# Package the handler source (index.mjs next to this module) into the zip that
# aws_s3_object.code_package uploads.
data "archive_file" "zip" {
  type        = "zip"
  output_path = "${path.module}/index.zip"
  source_file = "${path.module}/index.mjs"
}
# Eight lowercase letters, no digits or symbols. Not referenced in this file;
# presumably consumed by the locals that build the function / bucket name — verify.
resource "random_string" "random_suffix" {
  length  = 8
  lower   = true
  upper   = false
  numeric = false
  special = false
}
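# Bucket holding the function's deployment package.
# NOTE(review): S3 bucket names are global and this one equals the function name;
# confirm local.lambda_function_name includes the random suffix so the name is not guessable.
resource "aws_s3_bucket" "code" {
  bucket = local.lambda_function_name
  # Only build artifacts live here and Terraform regenerates them, so the bucket may be
  # emptied when the stack is destroyed.
  force_destroy = true
  tags          = local.tags
}

# The deployment package must never be readable from outside the account; make the
# block explicit rather than relying on account/provider defaults.
resource "aws_s3_bucket_public_access_block" "code" {
  bucket                  = aws_s3_bucket.code.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encrypt objects at rest (SSE-S3); stated explicitly so the intent survives policy changes.
resource "aws_s3_bucket_server_side_encryption_configuration" "code" {
  bucket = aws_s3_bucket.code.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}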
# Uploads the zip built by data.archive_file.zip. source_hash is the package content hash,
# so the object is re-uploaded when the code changes, not only when the path changes.
resource "aws_s3_object" "code_package" {
  bucket      = aws_s3_bucket.code.id
  key         = "index.zip"
  source      = data.archive_file.zip.output_path
  source_hash = filebase64sha256(data.archive_file.zip.output_path)
  tags        = local.tags
}
# The Lambda@Edge function that rewrites the origin request for CloudFront.
resource "aws_lambda_function" "edge_lambda" {
  description   = "A Lambda@Edge function that modifies the origin request."
  function_name = local.lambda_function_name
  role          = aws_iam_role.lambda_role.arn
  tags          = local.tags

  # Code comes from the bucket rather than an inline upload; source_code_hash is the
  # same content hash the S3 object carries, so a changed package forces a redeploy.
  package_type     = "Zip"
  s3_bucket        = aws_s3_bucket.code.id
  s3_key           = aws_s3_object.code_package.key
  source_code_hash = aws_s3_object.code_package.source_hash

  handler     = "index.handler"
  runtime     = "nodejs20.x"
  memory_size = 128
  timeout     = 5

  # Publish a numbered version on every apply; CloudFront references a version, not $LATEST.
  publish = true

  # NOTE(review): replicas invoked outside us-east-1 write to a log group in the invoking
  # region, not necessarily the one named here — confirm the logs policy covers those groups.
  logging_config {
    log_format       = "JSON"
    system_log_level = "WARN"
    log_group        = aws_cloudwatch_log_group.log_group.name
  }

  lifecycle {
    # Computed by the provider after each publish; ignoring them avoids spurious plan drift.
    ignore_changes = [qualified_arn, qualified_invoke_arn, version]
  }
}
# Log group the function writes to, created up front so retention is controlled here
# (var.lambda_log_retention) instead of defaulting to "never expire".
resource "aws_cloudwatch_log_group" "log_group" {
  name              = "/aws/lambda/${local.lambda_function_name}"
  retention_in_days = var.lambda_log_retention
  tags              = local.tags

  lifecycle {
    # Stated explicitly: the group is disposable together with the function (matches the default).
    prevent_destroy = false
  }
}
# Trust policy for the execution role: the Lambda service, both the regional service and
# the Lambda@Edge principal, may assume it.
# NOTE(review): "replicator.lambda.amazonaws.com" is the principal of the Lambda replication
# service-linked role; confirm it really needs to assume this role. Consider an
# aws:SourceAccount condition so only principals acting for this account can assume it.
data "aws_iam_policy_document" "lambda_assume_role_policy" {
  statement {
    sid     = "LambdaServiceAssumeRole"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com", "replicator.lambda.amazonaws.com"]
    }
  }
}
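# Runtime permissions for the function's own execution role
# (aws_lambda_function.edge_lambda.role). Only logging is required: replication of a
# Lambda@Edge function to edge regions is done by the Lambda service's service-linked
# role (AWSServiceRoleForLambdaReplicator), not by the execution role. This document
# therefore deliberately omits lambda:CreateFunction/DeleteFunction/DisableReplication on
# every function in the account, iam:PassRole on "*" and
# cloudfront:ListDistributionsByLambdaFunction — granted to the execution role, those would
# let the request-handling code itself create functions under any role passable to Lambda.
data "aws_iam_policy_document" "lambda_exec_role_policy" {
  statement {
    sid    = "AllowLambdaToWriteLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    # NOTE(review): replicas invoked outside us-east-1 log to a group in the invoking
    # region (named after the us-east-1 function); confirm these patterns cover them.
    resources = [
      "${aws_cloudwatch_log_group.log_group.arn}:*",
      "arn:aws:logs:*:*:log-group:/aws/cloudfront/*",
    ]
  }
}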
# Execution role assumed by the function; its permissions are attached separately
# via aws_iam_role_policy_attachment.lambda_policy_attachment.
resource "aws_iam_role" "lambda_role" {
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
  name               = "${local.lambda_function_name}-role"
  tags               = local.tags
}
# Customer-managed policy rendered from data.aws_iam_policy_document.lambda_exec_role_policy.
resource "aws_iam_policy" "policy" {
  policy = data.aws_iam_policy_document.lambda_exec_role_policy.json
  name   = "${local.lambda_function_name}-policy"
  tags   = local.tags
}
# Binds the execution policy to the execution role.
resource "aws_iam_role_policy_attachment" "lambda_policy_attachment" {
  policy_arn = aws_iam_policy.policy.arn
  role       = aws_iam_role.lambda_role.name
}