awscc_lambda_permission (Resource)

The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function. To grant permission to another account, specify the account ID as the Principal. To grant permission to an organization defined in AWS Organizations, specify the organization ID as the PrincipalOrgID. For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com. For AWS services, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. If your function has a fu

Example Usage

With SNS

To use awscc_lambda_permission with SNS

# Creates a permission that allows SNS to invoke a Lambda function.
# This example assumes you have a valid lambdatest.zip
# in the same directory where you run Terraform.


resource "awscc_lambda_permission" "with_sns" {
  statement_id  = "AllowExecutionFromSNS"
  action        = "lambda:InvokeFunction"
  function_name = awscc_lambda_function.func.function_name
  principal     = "sns.amazonaws.com"
  source_arn    = awscc_sns_topic.default.arn
}

resource "awscc_sns_topic" "default" {
  name = "call-lambda-maybe"
}

resource "awscc_sns_topic_subscription" "lambda" {
  topic_arn = awscc_sns_topic.default.arn
  protocol  = "lambda"
  endpoint  = awscc_lambda_function.func.arn
}

resource "awscc_lambda_function" "func" {
  filename      = "lambdatest.zip"
  function_name = "lambda_called_from_sns"
  role          = awscc_iam_role.default.arn
  handler       = "exports.handler"
  runtime       = "nodejs16.x"
}

resource "awscc_iam_role" "default" {
  name = "iam_for_lambda_with_sns"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      },
    ]
  })
}
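
The description's warning about service principals granted without a source can be checked against a function's resource policy. This is an added example, not part of the provider documentation: it parses a policy document in the form returned by `aws lambda get-policy` and flags Allow statements whose service principal has no AWS:SourceArn or AWS:SourceAccount condition. The function names and the sample policy (Sids, ARNs, account IDs) are constructed for illustration.

```python
import json

# Condition keys that pin a service principal to one source resource or account.
# IAM condition keys are case-insensitive, so compare in lower case.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _service_principals(principal):
    """Service principals (e.g. sns.amazonaws.com) named in a Principal element."""
    if not isinstance(principal, dict):
        return []  # "*" or a bare string is not a service principal
    return _as_list(principal.get("Service", []))

def _has_source_condition(statement):
    """True if any condition operator tests AWS:SourceArn or AWS:SourceAccount."""
    for keys in statement.get("Condition", {}).values():
        if any(key.lower() in SOURCE_KEYS for key in keys):
            return True
    return False

def unscoped_service_grants(policy_json):
    """Return (Sid, service) pairs for Allow statements with no source restriction."""
    findings = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or _has_source_condition(st):
            continue
        for service in _service_principals(st.get("Principal")):
            findings.append((st.get("Sid", ""), service))
    return findings

# Constructed sample policy; every identifier below is a placeholder.
FN = "arn:aws:lambda:us-east-1:111111111111:function:lambda_called_from_sns"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowExecutionFromSNS", "Effect": "Allow", "Resource": FN,
     "Principal": {"Service": "sns.amazonaws.com"}, "Action": "lambda:InvokeFunction",
     "Condition": {"ArnLike": {"AWS:SourceArn":
                               "arn:aws:sns:us-east-1:111111111111:call-lambda-maybe"}}},
    {"Sid": "AllowS3NoSource", "Effect": "Allow", "Resource": FN,
     "Principal": {"Service": "s3.amazonaws.com"}, "Action": "lambda:InvokeFunction"},
    {"Sid": "AllowEventsAccountOnly", "Effect": "Allow", "Resource": FN,
     "Principal": {"Service": "events.amazonaws.com"}, "Action": "lambda:InvokeFunction",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "111111111111"}}},
    {"Sid": "AllowOtherAccount", "Effect": "Allow", "Resource": FN,
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "lambda:InvokeFunction"},
]})

if __name__ == "__main__":
    for sid, service in unscoped_service_grants(SAMPLE_POLICY):
        print(f"{sid}: {service} is allowed with no source_arn or source_account")
```

Only the S3 statement is reported: the SNS and EventBridge grants carry a source condition, and the cross-account grant names an account rather than a service principal.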

Schema

Required

Optional

Read-Only

Import

Import is supported using the following syntax:

$ terraform import awscc_lambda_permission.example <resource ID>