Using the Terraform resource aws_lambda_permission, you can grant a specific AWS Lambda function permissions to interact with AWS services. You can also use this resource to test the properties of a single AWS Lambda permission. For example, you can test whether a function has the permission to access the Secrets Manager secret.
AWS Lambda is an AWS service that allows you to run code without provisioning servers. However, AWS Lambda requires permissions to interact with other AWS services and resources. You can achieve this by adding the appropriate resources and a Lambda resource policy. However, the Terraform provider is inconsistent when it comes to naming a resource: it will either give you a fixed name or auto-generate one. You might need to expand the IAM policy to solve the problem.
In addition to the aws_lambda_permission resource, you can use the aws_apigatewayv2_api resource to add an HTTP API to your Lambda function. The aws_apigatewayv2_api resource requires an S3 bucket and the resource name. This resource is more lightweight than aws_lambda_permission: it omits the logging, stage, and other features of aws_lambda_permission.
You can also add a path pattern to your code to route it between different origins. However, adding this feature limits the portability of your code. If you do this, you will need to add an extra print statement in your code to fix the problem.
Another way to test the AWS::Lambda::Permission resource is to use the InSpec audit resource. This resource is available in the Chef InSpec AWS resource pack. The InSpec audit resource provides Universal Matchers and special matchers for AWS services. The InSpec audit resource also has a get method that passes if the call returns. Depending on your application, you may need to add additional resources to test the properties of your AWS::Lambda::Permission.
You can also add a role attribute to your function. This attribute overrides the role declared at the provider level. You can use an ARN or a logical name to define the role. The best practice is to grant only the least permissions that are necessary. You can also attach an IAM policy to your function's execution role. The IAM policy must grant permission for all the actions, but you can make the policy less permissive.
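The permission described above (aws_lambda_permission) ends up as a statement in the function's resource policy, and the least-privilege advice here means pinning that statement to a specific caller. The following is an added example, not code from the page, from Terraform or from the InSpec resource pack: a small Python audit that builds the statement an aws_lambda_permission-style grant produces (the statement_id, action, principal, source_arn and source_account arguments are assumed to map onto the Sid, Action, Principal and Condition fields as shown) and flags statements that let a service principal invoke the function without a SourceArn or SourceAccount condition, or that use wildcard principals or actions. The policy document and ARNs are constructed sample data.

```python
"""Audit a Lambda resource policy for over-broad invoke grants.

Hypothetical helper (not part of the page, Terraform or InSpec). Input is the
policy document shape that `aws lambda get-policy` returns.
"""
import json

# Constructed sample policy: one pinned grant, one unpinned service grant,
# and one wildcard grant. Account id and ARNs are made up.
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "AllowAPIGatewayInvoke",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example",
            "Condition": {"ArnLike": {
                "AWS:SourceArn": "arn:aws:execute-api:us-east-1:111122223333:abc123/*/GET/items"
            }},
        },
        {
            "Sid": "AllowS3Invoke",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example",
        },
        {
            "Sid": "AllowAnyone",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:*",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example",
        },
    ],
}


def permission_statement(statement_id, action, principal, function_arn,
                         source_arn=None, source_account=None):
    """Statement produced by an add-permission style grant (assumed mapping
    of aws_lambda_permission arguments onto the policy statement)."""
    is_service = principal.endswith(".amazonaws.com")
    stmt = {
        "Sid": statement_id,
        "Effect": "Allow",
        "Principal": {"Service": principal} if is_service else {"AWS": principal},
        "Action": action,
        "Resource": function_arn,
    }
    condition = {}
    if source_arn:
        condition.setdefault("ArnLike", {})["AWS:SourceArn"] = source_arn
    if source_account:
        condition.setdefault("StringEquals", {})["AWS:SourceAccount"] = source_account
    if condition:
        stmt["Condition"] = condition
    return stmt


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_source_condition(stmt):
    # Condition keys are case-insensitive in IAM, so compare lower-cased.
    for values in stmt.get("Condition", {}).values():
        for key in values:
            if key.lower() in ("aws:sourcearn", "aws:sourceaccount"):
                return True
    return False


def statement_findings(stmt):
    """List of least-privilege findings for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    principal = stmt.get("Principal")
    if principal == "*" or principal == {"AWS": "*"}:
        findings.append("principal is a wildcard")
    if any(a in ("*", "lambda:*") for a in _as_list(stmt.get("Action"))):
        findings.append("action is a wildcard")
    if isinstance(principal, dict) and "Service" in principal and not _has_source_condition(stmt):
        findings.append("service principal without SourceArn/SourceAccount condition")
    return findings


def audit_policy(policy):
    """Return {Sid: [findings]} for every statement that has a finding."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    result = {}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        findings = statement_findings(stmt)
        if findings:
            result[stmt.get("Sid", f"statement-{index}")] = findings
    return result


if __name__ == "__main__":
    for sid, findings in audit_policy(CONSTRUCTED_POLICY).items():
        print(f"{sid}: " + "; ".join(findings))
```

Run it against the output of `aws lambda get-policy --function-name <name>` (the Policy field is a JSON string, which audit_policy accepts) and treat any finding on a service-principal statement as a grant that should be narrowed with source_arn or source_account.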
For more information, see the documentation for the Chef InSpec AWS resource pack. This pack includes a number of different resources, and it also provides information about configuring your AWS environment. Specifically, you will need to create a profile with the ID of the statement you want to test.
In addition, you can use the aws_efs_access_point resource to invoke a Lambda function for an asynchronous flow. You may also need an aws_efs_mount_target resource, a log group with the aws_efs_file_system resource, and a vpc_config block in your code.
The aws_apigatewayv2_api example policy grants you full access to the Secrets Manager secret. It also gives you permissions for most of the common Secrets Manager actions.