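# Example Terraform configuration: a container-image Lambda function triggered by an
# SQS queue and logging to CloudWatch. Use this as a template for future Lambdas.
#
# Deployment prerequisites:
#   * Push the image to the ECR repository below (with the tag in var.lambda_image_tag)
#     before `terraform apply`, or the aws_lambda_function resource will not deploy.
#   * NOTE(review): as far as I can tell Lambda pulls the image with the deploying
#     principal's permissions plus the repository policy, not with the execution role;
#     confirm before trimming the ECR statements from the execution-role policy.

# Image tag to deploy. "latest" is kept as the default for compatibility with the
# original template, but a mutable tag means a re-push silently changes what the next
# deploy runs and Terraform will not notice the drift. Prefer an immutable tag (e.g. a
# commit SHA) in real deployments, and then set image_tag_mutability = "IMMUTABLE" below.
variable "lambda_image_tag" {
  type        = string
  default     = "latest"
  description = "Tag of the image in the lambda_example ECR repository to deploy."
}

# Dead-letter queue: messages the function fails to process maxReceiveCount times are
# parked here instead of being retried until the source queue's retention expires.
resource "aws_sqs_queue" "my_queue_dlq" {
  name                    = "my-lambda-queue-dlq"
  sqs_managed_sse_enabled = true
}

# SQS queue that triggers the Lambda.
resource "aws_sqs_queue" "my_queue" {
  name                    = "my-lambda-queue"
  sqs_managed_sse_enabled = true

  # Lambda's SQS integration recommends a visibility timeout of at least six times the
  # function timeout (10 s below) so an in-flight message is not redelivered while a
  # slow invocation is still running.
  visibility_timeout_seconds = 60

  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.my_queue_dlq.arn
    maxReceiveCount     = 5
  })
}

# ECR repository holding the Lambda's Docker image.
resource "aws_ecr_repository" "lambda_repo" {
  name = "lambda_example"

  # Left MUTABLE only because the default tag is "latest"; switch to "IMMUTABLE" once
  # deployments pin a unique tag.
  image_tag_mutability = "MUTABLE"

  # Basic vulnerability scan of every pushed image.
  image_scanning_configuration {
    scan_on_push = true
  }
}

# IAM role the Lambda function assumes at invocation time.
resource "aws_iam_role" "lambda_exec_role" {
  name = "lambda-exec-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action    = "sts:AssumeRole",
        Effect    = "Allow",
        Principal = { Service = "lambda.amazonaws.com" }
      }
    ]
  })
}

# AWS-managed policy for basic Lambda execution (CloudWatch Logs).
resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
  role       = aws_iam_role.lambda_exec_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# Custom policy: SQS consumption + ECR image pull permissions for the execution role.
resource "aws_iam_policy" "lambda_custom_policy" {
  name        = "lambda-sqs-ecr-policy"
  description = "Lets the example Lambda consume its SQS queue and read its ECR repository."

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      # Minimum SQS permissions Lambda needs to poll the queue on the function's behalf.
      {
        Effect = "Allow",
        Action = [
          "sqs:ReceiveMessage",
          "sqs:DeleteMessage",
          "sqs:GetQueueAttributes"
        ],
        Resource = aws_sqs_queue.my_queue.arn
      },
      # Pull access scoped to this one repository.
      {
        Effect = "Allow",
        Action = [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:BatchCheckLayerAvailability"
        ],
        Resource = aws_ecr_repository.lambda_repo.arn
      },
      # ecr:GetAuthorizationToken does not support resource-level scoping, so "*" is
      # the narrowest possible resource here.
      {
        Effect   = "Allow",
        Action   = ["ecr:GetAuthorizationToken"],
        Resource = "*"
      }
    ]
  })
}

# Attach the custom policy to the execution role.
resource "aws_iam_role_policy_attachment" "lambda_custom_policy_attach" {
  role       = aws_iam_role.lambda_exec_role.name
  policy_arn = aws_iam_policy.lambda_custom_policy.arn
}

# Identity and region used to scope the repository policy below to this account.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Repository policy letting the Lambda service pull the image.
resource "aws_ecr_repository_policy" "lambda_ecr_access" {
  repository = aws_ecr_repository.lambda_repo.name

  policy = jsonencode({
    Version = "2008-10-17",
    Statement = [
      {
        Sid       = "AllowLambdaPull",
        Effect    = "Allow",
        Principal = { Service = "lambda.amazonaws.com" },
        Action = [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:BatchCheckLayerAvailability"
        ],
        # Without this condition the grant applies to the Lambda service principal
        # acting for any function in any account (confused-deputy exposure); restrict
        # it to functions in this account and region.
        Condition = {
          StringLike = {
            "aws:SourceArn" = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:*"
          }
        }
      }
    ]
  })
}

# The Lambda function, deployed from the ECR image.
resource "aws_lambda_function" "lambda_docker" {
  function_name = "docker-hello-world-python-example"
  role          = aws_iam_role.lambda_exec_role.arn
  package_type  = "Image"
  image_uri     = "${aws_ecr_repository.lambda_repo.repository_url}:${var.lambda_image_tag}"
  timeout       = 10

  # Ensure the role's policies and the repository policy are in place before Lambda
  # tries to assume the role and pull the image at creation time.
  depends_on = [
    aws_iam_role_policy_attachment.lambda_basic_execution,
    aws_iam_role_policy_attachment.lambda_custom_policy_attach,
    aws_ecr_repository_policy.lambda_ecr_access,
  ]
}

# Connect the SQS queue to the Lambda so incoming messages trigger it.
# batch_size = 1 delivers one message per invocation, so a failing message only
# affects itself and is redriven to the DLQ after maxReceiveCount attempts.
resource "aws_lambda_event_source_mapping" "sqs_trigger" {
  event_source_arn = aws_sqs_queue.my_queue.arn
  function_name    = aws_lambda_function.lambda_docker.arn
  batch_size       = 1
}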