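#########################################
# IAM ROLE FOR EC2-FIRST S3 FULL ACCESS #
#########################################

# Role assumed by EC2 instances through the instance profile defined below.
resource "aws_iam_role" "ec2-s3" {
  name = "ec2-s3-full-tf"
  path = "/"

  # Trust policy: only the EC2 service principal may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

# Inline permissions policy for the EC2 role.
# NOTE(review): "s3:*" and "s3-object-lambda:*" on Resource "*" allow every S3
# action on every bucket in the account, including bucket-policy changes and
# deletion. The role is deliberately named "full access", so this is kept as
# written; if the instances only need specific buckets, restrict Resource to
# those bucket ARNs (e.g. "arn:aws:s3:::<bucket-name>" and
# "arn:aws:s3:::<bucket-name>/*") and trim Action accordingly.
resource "aws_iam_role_policy" "s3-full" {
  name = "s3-full-tf"
  role = aws_iam_role.ec2-s3.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:*",
          "s3-object-lambda:*",
        ]
        Resource = "*"
      }
    ]
  })
}

############################
### IAM INSTANCE PROFILE ###
############################

# Instance profile that attaches the EC2 role above to launched instances.
resource "aws_iam_instance_profile" "instance-role" {
  name = "instance-role"
  role = aws_iam_role.ec2-s3.name
}

##################################
#### LAMBDA ROLE AND POLICIES ####
##################################

# Execution role for the Lambda function. Written with jsonencode (instead of
# the heredoc the other roles previously mixed with) so every policy in this
# file is built the same way; the resulting policy is semantically identical.
resource "aws_iam_role" "iam_for_lambda" {
  name = "lambda-role-for-s3"

  # Trust policy: only the Lambda service principal may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
        Effect = "Allow"
      }
    ]
  })
}

# Inline permissions policy for the Lambda execution role.
resource "aws_iam_role_policy" "lambda-s3-dynamodb" {
  name = "lambda-s3-dynamodb"
  role = aws_iam_role.iam_for_lambda.id

  policy = jsonencode({
    Version = "2012-10-17"
    # All statements live in ONE Statement array. The previous version declared
    # `Statement = [...]` twice inside this object; an HCL object constructor
    # does not accept the same key twice, and even if it did only one array
    # could survive, silently dropping the other set of permissions.
    Statement = [
      {
        Action = [
          "s3:PutObject",
          "s3:GetObject",
          "s3:GetObjectVersion",
        ]
        Effect = "Allow"
        # NOTE(review): "*" covers every bucket; scope to the bucket(s) the
        # function actually reads/writes if they are known.
        Resource = ["*"]
      },
      {
        Action = [
          "lambda:Invoke*",
        ]
        Effect = "Allow"
        # NOTE(review): allows invoking any function in the account; scope to
        # the target function ARN(s) if the function only calls known peers.
        Resource = ["*"]
      },
      #-------------------------------------------------------
      # DynamoDB access is currently granted by the AmazonDynamoDBFullAccess
      # managed policy attached below. The table-scoped statement that would
      # replace it with least privilege:
      #-------------------------------------------------------
      # {
      #   Action = [
      #     "dynamodb:GetItem",
      #     "dynamodb:PutItem",
      #     "dynamodb:UpdateItem",
      #   ]
      #   Effect   = "Allow"
      #   Resource = ["arn:aws:dynamodb:*:*:table/awscapstoneDynamo"]
      # },
    ]
  })
}

# Alternative: build the same policy from a data source instead of jsonencode.
# Kept for reference; not currently used.
# data "aws_iam_policy_document" "lambda-s3-dynamodb" {
#   statement {
#     actions   = ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"]
#     resources = ["*"]
#   }
#   statement {
#     actions   = ["lambda:Invoke*"]
#     resources = ["*"]
#   }
#   statement {
#     actions = [
#       "dynamodb:GetItem",
#       "dynamodb:PutItem",
#       "dynamodb:UpdateItem",
#     ]
#     resources = ["arn:aws:dynamodb:*:*:*"]
#   }
#   statement {
#     actions = [
#       "s3:*",
#       "s3-object-lambda:*",
#     ]
#     resources = ["*"]
#   }
# }

# AWS-managed policies attached to the Lambda role, one attachment per ARN.
# NOTE(review): AmazonS3FullAccess and AmazonDynamoDBFullAccess make the
# inline s3 statement above redundant and grant far more than Get/Put; the
# NetworkAdministrator job-function policy grants broad VPC/networking
# management rights that a function working with S3 and DynamoDB is unlikely
# to need. Confirm each is required, and prefer the scoped inline statements
# above once the bucket/table ARNs are fixed.
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
  for_each = toset([
    "arn:aws:iam::aws:policy/job-function/NetworkAdministrator",
    "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
  ])

  role       = aws_iam_role.iam_for_lambda.name
  policy_arn = each.value
}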