
IAM resources to allow events to invoke Lambda
timburke-hackit committed Oct 2, 2023
1 parent 34ddb83 commit 685f68e
Showing 1 changed file with 36 additions and 14 deletions.
50 changes: 36 additions & 14 deletions terraform/modules/rds-snapshot-to-s3/iam.tf
@@ -1,19 +1,41 @@
data "aws_iam_policy_document" "ecs_execution_role" {
statement {
actions = [
"sts:AssumeRole",
]
resource "aws_lambda_permission" "allow_cloudwatch" {
for_each = { for instance in local.rds_instances : instance.id => instance }

action = "lambda:InvokeFunction"
function_name = module.rds-to-s3-copier.lambda_function_arn
principal = "events.amazonaws.com"
source_arn = aws_cloudwatch_event_rule.rds_event_rule[each.key].arn
}

effect = "Allow"
resource "aws_iam_role" "cloudwatch_events_role" {
name = "cloudwatch-events-invocation-role"

principals {
type = "Service"
identifiers = ["ecs.amazonaws.com"]
}
}
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "events.amazonaws.com"
}
}
]
})
}

resource "aws_iam_role" "ecs_execution_role" {
name = "${var.identifier_prefix}-ecs-execution-role"
assume_role_policy = data.aws_iam_policy_document.ecs_execution_role.json
resource "aws_iam_role_policy" "cloudwatch_events_policy" {
name = "cloudwatch-events-invocation-policy"
role = aws_iam_role.cloudwatch_events_role.id

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = "lambda:InvokeFunction",
Resource = module.rds-to-s3-copier.lambda_function_arn,
}
]
})
}
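Review bot: Both new IAM names are hard-coded — `name = "cloudwatch-events-invocation-role"` on `aws_iam_role.cloudwatch_events_role` and `name = "cloudwatch-events-invocation-policy"` on the inline policy — whereas the role this commit removes was namespaced as `"${var.identifier_prefix}-ecs-execution-role"`; IAM role names are unique per account, so a second instantiation of this module in the same account fails on a name collision. Prefixing them the same way, `name = "${var.identifier_prefix}-cloudwatch-events-invocation-role"` and `name = "${var.identifier_prefix}-cloudwatch-events-invocation-policy"`, keeps the module reusable. Separately, nothing in this hunk references `aws_iam_role.cloudwatch_events_role`; EventBridge invokes a Lambda target through the function's resource-based policy, which `aws_lambda_permission.allow_cloudwatch` already grants per rule via `source_arn`, so unless an `aws_cloudwatch_event_target` elsewhere in the module passes this role as `role_arn`, the role and its `lambda:InvokeFunction` policy are unused privilege surface and worth dropping. If the role is kept, its trust policy should carry an `aws:SourceArn` or `aws:SourceAccount` condition so that only this account's event rules can assume it.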
