chore: better describe permission boundary input

JuroUhlar · JuroUhlar · commit 82c09ab57c22 · 2024-08-13T16:38:29.000+02:00
diff --git a/examples/existing-ditribution/fingerprint.tf b/examples/existing-ditribution/fingerprint.tf
@@ -6,5 +6,6 @@ module "fingerprint_cloudfront_integration" {
   fpjs_shared_secret       = var.fpjs_shared_secret
 
   // You can define the proxy function's [permission boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-  // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
+  // See https://dev.fingerprint.com/docs/aws-cloudfront-integration-via-terraform#defining-a-permission-boundary-for-the-proxy-function
+  // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/YOUR_POLICY_NAME"
 }
diff --git a/examples/standalone-distribution/fingerprint.tf b/examples/standalone-distribution/fingerprint.tf
@@ -6,5 +6,6 @@ module "fingerprint_cloudfront_integration" {
   fpjs_shared_secret       = var.fpjs_shared_secret
 
   // You can define the proxy function's [permission boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-  // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
+  // See https://dev.fingerprint.com/docs/aws-cloudfront-integration-via-terraform#defining-a-permission-boundary-for-the-proxy-function
+  // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/YOUR_POLICY_NAME"
 }
diff --git a/variables.tf b/variables.tf
@@ -10,7 +10,7 @@ variable "fpjs_get_result_path" {
 
 variable "fpjs_agent_download_path" {
   type        = string
-  description = "request path used to send ProCDN requests (aka FPJS_AGENT_DOWNLOAD_PATH)"
+  description = "request path used to send agent download requests (aka FPJS_AGENT_DOWNLOAD_PATH)"
 
   validation {
     condition     = can(regex("^([a-zA-Z0-9\\-])+$", var.fpjs_agent_download_path))
@@ -31,6 +31,6 @@ variable "fpjs_shared_secret" {
 
 variable "fpjs_proxy_lambda_role_permissions_boundary_arn" {
   type        = string
-  description = "permissions boundary ARN for the role assumed by the Proxy lambda"
+  description = "Permissions boundary ARN for the role assumed by the Proxy lambda. Make sure your permissions boundary allows the function to access the Secret manager secret created for the integration (`secretsmanager:GetSecretValue`) and create logs (`logs:CreateLogStream`, `logs:CreateLogGroup`, `logs:PutLogEvents`)."
   default     = null
 }

Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,6 @@ module "fingerprint_cloudfront_integration" {`
`6`	`6`	`fpjs_shared_secret = var.fpjs_shared_secret`
`7`	`7`
`8`	`8`	`// You can define the proxy function's [permission boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)`
`9`		`- // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"`
	`9`	`+ // See https://dev.fingerprint.com/docs/aws-cloudfront-integration-via-terraform#defining-a-permission-boundary-for-the-proxy-function`
	`10`	`+ // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/YOUR_POLICY_NAME"`
`10`	`11`	`}`