-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathlambda.tf
116 lines (101 loc) · 3.13 KB
/
lambda.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
data "archive_file" "phpserver_payload" {
type = "zip"
source_dir = "${path.module}/src"
output_path = "${path.module}/lambda_function_payload.zip"
}
resource "aws_lambda_function" "phpserver" {
filename = "lambda_function_payload.zip"
function_name = local.lambda_function_name
role = aws_iam_role.phpserver.arn
handler = "handler.php"
memory_size = 1024
timeout = 30
source_code_hash = data.archive_file.phpserver_payload.output_base64sha256
runtime = "provided"
layers = [
local.php_lambda_layer_arn
]
environment {
variables = {
"UPLOADS_S3_BUCKET" = aws_s3_bucket.assets.bucket
"CF_SHARED_SECERT" = random_string.cf_shared_secret.result
}
}
vpc_config {
subnet_ids = var.subnet_ids
security_group_ids = local.security_group_ids
}
file_system_config {
arn = aws_efs_access_point.lambda.arn
local_mount_path = "/mnt/root"
}
depends_on = [
aws_efs_mount_target.main
]
}
data "aws_iam_policy_document" "lambda_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["lambda.amazonaws.com"]
}
effect = "Allow"
}
}
resource "aws_iam_role" "phpserver" {
name = "wp-on-lambda-efs-${random_string.namespace.result}"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}
resource "aws_iam_role_policy_attachment" "phpserver_eni_mgmt_access" {
role = aws_iam_role.phpserver.id
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
}
data "aws_iam_policy_document" "phpserver_main" {
statement {
sid = "1"
effect = "Allow"
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents"
]
resources = [
"arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.phpserver.name}",
"arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.phpserver.name}:log-stream:*"
]
}
# The policy to allow WordPress to interact with this bucket.
# See https://github.com/humanmade/S3-Uploads/blob/539d0c16d4fb778caeb4fd2b12f5718fb48baea0/inc/class-s3-uploads-wp-cli-command.php#L112-L134
# for the original policy.
statement {
sid = "2"
effect = "Allow"
actions = [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:PutObjectAcl"
]
resources = [
aws_s3_bucket.assets.arn,
"${aws_s3_bucket.assets.arn}/*"
]
}
}
resource "aws_iam_role_policy" "phpserver_main" {
name = "WpOnLambdaMainRole"
role = aws_iam_role.phpserver.id
policy = data.aws_iam_policy_document.phpserver_main.json
}
resource "aws_cloudwatch_log_group" "phpserver" {
name = "/aws/lambda/${local.lambda_function_name}"
retention_in_days = 30
}