
Commit 5ddaded

authored
Create elfshaker resources (#1667)
1 parent 7b459c7 commit 5ddaded


3 files changed

+84
-1
lines changed


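--- a/terraform/lambda.tf
+++ b/terraform/lambda.tf
@@ -19,6 +19,7 @@ resource "aws_iam_role_policy_attachment" "terraform_lambda_policy" {
 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+# Pretty sure this is subsumed by https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaBasicExecutionRole.html above?
 data "aws_iam_policy_document" "aws_lambda_logging" {
 statement {
 sid = "AllowLogging"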
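Review bot: The comment added above `data "aws_iam_policy_document" "aws_lambda_logging"` records a question in code rather than a decision, and the two policies are not interchangeable: AWSLambdaBasicExecutionRole grants `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` on every resource, whereas a custom document can be restricted to the function's own log group. The AllowLogging statement's resources are outside the hunk, so I cannot tell which is tighter here; if it is scoped to specific log groups, the custom policy is the one worth keeping and the managed attachment is the broader grant. Either way the comment would serve better as a conclusion, e.g. `# Overlaps with AWSLambdaBasicExecutionRole above; kept because it is scoped to named log groups`, or be removed once the overlap has been verified.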

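--- /dev/null
+++ b/terraform/lambda_elfshaker.tf
@@ -0,0 +1,82 @@
+resource "aws_iam_role" "elfshaker" {
+name = "elfshaker"
+assume_role_policy = data.aws_iam_policy_document.aws_lambda_trust_policy.json
+}
+
+# Should grant logging etc
+resource "aws_iam_role_policy_attachment" "elfshaker_basic_lambda" {
+role = aws_iam_role.elfshaker.name
+policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_cloudwatch_log_group" "elfshaker" {
+name = "/aws/lambda/elfshaker"
+retention_in_days = 14
+}
+
+resource "aws_s3_bucket" "elfshaker-godbolt-org" {
+bucket = "elfshaker.godbolt.org"
+tags = {
+S3-Bucket-Name = "elfshaker.godbolt.org"
+}
+lifecycle {
+prevent_destroy = true
+}
+}
+
+resource "aws_s3_bucket_ownership_controls" "elfshaker-godbolt-org" {
+bucket = aws_s3_bucket.elfshaker-godbolt-org.id
+rule {
+object_ownership = "BucketOwnerEnforced"
+}
+}
+
+# Probably need to set this up to _allow_ public access
+resource "aws_s3_bucket_public_access_block" "elfshaker-godbolt-org" {
+bucket = aws_s3_bucket.elfshaker-godbolt-org.id
+
+block_public_acls = true
+block_public_policy = true
+ignore_public_acls = true
+restrict_public_buckets = true
+}
+
+# resource "aws_s3_bucket_lifecycle_configuration" "elfshaker-godbolt-org" {
+# bucket = aws_s3_bucket.elfshaker-godbolt-org.id
+# rule {
+# id = "Remove cached items"
+# status = "Enabled"
+# expiration {
+# days = 3
+# }
+# noncurrent_version_expiration {
+# noncurrent_days = 1
+# }
+# filter {
+# prefix = ""
+# }
+# }
+# }
+
+# IAM Policy for S3 Access
+data "aws_iam_policy_document" "elfshaker_s3_access" {
+statement {
+sid = "ElfShakerS3"
+actions = [
+"s3:GetObject",
+"s3:PutObject"
+]
+resources = ["${aws_s3_bucket.elfshaker-godbolt-org.arn}/*"]
+}
+}
+
+resource "aws_iam_policy" "elfshaker_s3_access" {
+name = "elfshaker_lambda_s3_access"
+description = "Allow elfshaker lambda to access its s3 bucket"
+policy = data.aws_iam_policy_document.elfshaker_s3_access.json
+}
+
+resource "aws_iam_role_policy_attachment" "elfshaker_s3_access" {
+role = aws_iam_role.elfshaker.name
+policy_arn = aws_iam_policy.elfshaker_s3_access.arn
+}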
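Review bot: The comment `# Probably need to set this up to _allow_ public access` on the `aws_s3_bucket_public_access_block` leaves the intended exposure of `elfshaker.godbolt.org` undecided in code; if objects must be world-readable, the narrow route is a bucket policy granting only `s3:GetObject` on the object ARNs (or fronting the bucket with CloudFront) and clearing just `block_public_policy` and `restrict_public_buckets`, rather than relaxing all four flags. With `object_ownership = "BucketOwnerEnforced"` ACLs are already disabled, so `block_public_acls` and `ignore_public_acls` are effectively inert here and the bucket policy is the only grant path that matters; a comment stating that, e.g. `# ACLs are disabled by BucketOwnerEnforced; public read, if needed, goes through a scoped bucket policy only`, would record the decision. The commented-out `aws_s3_bucket_lifecycle_configuration` block uses `noncurrent_version_expiration`, which presumably assumes versioning, yet no `aws_s3_bucket_versioning` resource is declared, so either add that or drop the dead block to keep one source of truth. The `elfshaker_s3_access` document is correctly limited to `s3:GetObject`/`s3:PutObject` on `${bucket.arn}/*`; if the function turns out to need listing, add `s3:ListBucket` on the bucket ARN itself deliberately rather than widening the action list.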

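--- a/terraform/lambda_explain.tf
+++ b/terraform/lambda_explain.tf
@@ -21,7 +21,7 @@ resource "aws_lambda_function" "explain" {
 package_type = "Image"
 image_uri = data.aws_ecr_image.explain.image_uri
 function_name = "explain"
-role = aws_iam_role.iam_for_lambda.arn
+role = aws_iam_role.iam_for_lambda.arn # TODO separate role?
 timeout = 30
 memory_size = 256
 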
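Review bot: The TODO on `role = aws_iam_role.iam_for_lambda.arn` marks a real least-privilege gap rather than a cosmetic one: every policy attached to `iam_for_lambda` is inherited by `explain`, and any other function sharing that role can exercise whatever `explain` is later granted. This commit already introduces the per-function shape (`aws_iam_role` "elfshaker" with its own attachments in `terraform/lambda_elfshaker.tf`), so the same pattern can be applied here instead of leaving the question open. The enclosing `aws_lambda_function` "explain" block starts before the hunk and continues past it.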
