
My Terraform configuration for two DynamoDB tables and the IAM policy that lets a Lambda function read and write them.

Provision the jobs table (composite key: `companyId` as partition key, `jobNo` as sort key, so every item-level read and write carries a `companyId`).

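# dynamodb: jobs
# Composite primary key: companyId (partition key) + jobNo (sort key), so
# GetItem/PutItem/UpdateItem/DeleteItem always carry a companyId and Query
# is always scoped to one company's partition.
resource "aws_dynamodb_table" "jobs_table" {
  name           = "${var.component}-jobs-${var.env}"
  billing_mode   = "PROVISIONED"
  read_capacity  = 5
  write_capacity = 5
  hash_key       = "companyId"
  range_key      = "jobNo"

  # Only key attributes are declared here; non-key attributes need no schema.
  attribute {
    name = "companyId"
    type = "S"
  }

  attribute {
    name = "jobNo"
    type = "S"
  }

  # Continuous backups, matching the users table in this file: a bad deploy
  # or a mistaken DeleteItem/UpdateItem can be rolled back to a point in time
  # instead of being permanent.
  point_in_time_recovery {
    enabled = true
  }

  tags = {
    Name        = var.component
    Environment = var.env
  }
}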

IAM policy that lets the Lambda function access the tables. The action list is deliberately item-level only (no `Scan`, no table-management actions), but note that the wildcard `dynamodb:Get*` is broader than it looks — it also matches stream actions such as `GetRecords` and `GetShardIterator` — so listing `GetItem` explicitly is the tighter choice.

An index is a sub-resource of its table, so the table ARN alone does not cover it. `table/NAME/*` matches every sub-resource — indexes, but also streams, backups and exports — so if the function only needs the GSI, `table/NAME/index/*` is the least-privilege form.

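# Least-privilege grant for the Lambda: item-level CRUD plus Query on the two
# tables and their global secondary indexes. Scan and the table-management
# actions (CreateTable, DeleteTable, UpdateTable, ...) are deliberately absent.
# If the function ever uses BatchGetItem / BatchWriteItem / transactions,
# those actions have to be added here explicitly.
data "aws_iam_policy_document" "iam_lambda_dynamodb_policy_document" {
  statement {
    sid    = "LambdaJobsAndUsersTables"
    effect = "Allow"
    actions = [
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
      "dynamodb:UpdateItem",
      # Spelled out instead of "dynamodb:Get*": the wildcard also matches
      # stream actions (GetRecords, GetShardIterator) this function does
      # not need.
      "dynamodb:GetItem",
      "dynamodb:Query",
      "dynamodb:DescribeTable",
    ]
    resources = [
      # Use the provider-computed ARN instead of hand-building one from the
      # region and account id: it is correct in every partition (aws, aws-cn,
      # aws-us-gov) and does not need editing when the region changes.
      aws_dynamodb_table.jobs_table.arn,
      # ".../index/*" rather than ".../*": the broader form would also cover
      # streams, backups and exports, none of which this function touches.
      "${aws_dynamodb_table.jobs_table.arn}/index/*",
      aws_dynamodb_table.users_table.arn,
      "${aws_dynamodb_table.users_table.arn}/index/*",
    ]
  }
}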

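# Customer-managed policy rendered from the policy document above. Keeping it
# as a standalone policy (rather than an inline aws_iam_role_policy) lets the
# same grant be attached to more than one role if a second function needs it.
resource "aws_iam_policy" "iam_lambda_dynamodb_policy" {
  name = "${var.component}_${var.env}_iam_lambda_dynamodb_policy"
  # IAM policy descriptions are immutable: adding one to a policy that is
  # already deployed replaces the policy (and re-creates its attachments).
  description = "DynamoDB access for the ${var.component} Lambda function (${var.env})"
  policy      = data.aws_iam_policy_document.iam_lambda_dynamodb_policy_document.json
}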

# Bind the DynamoDB policy to the Lambda execution role. The role itself
# (aws_iam_role.iam_lambda_role) is defined elsewhere; this resource only
# manages the attachment, so destroying it detaches without touching the
# role or the policy.
resource "aws_iam_role_policy_attachment" "lambda_dynamodb_policy_attachment" {
  policy_arn = aws_iam_policy.iam_lambda_dynamodb_policy.arn
  role       = aws_iam_role.iam_lambda_role.name
}

Create a table with a global secondary index (GSI). Note that the index is keyed on `email` alone, so a `Query` against it is not scoped by `companyId` — keep that in mind if `companyId` is your tenant boundary, since any principal allowed to `Query` the index can look a user up across companies.

# dynamodb: users
# Composite primary key: companyId (partition key) + email (sort key).
resource "aws_dynamodb_table" "users_table" {
  name           = "${var.component}-users-${var.env}"
  billing_mode   = "PROVISIONED"
  read_capacity  = 5
  write_capacity = 5
  hash_key       = "companyId"
  range_key      = "email"

  attribute {
    name = "companyId"
    type = "S"
  }

  # "email" is declared because it is a key attribute twice over: sort key of
  # the table and partition key of the GSI below.
  attribute {
    name = "email"
    type = "S"
  }

  # Continuous backups, so accidental deletes or bad writes can be rolled
  # back to a point in time.
  point_in_time_recovery {
    enabled = true
  }

  # Lookup by email. The index is keyed on email alone (no companyId), so a
  # Query on it is NOT scoped to a company -- if companyId is the tenant
  # boundary, any principal with Query on ".../index/*" can find a user in
  # any company; enforce the tenant check in the caller.
  # projection_type = "ALL" copies every attribute of each item into the
  # index, so anything sensitive stored on a user item is stored twice and
  # is readable through the index as well as the table. Prefer KEYS_ONLY or
  # INCLUDE with the attributes the lookup actually needs.
  global_secondary_index {
    name            = "emailIndex"
    hash_key        = "email"
    write_capacity  = 5
    read_capacity   = 5
    projection_type = "ALL"
  }


  tags = {
    Name        = var.component
    Environment = var.env
  }
}
