◾️ Introduction
A follow-up to
https://dk521123.hatenablog.com/entry/2025/09/17/224604
This time the same setup is made configurable with Terraform code.
【1】 Sample
1) Folder layout
```
├── lambda
│   └── main.py
├── local.tf
├── s3.tf
├── cloudwatch.tf
├── iam.tf
└── lambda.tf
```
lambda/main.py
* See the sample in the related article below
https://dk521123.hatenablog.com/entry/2025/09/17/224604
local.tf
```hcl
provider "aws" {
  region = "us-west-2"
}

# List of existing target bucket names
locals {
  lambda_function_name = "demo-lambda"
  s3_buckets = [
    "your-existing-bucket-a",
    "your-existing-bucket-b",
    "your-existing-bucket-c",
  ]
}
```
s3.tf
```hcl
# Look up the existing buckets with a data source, one per name
data "aws_s3_bucket" "target" {
  for_each = toset(local.s3_buckets)
  bucket   = each.value
}

# Permission for S3 to invoke the Lambda (for_each covers every bucket);
# source_arn limits each statement to that one bucket
resource "aws_lambda_permission" "allow_s3" {
  for_each      = data.aws_s3_bucket.target
  statement_id  = "AllowExecutionFromS3-${each.key}"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.demo_lambda.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = each.value.arn
}

# S3 event notification -> Lambda (for_each covers every bucket).
# This resource manages the bucket's entire notification configuration,
# so notifications configured outside Terraform on these buckets are replaced.
resource "aws_s3_bucket_notification" "notify" {
  for_each = data.aws_s3_bucket.target
  bucket   = each.value.id

  lambda_function {
    lambda_function_arn = aws_lambda_function.demo_lambda.arn
    events              = ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"]
  }

  # The invoke permission must exist before S3 validates the notification target
  depends_on = [aws_lambda_permission.allow_s3]
}
```
cloudwatch.tf
```hcl
resource "aws_cloudwatch_log_group" "demo_log_group" {
  name              = "/aws/lambda/${local.lambda_function_name}"
  retention_in_days = 30
}
```
iam.tf
```hcl
# IAM role for the Lambda
resource "aws_iam_role" "lambda_role" {
  name = "lambda_s3_event_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect    = "Allow",
        Principal = { Service = "lambda.amazonaws.com" },
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy" "lambda_policy" {
  role = aws_iam_role.lambda_role.id
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      # Read access to every target bucket
      {
        Effect   = "Allow",
        Action   = ["s3:GetObject"],
        Resource = [for bucket in local.s3_buckets : "arn:aws:s3:::${bucket}/*"]
      },
      # Writing to CloudWatch Logs
      {
        Effect   = "Allow",
        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        Resource = "*"
      }
    ]
  })
}
```
lambda.tf
```hcl
# Lambda code has to be uploaded as a zip, so archive the source directory
data "archive_file" "demo_zip" {
  type        = "zip"
  source_dir  = "${path.module}/lambda"
  output_path = "${path.module}/outputs/demo_lambda.zip"
}

# Create the Lambda function
resource "aws_lambda_function" "demo_lambda" {
  function_name    = local.lambda_function_name
  handler          = "main.lambda_handler"
  runtime          = "python3.13"
  filename         = data.archive_file.demo_zip.output_path
  source_code_hash = filebase64sha256(data.archive_file.demo_zip.output_path)
  # Role defined in iam.tf
  role             = aws_iam_role.lambda_role.arn

  environment {
    variables = {
      LOG_LEVEL = "INFO"
    }
  }

  # Create the log group from cloudwatch.tf first, so Lambda does not
  # auto-create one without the retention setting
  depends_on = [aws_cloudwatch_log_group.demo_log_group]
}
```
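An added example of a handler that matches the `main.lambda_handler` setting above (example code, not the main.py from the linked article): it parses the ObjectCreated / ObjectRemoved records that the notification in s3.tf delivers, URL-decodes the object key (S3 percent-encodes keys in the event payload), and skips records that are not S3 notifications instead of failing the batch. `SAMPLE_EVENT` is a constructed payload in the shape S3 sends.

```python
import json
import logging
import os
from urllib.parse import unquote_plus

# LOG_LEVEL comes from the environment block in lambda.tf
logger = logging.getLogger()
logger.setLevel(os.environ.get("LOG_LEVEL", "INFO"))


def parse_s3_records(event: dict) -> list[dict]:
    """Return bucket/key/event/size per S3 record; non-S3 records are logged and skipped."""
    parsed = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3" or "s3" not in record:
            logger.warning("skipping non-S3 record: %s", json.dumps(record)[:200])
            continue
        s3 = record["s3"]
        parsed.append({
            "bucket": s3["bucket"]["name"],
            # S3 percent-encodes the key in the event ("a b.txt" arrives as "a+b.txt")
            "key": unquote_plus(s3["object"]["key"]),
            "event": record.get("eventName", ""),
            # ObjectRemoved records carry no size
            "size": s3["object"].get("size"),
        })
    return parsed


def lambda_handler(event: dict, context) -> dict:
    records = parse_s3_records(event)
    for r in records:
        logger.info("%s s3://%s/%s size=%s", r["event"], r["bucket"], r["key"], r["size"])
    return {
        "created": sum(r["event"].startswith("ObjectCreated") for r in records),
        "removed": sum(r["event"].startswith("ObjectRemoved") for r in records),
        "skipped": len(event.get("Records", [])) - len(records),
    }


# Constructed sample event: one Put, one Delete, one stray non-S3 record
SAMPLE_EVENT = {"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "your-existing-bucket-a"},
            "object": {"key": "logs/2025-09-17/access+log.txt", "size": 1024}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "your-existing-bucket-b"},
            "object": {"key": "old%20file.txt"}}},
    {"eventSource": "aws:sns"},
]}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```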
Related articles
Terraform ~ Environment setup ~
https://dk521123.hatenablog.com/entry/2023/04/05/000224
Terraform ~ Introduction ~
https://dk521123.hatenablog.com/entry/2019/12/09/222057
Terraform ~ Basics ~
https://dk521123.hatenablog.com/entry/2023/05/03/000000
Terraform ~ local ~
https://dk521123.hatenablog.com/entry/2023/12/24/173633
Terraform ~ tfstate / Backend ~
https://dk521123.hatenablog.com/entry/2023/05/05/004939
Terraform ~ Terraform miscellany ~
https://dk521123.hatenablog.com/entry/2023/05/15/205352
Terraform ~ AWS Lambda / Introduction ~
https://dk521123.hatenablog.com/entry/2024/05/30/010920
Terraform ~ Thinking about deploying to multiple environments ~
https://dk521123.hatenablog.com/entry/2023/05/06/003645
Lambda ~ Python / Introduction ~
https://dk521123.hatenablog.com/entry/2021/10/07/103317
Lambda ~ Python / Adding external modules ~
https://dk521123.hatenablog.com/entry/2024/05/25/005456
Lambda ~ Python / S3 trigger ~
https://dk521123.hatenablog.com/entry/2024/05/23/162229
datadog ~ Thinking about monitoring S3 file arrival ~
https://dk521123.hatenablog.com/entry/2025/09/17/224604
Terraform ~ s3 access log with EventBridge ~
https://dk521123.hatenablog.com/entry/2025/09/22/184009