Enable Lambda scope + bump tofu-modules to v4.5.2#7

Merged
agustincelentano merged 2 commits into main from feat/lambda-iam-provider
Jun 25, 2026
Conversation

@agustincelentano agustincelentano commented Jun 23, 2026

Contributor

Summary

  • Enable the AWS Lambda deployment scope on the aws-services cluster (scope, S3 assets, Lambda@Edge).
  • Wire the Lambda scope-configuration in the nullplatform layer: placeholder image URI (235494813897...latest-amd64) + tofu state bucket.
  • Move the Lambda defaults out of the agent module's extra_envs (ASSUME_ROLE_ARN_DEFAULT, PLACEHOLDER_IMAGE_URI_DEFAULT) — now provided through the scope-configuration.
  • Bump all tagged tofu-modules refs (v4.3.0/v4.5.1) to v4.5.2. Feature-branch refs (feat/separate-build-user-from-asset-repositories) left untouched on purpose.
  • tofu fmt -recursive.

Applied

All three layers applied against the Implementations account (235494813897):

  • infrastructure/aws — 3 changed (agent + base helm releases + tools namespace).
  • nullplatform — scope_configuration_lambda created; bump = no further changes.
  • nullplatform-bindings — recreated a zombie aws-iam-configuration provider config (was 404 in the platform, removed from state and re-added); bump = no further changes.

Notes

  • The bump on the infrastructure/aws helm releases shows values as (sensitive value) in the plan, so the per-key diff isn't visible — non-destructive (0 destroy).

🤖 Generated with Claude Code

agustin.celentano added 2 commits June 23, 2026 17:54
- iam: separate the build workflow user into the build-user module and grant
  S3 publish permissions via s3-assets; ecr now receives build_workflow_group_name
  and the build credentials come from build-user (tofu-modules v5 layout)
- bindings: register the S3 asset repository (asset/s3, bucket
  lambda-files-aws-services) and the AWS IAM provider (identity-access-control)
  that publishes the lambda assume-role by selector
- agent: add lambda:GetFunction / EnableReplication* so CloudFront can validate
  Lambda@Edge function associations
- scope config: add a Lambda@Edge function association (viewer-response) to the
  static-files scope configuration

Note: tofu-modules refs point to the feature branch
(feat/separate-build-user-from-asset-repositories); update to the released tag
once nullplatform/tofu-modules#402 is merged.
- Bump all tagged tofu-modules refs (v4.3.0/v4.5.1) to v4.5.2; feature-branch refs left untouched
- Add scope_configuration_lambda module in nullplatform layer (placeholder image + state bucket)
- Remove extra_envs (ASSUME_ROLE_ARN_DEFAULT, PLACEHOLDER_IMAGE_URI_DEFAULT) from agent module; now provided via lambda scope-configuration
- Run tofu fmt -recursive
@agustincelentano agustincelentano changed the title feat: enable lambda scope, S3 assets and Lambda@Edge on aws-services Enable Lambda scope + bump tofu-modules to v4.5.2 Jun 25, 2026
@agustincelentano agustincelentano merged commit 8e86060 into main Jun 25, 2026
@agustincelentano agustincelentano deleted the feat/lambda-iam-provider branch June 25, 2026 13:16