-
Notifications
You must be signed in to change notification settings - Fork 2
/
policy-roles.tf
128 lines (123 loc) · 3.5 KB
/
policy-roles.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
/**
* @fileoverview This Terraform file creates an AWS IAM role and policy to be used by Lambda functions and API Gateway.
* The IAM role has permissions to access various AWS services and resources.
*
* The main components of this file include:
* 1. AWS IAM Role: Creates a default IAM role for Lambda functions and API Gateway.
* 2. AWS IAM Role Policy: Defines a policy with the necessary permissions for the IAM role.
* 3. Output: Exports the ARN of the created IAM role.
*
* The policy provides permissions for the following services and resources:
* - Lambda: Invocation of Lambda functions.
* - CloudWatch Logs: Creating log streams, log deliveries, and putting log events.
* - Amazon SES: Sending emails.
* - Amazon SQS: Sending and receiving messages, managing message visibility, getting queue URLs, and deleting messages.
* - Amazon S3: Getting, tagging, listing, deleting, and putting objects.
*/
resource "aws_iam_role" "default-lambda-role" {
name = "default-lambda-role"
description = "${local.config.AWS_PROFILE}: IAM Role for the Lambdas."
assume_role_policy = jsonencode({
"Version": "2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"lambda.amazonaws.com",
"apigateway.amazonaws.com"
]
},
"Effect": "Allow",
"Sid": ""
}]
})
}
# Create an IAM policy for a role
resource "aws_iam_role_policy" "default-lambda-policy" {
name = "AWSLambdaBasicExecutionRole"
# ID of lambda role from above
role = aws_iam_role.default-lambda-role.id
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["lambda:InvokeFunction"],
"Resource": "arn:aws:lambda:*:*:*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:CreateLogDelivery",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:ListIdentities",
"ses:GetIdentityVerificationAttributes"
]
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sqs:SendMessage",
"Resource": "*"
},
{
"Action": [
"sqs:ReceiveMessage",
"sqs:ChangeMessageVisibility",
"sqs:GetQueueUrl",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectTagging",
"s3:ListBucket",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutObjectTagging"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke",
"execute-api:ManageConnections"
],
"Resource": "*"
},
{
"Effect" : "Allow",
"Action" : [
"cloudfront:CreateInvalidation",
"cloudfront:GetInvalidation",
"cloudfront:ListInvalidations"
],
"Resource" : "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
}
]
})
}
output "default_lambda_role_arn" { value = aws_iam_role.default-lambda-role.arn }