|
| 1 | +data "aws_iam_policy_document" "lambda" { |
| 2 | + statement { |
| 3 | + effect = "Allow" |
| 4 | + actions = ["sts:AssumeRole"] |
| 5 | + principals { |
| 6 | + type = "Service" |
| 7 | + identifiers = ["lambda.amazonaws.com"] |
| 8 | + } |
| 9 | + } |
| 10 | +} |
| 11 | + |
| 12 | +data "aws_iam_policy" "lambda" { |
| 13 | + name = "AWSLambdaBasicExecutionRole" |
| 14 | +} |
| 15 | + |
| 16 | +resource "aws_iam_role" "lambda" { |
| 17 | + name = "print-events" |
| 18 | + assume_role_policy = data.aws_iam_policy_document.lambda.json |
| 19 | + managed_policy_arns = [data.aws_iam_policy.lambda.arn] |
| 20 | +} |
| 21 | + |
| 22 | +resource "aws_iam_role_policy" "web_identity_token_policy" { |
| 23 | + name = "print-events-web-identity-token-policy" |
| 24 | + role = aws_iam_role.lambda.id |
| 25 | + |
| 26 | + policy = jsonencode({ |
| 27 | + Version = "2012-10-17" |
| 28 | + Statement = [ |
| 29 | + { |
| 30 | + Effect = "Allow" |
| 31 | + Action = "sts:GetWebIdentityToken" |
| 32 | + Resource = "*" |
| 33 | + Condition = { |
| 34 | + "ForAnyValue:StringEquals" = { |
| 35 | + "sts:IdentityTokenAudience" = "https://issuer.enforce.dev" |
| 36 | + } |
| 37 | + "NumericLessThanEquals" : { |
| 38 | + "sts:DurationSeconds" : 300 |
| 39 | + } |
| 40 | + } |
| 41 | + } |
| 42 | + ] |
| 43 | + }) |
| 44 | +} |
| 45 | + |
| 46 | +locals { |
| 47 | + source_hash = sha1(join("", [ |
| 48 | + filesha1("${path.module}/../Dockerfile"), |
| 49 | + filesha1("${path.module}/../lambda_function.py"), |
| 50 | + filesha1("${path.module}/../requirements.txt"), |
| 51 | + ])) |
| 52 | +} |
| 53 | + |
| 54 | +resource "aws_ecr_repository" "lambda" { |
| 55 | + name = "print-events" |
| 56 | + force_delete = true |
| 57 | +} |
| 58 | + |
| 59 | +provider "docker" { |
| 60 | + registry_auth { |
| 61 | + address = split("/", aws_ecr_repository.lambda.repository_url)[0] |
| 62 | + config_file = pathexpand("~/.docker/config.json") |
| 63 | + } |
| 64 | +} |
| 65 | + |
| 66 | +resource "docker_image" "lambda" { |
| 67 | + name = aws_ecr_repository.lambda.repository_url |
| 68 | + build { |
| 69 | + context = abspath("${path.module}/..") |
| 70 | + dockerfile = abspath("${path.module}/../Dockerfile") |
| 71 | + platform = "linux/amd64" |
| 72 | + } |
| 73 | + triggers = { |
| 74 | + source_hash = local.source_hash |
| 75 | + } |
| 76 | +} |
| 77 | + |
| 78 | +resource "docker_registry_image" "lambda" { |
| 79 | + name = docker_image.lambda.name |
| 80 | + keep_remotely = true |
| 81 | + triggers = { |
| 82 | + image_id = docker_image.lambda.image_id |
| 83 | + } |
| 84 | +} |
| 85 | + |
| 86 | +resource "aws_lambda_function" "lambda" { |
| 87 | + function_name = "print-events" |
| 88 | + role = aws_iam_role.lambda.arn |
| 89 | + package_type = "Image" |
| 90 | + image_uri = "${docker_registry_image.lambda.name}@${docker_registry_image.lambda.sha256_digest}" |
| 91 | + timeout = 30 |
| 92 | + |
| 93 | + environment { |
| 94 | + variables = { |
| 95 | + ORG_ID = data.chainguard_group.group.id |
| 96 | + IDENTITY = chainguard_identity.aws.id |
| 97 | + CE_TYPES = join(",", var.ce_types) |
| 98 | + } |
| 99 | + } |
| 100 | +} |
| 101 | + |
| 102 | +resource "aws_lambda_function_url" "lambda" { |
| 103 | + function_name = aws_lambda_function.lambda.function_name |
| 104 | + authorization_type = "NONE" |
| 105 | +} |
0 commit comments