-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlambdarole.tf
60 lines (54 loc) · 1.45 KB
/
lambdarole.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# IAM role which dictates what other AWS services the Lambda function may access.
# In our case, lambda access CloudWatch_log_group to write logs and Polly to tranlate text
resource "aws_iam_role" "lambda_exec" {
name = "texttospeech_lambda_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
# with terraform we can't attach directly more than one managed permission to a role
# so we need to create an IAM policy with the needed permissions and attach it to the created IAM role
# In real cases, the permissions should be more restrictive!
resource "aws_iam_policy" "iam_policy_for_lambda" {
name = "aws_iam_policy_for_terraform_aws_lambda_role"
path = "/"
description = "AWS IAM Policy for managing aws lambda role"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "polly:*",
"Resource": "*"
}
]
}
EOF
}
#Attach the role to the policy
resource "aws_iam_role_policy_attachment" "lambda_policy" {
role = aws_iam_role.lambda_exec.name
policy_arn = aws_iam_policy.iam_policy_for_lambda.arn
}