# This is an example file to set up a Lambda function with an SQS queue and CloudWatch logging.
# Please use this as a template for future Lambda functions.
# Be sure to push the image you are using to ECR or it won't deploy properly
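# Create an SQS queue that will trigger the Lambda.
# Encryption at rest is set explicitly (SSE-SQS with the AWS-owned key) so it
# does not silently depend on the account or provider default; switch to
# kms_master_key_id if a customer-managed key is required.
# No dead-letter queue is configured: a message the function keeps failing on
# is retried until the queue's message retention period expires.
resource "aws_sqs_queue" "my_queue" {
  name                    = "my-lambda-queue"
  sqs_managed_sse_enabled = true
}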
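# Create an ECR repository to store the Docker image for the Lambda function.
# Images are scanned on push so known vulnerabilities in the image are
# reported before the function is deployed.
# Tags stay MUTABLE (the provider default) because the function below
# references ":latest"; if you move to one unique tag per build, set
# image_tag_mutability = "IMMUTABLE" so a pushed tag can never be repointed.
resource "aws_ecr_repository" "lambda_repo" {
  name = "lambda_example"

  image_scanning_configuration {
    scan_on_push = true
  }
}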
# IAM role that the Lambda function assumes at runtime (its execution role).
# The trust policy lets only the Lambda service principal assume it.
# NOTE(review): to rule out the cross-service confused deputy, a Condition on
# aws:SourceAccount / aws:SourceArn (e.g. "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:*")
# can be added to this statement; the account and region values are not
# defined in this file, so it is left out here.
resource "aws_iam_role" "lambda_exec_role" {
  name = "lambda-exec-role"

  assume_role_policy = jsonencode({
    Version : "2012-10-17"
    Statement : [{
      Effect : "Allow"
      Principal : { Service : "lambda.amazonaws.com" }
      Action : "sts:AssumeRole"
    }]
  })
}
# Attach the AWS-managed basic execution policy (CloudWatch Logs access)
# to the execution role.
resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda_exec_role.name
}
# Custom policy for the execution role: SQS consumption + ECR image pull.
# The SQS statement is scoped to the single queue ARN; the ECR pull statement
# is scoped to the single repository ARN. ecr:GetAuthorizationToken does not
# support resource-level permissions, so "*" is the only valid Resource there.
# NOTE(review): the image pull at deploy time is done by the Lambda service
# (see the ECR repository policy below), not by this execution role, so the two
# ECR statements may be removable; confirm against the AWS container-image
# docs before dropping them.
resource "aws_iam_policy" "lambda_custom_policy" {
  name = "lambda-sqs-ecr-policy"

  policy = jsonencode({
    Version : "2012-10-17"
    Statement : [
      # Consume messages from the queue (what the event source mapping needs)
      {
        Effect : "Allow"
        Action : [
          "sqs:ReceiveMessage",
          "sqs:DeleteMessage",
          "sqs:GetQueueAttributes",
        ]
        Resource : aws_sqs_queue.my_queue.arn
      },
      # Pull image layers from the one repository
      {
        Effect : "Allow"
        Action : [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:BatchCheckLayerAvailability",
        ]
        Resource : aws_ecr_repository.lambda_repo.arn
      },
      # Obtain a registry auth token (not resource-scopable)
      {
        Effect : "Allow"
        Action : ["ecr:GetAuthorizationToken"]
        Resource : "*"
      },
    ]
  })
}
# Bind the custom SQS/ECR policy to the execution role.
resource "aws_iam_role_policy_attachment" "lambda_custom_policy_attach" {
  policy_arn = aws_iam_policy.lambda_custom_policy.arn
  role       = aws_iam_role.lambda_exec_role.name
}
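# Define the Lambda function using a Docker image from ECR.
# depends_on is needed because nothing in this resource references the policy
# attachments or the repository policy, so Terraform would otherwise be free to
# create the function before the role can write logs / read SQS and before the
# repository policy that allows the pull exists.
# image_uri uses a mutable tag: Lambda resolves ":latest" to a digest only when
# the function is created or updated, so a new push under the same tag is not
# picked up by a later apply. A per-build tag (or an @sha256 digest) makes the
# deployed image reproducible and auditable.
resource "aws_lambda_function" "lambda_docker" {
  function_name = "docker-hello-world-python-example"
  role          = aws_iam_role.lambda_exec_role.arn
  package_type  = "Image"
  image_uri     = "${aws_ecr_repository.lambda_repo.repository_url}:latest"
  timeout       = 10

  depends_on = [
    aws_iam_role_policy_attachment.lambda_basic_execution,
    aws_iam_role_policy_attachment.lambda_custom_policy_attach,
    aws_ecr_repository_policy.lambda_ecr_access,
  ]
}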
# Wire the queue to the function: Lambda polls the queue and invokes the
# function with each message (one message per invocation, batch_size = 1).
resource "aws_lambda_event_source_mapping" "sqs_trigger" {
  function_name    = aws_lambda_function.lambda_docker.arn
  event_source_arn = aws_sqs_queue.my_queue.arn
  batch_size       = 1
}
# Repository policy that lets the Lambda service pull this image.
# NOTE(review): the statement trusts the lambda.amazonaws.com service principal
# without a Condition, so it is not limited to functions in this account. A
# StringLike condition on aws:SourceArn such as
# "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:*" narrows it; the values are
# not defined in this file, so it is left out here.
resource "aws_ecr_repository_policy" "lambda_ecr_access" {
  repository = aws_ecr_repository.lambda_repo.name

  policy = jsonencode({
    Version : "2008-10-17"
    Statement : [{
      Sid : "AllowLambdaPull"
      Effect : "Allow"
      Principal : { Service : "lambda.amazonaws.com" }
      Action : [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
      ]
    }]
  })
}