Brad Poulton пре 3 година
родитељ
комит
f58e3b638a

+ 2 - 0
base/customer_portal_lambda/README.md

@@ -1 +1,3 @@
 # Customer Portal Lambda
+
+Note there is a dependence in 005-iam for the PassRole action for the portal role.

+ 4 - 0
base/threatquotient_lambda/README.md

@@ -0,0 +1,4 @@
+# Threatquotient_lambda
+
+Note, this lambda function creates the threatq-data-sync-lambda-role. There is a dependence in 005-iam for the PassRole action for the role. There is also a dependency on the Vault containing the correct values. 
+

+ 8 - 0
base/threatquotient_lambda/iam.tf

@@ -13,6 +13,14 @@ data "aws_iam_policy_document" "policy_document" {
     ]
     resources = ["*"]
   }
+  statement {
+    effect = "Allow"
+    actions = [ "s3:*", ]
+    resources = [ 
+    "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}",
+    "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}/*",
+    ]
+  }
 }
 
 resource "aws_iam_policy" "policy" {
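Review bot: The two `resources` entries in the new statement wrap `aws_s3_bucket.bucket.arn` in another `arn:${var.aws_partition}:s3:::` prefix, but that attribute is already a complete ARN (`arn:<partition>:s3:::<name>`), so the policy ends up naming a resource like `arn:aws:s3:::arn:aws:s3:::<name>` that no bucket can have (bucket names cannot contain colons) and the role gets no effective access to the bucket — the same arn-versus-name mix-up this commit fixes in main.tf. Use the attribute directly: `aws_s3_bucket.bucket.arn` and `"${aws_s3_bucket.bucket.arn}/*"`. `s3:*` is also broader than a sync function needs; listing the object read/write actions it performs on the `/*` ARN and `s3:ListBucket` on the bucket ARN would keep the role to least privilege. The enclosing `data "aws_iam_policy_document"` block starts before the hunk.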

+ 1 - 1
base/threatquotient_lambda/main.tf

@@ -40,7 +40,7 @@ resource "aws_lambda_function" "function" {
   description      = "Sync data between ThreatQ and Splunk"
   #filename         = "code.zip"
   #source_code_hash = filebase64sha256("code.zip")
-  s3_bucket        = aws_s3_bucket.bucket.arn
+  s3_bucket        = aws_s3_bucket.bucket.id
   s3_key           = "code.zip"
   function_name    = "threatq_data_sync"
   role             = aws_iam_role.role.arn
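Review bot: `s3_key = "code.zip"` is a literal, so nothing orders this function after the placeholder object that s3.tf creates in the same commit; on a fresh apply Terraform can create the Lambda before `code.zip` exists in the bucket and the create fails with a missing-key error. Referencing the object instead, `s3_key = aws_s3_bucket_object.object.key`, gives Terraform the dependency and keeps the key in one place. The `aws_lambda_function` block starts and ends outside the hunk.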

+ 8 - 0
base/threatquotient_lambda/s3.tf

@@ -86,3 +86,11 @@ resource "aws_kms_alias" "key_alias" {
   name          = "alias/threatq-lambda-s3-key"
   target_key_id = aws_kms_key.key.key_id
 }
+
+#upload the initial code as a placeholder
+resource "aws_s3_bucket_object" "object" {
+  bucket = aws_s3_bucket.bucket.id
+  key    = "code.zip"
+  source = "code.zip"
+  etag = filemd5("code.zip")
+}
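Review bot: `source = "code.zip"` and `filemd5("code.zip")` resolve the path against the working directory rather than this module, so the upload only works when apply is run from the module directory; `"${path.module}/code.zip"` in both places is robust. If the bucket's default encryption uses the KMS key declared just above (the alias is visible, the bucket's encryption block is not), S3 returns an ETag that is not the content MD5, so the `etag` comparison shows a change on every plan; `source_hash` is the provider's alternative where the provider version supports it. Since the comment says this object is only a placeholder that a deployment overwrites, a `lifecycle { ignore_changes = [etag, source] }` block prevents a later apply from rolling the function's code back to the placeholder.
```hcl
resource "aws_s3_bucket_object" "object" {
  bucket = aws_s3_bucket.bucket.id
  key    = "code.zip"
  source = "${path.module}/code.zip"
  etag   = filemd5("${path.module}/code.zip")

  # Placeholder only: the real code is presumably deployed out of band,
  # so do not re-upload this file over it on later applies.
  lifecycle {
    ignore_changes = [etag, source]
  }
}
```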