boilerplate-lambda-container/terraform/main.tf


# AWS provider configuration.
# Every resource in this file is created in us-west-1 through the local
# CLI/SDK profile "playground". The same region is hard-coded into the
# Secrets Manager ARN in aws_iam_role_policy.hello_docker_policy below;
# changing one without the other silently breaks the function's secret access.
provider "aws" {
  region  = "us-west-1"
  profile = "playground"
}
# ECR repository holding the container image that the Lambda function runs.
# scan_on_push turns on ECR's vulnerability scan for every pushed image.
# image_tag_mutability is not set, so tags stay at the provider default
# (MUTABLE unless overridden); the ":latest" image_uri used by the function
# below depends on being able to re-push that tag.
resource "aws_ecr_repository" "hello_docker" {
  name = "hello-docker"
  image_scanning_configuration {
    scan_on_push = true
  }
}
# Execution role for the Lambda function.
# The trust policy allows only the Lambda service principal to assume the
# role. It carries no aws:SourceArn / aws:SourceAccount condition, so any
# Lambda function in the account that references this role can assume it —
# NOTE(review): acceptable for a single-function boilerplate; confirm before
# reusing the role elsewhere.
resource "aws_iam_role" "hello_docker_role" {
  name = "hello_docker_lambda_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "lambda.amazonaws.com"
      }
    }]
  })
}
# Inline policy granting the execution role read access to Secrets Manager.
# Resource uses "secret:*", i.e. GetSecretValue on EVERY secret in account
# 003525187774 / us-west-1, not just the one(s) this function needs. Nothing in
# this file shows which secret the function reads, so the name cannot be
# narrowed here — NOTE(review): scope Resource to the specific secret ARN(s)
# once known. The account id and region are literals; they must match the
# deploying account and the provider region above.
resource "aws_iam_role_policy" "hello_docker_policy" {
  name = "hello_docker_function_access"
  role = aws_iam_role.hello_docker_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["secretsmanager:GetSecretValue"]
      Resource = ["arn:aws:secretsmanager:us-west-1:003525187774:secret:*"]
    }]
  })
}
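# CloudWatch Logs permissions for the execution role.
# AWSLambdaBasicExecutionRole is the managed policy built for Lambda execution
# roles (logs:CreateLogGroup / CreateLogStream / PutLogEvents). The previously
# attached AWSOpsWorksCloudWatchLogs policy is intended for OpsWorks instances
# and grants more than the function needs (logs:DescribeLogStreams as well), so
# the swap keeps function logging working while trimming the role's permissions.
resource "aws_iam_role_policy_attachment" "hello_docker_logs" {
  role       = aws_iam_role.hello_docker_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}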
# Container-image Lambda function.
# image_uri points at the mutable ":latest" tag of the ECR repository above.
# Lambda resolves the tag to a digest at deploy time, so pushing a new image
# does not change the running function until the next apply, and the tag can
# be re-pointed at a different image outside Terraform's view. Pinning
# image_uri to an "@sha256:<digest>" reference gives a reproducible deploy.
# memory_size is not set (provider default applies); timeout is 10 seconds.
# PORT is exposed to the container as an environment variable; what inside the
# image reads it is not shown in this file.
resource "aws_lambda_function" "hello_docker" {
  function_name = "hello-docker"
  role          = aws_iam_role.hello_docker_role.arn
  package_type  = "Image"
  image_uri     = "${aws_ecr_repository.hello_docker.repository_url}:latest"
  architectures = ["x86_64"]
  timeout       = 10
  environment {
    variables = {
      PORT = "8000"
    }
  }
}
# Public HTTPS endpoint for the function.
# authorization_type "NONE" means the URL is reachable without any
# authentication, and allow_origins "*" lets any browser origin call it
# cross-site. Each invocation counts against the function's concurrency and
# cost. Switch to authorization_type "AWS_IAM" (and a matching
# aws_lambda_permission) if the endpoint is not meant to be anonymous.
resource "aws_lambda_function_url" "hello_docker_url" {
  function_name      = aws_lambda_function.hello_docker.function_name
  authorization_type = "NONE"
  cors {
    allow_origins = ["*"]
  }
}
# Resource-based policy statement that lets anyone (principal "*") invoke the
# function through its URL when the URL's auth type is NONE. This is the
# counterpart to authorization_type = "NONE" on the function URL above; the
# two settings must be changed together (e.g. both to AWS_IAM) to lock the
# endpoint down.
resource "aws_lambda_permission" "function_url" {
  statement_id           = "AllowExecutionFromFunctionURL"
  action                 = "lambda:InvokeFunctionUrl"
  function_name          = aws_lambda_function.hello_docker.function_name
  principal              = "*"
  function_url_auth_type = "NONE"
}