Webhook for Data Cloud Data Action. Create a lambda function to take a request and store it in an S3 bucket. Create the destination S3 bucket. Assign roles and policies. Output the new webhook endpoint

Webhook_for_DataCloud

# Webhook for Data Cloud Data Action
# Create a lambda function to take a request and store it in an S3 bucket
# Create the destination S3 bucket
# Assign roles and policies
# Output the new webhook endpoint
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.29.0"
    }
  }
}

provider "aws" {

}


# Our Lambda function
resource "aws_lambda_function" "lambda-webhook" {
  filename      = "${path.module}/lambda/webhook/webhook.zip"
  function_name = "webhook"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "webhook.lambda_handler"
  runtime       = "python3.9"
  timeout       = 120
  kms_key_arn   = "${aws_kms_key.key.arn}"
  environment {
    variables = {
      BUCKET_NAME = "${aws_s3_bucket.bucket.id}"
    }
  }
}

# A ZIP archive containing python code
data "archive_file" "lambda-webhook" {
  type        = "zip"
  source_dir  = "${path.module}/lambda/webhook/"
  output_path = "${path.module}/lambda/webhook/webhook.zip"
}

# Our public HTTPS endpoint
resource "aws_lambda_function_url" "lambda_function_url" {
  function_name      = aws_lambda_function.lambda-webhook.arn
  authorization_type = "NONE"
}

output "function_url" {
  description = "Function URL."
  value       = aws_lambda_function_url.lambda_function_url.function_url
}

# A Cloudwatch Log Group to be able to see Lambda's logs
resource "aws_cloudwatch_log_group" "lambda-webhook" {
  name = "/aws/lambda/${aws_lambda_function.lambda-webhook.function_name}"
  retention_in_days = 3
}

# A KMS Key to encrypt / decryt environment variables
resource "aws_kms_key" "key" {
  description             = "KMS key for Lambda Webhook"
  deletion_window_in_days = 7
}

# IAM Role for Lambda
resource "aws_iam_role" "iam_for_lambda" {
  name = "LambdaWebhookRole"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
    }
  ]
}
EOF
}

# IAM Policy for our Lambda
resource "aws_iam_policy" "iam_for_lambda_policy" {
  name   = "iam_for_lambda_policy"
  policy = jsonencode(
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "${aws_kms_key.key.arn}"
        },
        {
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::${aws_s3_bucket.bucket.id}",
                "arn:aws:s3:::${aws_s3_bucket.bucket.id}/*"
            ],
            "Effect": "Allow",
        }
    ]
}
)
}

resource "aws_iam_policy_attachment" "policy_attachment_lambda" {
  name       = "attachmentLambdaWebhoo"
  roles      = ["${aws_iam_role.iam_for_lambda.name}"]
  policy_arn = aws_iam_policy.iam_for_lambda_policy.arn
}

resource "aws_s3_bucket" "bucket" {
  bucket = "webhook-results"
}