-
Notifications
You must be signed in to change notification settings - Fork 0
/
iam.tf
128 lines (117 loc) · 3.26 KB
/
iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# IAM assume role policy document for the role we're creating
data "aws_iam_policy_document" "assume_role" {
statement {
actions = ["sts:AssumeRole"]
effect = "Allow"
principals {
identifiers = ["lambda.amazonaws.com"]
type = "Service"
}
}
}
# The role we're creating
resource "aws_iam_role" "lambda" {
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
# IAM policy document that that allows some S3 permissions on our
# temporary dmarc-import bucket. This will be applied to the role we
# are creating.
data "aws_iam_policy_document" "s3_lambda" {
statement {
actions = [
"s3:DeleteObject",
"s3:GetObject",
]
effect = "Allow"
resources = [
"${aws_s3_bucket.temporary.arn}/*",
]
}
}
# The S3 policy for our role
resource "aws_iam_role_policy" "s3_lambda" {
policy = data.aws_iam_policy_document.s3_lambda.json
role = aws_iam_role.lambda.id
}
# IAM policy document that allows HEADing, POSTing, and PUTting to
# Elasticsearch. This will be applied to the role we are creating.
data "aws_iam_policy_document" "es_lambda" {
statement {
actions = [
"es:ESHttpHead",
"es:ESHttpPost",
"es:ESHttpPut",
]
effect = "Allow"
resources = [
aws_elasticsearch_domain.es.arn,
"${aws_elasticsearch_domain.es.arn}/*",
]
}
}
# The Elasticsearch policy for our role
resource "aws_iam_role_policy" "es_policy" {
policy = data.aws_iam_policy_document.es_lambda.json
role = aws_iam_role.lambda.id
}
# IAM policy document that that allows some SQS permissions on our
# dmarc-import queue. This will be applied to the role we are
# creating.
data "aws_iam_policy_document" "sqs_lambda" {
statement {
actions = [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
]
effect = "Allow"
resources = [
aws_sqs_queue.dmarc_reports.arn,
]
}
}
# The SQS policy for our role
resource "aws_iam_role_policy" "sqs_policy" {
policy = data.aws_iam_policy_document.sqs_lambda.json
role = aws_iam_role.lambda.id
}
# IAM policy document that that allows some Cloudwatch permissions for
# our Lambda function. This will allow the Lambda function to
# generate log output in Cloudwatch. This will be applied to the role
# we are creating.
data "aws_iam_policy_document" "cloudwatch_lambda" {
statement {
actions = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
]
effect = "Allow"
resources = [
aws_cloudwatch_log_group.logs.arn,
"${aws_cloudwatch_log_group.logs.arn}:*",
]
}
}
# The CloudWatch policy for our role
resource "aws_iam_role_policy" "cloudwatch_policy" {
policy = data.aws_iam_policy_document.cloudwatch_lambda.json
role = aws_iam_role.lambda.id
}
# IAM policy document that that allows the Lambda function to invoke
# itself. This will be applied to the role we are creating.
data "aws_iam_policy_document" "lambda_lambda" {
statement {
actions = [
"lambda:InvokeFunction",
]
effect = "Allow"
resources = [
aws_lambda_function.lambda.arn,
]
}
}
# The Lambda policy for our role
resource "aws_iam_role_policy" "lambda_lambda" {
policy = data.aws_iam_policy_document.lambda_lambda.json
role = aws_iam_role.lambda.id
}