mirror of
https://github.com/GenderDysphoria/GenderDysphoria.fyi.git
synced 2025-01-31 07:16:17 +00:00
99 lines
2.3 KiB
HCL
99 lines
2.3 KiB
HCL
|
|
|
|
# -----------------------------------------------------------------------------------------------------------
|
|
# IAM Role for Redirect Lambda
|
|
|
|
data "aws_iam_policy_document" "lambda_redirect" {
|
|
statement {
|
|
actions = ["sts:AssumeRole"]
|
|
|
|
principals {
|
|
type = "Service"
|
|
identifiers = [
|
|
"edgelambda.amazonaws.com",
|
|
"lambda.amazonaws.com"
|
|
]
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_role" "lambda_redirect" {
|
|
name = "${var.site}-lambda-redirect-role"
|
|
assume_role_policy = data.aws_iam_policy_document.lambda_redirect.json
|
|
|
|
tags = {
|
|
Site = var.site
|
|
}
|
|
}
|
|
|
|
#######################################################
|
|
# LOGGING POLICY
|
|
|
|
data "aws_iam_policy_document" "lambda_logging" {
|
|
statement {
|
|
actions = [
|
|
"logs:CreateLogStream",
|
|
"logs:PutLogEvents",
|
|
"logs:CreateLogGroup"
|
|
]
|
|
|
|
resources = [ "arn:aws:logs:*:*:*" ]
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_policy" "lambda_logging" {
|
|
name = "${var.site}_lambda_logging"
|
|
path = "/"
|
|
description = "IAM policy for logging from a lambda"
|
|
|
|
policy = data.aws_iam_policy_document.lambda_logging.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "lambda_logs" {
|
|
role = aws_iam_role.lambda_redirect.name
|
|
policy_arn = aws_iam_policy.lambda_logging.arn
|
|
}
|
|
|
|
#######################################################
|
|
# REPLICATION POLICY
|
|
|
|
# aws_iam_policy_document.lambda_replication
|
|
data "aws_iam_policy_document" "lambda_replication" {
|
|
statement {
|
|
actions = [
|
|
"lambda:EnableReplication*",
|
|
]
|
|
resources = [
|
|
"*"
|
|
]
|
|
}
|
|
|
|
statement {
|
|
actions = [
|
|
"iam:CreateServiceLinkedRole"
|
|
]
|
|
resources = [
|
|
"arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*"
|
|
]
|
|
condition {
|
|
test = "StringLike"
|
|
variable = "iam:AWSServiceName"
|
|
values = ["events.amazonaws.com"]
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_policy" "lambda_replication" {
|
|
name = "${var.site}_lambda_replication"
|
|
path = "/"
|
|
description = "IAM policy for replication by lambda@edge"
|
|
|
|
policy = data.aws_iam_policy_document.lambda_replication.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "lambda_replication" {
|
|
role = aws_iam_role.lambda_redirect.name
|
|
policy_arn = aws_iam_policy.lambda_replication.arn
|
|
}
|
|
|