github.com/ves/terraform@v0.8.0-beta2/website/source/docs/providers/aws/r/lambda_permission.html.markdown (about) 1 --- 2 layout: "aws" 3 page_title: "AWS: aws_lambda_permission" 4 sidebar_current: "docs-aws-resource-lambda-permission" 5 description: |- 6 Creates a Lambda function permission. 7 --- 8 9 # aws\_lambda\_permission 10 11 Creates a Lambda permission to allow external sources invoking the Lambda function 12 (e.g. CloudWatch Event Rule, SNS or S3). 13 14 ## Example Usage 15 16 ``` 17 resource "aws_lambda_permission" "allow_cloudwatch" { 18 statement_id = "AllowExecutionFromCloudWatch" 19 action = "lambda:InvokeFunction" 20 function_name = "${aws_lambda_function.test_lambda.arn}" 21 principal = "events.amazonaws.com" 22 source_account = "111122223333" 23 source_arn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily" 24 qualifier = "${aws_lambda_alias.test_alias.name}" 25 } 26 27 resource "aws_lambda_alias" "test_alias" { 28 name = "testalias" 29 description = "a sample description" 30 function_name = "${aws_lambda_function.test_lambda.arn}" 31 function_version = "$LATEST" 32 } 33 34 resource "aws_lambda_function" "test_lambda" { 35 filename = "lambdatest.zip" 36 function_name = "lambda_function_name" 37 role = "${aws_iam_role.iam_for_lambda.arn}" 38 handler = "exports.handler" 39 } 40 41 resource "aws_iam_role" "iam_for_lambda" { 42 name = "iam_for_lambda" 43 assume_role_policy = <<EOF 44 { 45 "Version": "2012-10-17", 46 "Statement": [ 47 { 48 "Action": "sts:AssumeRole", 49 "Principal": { 50 "Service": "lambda.amazonaws.com" 51 }, 52 "Effect": "Allow", 53 "Sid": "" 54 } 55 ] 56 } 57 EOF 58 } 59 ``` 60 61 ## Usage with SNS 62 63 ``` 64 resource "aws_lambda_permission" "with_sns" { 65 statement_id = "AllowExecutionFromSNS" 66 action = "lambda:InvokeFunction" 67 function_name = "${aws_lambda_function.my-func.arn}" 68 principal = "sns.amazonaws.com" 69 source_arn = "${aws_sns_topic.default.arn}" 70 } 71 72 resource "aws_sns_topic" "default" { 73 name = "call-lambda-maybe" 74 } 75 76 resource "aws_sns_topic_subscription" "lambda" { 77 topic_arn = "${aws_sns_topic.default.arn}" 78 protocol = "lambda" 79 endpoint = "${aws_lambda_function.func.arn}" 80 } 81 82 resource "aws_lambda_function" "func" { 83 filename = "lambdatest.zip" 84 function_name = "lambda_called_from_sns" 85 role = "${aws_iam_role.default.arn}" 86 handler = "exports.handler" 87 } 88 89 resource "aws_iam_role" "default" { 90 name = "iam_for_lambda_with_sns" 91 assume_role_policy = <<EOF 92 { 93 "Version": "2012-10-17", 94 "Statement": [ 95 { 96 "Action": "sts:AssumeRole", 97 "Principal": { 98 "Service": "lambda.amazonaws.com" 99 }, 100 "Effect": "Allow", 101 "Sid": "" 102 } 103 ] 104 } 105 EOF 106 } 107 ``` 108 109 ## Argument Reference 110 111 * `action` - (Required) The AWS Lambda action you want to allow in this statement. (e.g. `lambda:InvokeFunction`) 112 * `function_name` - (Required) Name of the Lambda function whose resource policy you are updating 113 * `principal` - (Required) The principal who is getting this permission. 114 e.g. `s3.amazonaws.com`, an AWS account ID, or any valid AWS service principal 115 such as `events.amazonaws.com` or `sns.amazonaws.com`. 116 * `statement_id` - (Required) A unique statement identifier. 117 * `qualifier` - (Optional) Query parameter to specify function version or alias name. 118 The permission will then apply to the specific qualified ARN. 119 e.g. `arn:aws:lambda:aws-region:acct-id:function:function-name:2` 120 * `source_account` - (Optional) The AWS account ID (without a hyphen) of the source owner. 121 * `source_arn` - (Optional) When granting Amazon S3 or CloudWatch Events permission to 122 invoke your function, you should specify this field with the Amazon Resource Name (ARN) 123 for the S3 Bucket or CloudWatch Events Rule as its value. This ensures that only events 124 generated from the specified bucket or rule can invoke the function.