How to add Account Condition to AWS Lambda Permissions in Terraform


If you need to lock an AWS Lambda function down to a source account for security reasons (the PCI.Lambda.1 check), you can do so with the source_account argument of the aws_lambda_permission Terraform resource type.

resource "aws_lambda_permission" "do_something_with_bucket" {
  statement_id   = "AllowExecutionFromS3Bucket"
  action         = "lambda:InvokeFunction"
  function_name  = module.do_something_with_bucket.arn
  principal      = "s3.amazonaws.com"
  source_arn     = var.source_bucket_arn
  source_account = var.account_id # <---------- here
}

We store the account_id in a variable so that it can be supplied when we initialize our Terraform context:

source_account = var.account_id

This populates the Condition block of the function's resource policy as below:

"Condition": {
  "StringEquals": {
    "AWS:SourceAccount": "xxxxxxxxxxxx"
  }
}
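To verify the result outside Terraform, the following added example (not from the original post) audits a Lambda resource policy document, in the shape `aws lambda get-policy` returns inside its "Policy" field, and reports every statement that lets an AWS service principal invoke the function without an AWS:SourceAccount condition. The policy below is constructed; the account ID, function name and bucket name are placeholders.

```python
import json

# Constructed sample resource policy (placeholder account, function and bucket names).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowExecutionFromS3Bucket",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-1:111111111111:function:do_something_with_bucket",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "111111111111"},
                "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-source-bucket"},
            },
        },
        {
            "Sid": "AllowExecutionFromS3BucketUnscoped",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-1:111111111111:function:do_something_with_bucket",
            "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-source-bucket"}},
        },
    ],
})


def unscoped_service_grants(policy_document: str) -> list:
    """Return the Sid of every Allow statement that lets an AWS service principal
    invoke the function without an AWS:SourceAccount condition (PCI.Lambda.1)."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        # Condition keys are case-insensitive, so normalise before comparing.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "aws:sourceaccount" not in keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(unscoped_service_grants(SAMPLE_POLICY))  # ['AllowExecutionFromS3BucketUnscoped']
```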
Andrew