Allow lambda access (#371)

morozRed · web-flow · commit 73671df523a1 · 2024-12-11T17:10:49.000+08:00
* Allow lambda access

* add more permissions after testing
diff --git a/aws/iam/iam-for-deploy-bot/main.tf b/aws/iam/iam-for-deploy-bot/main.tf
@@ -163,6 +163,42 @@ resource "aws_iam_policy" "service-discovery-access" {
   })
 }
 
+resource "aws_iam_policy" "deploy-bot-lambda-access" {
+  name        = "DeployBot_LambdaAccess"
+  path        = "/"
+  description = "Allow Lambda access for deploy-bot"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "lambda:AddPermission",
+          "lambda:GetPolicy",
+          "lambda:GetFunction",
+          "lambda:ListFunctions",
+          "lambda:ListVersionsByFunction",
+          "lambda:GetFunctionConfiguration",
+          "lambda:GetFunctionCodeSigningConfig",
+          "lambda:UpdateFunctionCode",
+          "lambda:UpdateFunctionConfiguration",
+          "lambda:PublishVersion",
+          "lambda:CreateFunction",
+          "lambda:DeleteFunction",
+          "lambda:TagResource",
+          "lambda:UntagResource",
+          "iam:ListRolePolicies",
+          "iam:GetRolePolicy",
+          "iam:GetRole",
+          "iam:PassRole"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
 resource "aws_iam_group_policy_attachment" "deploy-bot-ecs-access" {
   group      = aws_iam_group.deploy-bot-deploy-access.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonECS_FullAccess"
@@ -192,3 +228,8 @@ resource "aws_iam_group_policy_attachment" "service-discovery-access" {
   group      = aws_iam_group.deploy-bot-deploy-access.name
   policy_arn = aws_iam_policy.service-discovery-access.arn
 }
+
+resource "aws_iam_group_policy_attachment" "deploy-bot-lambda-access" {
+  group      = aws_iam_group.deploy-bot-deploy-access.name
+  policy_arn = aws_iam_policy.deploy-bot-lambda-access.arn
+}
