# -----------------------------------------------------------------------------------------------------------
# IAM Role for Redirect Lambda
#
# Role named "<site>-lambda-redirect-role". The trust policy below lets both the
# Lambda service and the Lambda@Edge service (edgelambda.amazonaws.com) assume it.
# No permissions policy for this role appears in this section.
resource "aws_iam_role" "lambda_redirect" {
  name = "${var.site}-lambda-redirect-role"

  # Trust policy: who may call sts:AssumeRole on this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": [
          "edgelambda.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = {
    Site = var.site
  }
}

# -----------------------------------------------------------------------------------------------------------
# IAM Role for Log Parsing Lambda
#
# Role named "<site>-lambda-role", with the same trust policy as the redirect role.
# NOTE(review): the edgelambda.amazonaws.com principal is only needed if the log
# parsing function is deployed as Lambda@Edge. If it is a regular regional
# function, drop that principal so the role is assumable by one service only.
# Confirm against the function definition.
resource "aws_iam_role" "lambda" {
  name = "${var.site}-lambda-role"

  # Trust policy: who may call sts:AssumeRole on this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": [
          "edgelambda.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = {
    Site = var.site
  }
}

# Inline permissions policy attached to the log parsing role (aws_iam_role.lambda).
# It contains three Allow statements:
#   1. CloudWatch Logs: create log groups and streams and put log events, on
#      Resource "*".
#   2. S3: every S3 action ("s3:*") on "arn:aws:s3:::*", which matches every
#      bucket and object ARN in the aws partition.
#   3. Lambda: lambda:InvokeFunction on "arn:aws:lambda:*", i.e. any function ARN.
#
# NOTE(review): statements 2 and 3 are far broader than a log parser is likely to
# need. "s3:*" includes deleting objects and buckets and rewriting bucket policies
# and ACLs, so a bug in or compromise of the function reaches every bucket in the
# account, not just the log bucket. Restrict statement 2 to the specific actions
# used (typically read on the source log objects, write on the destination) and to
# the ARNs of those buckets, and restrict statement 3 to the ARN(s) of the
# function(s) actually invoked. Statement 1 can likewise be scoped to this
# function's log group instead of "*".
resource "aws_iam_role_policy" "lambda" {
  name = "${var.site}-lambda-execution-policy"
  role = aws_iam_role.lambda.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:CreateLogGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "Invoke",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": "arn:aws:lambda:*"
    }
  ]
}
EOF
}