updated iam role logic used by lambda workshop

dmitchsplunk · dmitchsplunk · commit 92f9a5a59e23 · 2025-07-08T16:56:26.000-07:00
diff --git a/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md b/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md
@@ -8,6 +8,25 @@ weight: 1
 
 ## Prerequisites
 
+### Note to Workshop Instructor
+
+This step only needs to be completed once, as the IAM role created 
+in this step will be shared by all workshop participants: 
+
+``` bash
+cd ~/workshop/lambda/iam_role
+terraform init
+terraform plan
+terraform apply 
+```
+
+After the workshop is complete, cleanup the role as follows: 
+
+``` bash
+cd ~/workshop/lambda/iam_role
+terraform destroy
+```
+
 ### Observability Workshop Instance
 The Observability Workshop uses the `Splunk4Ninjas - Observability` workshop template in Splunk Show, 
 which provides a pre-configured EC2 instance running Ubuntu. 
diff --git a/workshop/lambda/auto/main.tf b/workshop/lambda/auto/main.tf
@@ -10,48 +10,10 @@ provider "aws" {
 
 
 # Get IAM Role
-data "aws_caller_identity" "current" {}
-resource "aws_iam_role" "lambda_kinesis" {
+data "aws_iam_role" "lambda_kinesis" {
   name = "lambda_kinesis"
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "lambda.amazonaws.com"
-        }
-      }
-    ]
-  })
-}
-resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
-  role       = aws_iam_role.lambda_kinesis.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
 }
 
-resource "aws_iam_policy" "lambda_cloudwatch_logs" {
-  name = "LambdaCloudWatchLogsCustomPolicy"
-  policy = jsonencode({
-      "Version": "2012-10-17",
-      "Statement": [
-          {
-              "Effect": "Allow",
-              "Action": [
-                  "logs:CreateLogStream",
-                  "logs:PutLogEvents"
-              ],
-              "Resource": "*"
-          }
-      ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
-  role       = aws_iam_role.lambda_kinesis.name
-  policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
-}
 
 # Create S3 Bucket, Ownership, ACL
 resource "aws_s3_bucket" "lambda_bucket" {
diff --git a/workshop/lambda/iam_role/main.tf b/workshop/lambda/iam_role/main.tf
@@ -0,0 +1,54 @@
+provider "aws" {
+  region = "us-east-1"
+
+  default_tags {
+    tags = {
+      o11y-workshop = "lambda-tracing"
+    }
+  }
+}
+
+
+# Create IAM Role
+data "aws_caller_identity" "current" {}
+resource "aws_iam_role" "lambda_kinesis" {
+  name = "lambda_kinesis"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
+  role       = aws_iam_role.lambda_kinesis.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
+}
+
+resource "aws_iam_policy" "lambda_cloudwatch_logs" {
+  name = "LambdaCloudWatchLogsCustomPolicy"
+  policy = jsonencode({
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Effect": "Allow",
+              "Action": [
+                  "logs:CreateLogStream",
+                  "logs:PutLogEvents"
+              ],
+              "Resource": "*"
+          }
+      ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
+  role       = aws_iam_role.lambda_kinesis.name
+  policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
+}
diff --git a/workshop/lambda/iam_role/outputs.tf b/workshop/lambda/iam_role/outputs.tf
diff --git a/workshop/lambda/iam_role/terraform.tf b/workshop/lambda/iam_role/terraform.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.38.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.4.2"
+    }
+  }
+
+  required_version = "~> 1.2"
+}
+
diff --git a/workshop/lambda/iam_role/variables.tf b/workshop/lambda/iam_role/variables.tf
diff --git a/workshop/lambda/manual/main.tf b/workshop/lambda/manual/main.tf
@@ -10,48 +10,10 @@ provider "aws" {
 
 
 # Get IAM Role
-data "aws_caller_identity" "current" {}
-resource "aws_iam_role" "lambda_kinesis" {
+data "aws_iam_role" "lambda_kinesis" {
   name = "lambda_kinesis"
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "lambda.amazonaws.com"
-        }
-      }
-    ]
-  })
-}
-resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
-  role       = aws_iam_role.lambda_kinesis.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
 }
 
-resource "aws_iam_policy" "lambda_cloudwatch_logs" {
-  name = "LambdaCloudWatchLogsCustomPolicy"
-  policy = jsonencode({
-      "Version": "2012-10-17",
-      "Statement": [
-          {
-              "Effect": "Allow",
-              "Action": [
-                  "logs:CreateLogStream",
-                  "logs:PutLogEvents"
-              ],
-              "Resource": "*"
-          }
-      ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
-  role       = aws_iam_role.lambda_kinesis.name
-  policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
-}
 
 # Create S3 Bucket, Ownership, ACL
 resource "aws_s3_bucket" "lambda_bucket" {
