github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/website/source/docs/providers/aws/r/lambda_permission.html.markdown

---
layout: "aws"
page_title: "AWS: aws_lambda_permission"
sidebar_current: "docs-aws-resource-lambda-permission"
description: |-
  Creates a Lambda function permission.
---

# aws\_lambda\_permission

Creates a Lambda permission that allows external sources
(e.g. a CloudWatch Event Rule, SNS or S3) to invoke the Lambda function.

## Example Usage

```hcl
resource "aws_lambda_permission" "allow_cloudwatch" {
  statement_id   = "AllowExecutionFromCloudWatch"
  action         = "lambda:InvokeFunction"
  function_name  = "${aws_lambda_function.test_lambda.function_name}"
  principal      = "events.amazonaws.com"
  source_account = "111122223333"
  source_arn     = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
  qualifier      = "${aws_lambda_alias.test_alias.name}"
}

resource "aws_lambda_alias" "test_alias" {
  name             = "testalias"
  description      = "a sample description"
  function_name    = "${aws_lambda_function.test_lambda.function_name}"
  function_version = "$LATEST"
}

resource "aws_lambda_function" "test_lambda" {
  filename      = "lambdatest.zip"
  function_name = "lambda_function_name"
  role          = "${aws_iam_role.iam_for_lambda.arn}"
  handler       = "exports.handler"
  runtime       = "nodejs6.10"
}

resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
```

## Usage with SNS

```hcl
resource "aws_lambda_permission" "with_sns" {
  statement_id  = "AllowExecutionFromSNS"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.func.function_name}"
  principal     = "sns.amazonaws.com"
  source_arn    = "${aws_sns_topic.default.arn}"
}

resource "aws_sns_topic" "default" {
  name = "call-lambda-maybe"
}

resource "aws_sns_topic_subscription" "lambda" {
  topic_arn = "${aws_sns_topic.default.arn}"
  protocol  = "lambda"
  endpoint  = "${aws_lambda_function.func.arn}"
}

resource "aws_lambda_function" "func" {
  filename      = "lambdatest.zip"
  function_name = "lambda_called_from_sns"
  role          = "${aws_iam_role.default.arn}"
  handler       = "exports.handler"
  runtime       = "python2.7"
}

resource "aws_iam_role" "default" {
  name = "iam_for_lambda_with_sns"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
```

## Argument Reference

 * `action` - (Required) The AWS Lambda action you want to allow in this statement. (e.g. `lambda:InvokeFunction`)
 * `function_name` - (Required) Name of the Lambda function whose resource policy you are updating.
 * `principal` - (Required) The principal who is getting this permission,
   e.g. `s3.amazonaws.com`, an AWS account ID, or any valid AWS service principal
   such as `events.amazonaws.com` or `sns.amazonaws.com`.
 * `statement_id` - (Required) A unique statement identifier.
 * `qualifier` - (Optional) Query parameter to specify function version or alias name.
   The permission will then apply to the specific qualified ARN,
   e.g. `arn:aws:lambda:aws-region:acct-id:function:function-name:2`
 * `source_account` - (Optional) The AWS account ID (without a hyphen) of the source owner.
 * `source_arn` - (Optional) When granting Amazon S3 or CloudWatch Events permission to
   invoke your function, you should specify this field with the Amazon Resource Name (ARN)
   for the S3 Bucket or CloudWatch Events Rule as its value. This ensures that only events
   generated from the specified bucket or rule can invoke the function.
   API Gateway ARNs have a unique structure described
   [here](http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html).
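
The following audit script is an added example, not part of the Terraform documentation or code base. It checks a function's resource policy for service-principal grants that lack the scoping `source_arn` and `source_account` provide. It assumes these arguments appear in the policy as the `AWS:SourceArn` and `AWS:SourceAccount` condition keys; the sample policy, its `AllowExecutionFromS3` statement and the `example-bucket` name are constructed.

```python
import json

# Constructed sample in the shape of a Lambda resource policy; the Sids, ARNs
# and account IDs are made up for this example.
FN = "arn:aws:lambda:eu-west-1:111122223333:function:lambda_function_name"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowExecutionFromCloudWatch", "Effect": "Allow", "Resource": FN,
     "Principal": {"Service": "events.amazonaws.com"}, "Action": "lambda:InvokeFunction",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                   "ArnLike": {"AWS:SourceArn": "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"}}},
    {"Sid": "AllowExecutionFromS3", "Effect": "Allow", "Resource": FN,
     "Principal": {"Service": "s3.amazonaws.com"}, "Action": "lambda:InvokeFunction",
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
    {"Sid": "AllowExecutionFromSNS", "Effect": "Allow", "Resource": FN,
     "Principal": {"Service": "sns.amazonaws.com"}, "Action": "lambda:InvokeFunction"},
]})


def condition_values(statement, key):
    """Collect the values of one condition key across all operators, case-insensitively."""
    found = []
    for operands in statement.get("Condition", {}).values():
        for name, value in operands.items():
            if name.lower() == key:
                found.extend(value if isinstance(value, list) else [value])
    return found


def audit(policy_json):
    """Return (Sid, finding) pairs for service-principal grants that are not source-scoped."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue  # only Allow statements granted to AWS service principals are checked
        arns = condition_values(st, "aws:sourcearn")
        accounts = condition_values(st, "aws:sourceaccount")
        if not arns and not accounts:
            findings.append((st.get("Sid"), "no source_arn or source_account"))
        # ARN layout is arn:partition:service:region:account-id:resource; S3 bucket
        # ARNs leave account-id empty, so source_arn alone does not pin the owner.
        elif not accounts and any(len(a.split(":")) < 5 or a.split(":")[4] == "" for a in arns):
            findings.append((st.get("Sid"), "source_arn carries no account ID: add source_account"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit(SAMPLE_POLICY):
        print(sid, "->", finding)
```
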