# ---------------------------------------------------------------------------
# IAM — Trust policy (shared by all Lambda execution roles)
# ---------------------------------------------------------------------------
data "aws_iam_policy_document" "lambda_trust" {
  # Trust policy shared by every execution role below: lets the Lambda
  # service principal assume the role.
  # NOTE(review): there is no aws:SourceAccount / aws:SourceArn condition, so
  # the trust is not narrowed to this account or to the functions declared
  # here (the usual confused-deputy guidance for service principals) — confirm
  # that is acceptable for this deployment.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
# ---------------------------------------------------------------------------
# IAM — Execution roles (one per function)
# ---------------------------------------------------------------------------
resource "aws_iam_role" "this" {
  # One execution role per entry of var.lambda_role_names (key -> role name).
  # The key is what the function and policy-attachment resources index on.
  for_each = var.lambda_role_names

  name = each.value
  tags = var.tags

  # All roles trust only the Lambda service (see lambda_trust above).
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}
resource "aws_iam_role_policy_attachment" "basic_execution" {
  # Attach the AWS-managed basic execution policy (CloudWatch Logs write
  # permissions) to every execution role.
  for_each = var.lambda_role_names

  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.this[each.key].name
}
# ---------------------------------------------------------------------------
# IAM — SSM read policy
# All Lambdas call ssm.ts at cold start to read /attendance-app/* parameters.
# ---------------------------------------------------------------------------
data "aws_iam_policy_document" "ssm_read" {
  # Read-only access limited to the /attendance-app/ parameter namespace;
  # region and account are wildcarded, the path prefix carries the scope.
  # NOTE(review): if any of these parameters are SecureString, the role will
  # also need kms:Decrypt on the key that protects them — confirm against the
  # parameters ssm.ts actually reads.
  statement {
    effect    = "Allow"
    resources = ["arn:aws:ssm:*:*:parameter/attendance-app/*"]

    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
    ]
  }
}
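resource "aws_iam_policy" "ssm_read" {
  # Customer-managed policy wrapping the ssm_read document; attached to every
  # execution role below.
  name        = "attendance-app-lambda-ssm-read"
  description = "Allows Lambda functions to read SSM parameters under /attendance-app/"
  policy      = data.aws_iam_policy_document.ssm_read.json

  # Tag like the roles, functions and log groups so the policy is attributable
  # in the account (it was the only tagged-capable resource here without tags).
  tags = var.tags
}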
resource "aws_iam_role_policy_attachment" "ssm_read" {
  # Every execution role gets SSM read access (all handlers read parameters
  # at cold start).
  for_each = var.lambda_role_names

  policy_arn = aws_iam_policy.ssm_read.arn
  role       = aws_iam_role.this[each.key].name
}
# ---------------------------------------------------------------------------
# IAM — DynamoDB policy
# Only attached to enrollment functions — auth functions don't touch DynamoDB.
# ---------------------------------------------------------------------------
data "aws_iam_policy_document" "dynamodb_access" {
  # Get/Put/Delete plus Query and Scan on the five application tables.
  # Region and account are wildcarded; the table names pin the scope.
  # NOTE(review): Query/Scan against a secondary index needs the index ARN
  # ("…:table/<name>/index/*") as well, and none is listed — so either no
  # handler uses a GSI/LSI or those calls are denied; confirm. UpdateItem is
  # also absent; confirm the handlers never call it. dynamodb:Scan reads whole
  # tables and is worth dropping if the handlers only Query.
  statement {
    effect = "Allow"

    resources = [
      "arn:aws:dynamodb:*:*:table/Users",
      "arn:aws:dynamodb:*:*:table/Courses",
      "arn:aws:dynamodb:*:*:table/Enrollments",
      "arn:aws:dynamodb:*:*:table/Departments",
      "arn:aws:dynamodb:*:*:table/Attendance",
    ]

    actions = [
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
      "dynamodb:Query",
      "dynamodb:Scan",
    ]
  }
}
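resource "aws_iam_policy" "dynamodb_access" {
  # Customer-managed policy wrapping the dynamodb_access document; attached
  # only to the roles selected by local.dynamodb_role_keys.
  name        = "attendance-app-lambda-dynamodb-access"
  description = "Allows enrollment Lambda functions to read/write DynamoDB tables"
  policy      = data.aws_iam_policy_document.dynamodb_access.json

  # Tag like the roles, functions and log groups so the policy is attributable
  # in the account.
  tags = var.tags
}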
locals {
  # Role keys that receive the DynamoDB policy: the declared role keys
  # intersected with this allowlist. A key listed here but missing from
  # var.lambda_role_names is dropped silently rather than raising an error,
  # so a typo in the list leaves that handler without table access.
  # Note the list is broader than "enrollment functions": it also covers the
  # attendance and user-lookup handlers.
  dynamodb_role_keys = setintersection(
    keys(var.lambda_role_names),
    [
      "create_enrollment", "get_enrollment", "delete_enrollment",
      "get_attendance", "create_attendance", "get_attendance_teacher",
      "get_user",
    ]
  )
}
resource "aws_iam_role_policy_attachment" "dynamodb_access" {
  # Only the roles in the allowlist computed above get table access.
  for_each = local.dynamodb_role_keys

  policy_arn = aws_iam_policy.dynamodb_access.arn
  role       = aws_iam_role.this[each.key].name
}
# ---------------------------------------------------------------------------
# Lambda functions
# Zips are built by deploy.sh and placed in var.artifacts_dir.
# source_code_hash ensures only changed functions are redeployed.
# ---------------------------------------------------------------------------
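resource "aws_lambda_function" "this" {
  # One function per entry of var.lambda_function_names (key -> function
  # name); the same key selects the execution role from aws_iam_role.this,
  # so the two maps are expected to share their keys.
  for_each = var.lambda_function_names

  function_name = each.value
  role          = aws_iam_role.this[each.key].arn
  handler       = "index.handler"
  runtime       = var.runtime
  timeout       = var.timeout
  memory_size   = var.memory_size
  tags          = var.tags

  # Artifact built by deploy.sh; the content hash forces an update only when
  # the zip actually changes.
  filename         = "${var.artifacts_dir}/${each.value}.zip"
  source_code_hash = filebase64sha256("${var.artifacts_dir}/${each.value}.zip")

  # Ordering matters in two ways:
  #  - the log group is managed below with an explicit retention; if the
  #    function is created (and invoked) first, Lambda creates the group
  #    itself with no retention and the managed resource then collides with
  #    it, so the group must exist before the function;
  #  - the role must already carry its policies before the first cold start,
  #    which reads SSM (and DynamoDB for the handlers that have that policy).
  depends_on = [
    aws_cloudwatch_log_group.this,
    aws_iam_role_policy_attachment.basic_execution,
    aws_iam_role_policy_attachment.ssm_read,
    aws_iam_role_policy_attachment.dynamodb_access,
  ]
}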
resource "aws_cloudwatch_log_group" "this" {
  # Pre-create each function's log group under the name Lambda uses so that
  # retention is enforced instead of defaulting to "never expire".
  for_each = var.lambda_function_names

  name              = "/aws/lambda/${each.value}"
  retention_in_days = var.log_retention_days
  tags              = var.tags
}
# ---------------------------------------------------------------------------
# SSM — store Lambda ARNs for the API Gateway module to consume
# ---------------------------------------------------------------------------
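resource "aws_ssm_parameter" "lambda_arn" {
  # Publish each function's ARN under /attendance-app/lambda/<key>/arn for
  # the API Gateway module. ARNs are not secrets, so a plain String is fine.
  for_each = var.lambda_function_names

  name        = "/attendance-app/lambda/${each.key}/arn"
  description = "ARN for Lambda function ${each.value}"
  type        = "String"
  value       = aws_lambda_function.this[each.key].arn

  # Tag like the other resources in this module for attribution.
  tags = var.tags
}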
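resource "aws_ssm_parameter" "lambda_invoke_arn" {
  # Publish each function's invoke ARN under
  # /attendance-app/lambda/<key>/invoke_arn for API Gateway integrations.
  # Not a secret, so a plain String is fine.
  for_each = var.lambda_function_names

  name        = "/attendance-app/lambda/${each.key}/invoke_arn"
  description = "Invoke ARN for Lambda function ${each.value}"
  type        = "String"
  value       = aws_lambda_function.this[each.key].invoke_arn

  # Tag like the other resources in this module for attribution.
  tags = var.tags
}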