import * as pulumi from "@pulumi/pulumi";
import { Function } from "./index";
/**
* Manages an AWS Lambda permission. Use this resource to grant external sources (e.g., EventBridge Rules, SNS, or S3) permission to invoke Lambda functions.
*
* ## Example Usage
*
* ### Basic Usage with EventBridge
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const iamForLambda = new aws.iam.Role("iam_for_lambda", {
* name: "iam_for_lambda",
* assumeRolePolicy: JSON.stringify({
* Version: "2012-10-17",
* Statement: [{
* Action: "sts:AssumeRole",
* Effect: "Allow",
* Sid: "",
* Principal: {
* Service: "lambda.amazonaws.com",
* },
* }],
* }),
* });
* const testLambda = new aws.lambda.Function("test_lambda", {
* code: new pulumi.asset.FileArchive("lambdatest.zip"),
* name: "lambda_function_name",
* role: iamForLambda.arn,
* handler: "exports.handler",
* runtime: aws.lambda.Runtime.NodeJS20dX,
* });
* const testAlias = new aws.lambda.Alias("test_alias", {
* name: "testalias",
* description: "a sample description",
* functionName: testLambda.name,
* functionVersion: "$LATEST",
* });
* const allowCloudwatch = new aws.lambda.Permission("allow_cloudwatch", {
* statementId: "AllowExecutionFromCloudWatch",
* action: "lambda:InvokeFunction",
* "function": testLambda.name,
* principal: "events.amazonaws.com",
* sourceArn: "arn:aws:events:eu-west-1:111122223333:rule/RunDaily",
* qualifier: testAlias.name,
* });
* ```
*
* ### SNS Integration
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const _default = new aws.sns.Topic("default", {name: "call-lambda-maybe"});
* const defaultRole = new aws.iam.Role("default", {
* name: "iam_for_lambda_with_sns",
* assumeRolePolicy: JSON.stringify({
* Version: "2012-10-17",
* Statement: [{
* Action: "sts:AssumeRole",
* Effect: "Allow",
* Sid: "",
* Principal: {
* Service: "lambda.amazonaws.com",
* },
* }],
* }),
* });
* const func = new aws.lambda.Function("func", {
* code: new pulumi.asset.FileArchive("lambdatest.zip"),
* name: "lambda_called_from_sns",
* role: defaultRole.arn,
* handler: "exports.handler",
* runtime: aws.lambda.Runtime.Python3d12,
* });
* const withSns = new aws.lambda.Permission("with_sns", {
* statementId: "AllowExecutionFromSNS",
* action: "lambda:InvokeFunction",
* "function": func.name,
* principal: "sns.amazonaws.com",
* sourceArn: _default.arn,
* });
* const lambda = new aws.sns.TopicSubscription("lambda", {
* topic: _default.arn,
* protocol: "lambda",
* endpoint: func.arn,
* });
* ```
*
* ### API Gateway REST API Integration
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const myDemoAPI = new aws.apigateway.RestApi("MyDemoAPI", {
* name: "MyDemoAPI",
* description: "This is my API for demonstration purposes",
* });
* const lambdaPermission = new aws.lambda.Permission("lambda_permission", {
* statementId: "AllowMyDemoAPIInvoke",
* action: "lambda:InvokeFunction",
* "function": "MyDemoFunction",
* principal: "apigateway.amazonaws.com",
* sourceArn: pulumi.interpolate`${myDemoAPI.executionArn}/*`,
* });
* ```
*
* ### CloudWatch Log Group Integration
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const _default = new aws.cloudwatch.LogGroup("default", {name: "/default"});
* const assumeRole = aws.iam.getPolicyDocument({
* statements: [{
* effect: "Allow",
* principals: [{
* type: "Service",
* identifiers: ["lambda.amazonaws.com"],
* }],
* actions: ["sts:AssumeRole"],
* }],
* });
* const defaultRole = new aws.iam.Role("default", {
* name: "iam_for_lambda_called_from_cloudwatch_logs",
* assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
* });
* const loggingFunction = new aws.lambda.Function("logging", {
* code: new pulumi.asset.FileArchive("lambda_logging.zip"),
* name: "lambda_called_from_cloudwatch_logs",
* handler: "exports.handler",
* role: defaultRole.arn,
* runtime: aws.lambda.Runtime.Python3d12,
* });
* const logging = new aws.lambda.Permission("logging", {
* action: "lambda:InvokeFunction",
* "function": loggingFunction.name,
* principal: "logs.eu-west-1.amazonaws.com",
* sourceArn: pulumi.interpolate`${_default.arn}:*`,
* });
* const loggingLogSubscriptionFilter = new aws.cloudwatch.LogSubscriptionFilter("logging", {
* destinationArn: loggingFunction.arn,
* filterPattern: "",
* logGroup: _default.name,
* name: "logging_default",
* }, {
* dependsOn: [logging],
* });
* ```
*
* ### Cross-Account Function URL Access
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* // `example` is an aws.lambda.Function declared elsewhere in the program.
