@dale-c-anderson
Last active November 8, 2023 00:51
lambda terraform example
# Execution role for the function. Only the trust relationship lives here:
# it lets the Lambda service assume the role. Permissions are attached
# separately by the policy attachments below.
resource "aws_iam_role" "lambda_exec" {
  name = "lambda_assume_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      }
    ]
  })
}
# AWS-managed baseline for Lambda: lets the function write its logs
# to CloudWatch Logs.
resource "aws_iam_role_policy_attachment" "lambda_policy" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda_exec.name
}
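# Account, region and partition of the provider configuration. Used to build
# the parameter ARN so the account id and region are not hard-coded
# placeholders that silently stop matching when the code is reused elsewhere.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
data "aws_partition" "current" {}

# Read-only access to one SSM parameter hierarchy for the function.
resource "aws_iam_policy" "lambda_read_ssm" {
  name        = "lambda_read_ssm"
  description = "Allows lambda to read SSM parameters"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ssm:GetParameter",
          "ssm:GetParameters",
          "ssm:GetParametersByPath"
        ]
        # Scoped to parameters under /my/param/path in the account and region
        # the provider is configured for (adjust the path for your deployment).
        # NOTE(review): SecureString parameters encrypted with a customer
        # managed KMS key additionally need kms:Decrypt on that key, which is
        # not granted here.
        Resource = "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/my/param/path/*"
      }
    ]
  })
}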
# Bind the SSM read policy to the execution role.
resource "aws_iam_role_policy_attachment" "lambda_read_ssm_policy" {
  policy_arn = aws_iam_policy.lambda_read_ssm.arn
  role       = aws_iam_role.lambda_exec.name
}
# Bundle the function source. Expects a "my_script" directory beside this
# file containing "my_script.py"; everything in the directory ends up in
# the zip, so keep secrets and unrelated files out of it.
data "archive_file" "my_script" {
  type        = "zip"
  output_path = "${path.module}/my_script.zip"
  source_dir  = "${path.module}/my_script"
}
# The Lambda function itself, deployed from the zip built above.
# source_code_hash ties the deployment to the bundle contents so a changed
# script triggers a redeploy.
resource "aws_lambda_function" "my_script" {
  function_name = "my_script"
  role          = aws_iam_role.lambda_exec.arn

  # Handler is "<file name without .py>.<function name>".
  handler = "my_script.lambda_handler"
  runtime = "python3.11"
  timeout = 60

  filename         = data.archive_file.my_script.output_path
  source_code_hash = data.archive_file.my_script.output_base64sha256
}
# EventBridge schedule that fires every five minutes.
# AWS cron syntax differs from Linux cron (six fields, "?" for day-of-week):
# https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html
resource "aws_cloudwatch_event_rule" "my_script" {
  name                = "my_script_schedule"
  description         = "Schedule for Lambda Function"
  schedule_expression = "cron(*/5 * * * ? *)"
}
# Point the schedule rule at the function.
resource "aws_cloudwatch_event_target" "my_script" {
  arn       = aws_lambda_function.my_script.arn
  rule      = aws_cloudwatch_event_rule.my_script.name
  target_id = "processing_lambda"
}
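# Resource policy on the function allowing EventBridge to invoke it.
# source_arn restricts the grant to this one rule; without it, any
# EventBridge rule that targets the function ARN could invoke it.
resource "aws_lambda_permission" "my_script" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.my_script.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.my_script.arn
}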