|
11 | 11 | docker_image = config.get("docker_image")
|
12 | 12 | environment = config.get("environment")
|
13 | 13 |
|
14 |
| -# Create an IAM Role for the Lambda function |
15 |
| -lambda_role = aws.iam.Role("lambdaExecutionRole", |
16 |
| - assume_role_policy="""{ |
17 |
| - "Version": "2012-10-17", |
18 |
| - "Statement": [ |
19 |
| - { |
20 |
| - "Action": "sts:AssumeRole", |
21 |
| - "Principal": { |
22 |
| - "Service": "lambda.amazonaws.com" |
23 |
| - }, |
24 |
| - "Effect": "Allow", |
25 |
| - "Sid": "" |
26 |
| - } |
27 |
| - ] |
28 |
| - }""" |
29 |
| -) |
30 |
| - |
31 |
| -# Attach the basic execution policy to the role |
32 |
| -lambda_policy_attachment = aws.iam.RolePolicyAttachment("lambdaExecutionPolicy", |
33 |
| - role=lambda_role.name, |
34 |
| - policy_arn="arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" |
35 |
| -) |
36 |
| - |
37 |
| -# Define a DynamoDB table |
| 14 | +# First create the DynamoDB table |
38 | 15 | dynamodb_table = aws.dynamodb.Table(
|
39 | 16 | f"todo-{environment}",
|
40 |
| - name=f"todo-{environment}", # Explicit table name |
| 17 | + name=f"todo-{environment}", |
41 | 18 | hash_key="id",
|
42 | 19 | range_key="timestamp",
|
43 | 20 | attributes=[
|
|
57 | 34 | }
|
58 | 35 | )
|
59 | 36 |
|
60 |
| -# 3. Create DynamoDB policy |
61 |
| -dynamodb_policy = aws.iam.Policy( |
62 |
| - "dynamodb-policy", |
63 |
| - name=f"dynamodb-policy-{environment}", |
64 |
| - description="Policy for DynamoDB access", |
| 37 | +# Create Lambda execution role |
| 38 | +lambda_role = aws.iam.Role( |
| 39 | + "lambdaExecutionRole", |
| 40 | + assume_role_policy=json.dumps({ |
| 41 | + "Version": "2012-10-17", |
| 42 | + "Statement": [{ |
| 43 | + "Action": "sts:AssumeRole", |
| 44 | + "Principal": { |
| 45 | + "Service": "lambda.amazonaws.com" |
| 46 | + }, |
| 47 | + "Effect": "Allow", |
| 48 | + "Sid": "" |
| 49 | + }] |
| 50 | + }) |
| 51 | +) |
| 52 | + |
| 53 | +# Create inline policy for the role instead of a managed policy |
| 54 | +dynamodb_policy = aws.iam.RolePolicy( |
| 55 | + "lambdaRolePolicy", |
| 56 | + role=lambda_role.id, |
65 | 57 | policy=pulumi.Output.json_dumps({
|
66 | 58 | "Version": "2012-10-17",
|
67 | 59 | "Statement": [
|
|
79 | 71 | dynamodb_table.arn,
|
80 | 72 | pulumi.Output.concat(dynamodb_table.arn, "/*")
|
81 | 73 | ]
|
| 74 | + }, |
| 75 | + { |
| 76 | + "Effect": "Allow", |
| 77 | + "Action": [ |
| 78 | + "logs:CreateLogGroup", |
| 79 | + "logs:CreateLogStream", |
| 80 | + "logs:PutLogEvents" |
| 81 | + ], |
| 82 | + "Resource": "arn:aws:logs:*:*:*" |
82 | 83 | }
|
83 | 84 | ]
|
84 | 85 | })
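Review bot: The CloudWatch Logs statement added at new lines 75–82 grants logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on `"arn:aws:logs:*:*:*"`, so the execution role can write into any log group in the account; now that the policy is inline and specific to this function it can be scoped to the function's own group, e.g. `"Resource": pulumi.Output.concat("arn:aws:logs:*:*:log-group:/aws/lambda/", <FUNCTION_NAME_PLACEHOLDER>, ":*")`, taking the name from wherever the Lambda function is defined (not visible in this hunk). The `dynamodb_policy` statement that this block belongs to begins in the earlier hunk at new line 54, and the page does not show whether `json` is imported for the `json.dumps` introduced at new line 40 — worth confirming, since the previous version built the assume-role document as a plain string. A minor naming point: the variable is still called `dynamodb_policy` although it now holds a combined DynamoDB + Logs `aws.iam.RolePolicy`; a name such as `lambda_role_policy` would describe it more accurately.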
|
|