From 04f0708b15b87b64655c7977b818e9fcd38d2e5d Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Thu, 11 Sep 2025 15:01:47 +0000
Subject: [PATCH] walthamforest
---
 .../extractor_and_loader_lambda.tf | 70 +++++++++---------
 .../lambda_example_and_config.tf | 73 +++++++++----------
 .../walthamforest_etl_lambda.tf | 71 +++++++++---------
 3 files changed, 101 insertions(+), 113 deletions(-)
diff --git a/deployment/lambda/extractor_and_loader/extractor_and_loader_lambda.tf b/deployment/lambda/extractor_and_loader/extractor_and_loader_lambda.tf
index 193ae27..c5996fe 100644
--- a/deployment/lambda/extractor_and_loader/extractor_and_loader_lambda.tf
+++ b/deployment/lambda/extractor_and_loader/extractor_and_loader_lambda.tf
@@ -16,44 +16,40 @@ resource "aws_sqs_queue" "extractor_and_loader_queue" {
 }
-# IAM policy specific to this Lambda
-# resource "aws_iam_policy" "extractor_loader_policy" {
-# name = "extractor-loader-policy"
+# Custom IAM policy specific to lambda_example
+resource "aws_iam_policy" "extractor_loader_policy" {
+ name = "extractor_loader_policy"
-# policy = jsonencode({
-# Version = "2012-10-17",
-# Statement = [
-# {
-# Effect = "Allow",
-# Action = [
-# "sqs:ReceiveMessage",
-# "sqs:DeleteMessage",
-# "sqs:GetQueueAttributes",
-# "sqs:GetQueueUrl",
-# "sqs:ChangeMessageVisibility"
-# ],
-# Resource = aws_sqs_queue.extractor_and_loader_queue.arn
-# },
-# {
-# Effect = "Allow",
-# Action = [
-# "ecr:GetDownloadUrlForLayer",
-# "ecr:BatchGetImage",
-# "ecr:BatchCheckLayerAvailability"
-# ],
-# Resource = data.aws_ecr_repository.extractor_and_loader.arn
-# },
-# {
-# Effect = "Allow",
-# Action = ["ecr:GetAuthorizationToken"],
-# Resource = "*"
-# }
-# ]
-# })
-# }
-data "aws_iam_policy" "extractor_loader_policy" {
- # Existing customer-managed policy ARN:
- arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/extractor-loader-policy"
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "sqs:ReceiveMessage",
+ "sqs:DeleteMessage",
+ "sqs:GetQueueAttributes",
+ "sqs:GetQueueUrl",
+ "sqs:ChangeMessageVisibility"
+ ],
+ Resource = aws_sqs_queue.lambda_example_queue.arn
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability"
+ ],
+ Resource = data.aws_ecr_repository.lambda_example.arn
+ },
+ {
+ Effect = "Allow",
+ Action = ["ecr:GetAuthorizationToken"],
+ Resource = "*"
+ }
+ ]
+ })
 }
 resource "aws_iam_role_policy_attachment" "extractor_loader_policy_attach" {
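Review bot: The new `extractor_loader_policy` grants SQS rights on `aws_sqs_queue.lambda_example_queue.arn` and ECR pull rights on `data.aws_ecr_repository.lambda_example.arn`, but this file's queue is `aws_sqs_queue.extractor_and_loader_queue` (visible in the hunk header) and the removed block pointed at `data.aws_ecr_repository.extractor_and_loader`, so the role attached below gets permissions on another function's queue and image and none on its own. The same copy-paste is present in walthamforest_etl_lambda.tf, whose removed block targeted `walthamforest_etl_adhoc_queue` and `walthamforest_etl_adhoc_ecr`. The fix here is `Resource = aws_sqs_queue.extractor_and_loader_queue.arn` and `Resource = data.aws_ecr_repository.extractor_and_loader.arn`; if the per-lambda directories are separate Terraform modules, the cross-file references presumably would not even resolve at plan time. The header comment `# Custom IAM policy specific to lambda_example` should also name this Lambda rather than lambda_example.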
diff --git a/deployment/lambda/lambda_example/lambda_example_and_config.tf b/deployment/lambda/lambda_example/lambda_example_and_config.tf
index 94259a9..5e52a05 100644
--- a/deployment/lambda/lambda_example/lambda_example_and_config.tf
+++ b/deployment/lambda/lambda_example/lambda_example_and_config.tf
@@ -13,47 +13,44 @@ resource "aws_sqs_queue" "lambda_example_queue" {
 name = "lambda-example-queue"
 }
-# # Custom IAM policy specific to lambda_example
-# resource "aws_iam_policy" "lambda_example_policy" {
-# name = "lambda-example-policy"
+# Custom IAM policy specific to lambda_example
+resource "aws_iam_policy" "lambda_example_policy" {
+ name = "lambda-example-policy"
-# policy = jsonencode({
-# Version = "2012-10-17",
-# Statement = [
-# {
-# Effect = "Allow",
-# Action = [
-# "sqs:ReceiveMessage",
-# "sqs:DeleteMessage",
-# "sqs:GetQueueAttributes",
-# "sqs:GetQueueUrl",
-# "sqs:ChangeMessageVisibility"
-# ],
-# Resource = aws_sqs_queue.lambda_example_queue.arn
-# },
-# {
-# Effect = "Allow",
-# Action = [
-# "ecr:GetDownloadUrlForLayer",
-# "ecr:BatchGetImage",
-# "ecr:BatchCheckLayerAvailability"
-# ],
-# Resource = data.aws_ecr_repository.lambda_example.arn
-# },
-# {
-# Effect = "Allow",
-# Action = ["ecr:GetAuthorizationToken"],
-# Resource = "*"
-# }
-# ]
-# })
-# }
-
-data "aws_iam_policy" "lambda_example_policy" {
- # Existing customer-managed policy ARN:
- arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/lambda_example_policy"
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "sqs:ReceiveMessage",
+ "sqs:DeleteMessage",
+ "sqs:GetQueueAttributes",
+ "sqs:GetQueueUrl",
+ "sqs:ChangeMessageVisibility"
+ ],
+ Resource = aws_sqs_queue.lambda_example_queue.arn
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability"
+ ],
+ Resource = data.aws_ecr_repository.lambda_example.arn
+ },
+ {
+ Effect = "Allow",
+ Action = ["ecr:GetAuthorizationToken"],
+ Resource = "*"
+ }
+ ]
+ })
 }
+
+
 resource "aws_iam_role_policy_attachment" "lambda_example_policy_attach" {
 role = data.aws_iam_role.lambda_exec_role.name
 policy_arn = aws_iam_policy.lambda_example_policy.arn
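Review bot: Replacing the `aws_iam_policy` data source with a managed resource changes which policy is attached: the removed lookup resolved `policy/lambda_example_policy`, while the new resource is named `lambda-example-policy`, so apply creates a fresh policy instead of adopting the existing one, and the old policy is left behind unless it is imported into this resource or deleted. If a customer-managed policy called `lambda-example-policy` already exists in the account, the create will fail with EntityAlreadyExists, so a `terraform import` before apply is the safer route. The attachment also binds this policy to `data.aws_iam_role.lambda_exec_role`, which the other two files in this patch attach their policies to as well; if that role is shared by the Lambdas, each function effectively receives the union of all three policies, which undercuts the per-function scoping these SQS and ECR statements aim for, and a per-function execution role would preserve the least-privilege intent.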
diff --git a/deployment/lambda/walthamforest_etl/walthamforest_etl_lambda.tf b/deployment/lambda/walthamforest_etl/walthamforest_etl_lambda.tf
index e188c96..2e8ffd3 100644
--- a/deployment/lambda/walthamforest_etl/walthamforest_etl_lambda.tf
+++ b/deployment/lambda/walthamforest_etl/walthamforest_etl_lambda.tf
@@ -15,47 +15,42 @@ resource "aws_sqs_queue" "walthamforest_etl_adhoc_queue" {
 }
-# # IAM policy specific to this Lambda
-# resource "aws_iam_policy" "walthamforest_etl_adhoc_policy" {
-# name = "walthamforest_etl_adhoc-loader-policy"
+# Custom IAM policy specific to lambda_example
+resource "aws_iam_policy" "walthamforest_etl_adhoc_policy" {
+ name = "lambda-example-policy"
-# policy = jsonencode({
-# Version = "2012-10-17",
-# Statement = [
-# {
-# Effect = "Allow",
-# Action = [
-# "sqs:ReceiveMessage",
-# "sqs:DeleteMessage",
-# "sqs:GetQueueAttributes",
-# "sqs:GetQueueUrl",
-# "sqs:ChangeMessageVisibility"
-# ],
-# Resource = aws_sqs_queue.walthamforest_etl_adhoc_queue.arn
-# },
-# {
-# Effect = "Allow",
-# Action = [
-# "ecr:GetDownloadUrlForLayer",
-# "ecr:BatchGetImage",
-# "ecr:BatchCheckLayerAvailability"
-# ],
-# Resource = data.aws_ecr_repository.walthamforest_etl_adhoc_ecr.arn
-# },
-# {
-# Effect = "Allow",
-# Action = ["ecr:GetAuthorizationToken"],
-# Resource = "*"
-# }
-# ]
-# })
-# }
-data "aws_iam_policy" "walthamforest_etl_adhoc_policy" {
- # Existing customer-managed policy ARN:
- arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/walthamforest_etl_adhoc_policy"
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "sqs:ReceiveMessage",
+ "sqs:DeleteMessage",
+ "sqs:GetQueueAttributes",
+ "sqs:GetQueueUrl",
+ "sqs:ChangeMessageVisibility"
+ ],
+ Resource = aws_sqs_queue.lambda_example_queue.arn
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability"
+ ],
+ Resource = data.aws_ecr_repository.lambda_example.arn
+ },
+ {
+ Effect = "Allow",
+ Action = ["ecr:GetAuthorizationToken"],
+ Resource = "*"
+ }
+ ]
+ })
 }
-
 resource "aws_iam_role_policy_attachment" "walthamforest_etl_adhoc_policy_attach" {
 role = data.aws_iam_role.lambda_exec_role.name
 policy_arn =
aws_iam_policy.walthamforest_etl_adhoc_policy.arn
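Review bot: `name = "lambda-example-policy"` on the new `walthamforest_etl_adhoc_policy` resource collides with the policy of the same name created in lambda_example_and_config.tf; IAM policy names are unique per account, so whichever apply runs second fails with EntityAlreadyExists, and if the two directories are applied separately they will keep contending for the same policy. A distinct name such as `name = "walthamforest_etl_adhoc_policy"` avoids that, and the two Resource lines should be brought back to this function's own targets, `Resource = aws_sqs_queue.walthamforest_etl_adhoc_queue.arn` and `Resource = data.aws_ecr_repository.walthamforest_etl_adhoc_ecr.arn`, as the removed block had them, rather than the lambda_example queue and repository the new text grants. The header comment `# Custom IAM policy specific to lambda_example` should likewise refer to this Lambda.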