I'm trying to convert a serverless framework
YML file into a Terraform script.
It's my first time with terraform
and I don't have much experience with infra either.
I'm getting some errors with my Terraform but my question is more about my approach.
Is there a better/simpler/smarter way to write the same serverless YML in Terraform?
Maybe there are modules out there that would make my life easier.
Terraform
# Lambda invoke function role data
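data "aws_iam_policy_document" "lambda_invoke_function_role" {
  # Trust policy for the Lambda execution role: only the Lambda service may
  # assume it (mirrors AssumeRolePolicyDocument in the CloudFormation template).
  version = "2012-10-17"

  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # A principals block takes a principal `type` and a list of `identifiers`;
    # a bare `service` attribute is not a valid argument here.
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}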
# Lambda ec2
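data "aws_iam_policy_document" "ec2_lambda_policies_role" {
  # ENI permissions a VPC-attached Lambda function needs
  # (ec2LambdaPolicies in the CloudFormation template).
  version = "2012-10-17"

  statement {
    sid    = ""
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DetachNetworkInterface",
      "ec2:DeleteNetworkInterface"
    ]

    # `resources` is a list, not a string. These EC2 ENI actions are not
    # scoped to a resource ARN, so "*" is expected here. Note that this
    # statement largely overlaps with the AWSLambdaVPCAccessExecutionRole
    # managed policy attached below, so one of the two is probably redundant.
    resources = ["*"]
  }
}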
# Lambda allow invoke
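data "aws_iam_policy_document" "allow_invoke_role" {
  # Lets the function invoke other Lambda functions
  # (AllowInvoke in the CloudFormation template).
  version = "2012-10-17"

  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["lambda:InvokeFunction"]

    # `resources` is a list, not a string. "*" permits invoking every function
    # in the account; if the callee functions are known, list their ARNs here
    # instead to keep the role least-privilege.
    resources = ["*"]
  }
}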
# Lambda invoke function role
resource "aws_iam_role" "lambda_invoke_function_role" {
  # Execution role assumed by Lambda; the trust policy is rendered by the
  # lambda_invoke_function_role policy document above.
  assume_role_policy = "${data.aws_iam_policy_document.lambda_invoke_function_role.json}"
  name               = "lambdaRole"
}
# EC2 ##############################################################################
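resource "aws_iam_policy" "ec2_lambda_policies_policy" {
  # Customer-managed policy built from the ec2_lambda_policies_role document.
  # aws_iam_policy has no `assume_role_policy` argument (that belongs to
  # aws_iam_role); the rendered document goes in `policy`.
  name   = "ec2LambdaPolicy"
  policy = "${data.aws_iam_policy_document.ec2_lambda_policies_role.json}"
}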
resource "aws_iam_role_policy_attachment" "ec2_lambda_policies_policy_attachment" {
  # Attach the EC2 ENI policy to the Lambda execution role.
  policy_arn = "${aws_iam_policy.ec2_lambda_policies_policy.arn}"
  role       = "${aws_iam_role.lambda_invoke_function_role.name}"
}
###############################################################################
# Allow Invoke #####################################################################
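resource "aws_iam_policy" "allow_invoke_policy" {
  # Customer-managed policy built from the allow_invoke_role document.
  # aws_iam_policy has no `assume_role_policy` argument (that belongs to
  # aws_iam_role); the rendered document goes in `policy`.
  name   = "allowInvokePolicy"
  policy = "${data.aws_iam_policy_document.allow_invoke_role.json}"
}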
resource "aws_iam_role_policy_attachment" "allow_invoke_policy_attachment" {
  # Attach the lambda:InvokeFunction policy to the Lambda execution role.
  policy_arn = "${aws_iam_policy.allow_invoke_policy.arn}"
  role       = "${aws_iam_role.lambda_invoke_function_role.name}"
}
###############################################################################
# Lambda invoke function role policy attachment
resource "aws_iam_role_policy_attachment" "aws_lambda_basic_execution_role" {
  # AWS-managed policy for CloudWatch Logs access (first ManagedPolicyArns entry
  # in the CloudFormation template).
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = "${aws_iam_role.lambda_invoke_function_role.name}"
}
# Lambda invoke function role policy attachment
resource "aws_iam_role_policy_attachment" "aws_lambda_vpc_access_execution_role" {
  # AWS-managed policy for VPC-attached functions (second ManagedPolicyArns
  # entry in the CloudFormation template).
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
  role       = "${aws_iam_role.lambda_invoke_function_role.name}"
}
Serverless YML (CloudFormation)
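# IAM execution role for the Lambda functions (Serverless Framework resource,
# expressed as CloudFormation). Indentation restored so the document parses.
LambdaRole:
  Type: AWS::IAM::Role
  Properties:
    Path: '/'
    RoleName: LambdaRole
    # Trust policy: only the Lambda service may assume this role.
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action: sts:AssumeRole
    # Inline policies. In Terraform these map to aws_iam_role_policy, or to
    # aws_iam_policy plus aws_iam_role_policy_attachment.
    Policies:
      - PolicyName: ec2LambdaPolicies
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # ENI management for a VPC-attached function; these EC2 actions are
            # not ARN-scoped, hence "*". Largely overlaps with the
            # AWSLambdaVPCAccessExecutionRole managed policy listed below.
            - Effect: Allow
              Action:
                - ec2:CreateNetworkInterface
                - ec2:DescribeNetworkInterfaces
                - ec2:DetachNetworkInterface
                - ec2:DeleteNetworkInterface
              Resource: "*"
      - PolicyName: 'AllowInvoke'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # '*' lets this role invoke any function in the account; narrow it
            # to the callee function ARNs where they are known.
            - Effect: 'Allow'
              Action: 'lambda:InvokeFunction'
              Resource: '*'
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole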
You may want to take a look at cf-to-tf which will convert cloudformation into terraform.
cf-to-tf --stack foobarbaz config | json2hcl | cf-to-tf clean-hcl | terraform fmt -
That will import your stack foobarbaz from AWS, convert it into Terraform, and print it to stdout.