@haarchri
Created October 28, 2021 21:36
s3-bucket-lambda
---
# Execution role that the Lambda service is allowed to assume.
apiVersion: identity.aws.crossplane.io/v1beta1
kind: IAMRole
metadata:
  name: lambda-exec-role
spec:
  forProvider:
    description: role for lambda execution
    assumeRolePolicyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  providerConfigRef:
    name: default
---
# Permissions policy for the execution role.
# "s3:*" allows every S3 action on the matched buckets and their objects.
# The Resource patterns end in "lambda-bucket-*", so the hyphen is required:
# they do not match the bucket named 255932642927-lambda-bucket defined below.
apiVersion: identity.aws.crossplane.io/v1alpha1
kind: IAMPolicy
metadata:
  name: lambda-exec-policy
spec:
  deletionPolicy: Delete
  forProvider:
    name: lambda-exec-policy
    description: Allow the lambda exec role to access s3 bucket
    document: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "S3ManageBucket",
            "Effect": "Allow",
            "Action": [
              "s3:*"
            ],
            "Resource": [
              "arn:aws:s3:::255932642927-lambda-bucket-*/*",
              "arn:aws:s3:::255932642927-lambda-bucket-*"
            ]
          }
        ]
      }
  providerConfigRef:
    name: default
---
# Attach the policy above to the execution role.
apiVersion: identity.aws.crossplane.io/v1beta1
kind: IAMRolePolicyAttachment
metadata:
  name: lambda-exec-role
spec:
  forProvider:
    policyArnRef:
      name: lambda-exec-policy
    roleNameRef:
      name: lambda-exec-role
  providerConfigRef:
    name: default
---
# Lambda function; its code is read from test.zip in the bucket below.
apiVersion: lambda.aws.crossplane.io/v1alpha1
kind: Function
metadata:
  name: lambda
spec:
  deletionPolicy: Delete
  forProvider:
    region: eu-central-1
    code:
      s3Bucket: 255932642927-lambda-bucket
      s3Key: test.zip
    runtime: go1.x
    handler: main
    roleRef:
      name: lambda-exec-role
  providerConfigRef:
    name: default
---
# Private, versioned bucket that notifies the function on object creation.
apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: 255932642927-lambda-bucket
spec:
  forProvider:
    acl: private
    locationConstraint: eu-central-1
    accelerateConfiguration:
      status: Enabled
    versioningConfiguration:
      status: Enabled
    notificationConfiguration:
      lambdaFunctionConfigurations:
        - events: ["s3:ObjectCreated:*"]
          lambdaFunctionArn: arn:aws:lambda:eu-central-1:255932642927:function:lambda
    paymentConfiguration:
      payer: BucketOwner
    tagging:
      tagSet:
        - key: s3-bucket
          value: lambda-bucket
    objectLockEnabledForBucket: false
  providerConfigRef:
    name: default