dale-c-anderson · November 8, 2023 00:51
diff --git a/lambda_my_script.tf b/lambda_my_script.tf
 # Generic role to allow lambda to execute
 resource "aws_iam_role" "lambda_exec" {
  name               = "lambda_assume_role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole"
        Effect    = "Allow"
        Sid       = ""
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      }
    ]
  })
 }

 # Attach an aws-managed policy
 resource "aws_iam_role_policy_attachment" "lambda_policy" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }

 # Let the lambda function read parameters
 resource "aws_iam_policy" "lambda_read_ssm" {
  name        = "lambda_read_ssm"
  description = "Allows lambda to read SSM parameters"
  policy      = jsonencode({
      Version   = "2012-10-17"
      Statement = [
      {
          Action   = [
          "ssm:GetParameter",
          "ssm:GetParameters",
          "ssm:GetParametersByPath"
          ]
          Effect   = "Allow"
          Resource = "arn:aws:ssm:ca-central-1:888888888888:parameter/my/param/path/*"
      }
      ]
  })
 }

 # Attach ssm policy to role
 resource "aws_iam_role_policy_attachment" "lambda_read_ssm_policy" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = aws_iam_policy.lambda_read_ssm.arn
 }


 # This expects a directory named "my_script" beside this file, 
 # and a script named "my_script.py" within that directory.
 data "archive_file" "my_script" {
  type        = "zip"
  source_dir  = "${path.module}/my_script"
  output_path = "${path.module}/my_script.zip"
 }

 # Define the function in AWS Lambda and upload the bundle
 resource "aws_lambda_function" "my_script" {
  function_name    = "my_script"
  handler          = "my_script.lambda_handler"  # file_name.main_function_name
  runtime          = "python3.11"
  timeout          = 60
  filename         = data.archive_file.my_script.output_path
  source_code_hash = data.archive_file.my_script.output_base64sha256
  role             = aws_iam_role.lambda_exec.arn
 }

 # Define a schedule
 resource "aws_cloudwatch_event_rule" "my_script" {
  name                = "my_script_schedule"
  description         = "Schedule for Lambda Function"
  schedule_expression = "cron(*/5 * * * ? *)"  # See aws docs for cron formatting. it's not quite the same as linux.
  # https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html
 }

 # Connect the schedule to the function
 resource "aws_cloudwatch_event_target" "my_script" {
  rule      = aws_cloudwatch_event_rule.my_script.name
  target_id = "processing_lambda"
  arn       = aws_lambda_function.my_script.arn
 }

 # Allow the schedule to trigger the function
 resource "aws_lambda_permission" "my_script" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.my_script.function_name
  principal     = "events.amazonaws.com"
 }
	# Generic role to allow lambda to execute
	resource "aws_iam_role" "lambda_exec" {
	name = "lambda_assume_role"
	assume_role_policy = jsonencode({
	Version = "2012-10-17"
	Statement = [
	{
	Action = "sts:AssumeRole"
	Effect = "Allow"
	Sid = ""
	Principal = {
	Service = "lambda.amazonaws.com"
	}
	}
	]
	})
	}

	# Attach an aws-managed policy
	resource "aws_iam_role_policy_attachment" "lambda_policy" {
	role = aws_iam_role.lambda_exec.name
	policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
	}

	# Let the lambda function read parameters
	resource "aws_iam_policy" "lambda_read_ssm" {
	name = "lambda_read_ssm"
	description = "Allows lambda to read SSM parameters"
	policy = jsonencode({
	Version = "2012-10-17"
	Statement = [
	{
	Action = [
	"ssm:GetParameter",
	"ssm:GetParameters",
	"ssm:GetParametersByPath"
	]
	Effect = "Allow"
	Resource = "arn:aws:ssm:ca-central-1:888888888888:parameter/my/param/path/*"
	}
	]
	})
	}

	# Attach ssm policy to role
	resource "aws_iam_role_policy_attachment" "lambda_read_ssm_policy" {
	role = aws_iam_role.lambda_exec.name
	policy_arn = aws_iam_policy.lambda_read_ssm.arn
	}


	# This expects a directory named "my_script" beside this file,
	# and a script named "my_script.py" within that directory.
	data "archive_file" "my_script" {
	type = "zip"
	source_dir = "${path.module}/my_script"
	output_path = "${path.module}/my_script.zip"
	}

	# Define the function in AWS Lambda and upload the bundle
	resource "aws_lambda_function" "my_script" {
	function_name = "my_script"
	handler = "my_script.lambda_handler" # file_name.main_function_name
	runtime = "python3.11"
	timeout = 60
	filename = data.archive_file.my_script.output_path
	source_code_hash = data.archive_file.my_script.output_base64sha256
	role = aws_iam_role.lambda_exec.arn
	}

	# Define a schedule
	resource "aws_cloudwatch_event_rule" "my_script" {
	name = "my_script_schedule"
	description = "Schedule for Lambda Function"
	schedule_expression = "cron(/5 * * ? *)" # See aws docs for cron formatting. it's not quite the same as linux.
	# https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html
	}

	# Connect the schedule to the function
	resource "aws_cloudwatch_event_target" "my_script" {
	rule = aws_cloudwatch_event_rule.my_script.name
	target_id = "processing_lambda"
	arn = aws_lambda_function.my_script.arn
	}

	# Allow the schedule to trigger the function
	resource "aws_lambda_permission" "my_script" {
	statement_id = "AllowExecutionFromCloudWatch"
	action = "lambda:InvokeFunction"
	function_name = aws_lambda_function.my_script.function_name
	principal = "events.amazonaws.com"
	}