If you need to lock an AWS Lambda function down to a source account for security reasons (AWS Security Hub control PCI.Lambda.1), you can do so with the source_account argument of the aws_lambda_permission Terraform resource type.

resource "aws_lambda_permission" "do_something_with_bucket" {
  statement_id   = "AllowExecutionFromS3Bucket"
  action         = "lambda:InvokeFunction"
  function_name  = module.do_something_with_bucket.arn
  principal      = "s3.amazonaws.com"
  source_arn     = var.source_bucket_arn
  source_account = var.account_id # <---------- here
}

We store the account ID in a variable so that it can be supplied when we initialize our Terraform configuration:

source_account = var.account_id

This populates the Condition block of the function's resource-based policy as below:

"Condition": {
  "StringEquals": {
    "AWS:SourceAccount": "xxxxxxxxxxxx"
  }
}
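To confirm that the permission really ended up in the function's resource-based policy, it helps to audit the policy document itself rather than trusting the Terraform plan. The following Python check is an added example, not code from the original post: it parses a Lambda policy document (the same JSON string that boto3's `get_policy` returns in its `Policy` field) and reports every Allow statement that grants a service principal the invoke action without an `AWS:SourceAccount` condition, which is the gap PCI.Lambda.1 is about. The two sample policies are constructed for this example; the account ID, region and function ARN in them are placeholders.

```python
import json

# Actions that would let the principal invoke the function.
INVOKE_ACTIONS = {"lambda:InvokeFunction", "lambda:*", "*"}


def service_statements_missing_source_account(policy_json: str) -> list:
    """Return the Sids of Allow statements that let an AWS service principal
    invoke the function without an AWS:SourceAccount condition.

    policy_json is the resource-based policy as a JSON string, i.e. what
    lambda:GetPolicy returns. Statements for IAM (non-service) principals are
    out of scope for this check, as are statements that do not grant invoke.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]

    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue

        principal = stmt.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if not service:
            continue  # only service principals need a SourceAccount lock

        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not INVOKE_ACTIONS.intersection(actions):
            continue

        # IAM condition keys are case-insensitive, so normalise before comparing.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        condition_keys = {key.lower() for key in string_equals}
        if "aws:sourceaccount" not in condition_keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample: what the Terraform block above produces once
# source_account is set (placeholder account ID and ARNs).
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowExecutionFromS3Bucket",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111111111111:function:do_something_with_bucket",
        "Condition": {
            "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-source-bucket"},
            "StringEquals": {"AWS:SourceAccount": "111111111111"},
        },
    }],
})

# Constructed sample: the same permission without source_account.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowExecutionFromS3Bucket",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111111111111:function:do_something_with_bucket",
        "Condition": {
            "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-source-bucket"},
        },
    }],
})


if __name__ == "__main__":
    for name, policy in (("locked", LOCKED_POLICY), ("open", OPEN_POLICY)):
        missing = service_statements_missing_source_account(policy)
        status = "OK" if not missing else "missing SourceAccount in " + ", ".join(missing)
        print(f"{name}: {status}")
```

In a real audit you would feed the function the `Policy` string from `boto3.client("lambda").get_policy(FunctionName=...)` for each function in the account. The check deliberately keeps the `AWS:SourceArn` condition out of scope: a `SourceArn` alone narrows which resource may invoke the function but, for S3 bucket names, does not prove which account owns that resource, which is why the post adds `source_account` on top of `source_arn`.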