tf_aws_lambda_ip_whitelist/iam.tf at master · fvinas/tf_aws_lambda_ip_whitelist · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# -------------------------------------------------------------------
#                         LAMBDA ADD RULE
# -------------------------------------------------------------------

resource "aws_iam_role" "lambda_add_rule_role" {
  name               = "${format("%s-lambda-add-rule-role", var.name)}"
  assume_role_policy = "${data.aws_iam_policy_document.lambda_assume_role.json}"
}

resource "aws_iam_role_policy_attachment" "lambda_add_rule_execution_role" {
  role       = "${aws_iam_role.lambda_add_rule_role.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "lambda_add_rule_sg_alter_role" {
  role       = "${aws_iam_role.lambda_add_rule_role.name}"
  policy_arn = "${aws_iam_policy.lambda_add_rule_sg_alter_policy.arn}"
}

resource "aws_iam_policy" "lambda_add_rule_sg_alter_policy" {
  name        = "${format("%s-lambda-add-rule", var.name)}"
  path        = "/"
  description = "Allow lambda_add_rule to add an ingress rule to a security group"

  policy = <<EOF_POLICY
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeSecurityGroups"
        ],
        "Resource": [
            "*"
        ]
    }, {
        "Effect": "Allow",
        "Action": [
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress"
        ],
        "Resource": [
            "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:security-group/${var.security_group_id}"
        ]
    }]
}
EOF_POLICY
}

# -------------------------------------------------------------------
#                        LAMBDA CLEAN RULES
# -------------------------------------------------------------------

resource "aws_iam_role" "lambda_clean_rules_role" {
  name               = "${format("%s-lambda-clean-rules-role", var.name)}"
  assume_role_policy = "${data.aws_iam_policy_document.lambda_assume_role.json}"
}

resource "aws_iam_role_policy_attachment" "lambda_clean_rules_execution_role" {
  role       = "${aws_iam_role.lambda_clean_rules_role.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "lambda_clean_rules_sg_alter_role" {
  role       = "${aws_iam_role.lambda_clean_rules_role.name}"
  policy_arn = "${aws_iam_policy.lambda_clean_rules_sg_alter_policy.arn}"
}

resource "aws_iam_policy" "lambda_clean_rules_sg_alter_policy" {
  name        = "${format("%s-lambda-clean-rules", var.name)}"
  path        = "/"
  description = "Allow lambda_clean_rules to remove a ingress rules from a security group"

  policy = <<EOF_POLICY
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeSecurityGroups"
        ],
        "Resource": [
            "*"
        ]
    }, {
        "Effect": "Allow",
        "Action": [
            "ec2:RevokeSecurityGroupIngress"
        ],
        "Resource": [
            "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:security-group/${var.security_group_id}"
        ]
    }]
}
EOF_POLICY
}