How to add Account Condition to AWS Lambda Permissions in Terraform

If you need to lock an AWS Lambda function down to a single source account for security reasons (PCI.Lambda.1), you can do so with the `source_account` argument of the `aws_lambda_permission` Terraform resource type. Without it, any bucket named like the `source_arn` in any AWS account could trigger the function; with it, the resource policy also requires the calling account to match.

```hcl
resource "aws_lambda_permission" "do_something_with_bucket" {
  statement_id   = "AllowExecutionFromS3Bucket"
  action         = "lambda:InvokeFunction"
  function_name  = module.do_something_with_bucket.arn
  principal      = "s3.amazonaws.com" # service principal that invokes the function
  source_arn     = var.source_bucket_arn
  source_account = var.account_id # <---------- here
}
```

We have stored the account ID in a variable so that it can be supplied when we initialize our Terraform context:

```hcl
source_account = var.account_id
```

This populates the `Condition` block of the function's resource policy as below (`xxxxxxxxxxxx` stands for the account ID):

```json
"Condition": {
  "StringEquals": {
    "AWS:SourceAccount": "xxxxxxxxxxxx"
  }
}
```
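To verify the control once applied (for example from the output of `aws lambda get-policy`), the following audit helper is an added example, not code from the original post. It parses a Lambda resource policy and reports every `Allow` statement granted to an AWS service principal that does not pin `AWS:SourceAccount` to the expected account; the policy document and the account ID `111111111111` are constructed sample values.

```python
import json

# Constructed sample resource policy: the first statement is what the
# Terraform permission above renders, the second omits the account condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowExecutionFromS3Bucket",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:do_something_with_bucket",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "111111111111"},
                "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"},
            },
        },
        {
            "Sid": "UnscopedS3Invoke",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:do_something_with_bucket",
        },
    ],
})


def unscoped_service_statements(policy_json, expected_account):
    """Return the Sids of Allow statements for an AWS service principal whose
    StringEquals condition does not pin AWS:SourceAccount to expected_account."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if not isinstance(principal, dict) or "Service" not in principal:
            continue  # IAM/account principals are outside this check
        # Condition keys are case-insensitive, so normalise before comparing.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        account = {k.lower(): v for k, v in equals.items()}.get("aws:sourceaccount")
        if isinstance(account, str):
            account = [account]  # the value may also be a list of account IDs
        if expected_account not in (account or []):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Any Sid it returns is a statement that still allows the confused-deputy path the `source_account` argument closes.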