authorAlex Schofield <git@ajschof.me>2024-08-14 22:52:33 +0100
committerAlex Schofield <git@ajschof.me>2024-08-14 22:52:33 +0100
commit9ff947c167932bb9ff93f05c8adf2ffcd98b91cc (patch)
treeab65c00705b13454a058977726b467944f08e62d
parent5cdcbd64e9f4dba5f3ed8e8eb9f6e91e1adde0ba (diff)
infra(tf): simplify multi_service_role
-rw-r--r--terraform/iam.tf32
1 files changed, 15 insertions, 17 deletions
diff --git a/terraform/iam.tf b/terraform/iam.tf
index cf4902a..20aeab3 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -16,9 +16,7 @@ resource "aws_iam_role" "multi_service_role" {
Principal = {
Service = [
"lambda.amazonaws.com",
- "cloudwatch.amazonaws.com",
- "events.amazonaws.com",
- "s3.amazonaws.com"
+ "scheduler.amazonaws.com"
]
}
}
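Review bot: Adding `scheduler.amazonaws.com` to the `Service` list lets EventBridge Scheduler assume the same role that Lambda runs under, and the visible part of the trust statement carries no `Condition`, so the trust is not limited to schedules created in this account. The later hunks in this file show the role still has `lambda_execution_policy` attached, whose statement uses `Resource = "*"`, so the scheduler side inherits invoke rights on every function along with the S3 write and log permissions. Consider a separate role for the scheduler, trusted with `Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }` and a policy whose `Resource` is only the target function's ARN. The `aws_iam_role` block starts and ends outside this hunk, so a condition may already exist on lines not shown.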
@@ -57,22 +55,22 @@ data "aws_iam_policy_document" "s3_data_policy_doc" {
########################################################################
resource "aws_iam_policy" "lambda_execution_policy" {
- name = "lambda_execution_policy"
- path = "/"
+ name = "lambda_execution_policy"
+ path = "/"
description = "IAM policy for Lambda execution"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
- {
+ {
Effect = "Allow"
Action = [
"lambda:InvokeFunction",
"lambda:GetFunction"
]
Resource = "*"
- }
- ]
+ }
+ ]
}
)
}
@@ -87,7 +85,7 @@ data "aws_iam_policy_document" "cw_document" {
actions = ["logs:CreateLogGroup"]
resources = [
"arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
- ]
+ ]
}
statement {
@@ -95,15 +93,15 @@ data "aws_iam_policy_document" "cw_document" {
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
- ]
- resources = [
- "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
- ]
+ ]
+ resources = [
+ "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
+ ]
}
}
resource "aws_iam_policy" "cw_policy" {
- name = "cw_policy"
+ name = "cw_policy"
policy = data.aws_iam_policy_document.cw_document.json
}
@@ -128,17 +126,17 @@ resource "aws_iam_policy" "s3_write_policy" {
# }
resource "aws_iam_role_policy_attachment" "s3_attachment" {
- role = aws_iam_role.multi_service_role.name
+ role = aws_iam_role.multi_service_role.name
policy_arn = aws_iam_policy.s3_write_policy.arn
}
resource "aws_iam_role_policy_attachment" "lambda_attachment" {
- role = aws_iam_role.multi_service_role.name
+ role = aws_iam_role.multi_service_role.name
policy_arn = aws_iam_policy.lambda_execution_policy.arn
}
resource "aws_iam_role_policy_attachment" "cw_attachment" {
- role = aws_iam_role.multi_service_role.name
+ role = aws_iam_role.multi_service_role.name
policy_arn = aws_iam_policy.cw_policy.arn
}