* const url = new aws.lambda.FunctionUrl("url", {
* functionName: example.functionName,
* authorizationType: "AWS_IAM",
* });
* const urlPermission = new aws.lambda.Permission("url", {
* action: "lambda:InvokeFunctionUrl",
* "function": example.functionName,
* principal: "arn:aws:iam::444455556666:role/example",
* sourceAccount: "444455556666",
* functionUrlAuthType: "AWS_IAM",
* });
* ```
*/
export declare class Permission extends pulumi.CustomResource {
    /**
     * Get an existing Permission resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * This looks up an already-provisioned permission statement; it does not create or change one.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup (see `PermissionState`; every field is optional).
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PermissionState, opts?: pulumi.CustomResourceOptions): Permission;
    /**
     * Returns true if the given object is an instance of Permission. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * `obj: any` is the generated SDK signature: any value may be passed and the predicate narrows it.
     */
    static isInstance(obj: any): obj is Permission;
    /**
     * Lambda action to allow in this statement (e.g., `lambda:InvokeFunction`).
     * The examples above use `lambda:InvokeFunction` for service and API invocations and
     * `lambda:InvokeFunctionUrl` for Function URL access.
     */
    readonly action: pulumi.Output<string>;
    /**
     * Event Source Token for Alexa Skills
     */
    readonly eventSourceToken: pulumi.Output<string | undefined>;
    /**
     * Name or ARN of the Lambda function.
     * On the resource this is the resolved string; `PermissionArgs.function` additionally accepts a `Function` resource.
     */
    readonly function: pulumi.Output<string>;
    /**
     * Lambda Function URL authentication type. Valid values: `AWS_IAM` or `NONE`. Only valid with `lambda:InvokeFunctionUrl` action.
     *
     * NOTE(review): `NONE` presumably lets the URL be invoked without IAM authentication — confirm against the
     * Function URL docs before granting it; the Cross-Account example above uses `AWS_IAM`.
     */
    readonly functionUrlAuthType: pulumi.Output<string | undefined>;
    /**
     * AWS service or account that invokes the function (e.g., `s3.amazonaws.com`, `sns.amazonaws.com`, AWS account ID, or AWS IAM principal)
     *
     * NOTE(review): a service principal such as `events.amazonaws.com` is not specific to one account; every
     * example above pairs it with `sourceArn` (or `sourceAccount`) so the grant is scoped to a single
     * rule/topic/API/log group. Treat a service-principal grant without either as a finding to confirm.
     *
     * Arguments after this one are optional.
     */
    readonly principal: pulumi.Output<string>;
    /**
     * AWS Organizations ID to grant permission to all accounts under this organization.
     * This widens the grant to every account in the organization; pair it with `sourceArn`/`sourceAccount`
     * where the invoking resource is known.
     */
    readonly principalOrgId: pulumi.Output<string | undefined>;
    /**
     * Lambda function version or alias name.
     * The Basic Usage example scopes the grant to the `testalias` alias rather than the unqualified function.
     */
    readonly qualifier: pulumi.Output<string | undefined>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration
     */
    readonly region: pulumi.Output<string>;
    /**
     * AWS account ID of the source owner for cross-account access, S3, or SES.
     * The Cross-Account Function URL example sets this to the calling account alongside an IAM-role `principal`.
     */
    readonly sourceAccount: pulumi.Output<string | undefined>;
    /**
     * ARN of the source resource granting permission to invoke the Lambda function.
     *
     * NOTE(review): a wildcard suffix (as in the API Gateway example's `${executionArn}/*`) matches everything
     * beneath that ARN prefix — presumably every stage and route; narrow it when the calling resource is fixed.
     */
    readonly sourceArn: pulumi.Output<string | undefined>;
    /**
     * Statement identifier. Generated by Pulumi if not provided.
     * Mutually exclusive with `statementIdPrefix`.
     */
    readonly statementId: pulumi.Output<string>;
    /**
     * Statement identifier prefix. Conflicts with `statementId`
     */
    readonly statementIdPrefix: pulumi.Output<string>;
    /**
     * Create a Permission resource with the given unique name, arguments, and options.
     *
     * `args.action`, `args.function` and `args.principal` are required (see `PermissionArgs`); all other
     * arguments are optional.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: PermissionArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Permission resources.
*/
export interface PermissionState {
    /**
     * Lambda action to allow in this statement (e.g., `lambda:InvokeFunction`)
     */
    action?: pulumi.Input<string>;
    /**
     * Event Source Token for Alexa Skills
     */
    eventSourceToken?: pulumi.Input<string>;
    /**
     * Name or ARN of the Lambda function.
