Add Github CI lambda update user

GispoCoding · Jan 24, 2024 · 27fa7b0 · 27fa7b0
1 parent 588c254
commit 27fa7b0
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 0 deletions.
diff --git a/infra/iam.tf b/infra/iam.tf
@@ -57,3 +57,43 @@ resource "aws_iam_role_policy_attachment" "lambda_secrets_attachment" {
   role       = aws_iam_role.lambda_exec.name
   policy_arn = aws_iam_policy.secrets-policy.arn
 }
+
+
+# Lambda update user
+resource "aws_iam_user" "lambda_update_user" {
+  name               = var.AWS_LAMBDA_USER
+  tags               = merge(local.default_tags, { Name = "${var.prefix}_lambda_update" })
+}
+
+# Create the policy to update lambda functions
+resource "aws_iam_policy" "lambda_update_policy" {
+  # We need a separate policy for each hame instance, since they have separate lambda functions
+  name        = "${var.prefix}-lambda_update_policy"
+  path        = "/"
+  description = "Github CI lambda update policy"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "lambda:CreateFunction",
+          "lambda:UpdateFunctionCode",
+          "lambda:InvokeFunction",
+          "lambda:UpdateFunctionConfiguration"
+        ],
+        "Resource" : [
+          aws_lambda_function.db_manager.arn,
+          ]
+      }
+    ]
+  })
+  tags   = merge(local.default_tags, { Name = "${var.prefix}-lambda_update_policy" })
+}
+
+resource "aws_iam_policy_attachment" "lambda_update_attachment" {
+  name       = "${var.prefix}-lambda_update_attachment"
+  users      = [aws_iam_user.lambda_update_user.name]
+  policy_arn = aws_iam_policy.lambda_update_policy.arn
+}
diff --git a/infra/main.tf b/infra/main.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+    }
+  }
+}
+
+
+provider "aws" {
+  region = var.AWS_REGION_NAME
+}
diff --git a/infra/outputs.tf b/infra/outputs.tf
@@ -0,0 +1,14 @@
+output "db_postgres_version" {
+  description = "The exact PostgreSQL version of the main db."
+  value       = aws_db_instance.main_db.engine_version_actual
+}
+
+output "lambda_db_manager" {
+  description = "Name of the db_manager Lambda function."
+  value       = aws_lambda_function.db_manager.function_name
+}
+
+output "lambda_update_user" {
+  description = "Name of the lambda function update user."
+  value       = aws_iam_user.lambda_update_user.name
+}