在 Terraform 中为 AWS lambda 指定触发事件

Question

我有以下 main.tf 文件，它创建了一个 S3 存储桶 my-tf-test-bucket-12567 和一个 AWS lambda hasher_lambda：

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket-12567"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

data "archive_file" "lambda" {
  type        = "zip"
  source_file = "${path.module}/src/hash.py"
  output_path = "${path.module}/src/hash.py.zip"
}
 
resource "aws_iam_role" "iam_for_lambda" {
  # add S3 inline policies for lambda to be able to read/write from/to S3 bucket
  name = "iam_for_lambda"
 
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
 
resource "aws_lambda_function" "hasher_lambda" {
  filename      = data.archive_file.lambda.output_path
  function_name = "hasher_lambda"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "hash.handler"
  runtime       = "python3.8"
}

如何在 Terraform 中配置 AWS lambda 以由 S3 存储桶 my-tf-test-bucket-12567 触发？

Answer 1

您可能需要创建aws_s3_bucket_notification 和aws_lambda_permission 才能让S3 事件调用该函数。

Lambda 权限：

resource "aws_lambda_permission" "allow_bucket" {
  statement_id  = "AllowExecutionFromS3Bucket"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.hasher_lambda.arn
  principal     = "s3.amazonaws.com"
  source_arn    = aws_s3_bucket.bucket.arn
}

存储桶通知：

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.b.id

  lambda_function {
    lambda_function_arn = aws_lambda_function.func.arn
    events              = ["s3:ObjectCreated:*"]
  }

  depends_on = [aws_lambda_permission.allow_bucket]
}

可能有多种事件通知类型可能会导致调用 Lambda。整个列表可以在 AWS 文档中找到：source。