@karl-cardenas-coding
Created December 5, 2020 19:26
An example of using AWS Code Signing with a Lambda
#######################################
# Lambda Resources Option 3
#######################################
# In this scenario the Lambda is zipped and uploaded outside of the Terraform execution.
resource "aws_lambda_function" "test_lambda" {
  s3_bucket = var.code-bucket
  # Alternative: take the key directly from a signing job managed in this configuration.
  # s3_key = aws_signer_signing_job.build_signing_job.signed_object[0]["s3"][0]["key"]
  s3_key        = local.lambdaSource
  function_name = var.lambda-name
  handler       = "lambda_function.lambda_handler"
  memory_size   = 128
  runtime       = "python3.8"
  role          = var.lambda-role
  timeout       = 45
  # Attach the code signing configuration so Lambda checks the package signature at deployment.
  code_signing_config_arn = aws_lambda_code_signing_config.abc-signer-profile-config.arn
  # For option 1
  # depends_on = [data.archive_file.lambda_zip]
  # For option 2
  # depends_on = [null_resource.build_upload]
  tags = var.tags
}

# List the signed artifacts stored under the "signed/" prefix of the code bucket.
data "aws_s3_bucket_objects" "signedLambdas" {
  bucket = var.code-bucket
  prefix = "signed/"
}

locals {
  signedSourceList = data.aws_s3_bucket_objects.signedLambdas.keys
  # First key under "signed/", or null when no signed artifact exists yet.
  # S3 lists keys in lexicographic order, so index 0 is the first key by name,
  # not necessarily the most recently signed artifact.
  lambdaSource = try(local.signedSourceList[0], null)
}