我正在尝试使用 Terraform 创建多个具有 S3 存储桶访问权限的 lambda 函数。 terraform 脚本运行良好,但 lambda 函数仍然没有 S3 访问权限。在 lambda Web UI 中的配置 - 权限 - 资源摘要 - 按资源下,我的 lambda 函数只能访问日志。
如何解决这个问题?谢谢你。
terraform {
  # Providers this root module needs; both come from the public registry.
  # No `version` constraints are declared, so `terraform init` resolves the
  # newest release unless a .terraform.lock.hcl is committed alongside.
  # NOTE(review): pinning each provider's `version` and committing the lock
  # file keeps builds reproducible — confirm the constraints before adding them.
  required_providers {
    docker = { source = "kreuzwerker/docker" }
    aws    = { source = "hashicorp/aws" }
  }
}
# Default AWS provider; the region is supplied by the caller via `var.region`.
provider "aws" {
region = var.region
}
# Account id of the credentials Terraform runs with; used to build the ECR registry hostname below.
data "aws_caller_identity" "this" {}
# Short-lived ECR login token consumed by the docker provider. Data-source results
# are recorded in state, so the state file must be handled as a secret.
data "aws_ecr_authorization_token" "token" {}
# Docker provider used by the docker-build module to push images to this account's ECR.
# The registry address is <account_id>.dkr.ecr.<region>.amazonaws.com; the credentials
# are the token fetched above, so plan output and state both contain the password.
provider "docker" {
registry_auth {
address = format("%v.dkr.ecr.%v.amazonaws.com", data.aws_caller_identity.this.account_id, var.region)
username = data.aws_ecr_authorization_token.token.user_name
password = data.aws_ecr_authorization_token.token.password
}
}
# Execution role the Lambda service assumes when it invokes a function.
# This block carries only the trust policy (who may assume the role); the
# permissions the functions actually receive come from the policies that are
# attached to the role elsewhere in the configuration.
resource "aws_iam_role" "lambda_execution_role" {
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "",
        "Effect" : "Allow",
        "Principal" : { "Service" : "lambda.amazonaws.com" },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
  name = "lambda_execution_role"
}
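# Bucket whose objects the functions may read, write and delete. The default is
# the value the policy previously hard-coded, so existing deployments keep the
# same permissions; other environments can override it instead of editing the policy.
variable "s3_bucket_name" {
  type        = string
  default     = "mys3bucketname"
  description = "Name of the S3 bucket the Lambda functions get object-level access to."
}

# Least-privilege object access for the Lambda functions: three object-level
# actions, scoped to a single bucket's objects. Listing the bucket is not
# granted here — that would need s3:ListBucket on the bucket ARN itself (no "/*").
resource "aws_iam_policy" "lambda_s3_access" {
  name = "lambda_s3_access_policy"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect   = "Allow",
        Action   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        Resource = ["arn:aws:s3:::${var.s3_bucket_name}/*"]
      }
    ]
  })
}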
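# Bind the S3 policy to the execution role.
resource "aws_iam_role_policy_attachment" "lambda_s3_access_attachment" {
  role       = aws_iam_role.lambda_execution_role.name
  policy_arn = aws_iam_policy.lambda_s3_access.arn
}

# The custom role carries nothing but the S3 policy, so a function running
# under it could not write its own CloudWatch Logs. AWSLambdaBasicExecutionRole
# is the AWS-managed policy that grants just the log group/stream/event
# permissions Lambda needs for that.
resource "aws_iam_role_policy_attachment" "lambda_basic_execution_attachment" {
  role       = aws_iam_role.lambda_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}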
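# One container-image Lambda per proxy, all sharing the execution role defined
# above. The module only honours `lambda_role` when it is told not to create a
# role of its own (`create_role = false`); without that, every function is
# given a module-generated role that by default carries only the CloudWatch
# Logs policy — consistent with the console showing "Logs" as the sole resource.
module "lambda_proxy" {
  source = "terraform-aws-modules/lambda/aws"
  count  = var.num_proxies

  function_name  = "proxy-${count.index}"
  package_type   = "Image"
  image_uri      = module.docker_image.image_uri
  create_package = false
  architectures  = ["x86_64"]
  timeout        = 30
  # Gives each instance a distinct package hash even though they share one image.
  hash_extra     = count.index

  # Use our role instead of a module-created one. The role must then also
  # carry logging permissions itself (see the role's policy attachments).
  create_role = false
  lambda_role = aws_iam_role.lambda_execution_role.arn
}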
# Builds the proxy image and pushes it to an ECR repository the module creates.
# The tag is a content hash of the build inputs, so a new image (and hence a new
# Lambda deployment) is produced only when one of those files changes.
# NOTE(review): source_path is ./src while the hashed Dockerfile sits one level
# up — confirm the module's Dockerfile lookup matches that layout.
module "docker_image" {
  source = "terraform-aws-modules/lambda/aws//modules/docker-build"

  create_ecr_repo = true
  ecr_repo        = "lambda-proxy"
  # Expire everything except the newest image: a single tag is in use and a
  # rollback is done by re-applying, so older images are only dead weight.
  ecr_repo_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Keep only the last 1 image"
        selection = {
          tagStatus   = "any"
          countType   = "imageCountMoreThan"
          countNumber = 1
        }
        action = { type = "expire" }
      }
    ]
  })
  # NOTE(review): check whether the module version in use exposes ECR
  # scan-on-push / tag-immutability settings; neither is configured here.

  platform    = "linux/amd64"
  source_path = "${path.module}/src"
  # The file order is part of the hash input; keep it stable.
  image_tag = sha1(join("", [
    filesha1("${path.module}/src/requirements.txt"),
    filesha1("${path.module}/src/lambda_function.py"),
    filesha1("${path.module}/Dockerfile"),
  ]))
}
事实证明,该模块处理 IAM 角色的方式有所不同。以下配置有效。
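# Working variant: let the module create the execution role itself and hand it
# the extra permissions through the module's own policy inputs. The answer as
# posted attached AmazonS3FullAccess, which allows every S3 action on every
# bucket in the account; the inline policy below keeps the object-level,
# single-bucket scope that the question's aws_iam_policy already had.
module "lambda_proxy" {
  source = "terraform-aws-modules/lambda/aws"
  count  = var.num_proxies

  function_name  = "proxy-${count.index}"
  create_package = false
  image_uri      = module.docker_image.image_uri
  package_type   = "Image"
  architectures  = ["x86_64"]
  timeout        = 30
  hash_extra     = count.index

  # Least-privilege S3 access attached to the module-created role.
  # (`attach_policy = true` with `policy = aws_iam_policy.lambda_s3_access.arn`
  # is the equivalent if the customer-managed policy from the question is kept.)
  attach_policy_json = true
  policy_json = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect   = "Allow",
        Action   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        Resource = ["arn:aws:s3:::mys3bucketname/*"]
      }
    ]
  })
}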