iam.tf
################# IAM for run task Lambda@Edge ##################
resource "aws_iam_role" "runtask_edge" {
  # Execution role assumed by the RunTask Lambda@Edge function.
  # The trust policy comes from a dedicated lambda_edge.tpl rather than the
  # plain lambda.tpl used by the other roles; the template itself is not
  # visible here, so verify it grants sts:AssumeRole to the edge principal
  # as well as the regular Lambda service principal.
  # The `{ none = "none" }` map looks like a placeholder argument for a
  # template that needs no real inputs.
  name               = "${var.name_prefix}-runtask-edge"
  tags               = local.combined_tags
  assume_role_policy = templatefile("${path.module}/iam/trust-policies/lambda_edge.tpl", { none = "none" })
}
resource "aws_iam_role_policy_attachment" "runtask_edge" {
  # Attach every managed policy listed in local.lambda_managed_policies to the
  # Lambda@Edge role. This role gets no inline policy, so that list is the
  # whole of its permissions — keep it to what the edge function needs.
  # NOTE(review): count indexes the list by position, so inserting or
  # reordering entries detaches and re-attaches policies on the next apply.
  # for_each over toset(...) avoids that but changes the resource addresses
  # (needs moved blocks for existing state), so it is left as is.
  count = length(local.lambda_managed_policies)

  policy_arn = local.lambda_managed_policies[count.index]
  role       = aws_iam_role.runtask_edge.name
}
################# RunTask EventBridge ##################
resource "aws_iam_role" "runtask_eventbridge" {
  # Execution role for the RunTask EventBridge Lambda. Trusts the Lambda
  # service via lambda.tpl (the `none` variable appears to be a placeholder
  # for a template with no inputs). No permissions_boundary is set; add one
  # here if the account requires it for Lambda roles.
  name               = "${var.name_prefix}-runtask-eventbridge"
  tags               = local.combined_tags
  assume_role_policy = templatefile("${path.module}/iam/trust-policies/lambda.tpl", { none = "none" })
}
resource "aws_iam_role_policy_attachment" "runtask_eventbridge" {
  # Shared managed-policy set for the EventBridge Lambda role; the role's
  # function-specific permissions live in aws_iam_role_policy.runtask_eventbridge.
  # Positional count means list reordering churns the attachments on apply.
  count = length(local.lambda_managed_policies)

  policy_arn = local.lambda_managed_policies[count.index]
  role       = aws_iam_role.runtask_eventbridge.name
}
resource "aws_iam_role_policy" "runtask_eventbridge" {
  # Inline, function-specific policy for the EventBridge Lambda, rendered from
  # a template. Region / account / partition are passed so the template can
  # build fully-qualified ARNs instead of falling back to wildcards.
  name = "${var.name_prefix}-runtask-eventbridge-policy"
  role = aws_iam_role.runtask_eventbridge.id

  policy = templatefile("${path.module}/iam/role-policies/runtask-eventbridge-lambda-role-policy.tpl", {
    data_aws_partition  = data.aws_partition.current_partition.partition
    data_aws_region     = data.aws_region.current_region.name
    data_aws_account_id = data.aws_caller_identity.current_account.account_id
    var_event_bus_name  = var.event_bus_name

    # Secrets this Lambda is allowed to read, as explicit ARNs: the HMAC secret
    # always, plus the CloudFront secret (indexed [0]) only when the WAF path is
    # deployed. Passing a concrete ARN list is what keeps the Secrets Manager
    # grant scoped — confirm the .tpl uses it as the Resource element.
    resource_runtask_secrets = var.deploy_waf ? [
      aws_secretsmanager_secret.runtask_hmac.arn,
      aws_secretsmanager_secret.runtask_cloudfront[0].arn,
    ] : [aws_secretsmanager_secret.runtask_hmac.arn]
  })
}
################# RunTask Request ##################
resource "aws_iam_role" "runtask_request" {
  # Execution role for the RunTask Request Lambda. Same lambda.tpl trust
  # policy as the other non-edge Lambda roles; `none` looks like a
  # placeholder input for a template that takes none.
  name               = "${var.name_prefix}-runtask-request"
  tags               = local.combined_tags
  assume_role_policy = templatefile("${path.module}/iam/trust-policies/lambda.tpl", { none = "none" })
}
resource "aws_iam_role_policy_attachment" "runtask_request" {
count = length(local.lambda_managed_policies)
role = aws_iam_role.runtask_request.name
policy_arn = local.lambda_managed_policies[count.index]
}
################# RunTask CallBack ##################
resource "aws_iam_role" "runtask_callback" {
  # Execution role for the RunTask Callback Lambda; trust policy rendered
  # from lambda.tpl with a placeholder variable map.
  name               = "${var.name_prefix}-runtask-callback"
  tags               = local.combined_tags
  assume_role_policy = templatefile("${path.module}/iam/trust-policies/lambda.tpl", { none = "none" })
}
resource "aws_iam_role_policy_attachment" "runtask_callback" {
  # Managed policies for the Callback Lambda role — the full permission set
  # for this role, as no inline policy is attached to it here.
  # Positional count: inserting into the list re-creates later attachments.
  count = length(local.lambda_managed_policies)

  policy_arn = local.lambda_managed_policies[count.index]
  role       = aws_iam_role.runtask_callback.name
}
################# RunTask Fulfillment ##################
resource "aws_iam_role" "runtask_fulfillment" {
  # Execution role for the RunTask Fulfillment Lambda. Trusts the Lambda
  # service via lambda.tpl; function-specific rights are granted by the
  # inline policy aws_iam_role_policy.runtask_fulfillment.
  name               = "${var.name_prefix}-runtask-fulfillment"
  tags               = local.combined_tags
  assume_role_policy = templatefile("${path.module}/iam/trust-policies/lambda.tpl", { none = "none" })
}
resource "aws_iam_role_policy_attachment" "runtask_fulfillment" {
  # Shared managed policies for the Fulfillment Lambda role, one attachment
  # per list entry. count is positional, so list edits that shift indexes
  # will detach and re-attach policies on apply.
  count = length(local.lambda_managed_policies)

  policy_arn = local.lambda_managed_policies[count.index]
  role       = aws_iam_role.runtask_fulfillment.name
}
resource "aws_iam_role_policy" "runtask_fulfillment" {
  # Inline policy for the Fulfillment Lambda. The template receives the
  # region / account / partition triple for ARN construction plus the
  # CloudWatch log group name, presumably so the logs grant can be scoped to
  # that single group rather than "*" — verify in the .tpl.
  name = "${var.name_prefix}-runtask-fulfillment-policy"
  role = aws_iam_role.runtask_fulfillment.id

  policy = templatefile("${path.module}/iam/role-policies/runtask-fulfillment-lambda-role-policy.tpl", {
    data_aws_partition   = data.aws_partition.current_partition.partition
    data_aws_region      = data.aws_region.current_region.name
    data_aws_account_id  = data.aws_caller_identity.current_account.account_id
    local_log_group_name = local.cloudwatch_log_group_name
  })
}
################# RunTask State machine ##################
resource "aws_iam_role" "runtask_states" {
  # Role assumed by the RunTask Step Functions state machine. Its trust
  # policy comes from states.tpl (the Step Functions principal), not the
  # Lambda template; the variable map is a placeholder.
  name               = "${var.name_prefix}-runtask-statemachine"
  tags               = local.combined_tags
  assume_role_policy = templatefile("${path.module}/iam/trust-policies/states.tpl", { none = "none" })
}
resource "aws_iam_role_policy" "runtask_states" {
  # Inline policy for the state machine role. Unlike the Lambda policies it
  # receives var.name_prefix; the likely use is to restrict which functions
  # the state machine may invoke to those sharing this prefix — confirm the
  # .tpl actually constrains the invoke Resource with it.
  name = "${var.name_prefix}-runtask-statemachine-policy"
  role = aws_iam_role.runtask_states.id

  policy = templatefile("${path.module}/iam/role-policies/runtask-state-role-policy.tpl", {
    data_aws_partition  = data.aws_partition.current_partition.partition
    data_aws_region     = data.aws_region.current_region.name
    data_aws_account_id = data.aws_caller_identity.current_account.account_id
    var_name_prefix     = var.name_prefix
  })
}
################# RunTask EventBridge rule ##################
resource "aws_iam_role" "runtask_rule" {
  # Role used by the RunTask EventBridge rule to start the state machine.
  # Trust policy rendered from events.tpl (EventBridge principal); the
  # `none` map is a placeholder for a template with no inputs.
  name               = "${var.name_prefix}-runtask-rule"
  tags               = local.combined_tags
  assume_role_policy = templatefile("${path.module}/iam/trust-policies/events.tpl", { none = "none" })
}
resource "aws_iam_role_policy" "runtask_rule" {
  # Inline policy for the EventBridge rule role. Only the target state
  # machine's ARN is handed to the template, which is the right shape for a
  # least-privilege states:StartExecution grant — confirm the .tpl uses it as
  # the Resource rather than a wildcard.
  name = "${var.name_prefix}-runtask-rule-policy"
  role = aws_iam_role.runtask_rule.id

  policy = templatefile("${path.module}/iam/role-policies/runtask-rule-role-policy.tpl", {
    resource_runtask_states = aws_sfn_state_machine.runtask_states.arn
  })
}