gungoren/rekognition_index_function_role.tf

## rekognition_index_function_role.tf
data "aws_iam_policy_document" "index_role_policy" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "rekognition:DescribeCollection",
      "rekognition:IndexFaces",
      "dynamodb:PutItem",
      "s3:GetObject",
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:logs:*:*:*",
      "arn:aws:rekognition:*:*:collection/${var.collection_id}",
      "arn:aws:dynamodb:*:*:table/${local.table_name}",
      module.personnel_bucket.s3_bucket_arn,
      "${module.personnel_bucket.s3_bucket_arn}/*"
    ]
  }
}

resource "aws_iam_role" "index_function" {
  name               = "faces-index-function-lambda-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}

resource "aws_iam_role_policy" "index_function" {
  name   = "cloudwatch_index"
  role   = aws_iam_role.index_function.id
  policy = data.aws_iam_policy_document.index_role_policy.json
}
	data "aws_iam_policy_document" "index_role_policy" {
	version = "2012-10-17"
	statement {
	effect = "Allow"
	actions = [
	"logs:CreateLogGroup",
	"logs:CreateLogStream",
	"logs:PutLogEvents",
	"rekognition:DescribeCollection",
	"rekognition:IndexFaces",
	"dynamodb:PutItem",
	"s3:GetObject",
	"s3:ListBucket"
	]
	resources = [
	"arn:aws:logs:::*",
	"arn:aws:rekognition:::collection/${var.collection_id}",
	"arn:aws:dynamodb:::table/${local.table_name}",
	module.personnel_bucket.s3_bucket_arn,
	"${module.personnel_bucket.s3_bucket_arn}/*"
	]
	}
	}

	resource "aws_iam_role" "index_function" {
	name = "faces-index-function-lambda-role"
	assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
	}

	resource "aws_iam_role_policy" "index_function" {
	name = "cloudwatch_index"
	role = aws_iam_role.index_function.id
	policy = data.aws_iam_policy_document.index_role_policy.json
	}