-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlambda.tf
114 lines (97 loc) · 2.96 KB
/
lambda.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
variable "s3_deployment_bucket" {
type = string
}
variable "s3_deployment_key" {
type = string
}
variable "lambda_role" {
type = string
}
resource "aws_lambda_function" "wemerch_lambda" {
function_name = "gql"
# The bucket name as created earlier with "aws s3api create-bucket"
s3_bucket = var.s3_deployment_bucket
s3_key = var.s3_deployment_key
# "main" is the filename within the zip file (main.js) and "handler"
# is the name of the property under which the handler function was
# exported in that file.
handler = "dist/handlers.gql"
runtime = "nodejs18.x"
timeout = 30
memory_size = 256
role = var.lambda_role
vpc_config {
subnet_ids = [aws_subnet.wemerch_private_subnet1.id, aws_subnet.wemerch_private_subnet2.id]
security_group_ids = [aws_security_group.wemerch_lambda_security_group.id]
}
}
// todo rename from proxy => default
resource "aws_api_gateway_resource" "proxy" {
rest_api_id = "${aws_api_gateway_rest_api.wemerch_api_gateway_rest_api.id}"
parent_id = "${aws_api_gateway_rest_api.wemerch_api_gateway_rest_api.root_resource_id}"
path_part = "$default"
}
resource "aws_api_gateway_method" "proxy" {
rest_api_id = "${aws_api_gateway_rest_api.wemerch_api_gateway_rest_api.id}"
resource_id = "${aws_api_gateway_resource.proxy.id}"
http_method = "ANY"
authorization = "NONE"
}
resource "aws_lambda_permission" "apigw" {
statement_id = "AllowAPIGatewayInvoke"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.wemerch_lambda.function_name}"
principal = "apigateway.amazonaws.com"
# The /*/* portion grants access from any method on any resource
# within the API Gateway "REST API".
source_arn = "${aws_api_gateway_rest_api.wemerch_api_gateway_rest_api.execution_arn}/*/*"
}
resource "aws_security_group" "wemerch_lambda_security_group" {
name = "wemerch-lambda-security-group"
description = "Allow inbound traffic"
vpc_id = aws_vpc.wemerch.id
ingress {
description = "TLS from VPC"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = [aws_vpc.wemerch.cidr_block]
}
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [aws_vpc.wemerch.cidr_block]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = {
Name = "allow_tls"
}
}
# IAM role which dictates what other AWS services the Lambda function
# may access.
# resource "aws_iam_role" "lambda_exec" {
# name = "serverless_example_lambda"
# assume_role_policy = <<EOF
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Action": "sts:AssumeRole",
# "Principal": {
# "Service": "lambda.amazonaws.com"
# },
# "Effect": "Allow",
# "Sid": ""
# }
# ]
# }
# EOF
# }