authorlian-manonog <lian.manonog@gmail.com>2024-08-13 17:16:12 +0100
committerlian-manonog <lian.manonog@gmail.com>2024-08-13 17:16:12 +0100
commit68a0b4740e1aab2c507547ab985c7c1dc436d9c9 (patch)
tree17ae6ce650c27bbccd83869cc3aafe551afa1e03 /terraform
parent0b38e6b20157cc0fe59dd3dc85905e18e0d0f555 (diff)
downloadde-project-bentley-68a0b4740e1aab2c507547ab985c7c1dc436d9c9.tar.gz
de-project-bentley-68a0b4740e1aab2c507547ab985c7c1dc436d9c9.zip
wip: running terraform apply to continue fixing terraform infrastructure
Diffstat (limited to 'terraform')
-rw-r--r--terraform/events.tf4
-rw-r--r--terraform/iam.tf64
-rw-r--r--terraform/lambda.tf13
-rw-r--r--terraform/s3.tf63
4 files changed, 79 insertions, 65 deletions
diff --git a/terraform/events.tf b/terraform/events.tf
index 0196dc3..7a6b0ad 100644
--- a/terraform/events.tf
+++ b/terraform/events.tf
@@ -50,7 +50,7 @@ resource "aws_s3_bucket_notification" "extract_bucket_notification" {
######
-resource "aws_lambda_permission" "allow_s3_transfrom_bucket" {
+resource "aws_lambda_permission" "allow_s3_transform_bucket" {
statement_id = "AllowS3InvokeLambdaTransform"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.transform_lambda.function_name #replaced lambda name placeholder
@@ -67,5 +67,5 @@ resource "aws_s3_bucket_notification" "transform_bucket_notification" {
lambda_function_arn = aws_lambda_function.transform_lambda.arn #replaced lambda name placeholder
}
- depends_on = [aws_lambda_permission.allow_s3_transform]
+ depends_on = [aws_lambda_permission.allow_s3_transform_bucket]
} \ No newline at end of file
diff --git a/terraform/iam.tf b/terraform/iam.tf
index bb8d932..f34d58a 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -4,7 +4,7 @@
########################################################################
# DEFINE MULTI-SERVICE ROLE (lambda, s3, cloudwatch, events)
-resource "aws_iam_role" "bentley_multi_service_role" {
+resource "aws_iam_role" "multi_service_role" {
name = "multi_service_role"
assume_role_policy = jsonencode({
@@ -16,7 +16,7 @@ resource "aws_iam_role" "bentley_multi_service_role" {
Principal = {
Service = [
"lambda.amazonaws.com",
- "states.amazonaws.com",
+ "cloudwatch.amazonaws.com",
"events.amazonaws.com",
"s3.amazonaws.com"
]
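Review bot: The trust policy now lets four service principals assume a single shared execution role, and at least two of them do not appear to need it: `cloudwatch.amazonaws.com` is not the principal used for CloudWatch Logs or Events (scheduled triggers use `events.amazonaws.com`, already listed), and S3's invocation of the functions is authorized by the resource-based `aws_lambda_permission` resources in events.tf, not by S3 assuming this role. If only the three Lambda functions use this role, reduce the trust to `Service = ["lambda.amazonaws.com"]`. If a non-Lambda principal genuinely must stay, add a `Condition` block with `aws:SourceAccount` (and `aws:SourceArn` where applicable) so the role cannot be assumed on behalf of another account's resources. The enclosing `aws_iam_role` block starts and ends outside this hunk.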
@@ -27,7 +27,6 @@ resource "aws_iam_role" "bentley_multi_service_role" {
}
-
########################################################################
# S3 SETUP
# Description: allows allows retention/tagging/access control settings
@@ -35,32 +34,23 @@ resource "aws_iam_role" "bentley_multi_service_role" {
########################################################################
# S3 DEFINE POLICY
-resource "aws_iam_policy" "s3_access_policy" {
- name = "s3_access_policy"
- path = "/"
- description = "IAM policy for S3 access"
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = [
- "s3:PutObject",
- "s3:GetObject",
- "s3:ListBucket"
- ]
- resources = [
- "${aws_s3_bucket.extract_bucket.arn}/*",
- "${aws_s3_bucket.transform_bucket.arn}/*",
- "${aws_s3_bucket.lambda_bucket.arn}/*"
- ]
- }
- ]
- }
- )
+data "aws_iam_policy_document" "s3_data_policy_doc" {
+ statement {
+ actions = [
+ "s3:PutObject",
+ "s3:PutObjectRetention",
+ "s3:PutObjectTagging",
+ "s3:PutObjectAcl"
+ ]
+ resources = [
+ "${aws_s3_bucket.extract_bucket.arn}/*",
+ "${aws_s3_bucket.transform_bucket.arn}/*",
+ "${aws_s3_bucket.lambda_code_bucket.arn}/*",
+ ]
+ }
}
+
########################################################################
# LAMBDA SETUP
# Description: Allows Lambda permission to write to Cloudwatch logs
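Review bot: The new statement grants `s3:PutObjectAcl` on every object in all three buckets, which a put-only pipeline does not need and which, unless the buckets enforce BucketOwnerEnforced ownership or a public access block (neither is visible here), would let a compromised function make objects public; drop it unless a consumer actually sets ACLs. It also grants `s3:PutObject` on `lambda_code_bucket`, the bucket the functions are deployed from, so the execution role can overwrite its own code artifacts — the runtime role should not be able to write to the deployment bucket. Compared with the removed policy it no longer includes `s3:GetObject` or `s3:ListBucket`, and the transform/load functions presumably read from the upstream bucket, so expect AccessDenied once this is attached; note that `s3:ListBucket` must be granted on the bucket ARN itself, not `${arn}/*`. Whether `s3_data_policy_doc` is consumed by `s3_write_policy` is not visible in this hunk.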
@@ -112,6 +102,11 @@ data "aws_iam_policy_document" "cw_document" {
}
}
+resource "aws_iam_policy" "cw_policy" {
+ name = "cw_policy"
+ policy = data.aws_iam_policy_document.cw_document.json
+}
+
########################################################################
# POLICY WRITE & ATTACH
########################################################################
@@ -123,6 +118,15 @@ resource "aws_iam_policy" "s3_write_policy" {
# S3 ATTACH POLICY
resource "aws_iam_role_policy_attachment" "lambda_s3_policy_attachment" {
- role = aws_iam_role.lambda_role.name
- policy_arn = aws_iam_policy.s3_write_policy.arn
-} \ No newline at end of file
+ for_each = toset([
+ aws_iam_policy.s3_write_policy.arn,
+ aws_iam_policy.lambda_execution_policy.arn,
+ aws_iam_policy.cw_policy.arn
+ ])
+ role = aws_iam_role.multi_service_role.name
+ policy_arn = each.value
+}
+
+################
+# RDS POLICIES #
+################
diff --git a/terraform/lambda.tf b/terraform/lambda.tf
index 09d6697..bcbf394 100644
--- a/terraform/lambda.tf
+++ b/terraform/lambda.tf
@@ -7,9 +7,9 @@ data "archive_file" "extract_lambda_zip" {
resource "aws_lambda_function" "extract_lambda" {
function_name = "${var.extract_lambda_name}"
- s3_bucket = aws_s3_bucket.lambda_bucket.bucket
+ s3_bucket = aws_s3_bucket.lambda_code_bucket.bucket
s3_key = "extract_lambda/extract_function.zip"
- role = aws_iam_role.PLACEHOLDER_extract_lambda_role.arn # << lambda role placehodler
+ role = aws_iam_role.multi_service_role.arn #<< lambda role placehodler
handler = "extract_lambda.lambda_handler" # << check that the function is called lambda handler
runtime = "python3.11"
environment {
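Review bot: All three functions now run under the one `multi_service_role`, so the extract function inherits whatever S3, CloudWatch and (per the new RDS section in iam.tf) database permissions the transform and load functions need, and a compromise of any one function — for example via a dependency bundled into its zip — gives the attacker the whole pipeline's access. Prefer one `aws_iam_role` per function scoped to its own buckets, or at least record the tradeoff instead of the stale note: `role = aws_iam_role.multi_service_role.arn # shared execution role (iam.tf); TODO split per function`. `function_name = "${var.extract_lambda_name}"` is a bare interpolation; `function_name = var.extract_lambda_name` is the idiomatic form. The resource's `environment` block continues past this hunk.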
@@ -36,9 +36,9 @@ data "archive_file" "transform_lambda_zip" {
resource "aws_lambda_function" "transform_lambda" {
function_name = "${var.transform_lambda_name}"
- s3_bucket = aws_s3_bucket.lambda_bucket.bucket
+ s3_bucket = aws_s3_bucket.lambda_code_bucket.bucket
s3_key = "transform_lambda/transform_function.zip"
- role = aws_iam_role.PLACEHOLDER_transform_lambda_role.arn # << lambda role placehodler
+ role = aws_iam_role.multi_service_role.arn # << lambda role placehodler
handler = "transform_lambda.lambda_handler" # << check that the function is called lambda handler
runtime = "python3.11"
environment {
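Review bot: The trailing comment `# << lambda role placehodler` is now wrong — the role is the real `multi_service_role`, not a placeholder — and together with `# << check that the function is called lambda handler` it leaves every function carrying unresolved TODO-style notes. Either remove them or make them actionable, e.g. `role = aws_iam_role.multi_service_role.arn # shared execution role, defined in iam.tf`. The resource continues past this hunk.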
@@ -55,7 +55,6 @@ resource "aws_lambda_permission" "allow_to_write_to_s3_transform_bucket" {
source_arn = aws_s3_bucket.transform_bucket.arn
}
-
### LOAD LAMBDA SET UP
data "archive_file" "load_lambda_zip" {
type = "zip"
@@ -65,9 +64,9 @@ data "archive_file" "load_lambda_zip" {
resource "aws_lambda_function" "load_lambda" {
function_name = "${var.load_lambda_name}"
- s3_bucket = aws_s3_bucket.lambda_bucket.bucket
+ s3_bucket = aws_s3_bucket.lambda_code_bucket.bucket
s3_key = "load_lambda/load_function.zip"
- role = aws_iam_role.PLACEHOLDER_load_lambda_role.arn # << lambda role placehodler
+ role = aws_iam_role.multi_service_role.arn # << lambda role placehodler
handler = "load_lambda.lambda_handler" # << check that the function is called lambda handler
runtime = "python3.11"
}
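Review bot: `s3_key` is the literal `"load_lambda/load_function.zip"` while s3.tf uploads the object under `"${var.load_lambda_name}/load_function.zip"`, so the two agree only if that variable happens to equal `load_lambda`, and because the function references the bucket rather than the object there is no dependency ordering — on a fresh apply Terraform may create the function before the zip exists. Use `s3_key = aws_s3_object.load_lambda_code.key`, which removes the mismatch and adds the implicit dependency. There is also no `source_code_hash`, so a new zip in S3 never triggers a redeploy and the function keeps running stale code; add `source_code_hash = data.archive_file.load_lambda_zip.output_base64sha256` (the `archive_file` data source is visible in the preceding hunk — confirm it produces the same zip the object uploads).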
diff --git a/terraform/s3.tf b/terraform/s3.tf
index 8cb65ef..8ab5622 100644
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -1,40 +1,51 @@
### EXTRACT BUCKET SET-UP
resource "aws_s3_bucket" "extract_bucket" {
- bucket = "${var.s3_extract_bucket_name}"
+ bucket_prefix = "${var.s3_extract_bucket_name}-"
}
-resource "aws_s3_object" "extract_lambda_code" {
- bucket = aws_s3_bucket.s3_code_bucket_name.bucket
- key = "${var.extract_lambda_name}/extract_function.zip"
- source = "${path.module}/../extract_function.zip"
-} # << can't figure out how this is being used but we seem to need it
-
-resource "aws_s3_bucket_notification" "extract_bucket_notification" {
- bucket = aws_s3_bucket.extract_bucket.id
- lambda_function {
- lambda_function_arn = aws_lambda_function.extract_lambda.arn
- events = ["s3:ObjectCreated:*"]
- }
- depends_on = [aws_lambda_permission.allow_to_write_to_s3_extract_bucket]
-} # << is this the correct permission dependency?
-
+# resource "aws_s3_bucket_notification" "extract_bucket_notification" {
+# bucket = aws_s3_bucket.extract_bucket.id
+# lambda_function {
+# lambda_function_arn = aws_lambda_function.extract_lambda.arn
+# events = ["s3:ObjectCreated:*"]
+# }
+# depends_on = [aws_lambda_permission.allow_to_write_to_s3_extract_bucket]
+# } # << is this the correct permission dependency?
### TRANSFORM BUCKET SET-UP
resource "aws_s3_bucket" "transform_bucket" {
- bucket = "${var.s3_transform_bucket_name}"
+ bucket_prefix = "${var.s3_transform_bucket_name}-"
}
+# resource "aws_s3_bucket_notification" "transform_bucket_notification" {
+# bucket = aws_s3_bucket.transform_bucket.id
+# lambda_function {
+# lambda_function_arn = aws_lambda_function.transform_lambda.arn
+# events = ["s3:ObjectCreated:*"]
+# }
+# depends_on = [aws_lambda_permission.allow_to_write_to_s3_transform_bucket]
+# } # << is this the correct permission dependency?
+
+
+### LAMBDA BUCKET
+resource "aws_s3_bucket" "lambda_code_bucket" {
+ bucket_prefix = "${var.s3_code_bucket_name}-"
+}
+
+resource "aws_s3_object" "extract_lambda_code" {
+ bucket = aws_s3_bucket.lambda_code_bucket.bucket
+ key = "${var.extract_lambda_name}/extract_function.zip"
+ source = "${path.module}/../extract_function.zip"
+} # << can't figure out how this is being used but we seem to need it
+
resource "aws_s3_object" "transform_lambda_code" {
- bucket = aws_s3_bucket.s3_code_bucket_name.bucket
+ bucket = aws_s3_bucket.lambda_code_bucket.bucket
key = "${var.transform_lambda_name}/transform_function.zip"
source = "${path.module}/../transform_function.zip"
} # << can't figure out how this is being used but we seem to need it
-resource "aws_s3_bucket_notification" "transform_bucket_notification" {
- bucket = aws_s3_bucket.transform_bucket.id
- lambda_function {
- lambda_function_arn = aws_lambda_function.transform_lambda.arn
- events = ["s3:ObjectCreated:*"]
- }
- depends_on = [aws_lambda_permission.allow_to_write_to_s3_transform_bucket]
-} # << is this the correct permission dependency?
+resource "aws_s3_object" "load_lambda_code" {
+ bucket = aws_s3_bucket.lambda_code_bucket.bucket
+ key = "${var.load_lambda_name}/load_function.zip"
+ source = "${path.module}/../load_function.zip"
+} \ No newline at end of file