implementing the lambda function

terraform/hydrocron-lambda-iam.tf

@@ -1,5 +1,77 @@
 #IAM roles
 
+resource "aws_iam_instance_profile" "hydrocron-service-profile" {
+  name = "${local.ec2_resources_name}-instance-profile"
+  role = aws_iam_role.hydrocron-service-role.name
+}
+
+resource "aws_iam_policy" "hydrocron-service-policy" {
+  name = "${local.ec2_resources_name}-service-policy"
+  path = "/"
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Effect": "Allow",
+          "Action": [
+            "cloudwatch:GetMetricStatistics",
+            "logs:CreateLogGroup",
+            "logs:CreateLogStream",
+            "logs:DescribeLogStreams",
+            "logs:PutLogEvents",
+            "ssm:GetParameter",
+            "ec2:CreateNetworkInterface",
+            "ec2:DescribeNetworkInterfaces",
+            "ec2:DeleteNetworkInterface"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "s3:GetAccelerateConfiguration",
+              "s3:GetLifecycleConfiguration",
+              "s3:GetReplicationConfiguration",
+              "s3:GetBucket*",
+              "s3:PutAccelerateConfiguration",
+              "s3:PutLifecycleConfiguration",
+              "s3:PutReplicationConfiguration",
+              "s3:PutBucket*",
+              "s3:ListBucket*"
+          ],
+          "Resource": [
+                  "arn:aws:s3:::podaac-${var.stage}-service-work",
+                  "arn:aws:s3:::podaac-${var.stage}-service-work/*"
+          ]
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "s3:AbortMultipartUpload",
+              "s3:GetObject*",
+              "s3:PutObject*",
+              "s3:ListMultipartUploadParts",
+              "s3:DeleteObject",
+              "s3:DeleteObjectVersion"
+          ],
+          "Resource": [
+              "arn:aws:s3:::podaac-${var.stage}-service-work",
+              "arn:aws:s3:::podaac-${var.stage}-service-work/*"
+          ]
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "s3:ListAllMyBuckets"
+          ],
+          "Resource": "*"
+      }
+  ]
+}
+POLICY
+}
+
 resource "aws_iam_role" "hydrocron-service-role" {
   name = "${local.ec2_resources_name}-service-role"
 
@@ -20,3 +92,9 @@ resource "aws_iam_role" "hydrocron-service-role" {
 }
 EOF
 }
+
+resource "aws_iam_policy_attachment" "hydrocron-service-attach" {
+  name       = "${local.ec2_resources_name}-attachment"
+  roles      = [aws_iam_role.hydrocron-service-role.id]
+  policy_arn = aws_iam_policy.hydrocron-service-policy.arn
+}