# The AWS account this configuration is applied in. Its account ID scopes the
# Chainguard identity below so that only callers from this account can match.
data "aws_caller_identity" "current" {}
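# Chainguard identity that the Lambda function assumes using its AWS role
# credentials. The account, the STS user ID and the assumed-role ARN are all
# matched, so a caller must present the session of this specific role with
# this specific session name.
resource "chainguard_identity" "aws" {
  parent_id   = var.group
  name        = "aws-lambda-identity"
  description = "Identity for AWS Lambda"

  aws_identity {
    aws_account = data.aws_caller_identity.current.account_id

    # Pin the role's stable unique ID (the AROA... value) instead of accepting
    # any AROA-prefixed ID: a role that is deleted and recreated under the same
    # name gets a new unique ID, so a name-only match would keep trusting it.
    # Lambda uses the function name as the assumed-role session name; function
    # names are limited to [A-Za-z0-9_-], so no regex escaping is needed.
    aws_user_id_pattern = "^${aws_iam_role.lambda.unique_id}:${local.lambda_name}$"

    // NB: The role is assumed, so the role ARN itself never appears on the
    // caller. Match the STS assumed-role ARN (role name + session name) instead.
    aws_arn = "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/${aws_iam_role.lambda.name}/${local.lambda_name}"
  }
}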
# Resolve the registry.pull role by name; the rolebinding below grants it to
# the Lambda identity.
data "chainguard_role" "puller" {
  name = "registry.pull"
}
# Bind the registry.pull role to the Lambda identity within var.group.
resource "chainguard_rolebinding" "puller" {
  group    = var.group
  identity = chainguard_identity.aws.id

  # NOTE(review): the role lookup returns a list and [0] silently takes the
  # first entry. If the name ever matched zero or several roles this would
  # fail late or bind an unintended role; one(data.chainguard_role.puller.items).id
  # would instead fail at plan time — confirm the provider's match semantics.
  role = data.chainguard_role.puller.items[0].id
}
# Deliver change events for everything under var.group (which need not be the
# root group) to the Lambda function URL.
resource "chainguard_subscription" "subscription" {
  # NOTE(review): the function URL is the delivery endpoint. aws_lambda_function_url.lambda
  # is defined outside this file; if its authorization_type is NONE the URL is
  # reachable by anyone, so the handler must authenticate incoming events itself
  # (e.g. verify the token Chainguard attaches) before acting on them — confirm.
  sink      = aws_lambda_function_url.lambda.function_url
  parent_id = var.group
}