configure common lamba role arn

rhyek · Apr 1, 2024 · 3ac76a2 · 3ac76a2
1 parent 070f94c
commit 3ac76a2
Show file tree

Hide file tree

Showing 8 changed files with 49 additions and 8 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -27,6 +27,7 @@ jobs:
       CONFIG_DIRECTORY: './infra'
     outputs:
       ecr_repository_scrape_txs_url: ${{ steps.terraform-outputs.outputs.ecr_repository_scrape_txs_url }}
+      iam_lambda_role_arn: ${{ steps.terraform-outputs.outputs.iam_lambda_role_arn }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -60,6 +61,7 @@ jobs:
           workspace-id: ws-pftgvrxWKzhd2z9z
           outputs: |
             ecr_repository_scrape_txs_url
+            iam_lambda_role_arn
   deploy-scrape-txs:
     name: Deploy Scrape Bank Transactions
     runs-on: ubuntu-22.04
@@ -79,6 +81,7 @@ jobs:
       - name: Set build params
         run: |
           echo "ECR_REPO_URL=${{ needs.terraform.outputs.ecr_repository_scrape_txs_url }}" >> $GITHUB_ENV
+          echo "LAMBDA_ROLE_ARN=${{ needs.terraform.outputs.iam_lambda_role_arn }}" >> $GITHUB_ENV
           echo "IMAGE_TAG=$(echo $GITHUB_SHA | cut -c1-7)" >> $GITHUB_ENV
       - name: Expose GitHub Runtime
         uses: crazy-max/ghaction-github-runtime@v3

diff --git a/infra/main.tf b/infra/main.tf
@@ -1,9 +1,7 @@
-resource "aws_ecr_repository" "scrape_txs" {
-  name                 = "scrape_txs"
-  image_tag_mutability = "IMMUTABLE"
-  force_delete         = true
+module "ecr" {
+  source = "./modules/ecr"
+}
 
-  image_scanning_configuration {
-    scan_on_push = true
-  }
+module "iam" {
+  source = "./modules/iam"
 }
diff --git a/infra/modules/ecr/main.tf b/infra/modules/ecr/main.tf
@@ -0,0 +1,9 @@
+resource "aws_ecr_repository" "scrape_txs" {
+  name                 = "scrape_txs"
+  image_tag_mutability = "IMMUTABLE"
+  force_delete         = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
diff --git a/infra/modules/ecr/outputs.tf b/infra/modules/ecr/outputs.tf
@@ -0,0 +1,3 @@
+output "ecr_repository_scrape_txs_url" {
+  value = aws_ecr_repository.scrape_txs.repository_url
+}
diff --git a/infra/modules/iam/main.tf b/infra/modules/iam/main.tf
@@ -0,0 +1,20 @@
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+  }
+}
+
+resource "aws_iam_role" "lambda_role" {
+  name               = "lambda_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_role_policy_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
diff --git a/infra/modules/iam/outputs.tf b/infra/modules/iam/outputs.tf
@@ -0,0 +1,3 @@
+output "iam_lambda_role_arn" {
+  value = aws_iam_role.lambda_role.arn
+}
diff --git a/infra/outputs.tf b/infra/outputs.tf
@@ -1,3 +1,7 @@
 output "ecr_repository_scrape_txs_url" {
-  value = aws_ecr_repository.scrape_txs.repository_url
+  value = module.ecr.ecr_repository_scrape_txs_url
+}
+
+output "iam_lambda_role_arn" {
+  value = module.iam.iam_lambda_role_arn
 }
diff --git a/projects/scrape-txs/deploy/serverless.yml b/projects/scrape-txs/deploy/serverless.yml
@@ -11,6 +11,7 @@ functions:
     timeout: 300 # 5 minutes
     environment:
       DATABASE_URL: ${env:DATABASE_URL}
+    role: ${env:LAMBDA_ROLE_ARN}
     events:
       # Invoke Lambda function every day at 7am Guatemala time
       - schedule: