Creating AWS IAM Roles and Policies using Terraform.

Creating AWS IAM Roles and Policies using Terraform.

A common use of Terraform for IAM is to create a role that can be assumed by a Lambda function and to attach both an AWS-managed policy and a custom policy to it.

provider.tf

# Provider requirements. The version is an exact pin rather than a "~>"
# range, so a `terraform init` always resolves the same provider build.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.34.0"
    }
  }
}

# Single AWS provider configuration. Credentials are not set here; the
# provider picks them up from the usual environment/profile sources.
# IAM itself is global, so the region only affects regional resources.
provider "aws" {
  region = "us-east-1"
}

main.tf

# Define a data source for the assume role policy document
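# Identity of the account Terraform is deploying into; used to scope the
# trust policy below.
data "aws_caller_identity" "current" {}

# Trust (assume-role) policy for the Lambda execution role.
#
# It lets the Lambda service principal call sts:AssumeRole, but only when
# the calling function lives in this account. The aws:SourceAccount
# condition is the documented guard against the cross-service
# confused-deputy problem; without it, the trust is granted to the
# service as a whole rather than to this account's functions.
data "aws_iam_policy_document" "lambda_assume_role_policy" {
  statement {
    sid     = "LambdaAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}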

# Create a role that can be assumed by Lambda
# Execution role for Lambda. The role itself carries no permissions;
# what it may do is defined entirely by the policies attached to it
# further down. Its trust policy is rendered from the data source above.
resource "aws_iam_role" "lambda_role" {
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
  name               = "lambda-role"
}

# Attach a managed policy to the role
# Attach the AWS-managed basic execution policy (the one Lambda needs to
# write its logs to CloudWatch Logs). Managed policy content is owned by
# AWS and can change over time, so review it if the role's permissions
# are ever audited.
resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda_role.name
}

# Create a custom policy for the role
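# Bucket the role may read from and write to. Made a variable so the
# policy is reusable across environments; the default keeps the
# original hard-coded value.
variable "lambda_s3_bucket_name" {
  description = "Name of the S3 bucket whose objects the Lambda role may get and put"
  type        = string
  default     = "my-bucket"
}

# Customer-managed policy granting object-level access to one bucket.
#
# Scope is deliberately narrow: only s3:GetObject and s3:PutObject, and
# only on keys under the bucket (bucket ARN + "/*"). No s3:ListBucket
# (which applies to the bucket ARN itself) and no delete actions are
# granted, so a function that needs to list or remove objects must get
# that added explicitly rather than widening this to "s3:*".
resource "aws_iam_policy" "lambda_s3_access" {
  name        = "lambda-s3-access"
  description = "Allow Lambda to access S3 buckets"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "LambdaObjectReadWrite"
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = ["arn:aws:s3:::${var.lambda_s3_bucket_name}/*"]
      }
    ]
  })
}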

# Attach the custom policy to the role
# Bind the custom S3 policy to the role. Referencing the policy's ARN
# attribute (rather than a literal) makes Terraform create the policy
# before this attachment and remove the attachment before the policy.
resource "aws_iam_role_policy_attachment" "lambda_s3_access" {
  policy_arn = aws_iam_policy.lambda_s3_access.arn
  role       = aws_iam_role.lambda_role.name
}

With this code, we create a role named lambda-role that Lambda functions can assume, and attach two policies to it: the AWS-managed policy for basic Lambda execution and a custom policy for S3 object access.