `{}` | no |
 | <a name="input_error_rate_alarm_threshold"></a> [error\_rate\_alarm\_threshold](#input\_error\_rate\_alarm\_threshold) | Error rate (in percent, 1-100) at which to trigger an alarm notification | `number` | `25` | no |
+| <a name="input_git_sha"></a> [git\_sha](#input\_git\_sha) | Hash generated by `git hash-object` in source repo and used to determine whether a lambda needs to be updated | `string` | `null` | no |
 | <a name="input_handler"></a> [handler](#input\_handler) | Name of the handler function inside the artifact (https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html) | `string` | n/a | yes |
 | <a name="input_layer_arns"></a> [layer\_arns](#input\_layer\_arns) | List of ARNs for layers to use with the function | `list(string)` | `[]` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days to keep function logs in Cloudwatch | `number` | `365` | no |
diff --git a/main.tf b/main.tf
@@ -23,9 +23,10 @@
  */
 
 locals {
-  deploy_artifact_key = "deploy.zip"
-  source_hash         = coalesce(var.git_sha, filebase64sha256(var.path))
-  role_arn            = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.role_name}"
+  deploy_artifact_key  = "deploy.zip"
+  deployment_bucket_id = coalesce(var.deployment_bucket_id, data.aws_ssm_parameter.deployment_bucket_id.value)
+  source_hash          = coalesce(var.git_sha, filebase64sha256(var.path))
+  role_arn             = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.role_name}"
 }
 
 # Configure default role permissions
@@ -51,7 +52,7 @@ resource "aws_iam_role_policy_attachment" "lambda_insights" {
 
 # S3 object to hold the deployed artifact
 resource "aws_s3_bucket_object" "lambda_deploy_object" {
-  bucket      = data.aws_ssm_parameter.deployment_bucket_id.value
+  bucket      = local.deployment_bucket_id
   key         = "${var.name}/${local.deploy_artifact_key}"
   source      = var.path
   source_hash = md5(local.source_hash)
@@ -74,7 +75,7 @@ resource "aws_lambda_function" "lambda" {
   reserved_concurrent_executions = var.reserved_concurrent_executions
   role                           = local.role_arn
   runtime                        = var.runtime
-  s3_bucket                      = data.aws_ssm_parameter.deployment_bucket_id.value
+  s3_bucket                      = local.deployment_bucket_id
   s3_key                         = aws_s3_bucket_object.lambda_deploy_object.key
   s3_object_version              = aws_s3_bucket_object.lambda_deploy_object.version_id
   tags                           = var.tags
diff --git a/vars.tf b/vars.tf
@@ -4,6 +4,12 @@ variable "description" {
   type        = string
 }
 
+variable "deployment_bucket_id" {
+  default     = null
+  description = "ID of S3 bucket that should store our deployment artifacts. Will use the /account/DEPLOYMENT_BUCKET_ID value from SSM unless specified otherwise."
+  type        = string
+}
+
 variable "environment" {
   default     = {}
   description = "Environment variables to be passed to the function"
@@ -17,9 +23,9 @@ variable "error_rate_alarm_threshold" {
 }
 
 variable "git_sha" {
-  type        = string
-  description = "Git SHA hash for lambda source code"
   default     = null
+  description = "Hash generated by `git hash-object` in source repo and used to determine whether a lambda needs to be updated"
+  type        = string
 }
 
 variable "handler" {
