-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathlambda.tf
More file actions
149 lines (134 loc) · 3.79 KB
/
Copy pathlambda.tf
File metadata and controls
149 lines (134 loc) · 3.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
resource "aws_lambda_function" "this" {
filename = var.lambda_filename
description = var.description
function_name = var.name
handler = var.lambda_handler
layers = var.layers
memory_size = var.lambda_memory_size
reserved_concurrent_executions = -1 #?
role = aws_iam_role.lambda.arn
runtime = var.lambda_runtime
timeout = 60
dynamic "environment" {
for_each = local.environment_map
content {
variables = environment.value
}
}
timeouts {}
tracing_config {
mode = "Active"
}
tags = merge(
local.common_tags,
{
},
)
lifecycle { #todo: remove or add aditional things?
ignore_changes = [
filename,
last_modified,
source_code_hash
]
}
}
### IAM ROLES, POLICIES AND ATTACHMENTS ###
resource "aws_iam_role" "lambda" {
name = var.name
description = "Allows Lambda functions to call AWS services on your behalf."
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement":
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS" : [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
],
"Service": "lambda.amazonaws.com"
}
}
}
EOF
tags = merge(
local.common_tags,
{
},
)
}
locals {
policies = {
for param, policy in var.policy_configs_map : param => policy.arn if policy.enabled
}
}
resource "aws_iam_role_policy_attachment" "lambda" {
role = aws_iam_role.lambda.name
for_each = local.policies
policy_arn = each.value
}
resource "aws_cloudwatch_log_group" "lambda" {
name = var.name
kms_key_id = aws_kms_key.this.arn
tags = merge(local.common_tags, {})
}
resource "aws_kms_key" "this" {
description = "Key used to encrypt log groups"
tags = merge(local.common_tags, {})
policy = data.aws_iam_policy_document.this.json
enable_key_rotation = true
}
#data "aws_iam_policy" "aws_lambda_execute" {
# arn = "arn:aws:iam::aws:policy/AWSLambdaExecute"
#}
#
#data "aws_iam_policy" "amazon_ssm_read_only_access" {
# arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
#}
#
#data "aws_iam_policy" "aws_xray_full_access" {
# arn = "arn:aws:iam::aws:policy/AWSXrayFullAccess"
#}
#
#data "aws_iam_policy" "aws_secretmanager_readwrite" {
# arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
#}
#
#data "aws_iam_policy" "lambda_s3_policy" {
# arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
#}
#
#data "aws_iam_policy" "lambda_sqs_policy" {
# arn = "arn:aws:iam::aws:policy/AmazonSQSFullAccess"
#}
#
#resource "aws_iam_role_policy_attachment" "role_policy_attachment" {
# role = aws_iam_role.lambda.name
# policy_arn = data.aws_iam_policy.lambda_s3_policy.arn
#}
#
#resource "aws_iam_role_policy_attachment" "aws_secretmanager_readwrite" {
# role = aws_iam_role.lambda.name
# policy_arn = data.aws_iam_policy.aws_secretmanager_readwrite.arn
#}
#
#resource "aws_iam_role_policy_attachment" "aws_lambda_execute" {
# role = aws_iam_role.lambda.name
# policy_arn = data.aws_iam_policy.aws_lambda_execute.arn
#}
#
#resource "aws_iam_role_policy_attachment" "amazon_ssm_read_only_access" {
# role = aws_iam_role.lambda.name
# policy_arn = data.aws_iam_policy.amazon_ssm_read_only_access.arn
#}
#
#resource "aws_iam_role_policy_attachment" "aws_xray_full_access" {
# role = aws_iam_role.lambda.name
# policy_arn = data.aws_iam_policy.aws_xray_full_access.arn
#}
#
#resource "aws_iam_role_policy_attachment" "aws_sqs_excecution" {
# role = aws_iam_role.lambda.name
# policy_arn = data.aws_iam_policy.lambda_sqs_policy.arn
#}