ansible / ansible.builtin / v2.4.4.0-1 / module / lambda_policy Creates, updates or deletes AWS Lambda policy statements. | "added in version" 2.4 of ansible.builtin" Authors: Pierre Jodouin (@pjodouin), Michael De La Rue (@mikedlr) preview | supported by communityansible.builtin.lambda_policy (v2.4.4.0-1) — module
pip
Install with pip install ansible==2.4.4.0.post1
This module allows the management of AWS Lambda policy statements. It is idempotent and supports "Check" mode. Use module M(lambda) to manage the lambda function itself, M(lambda_alias) to manage function aliases, M(lambda_event) to manage event source mappings such as Kinesis streams, M(lambda_invoke) to execute a lambda function and M(lambda_facts) to gather facts relating to one or more lambda functions.
--- - hosts: localhost gather_facts: no vars: state: present tasks: - name: Lambda S3 event notification lambda_policy: state: "{{ state | default('present') }}" function_name: functionName alias: Dev statement_id: lambda-s3-myBucket-create-data-log action: lambda:InvokeFunction principal: s3.amazonaws.com source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName source_account: 123456789012 - name: show results debug: var=lambda_policy_action
alias: description: - Name of the function alias. Mutually exclusive with C(version). state: choices: - present - absent default: present description: - Describes the desired state. required: true action: description: - 'The AWS Lambda action you want to allow in this statement. Each Lambda action is a string starting with lambda: followed by the API name (see Operations ). For example, lambda:CreateFunction . You can use wildcard (lambda:* ) to grant permission for all AWS Lambda actions.' required: true profile: aliases: - aws_profile description: - A named AWS profile to use for authentication. - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). - The C(AWS_PROFILE) environment variable may also be used. Prior to release 6.0.0 the C(AWS_PROFILE) environment variable will be ignored if any of I(access_key), I(secret_key), or I(session_token) are passed. After release 6.0.0 I(profile) will always fall back to the C(AWS_PROFILE) environment variable if set. - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options. type: str version: description: - Version of the Lambda function. Mutually exclusive with C(alias). principal: description: - The principal who is getting this permission. It can be Amazon S3 service Principal (s3.amazonaws.com ) if you want Amazon S3 to invoke the function, an AWS account ID if you are granting cross-account permission, or any valid AWS service principal such as sns.amazonaws.com . For example, you might want to allow a custom application in another AWS account to push events to AWS Lambda by invoking your function. required: true access_key: aliases: - aws_access_key_id - aws_access_key - ec2_access_key description: - AWS access key ID. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables may also be used in decreasing order of preference. Prior to release 6.0.0 these environment variables will be ignored if the I(profile) parameter is passed. After release 6.0.0 I(access_key) will always fall back to the environment variables if set. - The I(aws_access_key) and I(profile) options are mutually exclusive. - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_access_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_config: description: - A dictionary to modify the botocore configuration. - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config). type: dict secret_key: aliases: - aws_secret_access_key - aws_secret_key - ec2_secret_key description: - AWS secret access key. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variables may also be used in decreasing order of preference. Prior to release 6.0.0 these environment variables will be ignored if the I(profile) parameter is passed. After release 6.0.0 I(secret_key) will always fall back to the environment variables if set. - The I(secret_key) and I(profile) options are mutually exclusive. - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_secret_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str source_arn: description: - This is optional; however, when granting Amazon S3 permission to invoke your function, you should specify this field with the bucket Amazon Resource Name (ARN) as its value. This ensures that only events generated from the specified bucket can invoke the function. endpoint_url: aliases: - ec2_url - aws_endpoint_url - s3_url description: - URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS. - The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing order of preference. - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_URL) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str statement_id: aliases: - sid description: - A unique statement identifier. required: true aws_ca_bundle: description: - The location of a CA Bundle to use when validating SSL certificates. - The C(AWS_CA_BUNDLE) environment variable may also be used. type: path function_name: aliases: - lambda_function_arn - function_arn description: - Name of the Lambda function whose resource policy you are updating by adding a new permission. - You can specify a function name (for example, Thumbnail ) or you can specify Amazon Resource Name (ARN) of the - function (for example, arn:aws:lambda:us-west-2:account-id:function:ThumbNail ). AWS Lambda also allows you to - specify partial ARN (for example, account-id:Thumbnail ). Note that the length constraint applies only to the - ARN. If you specify only the function name, it is limited to 64 character in length. required: true session_token: aliases: - aws_session_token - security_token - aws_security_token - access_token description: - AWS STS session token for use with temporary credentials. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variables may also be used in decreasing order of preference. Prior to release 6.0.0 these environment variables will be ignored if the I(profile) parameter is passed. After release 6.0.0 I(session_token) will always fall back to the environment variables if set. - The I(security_token) and I(profile) options are mutually exclusive. - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with the parameter being renamed from I(security_token) to I(session_token) in release 6.0.0. - The I(security_token), I(aws_security_token), and I(access_token) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables has been deprecated and will be removed in a release after 2024-12-01. type: str source_account: description: - The AWS account ID (without a hyphen) of the source owner. For example, if the SourceArn identifies a bucket, then this is the bucket owner's account ID. You can use this additional condition to ensure the bucket you specify is owned by a specific account (it is possible the bucket owner deleted the bucket and some other AWS account created the bucket). You can also use this condition to specify all sources (that is, you don't specify the SourceArn ) owned by a specific account. validate_certs: default: true description: - When set to C(false), SSL certificates will not be validated for communication with the AWS APIs. - Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider setting I(aws_ca_bundle) instead. type: bool event_source_token: description: - Token string representing source ARN or account. Mutually exclusive with C(source_arn) or C(source_account). debug_botocore_endpoint_logs: default: false description: - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action") API calls made during a task, outputing the set to the resource_actions key in the task results. Use the C(aws_resource_action) callback to output to total list made during a playbook. - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used. type: bool
lambda_policy_action: description: describes what action was taken returned: success type: string