authorlian-manonog <lian.manonog@gmail.com>2024-08-13 17:16:12 +0100
committerlian-manonog <lian.manonog@gmail.com>2024-08-13 17:16:12 +0100
commit68a0b4740e1aab2c507547ab985c7c1dc436d9c9 (patch)
tree17ae6ce650c27bbccd83869cc3aafe551afa1e03 /terraform/iam.tf
parent0b38e6b20157cc0fe59dd3dc85905e18e0d0f555 (diff)
wip: running terraform apply to continue fixing terraform infrastructure
Diffstat (limited to 'terraform/iam.tf')
-rw-r--r--terraform/iam.tf64
1 files changed, 34 insertions, 30 deletions
diff --git a/terraform/iam.tf b/terraform/iam.tf
index bb8d932..f34d58a 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -4,7 +4,7 @@
########################################################################
# DEFINE MULTI-SERVICE ROLE (lambda, s3, cloudwatch, events)
-resource "aws_iam_role" "bentley_multi_service_role" {
+resource "aws_iam_role" "multi_service_role" {
name = "multi_service_role"
assume_role_policy = jsonencode({
@@ -16,7 +16,7 @@ resource "aws_iam_role" "bentley_multi_service_role" {
Principal = {
Service = [
"lambda.amazonaws.com",
- "states.amazonaws.com",
+ "cloudwatch.amazonaws.com",
"events.amazonaws.com",
"s3.amazonaws.com"
]
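Review bot: The swapped service principal `cloudwatch.amazonaws.com` is, as far as I can tell, not a principal that CloudWatch uses to call sts:AssumeRole (CloudWatch Logs acts as `logs.amazonaws.com`, and alarm actions are delivered via SNS), so this entry most likely grants nothing while the removed `states.amazonaws.com` may have been the one a Step Functions state machine needed — confirm which services actually assume this role before the change lands. Separately, a role assumable by `s3.amazonaws.com` and `events.amazonaws.com` with no condition is open to the cross-account confused-deputy case; add `Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }` to this statement (the `aws_caller_identity` data source is not visible in this hunk, so it may need adding). The enclosing `assume_role_policy` statement starts and ends outside the hunk.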
@@ -27,7 +27,6 @@ resource "aws_iam_role" "bentley_multi_service_role" {
}
-
########################################################################
# S3 SETUP
# Description: allows allows retention/tagging/access control settings
@@ -35,32 +34,23 @@ resource "aws_iam_role" "bentley_multi_service_role" {
########################################################################
# S3 DEFINE POLICY
-resource "aws_iam_policy" "s3_access_policy" {
- name = "s3_access_policy"
- path = "/"
- description = "IAM policy for S3 access"
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = [
- "s3:PutObject",
- "s3:GetObject",
- "s3:ListBucket"
- ]
- resources = [
- "${aws_s3_bucket.extract_bucket.arn}/*",
- "${aws_s3_bucket.transform_bucket.arn}/*",
- "${aws_s3_bucket.lambda_bucket.arn}/*"
- ]
- }
- ]
- }
- )
+data "aws_iam_policy_document" "s3_data_policy_doc" {
+ statement {
+ actions = [
+ "s3:PutObject",
+ "s3:PutObjectRetention",
+ "s3:PutObjectTagging",
+ "s3:PutObjectAcl"
+ ]
+ resources = [
+ "${aws_s3_bucket.extract_bucket.arn}/*",
+ "${aws_s3_bucket.transform_bucket.arn}/*",
+ "${aws_s3_bucket.lambda_code_bucket.arn}/*",
+ ]
+ }
}
+
########################################################################
# LAMBDA SETUP
# Description: Allows Lambda permission to write to Cloudwatch logs
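Review bot: `s3_data_policy_doc` grants `s3:PutObject` and `s3:PutObjectAcl` on `${aws_s3_bucket.lambda_code_bucket.arn}/*`; if this document ends up on the role the Lambda functions run as (the trust policy elsewhere in this file names `lambda.amazonaws.com`), a compromised function could overwrite its own deployment package and persist, so the code bucket should be read-only for the runtime role and written only by the deploy path. `s3:PutObjectAcl` additionally lets the caller attach a canned ACL such as `public-read` to anything it writes unless the buckets enforce `BucketOwnerEnforced` object ownership, so drop it unless something demonstrably sets ACLs. Note also that the removed policy's `s3:GetObject`/`s3:ListBucket` grants have no replacement on the new side (its `resources` key was a typo for `Resource`, so it never applied as written), and nothing in this hunk turns the document into an `aws_iam_policy`; whether `s3_write_policy` consumes its `.json` is outside the hunk.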
@@ -112,6 +102,11 @@ data "aws_iam_policy_document" "cw_document" {
}
}
+resource "aws_iam_policy" "cw_policy" {
+ name = "cw_policy"
+ policy = data.aws_iam_policy_document.cw_document.json
+}
+
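Review bot: `cw_policy` is created with a fixed `name = "cw_policy"` and no `description`; a hard-coded IAM name makes a second deployment in the same account (another workspace or environment) fail with EntityAlreadyExists, so prefer `name_prefix = "cw_policy-"` or interpolate a project/environment variable, and add `description = "Allows Lambda to write to CloudWatch Logs"` so the policy is identifiable outside Terraform. The `cw_document` data source it renders begins outside the hunk.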
########################################################################
# POLICY WRITE & ATTACH
########################################################################
@@ -123,6 +118,15 @@ resource "aws_iam_policy" "s3_write_policy" {
# S3 ATTACH POLICY
resource "aws_iam_role_policy_attachment" "lambda_s3_policy_attachment" {
- role = aws_iam_role.lambda_role.name
- policy_arn = aws_iam_policy.s3_write_policy.arn
-} \ No newline at end of file
+ for_each = toset([
+ aws_iam_policy.s3_write_policy.arn,
+ aws_iam_policy.lambda_execution_policy.arn,
+ aws_iam_policy.cw_policy.arn
+ ])
+ role = aws_iam_role.multi_service_role.name
+ policy_arn = each.value
+}
+
+################
+# RDS POLICIES #
+################
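Review bot: `for_each = toset([...arn])` on `lambda_s3_policy_attachment` is keyed on policy ARNs that are only known after apply, so a fresh apply in which `cw_policy` (added in this same commit) is created will fail with "The for_each set includes values derived from resource attributes that cannot be determined until apply" unless the policies are targeted first. Key the map on static strings and read the ARN from `each.value` instead, as below; this also gives the attachments stable addresses (`["s3_write"]` etc.) instead of ARN-shaped keys. Since the resource now attaches all three policies to `multi_service_role`, renaming it to something like `multi_service_role_policy_attachment` would stop the name from misdescribing it. The `s3_write_policy` resource named in the hunk header starts outside the hunk.
```hcl
resource "aws_iam_role_policy_attachment" "lambda_s3_policy_attachment" {
  # Static keys so the set is known at plan time; ARNs are only known after apply.
  for_each = {
    s3_write         = aws_iam_policy.s3_write_policy.arn
    lambda_execution = aws_iam_policy.lambda_execution_policy.arn
    cloudwatch       = aws_iam_policy.cw_policy.arn
  }
  role       = aws_iam_role.multi_service_role.name
  policy_arn = each.value
}
```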