github.com/jrasell/terraform@v0.6.17-0.20160523115548-2652f5232949/website/source/docs/providers/aws/r/lambda_permission.html.markdown (about)

     1  ---
     2  layout: "aws"
     3  page_title: "AWS: aws_lambda_permission"
     4  sidebar_current: "docs-aws-resource-lambda-permission"
     5  description: |-
     6    Creates a Lambda function permission.
     7  ---
     8  
     9  # aws\_lambda\_permission
    10  
    11  Creates a Lambda permission that allows external sources to invoke the Lambda function
    12  (e.g. a CloudWatch Event Rule, SNS or S3).
    13  
    14  ## Example Usage
    15  
    16  ```
    17  resource "aws_lambda_permission" "allow_cloudwatch" {
    18      statement_id   = "AllowExecutionFromCloudWatch"
    19      principal      = "events.amazonaws.com"  # service that is granted the action below
    20      action         = "lambda:InvokeFunction"
    21      function_name  = "${aws_lambda_function.test_lambda.arn}"
    22      qualifier      = "${aws_lambda_alias.test_alias.name}"  # permission applies to this alias's qualified ARN
    23      source_account = "111122223333"  # same account ID that appears in source_arn
    24      source_arn     = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"  # only this rule is the permitted source
    25  }
    26  
    27  resource "aws_lambda_alias" "test_alias" {
    28      name             = "testalias"
    29      function_name    = "${aws_lambda_function.test_lambda.arn}"
    30      function_version = "$LATEST"  # alias points at $LATEST rather than a numbered version
    31      description      = "a sample description"
    32  }
    33  
    34  resource "aws_lambda_function" "test_lambda" {
    35      function_name = "lambda_function_name"
    36      filename      = "lambdatest.zip"
    37      handler       = "exports.handler"
    38      role          = "${aws_iam_role.iam_for_lambda.arn}"  # IAM role declared below
    39  }
    40  
    41  resource "aws_iam_role" "iam_for_lambda" {
    42      name = "iam_for_lambda"  # heredoc below is the trust policy: it lets lambda.amazonaws.com assume this role; no permissions policy is attached in this example
    43      assume_role_policy = <<EOF
    44  {
    45    "Version": "2012-10-17",
    46    "Statement": [
    47      {
    48        "Action": "sts:AssumeRole",
    49        "Principal": {
    50          "Service": "lambda.amazonaws.com"
    51        },
    52        "Effect": "Allow",
    53        "Sid": ""
    54      }
    55    ]
    56  }
    57  EOF
    58  }
    59  ```
    60  
    61  ## Usage with SNS
    62  
    63  ```
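    64  resource "aws_lambda_permission" "with_sns" {
    65      statement_id = "AllowExecutionFromSNS"
    66      action = "lambda:InvokeFunction"
    67      function_name = "${aws_lambda_function.func.arn}"  # the function declared below; "my-func" was not defined in this example
    68      principal = "sns.amazonaws.com"
    69      source_arn = "${aws_sns_topic.default.arn}"  # limits the permitted source to this one topic
    70  }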
    71  
    72  resource "aws_sns_topic" "default" {
    73      name = "call-lambda-maybe"  # topic whose ARN the permission uses as source_arn
    74  }
    75  
    76  resource "aws_sns_topic_subscription" "lambda" {
    77      protocol  = "lambda"
    78      endpoint  = "${aws_lambda_function.func.arn}"  # function that receives the topic's messages
    79      topic_arn = "${aws_sns_topic.default.arn}"
    80  }
    81  
    82  resource "aws_lambda_function" "func" {
    83      function_name = "lambda_called_from_sns"
    84      filename      = "lambdatest.zip"
    85      handler       = "exports.handler"
    86      role          = "${aws_iam_role.default.arn}"  # IAM role declared below
    87  }
    88  
    89  resource "aws_iam_role" "default" {
    90      name = "iam_for_lambda_with_sns"  # heredoc below is the trust policy: it lets lambda.amazonaws.com assume this role; no permissions policy is attached in this example
    91      assume_role_policy = <<EOF
    92  {
    93    "Version": "2012-10-17",
    94    "Statement": [
    95      {
    96        "Action": "sts:AssumeRole",
    97        "Principal": {
    98          "Service": "lambda.amazonaws.com"
    99        },
   100        "Effect": "Allow",
   101        "Sid": ""
   102      }
   103    ]
   104  }
   105  EOF
   106  }
   107  ```
   108  
   109  ## Argument Reference
   110  
   111   * `action` - (Required) The AWS Lambda action you want to allow in this statement. (e.g. `lambda:InvokeFunction`)
   112   * `function_name` - (Required) Name of the Lambda function whose resource policy you are updating
   113   * `principal` - (Required) The principal who is getting this permission.
   114   	e.g. `s3.amazonaws.com`, an AWS account ID, or any valid AWS service principal
   115   	such as `events.amazonaws.com` or `sns.amazonaws.com`.
   116   * `statement_id` - (Required) A unique statement identifier.
   117   * `qualifier` - (Optional) Query parameter to specify function version or alias name.
   118   	The permission will then apply to the specific qualified ARN.
   119   	e.g. `arn:aws:lambda:aws-region:acct-id:function:function-name:2`
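   120   * `source_account` - (Optional) The AWS account ID (without a hyphen) of the source owner. For Amazon S3, set this together with `source_arn`: a bucket ARN contains no account ID, so a bucket that is deleted and recreated under the same name by another account would still match `source_arn` alone.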
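   121   * `source_arn` - (Optional) The ARN of the source resource allowed to invoke the function (in the examples above, a CloudWatch Event Rule or an SNS topic). When granting Amazon S3 permission to invoke your function,
   122   	you should specify this field with the bucket Amazon Resource Name (ARN) as its value.
   123   	This ensures that only events generated from the specified bucket can invoke the function. If it is omitted for a service principal, the permission is not tied to any particular resource of that service.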