     * Accepts either the string name/ARN or a `Function` resource from this package.
     */
    function?: pulumi.Input<string | Function>;
    /**
     * Lambda Function URL authentication type. Valid values: `AWS_IAM` or `NONE`. Only valid with `lambda:InvokeFunctionUrl` action.
     * NOTE(review): `NONE` presumably means unauthenticated invocation of the URL — confirm before using it in a lookup filter.
     */
    functionUrlAuthType?: pulumi.Input<string>;
    /**
     * AWS service or account that invokes the function (e.g., `s3.amazonaws.com`, `sns.amazonaws.com`, AWS account ID, or AWS IAM principal)
     *
     * NOTE(review): a service principal is not specific to one account; the usage examples pair it with
     * `sourceArn` or `sourceAccount` so the grant is scoped to one source resource.
     *
     * Arguments after this one are optional.
     */
    principal?: pulumi.Input<string>;
    /**
     * AWS Organizations ID to grant permission to all accounts under this organization.
     * This widens the grant to every account in the organization.
     */
    principalOrgId?: pulumi.Input<string>;
    /**
     * Lambda function version or alias name
     */
    qualifier?: pulumi.Input<string>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration
     */
    region?: pulumi.Input<string>;
    /**
     * AWS account ID of the source owner for cross-account access, S3, or SES
     */
    sourceAccount?: pulumi.Input<string>;
    /**
     * ARN of the source resource granting permission to invoke the Lambda function.
     * NOTE(review): a trailing wildcard (e.g. `/*`) matches everything beneath that ARN prefix; narrow it when the source is fixed.
     */
    sourceArn?: pulumi.Input<string>;
    /**
     * Statement identifier. Generated by Pulumi if not provided.
     * Mutually exclusive with `statementIdPrefix`.
     */
    statementId?: pulumi.Input<string>;
    /**
     * Statement identifier prefix. Conflicts with `statementId`
     */
    statementIdPrefix?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing a Permission resource.
*/
export interface PermissionArgs {
    /**
     * Lambda action to allow in this statement (e.g., `lambda:InvokeFunction`).
     * Required. Use `lambda:InvokeFunctionUrl` (with `functionUrlAuthType`) for Function URL access.
     */
    action: pulumi.Input<string>;
    /**
     * Event Source Token for Alexa Skills
     */
    eventSourceToken?: pulumi.Input<string>;
    /**
     * Name or ARN of the Lambda function.
     * Required. Accepts either the string name/ARN or a `Function` resource from this package.
     */
    function: pulumi.Input<string | Function>;
    /**
     * Lambda Function URL authentication type. Valid values: `AWS_IAM` or `NONE`. Only valid with `lambda:InvokeFunctionUrl` action.
     * NOTE(review): `NONE` presumably allows unauthenticated invocation of the URL — confirm against the Function URL docs before granting it.
     */
    functionUrlAuthType?: pulumi.Input<string>;
    /**
     * AWS service or account that invokes the function (e.g., `s3.amazonaws.com`, `sns.amazonaws.com`, AWS account ID, or AWS IAM principal)
     *
     * Required. NOTE(review): a service principal is not specific to one account; every usage example pairs it
     * with `sourceArn` (or `sourceAccount`) so the grant is scoped to one rule/topic/API/log group. Review any
     * service-principal grant that sets neither.
     *
     * Arguments after this one are optional.
     */
    principal: pulumi.Input<string>;
    /**
     * AWS Organizations ID to grant permission to all accounts under this organization.
     * This widens the grant to every account in the organization; pair it with `sourceArn`/`sourceAccount`
     * where the invoking resource is known.
     */
    principalOrgId?: pulumi.Input<string>;
    /**
     * Lambda function version or alias name.
     * Scopes the grant to that version/alias instead of the unqualified function (see the Basic Usage example).
     */
    qualifier?: pulumi.Input<string>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration
     */
    region?: pulumi.Input<string>;
    /**
     * AWS account ID of the source owner for cross-account access, S3, or SES
     */
    sourceAccount?: pulumi.Input<string>;
    /**
     * ARN of the source resource granting permission to invoke the Lambda function.
     * NOTE(review): a trailing wildcard (e.g. the API Gateway example's `${executionArn}/*`) matches everything
     * beneath that ARN prefix; narrow it when the calling resource is fixed.
     */
    sourceArn?: pulumi.Input<string>;
    /**
     * Statement identifier. Generated by Pulumi if not provided.
     * Mutually exclusive with `statementIdPrefix`.
     */
    statementId?: pulumi.Input<string>;
    /**
     * Statement identifier prefix. Conflicts with `statementId`
     */
    statementIdPrefix?: pulumi.Input<string>;
}