
@pulumi/aws


A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

"use strict";
// *** WARNING: this file was generated by pulumi-language-nodejs. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
Object.defineProperty(exports, "__esModule", { value: true });
exports.Permission = void 0;
const pulumi = require("@pulumi/pulumi");
const utilities = require("../utilities");

// Every input property copied from `argsOrState` into the resource inputs, in assignment order.
const INPUT_PROPERTIES = Object.freeze([
    "action",
    "eventSourceToken",
    "function",
    "functionUrlAuthType",
    "principal",
    "principalOrgId",
    "qualifier",
    "region",
    "sourceAccount",
    "sourceArn",
    "statementId",
    "statementIdPrefix",
]);

// Properties that must be present when creating a new resource, paired with the error raised when absent.
const REQUIRED_INPUTS = Object.freeze([
    ["action", "Missing required property 'action'"],
    ["function", "Missing required property 'function'"],
    ["principal", "Missing required property 'principal'"],
]);

/**
 * Manages an AWS Lambda permission. Use this resource to grant external sources (e.g., EventBridge Rules, SNS, or S3) permission to invoke Lambda functions.
 *
 * ## Security Considerations
 *
 * Each `Permission` adds a statement to the function's resource-based policy, so
 * `principal` and the accompanying conditions decide who is able to invoke the function.
 *
 * - When `principal` is an AWS service (for example `events.amazonaws.com`,
 *   `sns.amazonaws.com` or `s3.amazonaws.com`), also set `sourceArn` and/or
 *   `sourceAccount`. Without them the statement is not tied to a particular resource
 *   or account, which leaves the function open to confused-deputy invocation through
 *   that service.
 * - S3 bucket ARNs do not contain an account ID, so pair `sourceArn` with
 *   `sourceAccount` for S3 triggers.
 * - The trailing `/*` in the API Gateway example below covers every stage, method and
 *   resource path of that API. Use a more specific execution ARN when only one route
 *   should reach the function.
 * - For `lambda:InvokeFunctionUrl`, `functionUrlAuthType: "AWS_IAM"` (as in the
 *   cross-account example) keeps the URL behind IAM authentication; `"NONE"` permits
 *   unauthenticated callers.
 * - `principalOrgId` can restrict a grant to principals inside one AWS Organization.
 *
 * ## Example Usage
 *
 * ### Basic Usage with EventBridge
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const iamForLambda = new aws.iam.Role("iam_for_lambda", {
 *     name: "iam_for_lambda",
 *     assumeRolePolicy: JSON.stringify({
 *         Version: "2012-10-17",
 *         Statement: [{
 *             Action: "sts:AssumeRole",
 *             Effect: "Allow",
 *             Sid: "",
 *             Principal: {
 *                 Service: "lambda.amazonaws.com",
 *             },
 *         }],
 *     }),
 * });
 * const testLambda = new aws.lambda.Function("test_lambda", {
 *     code: new pulumi.asset.FileArchive("lambdatest.zip"),
 *     name: "lambda_function_name",
 *     role: iamForLambda.arn,
 *     handler: "exports.handler",
 *     runtime: aws.lambda.Runtime.NodeJS20dX,
 * });
 * const testAlias = new aws.lambda.Alias("test_alias", {
 *     name: "testalias",
 *     description: "a sample description",
 *     functionName: testLambda.name,
 *     functionVersion: "$LATEST",
 * });
 * const allowCloudwatch = new aws.lambda.Permission("allow_cloudwatch", {
 *     statementId: "AllowExecutionFromCloudWatch",
 *     action: "lambda:InvokeFunction",
 *     "function": testLambda.name,
 *     principal: "events.amazonaws.com",
 *     sourceArn: "arn:aws:events:eu-west-1:111122223333:rule/RunDaily",
 *     qualifier: testAlias.name,
 * });
 * ```
 *
 * ### SNS Integration
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const _default = new aws.sns.Topic("default", {name: "call-lambda-maybe"});
 * const defaultRole = new aws.iam.Role("default", {
 *     name: "iam_for_lambda_with_sns",
 *     assumeRolePolicy: JSON.stringify({
 *         Version: "2012-10-17",
 *         Statement: [{
 *             Action: "sts:AssumeRole",
 *             Effect: "Allow",
 *             Sid: "",
 *             Principal: {
 *                 Service: "lambda.amazonaws.com",
 *             },
 *         }],
 *     }),
 * });
 * const func = new aws.lambda.Function("func", {
 *     code: new pulumi.asset.FileArchive("lambdatest.zip"),
 *     name: "lambda_called_from_sns",
 *     role: defaultRole.arn,
 *     handler: "exports.handler",
 *     runtime: aws.lambda.Runtime.Python3d12,
 * });
 * const withSns = new aws.lambda.Permission("with_sns", {
 *     statementId: "AllowExecutionFromSNS",
 *     action: "lambda:InvokeFunction",
 *     "function": func.name,
 *     principal: "sns.amazonaws.com",
 *     sourceArn: _default.arn,
 * });
 * const lambda = new aws.sns.TopicSubscription("lambda", {
 *     topic: _default.arn,
 *     protocol: "lambda",
 *     endpoint: func.arn,
 * });
 * ```
 *
