-
Notifications
You must be signed in to change notification settings - Fork 8
/
lambda.tf
107 lines (87 loc) · 3.27 KB
/
lambda.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
data "archive_file" "lambda_zip" {
type = "zip"
source_dir = "${path.module}/lambda/samlpost"
output_path = "${path.module}/dist/lambda_samlpost.zip"
}
resource "aws_lambda_function" "samlpost" {
provider = aws.iam-security-account
function_name = "${var.lambda_name}-${var.resource_name_suffix}"
filename = data.archive_file.lambda_zip.output_path
source_code_hash = data.archive_file.lambda_zip.output_base64sha256
// source_code_hash = filebase64sha256(data.archive_file.lambda_zip.output_path)
handler = "index.handler"
runtime = "nodejs14.x"
timeout = 10
role = aws_iam_role.lambda_exec.arn
environment {
variables = {
samlReadRole = "arn:aws:iam::${local.master_account_id}:saml-provider/${var.keycloak_saml_name},arn:aws:iam::${local.master_account_id}:role/${local.saml_read_role_name}",
kc_base_url = var.kc_base_url,
kc_realm = var.kc_realm,
kc_terraform_auth_client_id = var.kc_terraform_auth_client_id,
kc_terraform_auth_client_secret = var.kc_terraform_auth_client_secret
silver_kc_realm = var.silver_kc_realm
silver_kc_base_url = var.silver_kc_base_url
silver_kc_terraform_auth_client_id = var.silver_kc_terraform_auth_client_id
silver_kc_terraform_auth_client_secret = var.silver_kc_terraform_auth_client_secret
}
}
tags = local.common_tags
}
resource "aws_iam_role" "lambda_exec" {
provider = aws.iam-security-account
name = "${var.lambda_name}-${var.resource_name_suffix}"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow"
}
]
}
EOF
tags = local.common_tags
}
data "aws_iam_policy" "AWSLambdaBasicExecutionRole" {
provider = aws.master-account
arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
resource "aws_iam_role_policy_attachment" "test-attach" {
provider = aws.iam-security-account
role = aws_iam_role.lambda_exec.name
policy_arn = data.aws_iam_policy.AWSLambdaBasicExecutionRole.arn
}
resource "aws_iam_policy" "assume_role_org_read" {
provider = aws.iam-security-account
name = "serverless_saml_lambda-org-read-${var.resource_name_suffix}"
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Action = [
"sts:AssumeRole"
]
Resource = "${aws_iam_role.saml_read_role.arn}"
}]
})
}
resource "aws_iam_role_policy_attachment" "thisSTS" {
provider = aws.iam-security-account
role = aws_iam_role.lambda_exec.name
policy_arn = aws_iam_policy.assume_role_org_read.arn
}
resource "aws_lambda_permission" "apigw" {
provider = aws.iam-security-account
statement_id = "AllowAPIGatewayInvoke"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.samlpost.function_name
principal = "apigateway.amazonaws.com"
# The "/*/*" portion grants access from any method on any resource
# within the API Gateway REST API.
source_arn = "${aws_api_gateway_rest_api.samlpost.execution_arn}/*/*"
}