If you need to lock an AWS Lambda function down to a source account for security reasons (PCI.Lambda.1), you can do so with the `source_account` argument of the `aws_lambda_permission` Terraform resource type.
```hcl
resource "aws_lambda_permission" "do_something_with_bucket" {
  statement_id   = "AllowExecutionFromS3Bucket"
  action         = "lambda:InvokeFunction"
  function_name  = module.do_something_with_bucket.arn
  principal      = "s3.amazonaws.com"
  source_arn     = var.source_bucket_arn
  source_account = var.account_id # <---------- here
}
```
We have stored the `account_id` in a variable so that it can be set when we initialize our Terraform context:

```hcl
source_account = var.account_id
```
This populates the `Condition` block of the function's resource policy as below (the account id is masked here):

```json
"Condition": {
  "StringEquals": {
    "AWS:SourceAccount": "xxxxxxxxxxxx"
  }
}
```
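Once the permission is applied, it is worth verifying the resulting resource policy rather than trusting the plan. The following is an added example, not code from the original post: a small Python check over the policy document that `aws lambda get-policy` (or boto3's `get_policy()`) returns in its `Policy` field. It flags any `Allow` statement granted to an AWS service principal (such as `s3.amazonaws.com`) that has no `AWS:SourceAccount` condition, or whose `AWS:SourceAccount` does not match the account you expect. The sample policy, account id and ARNs are constructed placeholders; the second statement is deliberately unscoped so the check has something to find.

```python
import json

# Constructed sample policy: the shape `get-policy` returns after applying an
# aws_lambda_permission. Account ids and ARNs are placeholders, not real values.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            # Scoped statement, as produced when both source_arn and source_account are set.
            "Sid": "AllowExecutionFromS3Bucket",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:do_something_with_bucket",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "111111111111"},
                "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-source-bucket"},
            },
        },
        {
            # Deliberately weak statement for the check to catch: no source_account set.
            "Sid": "UnscopedS3Invoke",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:do_something_with_bucket",
        },
    ],
})


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _source_accounts(statement):
    """Collect every AWS:SourceAccount value across all condition operators,
    matching the key case-insensitively as IAM does."""
    accounts = set()
    for operator_block in statement.get("Condition", {}).values():
        for key, value in operator_block.items():
            if key.lower() == "aws:sourceaccount":
                accounts.update(_as_list(value))
    return accounts


def find_unscoped_service_grants(policy_json, expected_account=None):
    """Return the Sids of Allow statements granted to a service principal that
    either lack an AWS:SourceAccount condition or, when expected_account is
    given, allow a SourceAccount other than exactly that account."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # Only service principals are scoped by SourceAccount; skip account/role principals.
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        accounts = _source_accounts(stmt)
        if not accounts:
            findings.append(stmt.get("Sid", "<no sid>"))
        elif expected_account is not None and accounts != {expected_account}:
            findings.append(stmt.get("Sid", "<no sid>"))
    return findings


if __name__ == "__main__":
    for sid in find_unscoped_service_grants(SAMPLE_POLICY, "111111111111"):
        print(f"statement {sid}: service principal not scoped to the expected source account")
```

To run it against a real function, replace `SAMPLE_POLICY` with the `Policy` string from `aws lambda get-policy --function-name <name>`. A statement that is scoped only by `AWS:SourceArn` is still reported, because the bucket ARN alone does not carry the account id; setting `source_account` is what produces the `AWS:SourceAccount` condition shown above.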