data "aws_iam_policy_document" "lambda_assume_role" {
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["lambda.amazonaws.com"]
}
actions = ["sts:AssumeRole"]
}
}
data "aws_iam_policy_document" "lambda_policy" {
statement {
effect = "Allow"
actions = [
"ec2:*",
"config:PutEvaluations",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
]
resources = ["*"]
}
statement {
effect = "Allow"
actions = [
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
]
resources = ["arn:aws:logs:*:*:*"]
}
}
resource "aws_iam_role" "lambda" {
name = "Lambda-role"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}
resource "aws_iam_role_policy" "lambda_policy" {
name = "LambdaPolicy"
role = aws_iam_role.lambda.id
policy = data.aws_iam_policy_document.lambda_policy.json
}
data "archive_file" "lambda" {
type = "zip"
source_file = "./src/lambda_function.py"
output_path = "lambda_function_payload.zip"
}
resource "aws_lambda_function" "lambda" {
filename = "lambda_function_payload.zip"
function_name = "wsi-sg-function"
role = aws_iam_role.lambda.arn
handler = "lambda_function.lambda_handler"
timeout = "5"
source_code_hash = data.archive_file.lambda.output_base64sha256
runtime = "python3.12"
}
resource "aws_lambda_permission" "permission" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.lambda.arn
principal = "config.amazonaws.com"
statement_id = "AllowExecutionFromConfig"
}