Terraform updates

Attempting to do some log parsing into cloudwatch logs
2025-11-25 20:42:40 +00:00 · 2021-03-01 12:40:35 -08:00
parent ab28508bca
commit 3f6077eb18
15 changed files with 2062 additions and 126 deletions
--- a/terraform/lambda.tf
+++ b/terraform/lambda.tf
@@ -33,67 +33,70 @@ EOF
 # -----------------------------------------------------------------------------------------------------------
 # IAM Role for Log Parsing Lambda

-resource "aws_iam_role" "lambda" {
-  name = "${var.site}-lambda-role"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": [
-          "edgelambda.amazonaws.com",
-          "lambda.amazonaws.com"
-        ]
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
+data "aws_iam_policy_document" "s3_bucket_readonly" {
+  statement {
+    actions = [
+      "s3:Get*",
+      "s3:List*",
+    ]

-  tags = {
-    Site = var.site
+    resources = [
+      aws_s3_bucket.ipixel_logs.arn,
+      "${aws_s3_bucket.ipixel_logs.arn}/*",
+    ]
  }
 }

-resource "aws_iam_role_policy" "lambda" {
-  name = "${var.site}-lambda-execution-policy"
-  role = aws_iam_role.lambda.id
+data "aws_iam_policy_document" "lambda_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]

-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "logs:CreateLogStream",
-        "logs:PutLogEvents",
-        "logs:CreateLogGroup"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "s3:*"
-      ],
-      "Resource": "arn:aws:s3:::*"
-    },
-    {
-      "Sid": "Invoke",
-      "Effect": "Allow",
-      "Action": [
-        "lambda:InvokeFunction"
-      ],
-      "Resource": "arn:aws:lambda:*"
+    principals {
+      type        = "Service"
+      identifiers = [
+        "edgelambda.amazonaws.com",
+        "lambda.amazonaws.com"
+      ]
    }
-  ]
-}
-EOF
+  }
 }


+
+
+resource "aws_iam_role" "ipixel_parser" {
+  name = "lambda-${var.site}-ipixel"
+
+  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
+
+  tags = {
+    Site = var.site,
+    Role = "ipixel"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "ipixel_parser" {
+  role       = aws_iam_role.ipixel_parser.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy" "ipixel_parser_cloudwatch_log_group" {
+  name   = "cloudwatch-log-group"
+  role   = aws_iam_role.ipixel_parser.name
+  policy = data.aws_iam_policy_document.ipixel_parser_cloudwatch_log_group.json
+}
+
+resource "aws_iam_role_policy" "lambda_s3_bucket_readonly" {
+  name   = "s3-bucket-readonly"
+  role   = aws_iam_role.ipixel_parser.name
+  policy = data.aws_iam_policy_document.s3_bucket_readonly.json
+}
+
+resource "aws_lambda_permission" "s3_bucket_invoke_function" {
+  function_name = aws_lambda_function.ipixel_parser.arn
+  action        = "lambda:InvokeFunction"
+
+  principal  = "s3.amazonaws.com"
+  source_arn = aws_s3_bucket.ipixel_logs.arn
+}
+