 * ### API Gateway REST API Integration
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const myDemoAPI = new aws.apigateway.RestApi("MyDemoAPI", {
 *     name: "MyDemoAPI",
 *     description: "This is my API for demonstration purposes",
 * });
 * const lambdaPermission = new aws.lambda.Permission("lambda_permission", {
 *     statementId: "AllowMyDemoAPIInvoke",
 *     action: "lambda:InvokeFunction",
 *     "function": "MyDemoFunction",
 *     principal: "apigateway.amazonaws.com",
 *     sourceArn: pulumi.interpolate`${myDemoAPI.executionArn}/*`,
 * });
 * ```
 *
 * ### CloudWatch Log Group Integration
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const _default = new aws.cloudwatch.LogGroup("default", {name: "/default"});
 * const assumeRole = aws.iam.getPolicyDocument({
 *     statements: [{
 *         effect: "Allow",
 *         principals: [{
 *             type: "Service",
 *             identifiers: ["lambda.amazonaws.com"],
 *         }],
 *         actions: ["sts:AssumeRole"],
 *     }],
 * });
 * const defaultRole = new aws.iam.Role("default", {
 *     name: "iam_for_lambda_called_from_cloudwatch_logs",
 *     assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
 * });
 * const loggingFunction = new aws.lambda.Function("logging", {
 *     code: new pulumi.asset.FileArchive("lamba_logging.zip"),
 *     name: "lambda_called_from_cloudwatch_logs",
 *     handler: "exports.handler",
 *     role: defaultRole.arn,
 *     runtime: aws.lambda.Runtime.Python3d12,
 * });
 * const logging = new aws.lambda.Permission("logging", {
 *     action: "lambda:InvokeFunction",
 *     "function": loggingFunction.name,
 *     principal: "logs.eu-west-1.amazonaws.com",
 *     sourceArn: pulumi.interpolate`${_default.arn}:*`,
 * });
 * const loggingLogSubscriptionFilter = new aws.cloudwatch.LogSubscriptionFilter("logging", {
 *     destinationArn: loggingFunction.arn,
 *     filterPattern: "",
 *     logGroup: _default.name,
 *     name: "logging_default",
 * }, {
 *     dependsOn: [logging],
 * });
 * ```
 *
 * ### Cross-Account Function URL Access
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const url = new aws.lambda.FunctionUrl("url", {
 *     functionName: example.functionName,
 *     authorizationType: "AWS_IAM",
 * });
 * const urlPermission = new aws.lambda.Permission("url", {
 *     action: "lambda:InvokeFunctionUrl",
 *     "function": example.functionName,
 *     principal: "arn:aws:iam::444455556666:role/example",
 *     sourceAccount: "444455556666",
 *     functionUrlAuthType: "AWS_IAM",
 * });
 * ```
 */
class Permission extends pulumi.CustomResource {
    /**
     * Look up an existing Permission resource by name and provider ID, optionally
     * narrowing the lookup with extra state properties.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name, id, state, opts) {
        // The explicit `id` is spread last so it overrides any `id` already present in `opts`.
        const lookupOpts = { ...opts, id };
        return new Permission(name, state, lookupOpts);
    }
    /**
     * Returns true if the given object is an instance of Permission. The check compares
     * the `__pulumiType` tag rather than using `instanceof`, so it keeps working when
     * multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj) {
        const isMissing = obj === undefined || obj === null;
        return isMissing ? false : obj['__pulumiType'] === Permission.__pulumiType;
    }
    /**
     * Create a Permission resource, or rehydrate one when `opts.id` is set.
     *
     * When `opts.id` is truthy, `argsOrState` is treated as lookup state and no
     * required-property checks run. Otherwise `action`, `function` and `principal`
     * must be defined unless `opts.urn` is set.
     *
     * @param name The _unique_ name of the resource.
     * @param argsOrState The arguments (create) or state (lookup) to populate the resource with.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @throws {Error} If a required property is undefined on the create path.
     */
    constructor(name, argsOrState, opts) {
        const callerOpts = opts || {};
        if (!callerOpts.id) {
            // Create path: reject missing required inputs before anything is registered.
            for (const [property, message] of REQUIRED_INPUTS) {
                if (argsOrState?.[property] === undefined && !callerOpts.urn) {
                    throw new Error(message);
                }
            }
        }
        // Both paths forward the same property set; absent values stay `undefined`.
        const resourceInputs = {};
        for (const property of INPUT_PROPERTIES) {
            resourceInputs[property] = argsOrState?.[property];
        }
        const mergedOpts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), callerOpts);
        super(Permission.__pulumiType, name, resourceInputs, mergedOpts);
    }
}
exports.Permission = Permission;
/** @internal */
Permission.__pulumiType = 'aws:lambda/permission:Permission';
//# sourceMappingURL=permission.js.map