Matt W

Reputation: 12423

How to construct import command for aws_lambda_permission

Now that Terraform can import Lambda permissions (which was not possible when this post was made), how do I find the function_name/statement_id portion of the import arguments for the aws_lambda_permission resource?

I guess this could be rephrased as: Where do I find the SID for the permission object when it has been created by, e.g., the console?

In the permissions tab of the Lambda function I have this policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "11111111-1234-1234-1234-1234567891234",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-2:123456789012:function:MyLizardApp",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:eu-west-2:123456789012:hfqy1l9g3m/*/*/*"
        }
      }
    },
    {
      "Sid": "22222222-1234-1234-1234-1234567891234",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-2:123456789012:function:MyLizardApp",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:eu-west-2:123456789012:hfqy1l9g3m/*/*/"
        }
      }
    }
  ]
}

The import command I'm attempting to use is this:

terraform import aws_lambda_permission.apigw_lambda_proxy MyLizardApp/InvokeFunction

I'm doing this to attempt to populate the Terraform resource (this is described as one method of importing Terraform in this post):

resource "aws_lambda_permission" "apigw_lambda_proxy" {
}

resource "aws_lambda_permission" "apigw_lambda_root" {
}

Upvotes: 0

Views: 261

Answers (1)

ydaetskcoR

Reputation: 56887

This should just be in the Permissions tab in the Lambda function in the AWS console. The first section of that tab is the permissions that the Lambda function has, while the second part (titled Resource-based policy) has the permissions for invoking the Lambda function from other AWS services.

You should also be able to get it by using the AWS CLI's aws lambda get-policy. This will return the invocation policy as nested, escaped JSON which can be extracted with jq:

aws lambda get-policy --function-name MY_EXAMPLE_FUNCTION | jq -r '.Policy | fromjson | .Statement[].Sid'

Upvotes: 1
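
Added example (not part of the answer above, and not Terraform or AWS code): a Python sketch that parses `aws lambda get-policy` output and builds the `function_name/statement_id` import ID for each statement, reporting each statement's source ARN so it can be matched to the right resource block. The sample input is constructed from the policy in the question, the Sid-to-resource mapping in `__main__` is an assumption, and the `function_name:qualifier/statement_id` handling goes beyond the unqualified case in the question.

```python
import json
import shlex

def sample_statement(sid, source_arn):
    # Constructed statement mirroring the policy shown in the question.
    return {"Sid": sid, "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-2:123456789012:function:MyLizardApp",
            "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}}}

API = "arn:aws:execute-api:eu-west-2:123456789012:hfqy1l9g3m"
# Constructed sample of `aws lambda get-policy` output: Policy is an escaped JSON string.
SAMPLE = json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    sample_statement("11111111-1234-1234-1234-1234567891234", API + "/*/*/*"),
    sample_statement("22222222-1234-1234-1234-1234567891234", API + "/*/*/"),
]}), "RevisionId": "constructed-revision-id"})

def import_ids(get_policy_output):
    """Return one dict per statement: sid, source_arn and the Terraform import ID."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])  # nested JSON
    rows = []
    for stmt in policy["Statement"]:
        # Resource is arn:aws:lambda:REGION:ACCOUNT:function:NAME[:QUALIFIER]
        name, _, qualifier = stmt["Resource"].split(":function:", 1)[1].partition(":")
        target = f"{name}:{qualifier}" if qualifier else name
        source = None
        for operator in stmt.get("Condition", {}).values():
            for key, value in operator.items():
                if key.lower() == "aws:sourcearn":
                    source = value
        rows.append({"sid": stmt["Sid"], "source_arn": source,
                     "import_id": f"{target}/{stmt['Sid']}"})
    return rows

def import_commands(rows, addresses):
    """addresses maps a Sid to the Terraform resource address chosen for it."""
    return [f"terraform import {addresses[r['sid']]} {shlex.quote(r['import_id'])}"
            for r in rows if r["sid"] in addresses]

if __name__ == "__main__":
    rows = import_ids(SAMPLE)
    for row in rows:
        print(row["sid"], "->", row["source_arn"])
    # Assumed mapping: decide it by comparing each source_arn with your config.
    mapping = {rows[0]["sid"]: "aws_lambda_permission.apigw_lambda_proxy",
               rows[1]["sid"]: "aws_lambda_permission.apigw_lambda_root"}
    print("\n".join(import_commands(rows, mapping)))
```

A statement whose `source_arn` comes back as `None` has no source ARN condition restricting which caller the principal can act for, which is worth reviewing before it is imported as-is.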
