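# Infrastructure for the hourly AMI-list publisher:
#   - a Go Lambda ("amilist"), packaged from ./out into amilist.zip, fired every
#     hour by a CloudWatch Events rule; it may read EC2 image metadata and write
#     objects into the S3 bucket below;
#   - the S3 bucket that holds amis.json, served through a CloudFront
#     distribution that reads the bucket via an origin access identity.

provider "aws" {
  region = "us-east-1"
  # Named local credentials profile; whoever applies this must have it configured.
  profile = "heptio-oss"
}

resource "aws_lambda_function" "amilist" {
  function_name = "amilist"
  filename      = "amilist.zip"
  handler       = "amilist"
  # This must be an expression, not a quoted string. With the literal
  # "data.archive_file.zip.output_base64sha256" the hash was constant, so a
  # rebuilt amilist.zip was never picked up as a change and never redeployed.
  source_code_hash = data.archive_file.zip.output_base64sha256
  role             = aws_iam_role.iam_for_lambda.arn
  runtime          = "go1.x"
  memory_size      = 256
  timeout          = 60
}

# Bucket that receives amis.json from the Lambda and backs the CloudFront origin.
resource "aws_s3_bucket" "cluster-api-aws" {
  bucket = "cluster-api-aws-amis.sigs.k8s.io"
  # NOTE(review): public-read together with the website block makes the bucket
  # readable directly over the S3 website endpoint, bypassing the origin access
  # identity that aws_iam_policy_document.s3_policy grants to CloudFront. Keep
  # only if fetching amis.json straight from S3 is a supported path.
  acl = "public-read"

  # Browser clients on other origins may GET the list; only GET is exposed.
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3000
  }

  website {
    index_document = "amis.json"
  }
}

# Identity CloudFront uses to read the bucket (referenced by the bucket policy).
resource "aws_cloudfront_origin_access_identity" "cluster_api" {
  comment = "Cluster API AMIs"
}

resource "aws_cloudfront_distribution" "cluster-api-aws" {
  origin {
    origin_id   = "s3"
    domain_name = aws_s3_bucket.cluster-api-aws.bucket_regional_domain_name
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.cluster_api.cloudfront_access_identity_path
    }
  }
  enabled = true
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  default_cache_behavior {
    allowed_methods  = ["HEAD", "GET"]
    cached_methods   = ["HEAD", "GET"]
    target_origin_id = "s3"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }

      # CORS request headers must reach the origin so S3 can answer the
      # preflight/Origin checks configured in the bucket's cors_rule.
      headers = ["Origin", "Access-Control-Request-Headers", "Access-Control-Request-Method"]
    }

    # amis.json is consumed as the list of AMI IDs to launch from; it should not
    # be fetchable over plain HTTP, where it could be altered in transit.
    # Plain-HTTP clients are redirected rather than refused.
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 60
    default_ttl            = 3600
    max_ttl                = 3600
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Execution role for the Lambda: basic logging plus the two data accesses it needs.
resource "aws_iam_role" "iam_for_lambda" {
  name = "amilist-lambda"

  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      },
    ]
  })

  inline_policy {
    name = "inline-policy"
    policy = jsonencode({
      Version = "2012-10-17",
      Statement = [
        {
          # ec2:DescribeImages does not support resource-level permissions,
          # so "*" is the only valid resource here.
          Action = [
            "ec2:DescribeImages",
          ]
          Resource = "*"
          Effect   = "Allow"
        },
        {
          # NOTE(review): s3:* on every object is broader than a publisher
          # needs; narrow it to the actions the function actually performs
          # (presumably s3:PutObject) once that is confirmed from its code.
          Action = [
            "s3:*",
          ]
          Resource = "arn:aws:s3:::cluster-api-aws-amis.sigs.k8s.io/*"
          Effect   = "Allow"
        },
      ]
    })
  }
}

resource "aws_s3_bucket_policy" "cluster-api" {
  bucket = aws_s3_bucket.cluster-api-aws.id
  policy = data.aws_iam_policy_document.s3_policy.json
}

# Grants object reads on the bucket to the CloudFront origin access identity only.
data "aws_iam_policy_document" "s3_policy" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.cluster-api-aws.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.cluster_api.iam_arn]
    }
  }
}

# Hourly trigger for the Lambda.
resource "aws_cloudwatch_event_rule" "every_hour" {
  name                = "every-hour"
  description         = "Fires every hour"
  schedule_expression = "rate(1 hour)"
}

resource "aws_cloudwatch_event_target" "update_amis_every_hour" {
  rule      = aws_cloudwatch_event_rule.every_hour.name
  target_id = "amilist"
  arn       = aws_lambda_function.amilist.arn
}

# Lets CloudWatch Events invoke the function, restricted to this one rule's ARN.
resource "aws_lambda_permission" "allow_cloudwatch_to_call_amilist" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.amilist.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.every_hour.arn
}

# Packages the built binary in ./out; output_path must match the Lambda's
# filename, and its hash drives redeploys via source_code_hash above.
data "archive_file" "zip" {
  type        = "zip"
  source_dir  = "out"
  output_path = "amilist.zip"
}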