locals {
  # A custom role name supplied through `var.lambda_role_name` means the caller
  # owns the role: skip creating the default one (and, further down, the
  # CloudFormation outputs stack), but still attach the same policies to the
  # role that is in use. The switch therefore keys off `var.lambda_role_name`,
  # not `local.lambda_role_name` (which, judging by its use in the policy
  # attachment below, resolves to whichever role ends up in use).
  #
  # Note: `count` here is an ordinary local (referenced as `local.count`), not
  # the resource meta-argument of the same name.
  count = var.lambda_role_name == "" ? 1 : 0
}
# Default execution role, created only when no custom role name was supplied
# (see `local.count`). No `permissions_boundary` is set on it; accounts that
# mandate one would need to add that argument here.
resource "aws_iam_role" "lambda" {
  count = local.count

  name               = "tf-${local.service_name}-${local.stage}-lambda-execution"
  tags               = local.tags
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}
# Trust policy for the default role: lets the Lambda service assume it.
#
# NOTE(review): trust is granted to the Lambda service principal as a whole,
# with no `condition` block scoping it to this account's functions. Adding
# `aws:SourceAccount` / `aws:SourceArn` conditions is the usual confused-deputy
# mitigation for service-principal trust policies — confirm Lambda honours
# these keys in the target partition before adding them.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["lambda.amazonaws.com"]
      type        = "Service"
    }
  }
}
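# Managed policy holding the log permissions. It is attached to whichever role
# is in use (default or custom) by the attachment below, so unlike the role it
# is created unconditionally.
#
# Tagged with the same `local.tags` as the role and the outputs stack so the
# three resources carry one consistent tag set (requires an AWS provider
# version that supports `tags` on aws_iam_policy).
resource "aws_iam_policy" "lambda" {
  name   = "tf-${local.service_name}-${local.stage}-lambda-execution"
  policy = data.aws_iam_policy_document.lambda.json
  tags   = local.tags
}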
# Replicate the log permissions from the default Serverless role.
#
# Both statements are scoped to the `/aws/lambda/<service>-<stage>...` log
# groups of this service/stage. The trailing `*` after `${local.iam_stage}` is
# what matches the per-function suffix, but it also matches any other stage
# whose name starts with this one (e.g. a stage named "<stage>2"), so it is
# only as tight as the stage naming scheme allows.
data "aws_iam_policy_document" "lambda" {
  # Creating streams is granted at log-group level ...
  statement {
    effect  = "Allow"
    actions = ["logs:CreateLogStream"]
    resources = [
      "arn:${local.iam_partition}:logs:${local.iam_region}:${local.iam_account_id}:log-group:/aws/lambda/${local.sls_service_name}-${local.iam_stage}*:*",
    ]
  }

  # ... while writing events is granted at log-stream level (one more `:*`).
  statement {
    effect  = "Allow"
    actions = ["logs:PutLogEvents"]
    resources = [
      "arn:${local.iam_partition}:logs:${local.iam_region}:${local.iam_account_id}:log-group:/aws/lambda/${local.sls_service_name}-${local.iam_stage}*:*:*",
    ]
  }
}
# Attach the log policy to the role actually in use (default or custom).
# `local.lambda_role_name` must be a role *name*, not an ARN, which is what
# the `role` argument of this resource expects.
resource "aws_iam_role_policy_attachment" "lambda" {
  policy_arn = aws_iam_policy.lambda.arn
  role       = local.lambda_role_name
}
# Use a small CloudFormation stack to expose outputs for
# consumption in Serverless. (There are _many_ ways to do this, we just
# like this as there's no local disk state needed to deploy.)
#
# _Note_: CF **requires** 1+ `Resources`, so we throw in the SSM param of the
# role ARN because it's small and we need "something". It's otherwise unused.
#
# See: https://theburningmonk.com/2019/03/making-terraform-and-serverless-framework-work-together/
resource "aws_cloudformation_stack" "outputs_lambda_role" {
  # Only create the stack when the default role is created too; otherwise
  # `aws_iam_role.lambda[count.index]` would have nothing to index.
  count = local.count

  name = "tf-${local.service_name}-${local.stage}-outputs-lambda-role"
  tags = local.tags

  # `<<-` strips the common leading indent, so the YAML can be indented with
  # the surrounding HCL without that indent leaking into the template.
  template_body = <<-STACK
    Resources:
      LambdaExecutionRoleArn:
        Type: AWS::SSM::Parameter
        Properties:
          Name: "tf-${local.service_name}-${local.stage}-LambdaExecutionRoleArn"
          Value: "${aws_iam_role.lambda[count.index].arn}"
          Type: String
    Outputs:
      LambdaExecutionRoleArn:
        Description: "The ARN of the lambda execution role for Serverless to apply"
        Value: "${aws_iam_role.lambda[count.index].arn}"
        Export:
          Name: "tf-${local.service_name}-${local.stage}-LambdaExecutionRoleArn"
  STACK
}