From 82c09ab57c2240dee6f460c7ec8befe6272912ee Mon Sep 17 00:00:00 2001
From: Juraj Uhlar
Date: Tue, 13 Aug 2024 16:38:29 +0200
Subject: [PATCH 1/2] chore: better describe permission boundary input
---
 examples/existing-ditribution/fingerprint.tf | 3 ++-
 examples/standalone-distribution/fingerprint.tf | 3 ++-
 variables.tf | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/examples/existing-ditribution/fingerprint.tf b/examples/existing-ditribution/fingerprint.tf
index e14e110..f8866c5 100644
--- a/examples/existing-ditribution/fingerprint.tf
+++ b/examples/existing-ditribution/fingerprint.tf
@@ -6,5 +6,6 @@ module "fingerprint_cloudfront_integration" {
 fpjs_shared_secret = var.fpjs_shared_secret
 // You can define the proxy function's [permission boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
- // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
+ // See https://dev.fingerprint.com/docs/aws-cloudfront-integration-via-terraform#defining-a-permission-boundary-for-the-proxy-function
+ // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam:::policy/YOUR_POLICY_NAME"
 }
diff --git a/examples/standalone-distribution/fingerprint.tf b/examples/standalone-distribution/fingerprint.tf
index e14e110..f8866c5 100644
--- a/examples/standalone-distribution/fingerprint.tf
+++ b/examples/standalone-distribution/fingerprint.tf
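Review bot: The placeholder on the new commented-out line, `arn:aws:iam:::policy/YOUR_POLICY_NAME`, leaves the account field empty, so a reader who only swaps in the policy name ends up with an ARN that does not name a customer-managed policy; those carry the account id in the fifth field, while AWS managed policies put the literal `aws` there, as the replaced line did. Suggest making the missing piece explicit, `// fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::<ACCOUNT_ID>:policy/YOUR_POLICY_NAME"`, so the example cannot be copied as-is into a failing apply. The identical line is added to examples/standalone-distribution/fingerprint.tf in the next hunk and should get the same fix. The enclosing `module "fingerprint_cloudfront_integration"` block starts before this hunk.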
@@ -6,5 +6,6 @@ module "fingerprint_cloudfront_integration" {
 fpjs_shared_secret = var.fpjs_shared_secret
 // You can define the proxy function's [permission boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
- // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
+ // See https://dev.fingerprint.com/docs/aws-cloudfront-integration-via-terraform#defining-a-permission-boundary-for-the-proxy-function
+ // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam:::policy/YOUR_POLICY_NAME"
 }
diff --git a/variables.tf b/variables.tf
index fb5264c..fd8cf56 100644
--- a/variables.tf
+++ b/variables.tf
@@ -10,7 +10,7 @@ variable "fpjs_get_result_path" {
 variable "fpjs_agent_download_path" {
 type = string
- description = "request path used to send ProCDN requests (aka FPJS_AGENT_DOWNLOAD_PATH)"
+ description = "request path used to send agent download requests (aka FPJS_AGENT_DOWNLOAD_PATH)"
 validation {
 condition = can(regex("^([a-zA-Z0-9\\-])+$", var.fpjs_agent_download_path))
@@ -31,6 +31,6 @@ variable "fpjs_shared_secret" {
 variable "fpjs_proxy_lambda_role_permissions_boundary_arn" {
 type = string
- description = "permissions boundary ARN for the role assumed by the Proxy lambda"
+ description = "Permissions boundary ARN for the role assumed by the Proxy lambda. Make sure your permissions boundary allows the function to access the Secret manager secret created for the integration (`secretsmanager:GetSecretValue`) and create logs (`logs:CreateLogStream`, `logs:CreateLogGroup`, `logs:PutLogEvents`)."
 default = null
 }
From ac3e186e0846b768724aaa1bbc63d2e580cba84c Mon Sep 17 00:00:00 2001
From: Juraj Uhlar
Date: Tue, 13 Aug 2024 16:54:43 +0200
Subject: [PATCH 2/2] chore: fix typo
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index fd8cf56..b055766 100644
--- a/variables.tf
+++ b/variables.tf
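Review bot: The new description for `fpjs_proxy_lambda_role_permissions_boundary_arn` (hunk `@@ -31,6 +31,6 @@`) spells out what the boundary must allow, but the variable still accepts any string: unlike `fpjs_agent_download_path` in the hunk above, it has no `validation` block, so a malformed value such as the `arn:aws:iam:::policy/...` shape shown in the examples only surfaces as an error inside the IAM role resource at apply time. A validation that accepts either null or an IAM policy ARN would turn that into a plan-time failure with a message that points at the input. The Secrets Manager and CloudWatch Logs permissions the description lists cannot be checked from Terraform, since only AWS evaluates the boundary's content, so a comment saying that the description is the only guard for them would be worth adding. The regex below is constructed from the documented ARN shape and should be confirmed against the partitions the module is meant to support.

```hcl
variable "fpjs_proxy_lambda_role_permissions_boundary_arn" {
  type        = string
  # … unchanged: description …
  default     = null

  # Accept no boundary (null) or an IAM policy ARN: customer-managed policies carry a
  # 12-digit account id in the account field, AWS managed policies the literal "aws".
  # Whether the boundary grants the permissions named in the description can only be
  # verified by AWS at invocation time.
  validation {
    condition = (
      var.fpjs_proxy_lambda_role_permissions_boundary_arn == null ||
      can(regex("^arn:aws[a-z-]*:iam::(\\d{12}|aws):policy/.+$", var.fpjs_proxy_lambda_role_permissions_boundary_arn))
    )
    error_message = "fpjs_proxy_lambda_role_permissions_boundary_arn must be null or an IAM policy ARN of the form arn:<partition>:iam::<account-id>:policy/<name>."
  }
}
```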
@@ -31,6 +31,6 @@ variable "fpjs_shared_secret" {
 variable "fpjs_proxy_lambda_role_permissions_boundary_arn" {
 type = string
- description = "Permissions boundary ARN for the role assumed by the Proxy lambda. Make sure your permissions boundary allows the function to access the Secret manager secret created for the integration (`secretsmanager:GetSecretValue`) and create logs (`logs:CreateLogStream`, `logs:CreateLogGroup`, `logs:PutLogEvents`)."
+ description = "Permissions boundary ARN for the role assumed by the Proxy lambda. Make sure your permissions boundary allows the function to access the Secrets Manager secret created for the integration (`secretsmanager:GetSecretValue`) and create logs (`logs:CreateLogStream`, `logs:CreateLogGroup`, `logs:PutLogEvents`)."
 default = null
 }