# Execution role for the Lambda function that works the images bucket.
# The trust policy only says WHO may assume the role (the Lambda service);
# WHAT the function may do is granted separately in aws_iam_role_policy.lambda.
resource "aws_iam_role" "lambda" {
  name = "${var.project}-lambda-role-${var.environment}"
  tags = local.tags

  # Trust policy: sts:AssumeRole restricted to the Lambda service principal.
  # NOTE(review): the trust is scoped by service principal only; which
  # functions may use the role is governed by iam:PassRole on whoever creates
  # them. An aws:SourceArn / aws:SourceAccount condition would pin it to one
  # function or account, but that needs identifiers (function ARN, account id)
  # this file does not define and can create a role<->function cycle — confirm
  # before adding.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      },
    ]
  })
}
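# Inline permissions for the Lambda execution role. Every statement is pinned
# to one resource or key prefix; there are no wildcard resources. Sids are
# added so CloudTrail / IAM Access Analyzer findings can name the statement.
resource "aws_iam_role_policy" "lambda" {
  name = "${var.project}-lambda-policy-${var.environment}"
  role = aws_iam_role.lambda.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Read incoming objects under uploads/ and, as originally granted,
        # write back to the same prefix.
        # NOTE(review): if uploads/ is also the S3 trigger prefix, PutObject
        # here lets the function re-trigger itself (recursive invocation);
        # drop it unless the function genuinely rewrites uploads — confirm.
        Sid      = "ImagesUploads"
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = "${aws_s3_bucket.images.arn}/uploads/*"
      },
      {
        # Write-only on the output prefix.
        Sid      = "ImagesProcessedWrite"
        Effect   = "Allow"
        Action   = "s3:PutObject"
        Resource = "${aws_s3_bucket.images.arn}/processed/*"
      },
      {
        # Single write action on the metadata table; no read/scan/delete.
        Sid      = "MetadataPutItem"
        Effect   = "Allow"
        Action   = "dynamodb:PutItem"
        Resource = aws_dynamodb_table.metadata.arn
      },
      {
        Sid      = "NotificationsPublish"
        Effect   = "Allow"
        Action   = "sns:Publish"
        Resource = aws_sns_topic.notifications.arn
      },
      {
        # Decrypt + GenerateDataKey on the one CMK; no key-management actions.
        # NOTE(review): a kms:ViaService condition (e.g. S3 in this region)
        # would stop the key being used directly from function code, but the
        # region is not available in this file — TODO confirm and add.
        Sid      = "KmsDataKeyUse"
        Effect   = "Allow"
        Action   = ["kms:Decrypt", "kms:GenerateDataKey"]
        Resource = local.kms_key_arn
      },
      {
        # The log group is created and owned by Terraform
        # (aws_cloudwatch_log_group.lambda), so the function only needs to
        # create streams and put events into it. logs:CreateLogGroup was
        # removed on purpose: Terraform is the single owner of the group, so
        # an invocation must not be able to recreate it out-of-band (e.g. after
        # a destroy) with whatever settings the function picks. The ":*" suffix
        # matches the log streams beneath the group — this assumes a provider
        # version whose .arn does not already end in ":*"; confirm.
        Sid      = "CloudWatchLogsWrite"
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "${aws_cloudwatch_log_group.lambda.arn}:*"
      },
    ]
  })
}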
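# Role assumed by AWS Config. Unlike aws_iam_role.lambda the name carries no
# environment suffix — presumably because Config is configured per
# account/region rather than per environment; confirm this is deliberate.
resource "aws_iam_role" "config" {
  name = "${var.project}-config-role"

  # Tagged like the other role in this file so both show up under the same
  # ownership/cost tags.
  tags = local.tags

  # Trust policy: only the Config service principal may assume the role.
  # NOTE(review): AWS recommends an aws:SourceAccount condition on service
  # trust policies to prevent confused-deputy use from another account. It
  # needs the account id (e.g. a caller-identity data source), which this file
  # does not define — TODO add once one is available.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "config.amazonaws.com"
        }
      },
    ]
  })
}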
# Give the Config role the AWS-managed service-role policy intended for the
# Config recorder (this is the current "AWS_ConfigRole" policy, not the
# deprecated "AWSConfigRole" one).
# NOTE(review): this file grants nothing for a delivery channel (S3 bucket
# writes / SNS publish); if the channel is defined in this module, those
# permissions must come from somewhere else — verify.
resource "aws_iam_role_policy_attachment" "config" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
  role       = aws_iam_role.config.name
}