From ef770c1ea4ee633489323a8ab321b1214b51a770 Mon Sep 17 00:00:00 2001
From: Ellie <ecsymonds@gmail.com>
Date: Mon, 12 Aug 2024 16:57:11 +0100
Subject: chore: add aws_iam_role

---
 terraform/iam.tf | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 terraform/iam.tf

(limited to 'terraform/iam.tf')

diff --git a/terraform/iam.tf b/terraform/iam.tf
new file mode 100644
index 0000000..7501373
--- /dev/null
+++ b/terraform/iam.tf
@@ -0,0 +1,29 @@
+# define
+
+resource "aws_iam_role" "bentley_service_role" {
+    assume_role_policy = <<EOF
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "sts:AssumeRole"
+                ],
+                "Principal": {
+                    "Service": [
+                        "lambda.amazonaws.com",
+                        "s3.amazonaws.com",
+                        "cloudwatch.amazonaws.com",
+                        "events.amazonaws.com",
+                    ]
+                }
+            }
+        ]
+    }
+    EOF
+}
+
+# create
+
+# attach
\ No newline at end of file
-- 
cgit v1.2.3


From c75e650dbeb1390336d15487a2c87c53337cd8dc Mon Sep 17 00:00:00 2001
From: Ellie <ecsymonds@gmail.com>
Date: Tue, 13 Aug 2024 11:25:33 +0100
Subject: infra(tf): add s3 policy for list & write

---
 terraform/iam.tf | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

(limited to 'terraform/iam.tf')

diff --git a/terraform/iam.tf b/terraform/iam.tf
index 7501373..b9919a5 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -1,5 +1,3 @@
-# define
-
 resource "aws_iam_role" "bentley_service_role" {
     assume_role_policy = <<EOF
     {
@@ -24,6 +22,27 @@ resource "aws_iam_role" "bentley_service_role" {
     EOF
 }
 
-# create
-
-# attach
\ No newline at end of file
+# s3 setup
+# allows to list and retrieve s3 buckets, and allows retention/tagging/access control settings
+data "aws_iam_policy_document" "s3_data_policy_doc" {
+  statement {
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation"
+      ]
+    resources = ["arn:aws:s3:::*"]
+  }
+  
+  statement {
+    actions = [
+      "s3:PutObject",
+      "s3:PutObjectRetention",
+      "s3:PutObjectTagging",
+      "s3:PutObjectAcl"
+    ]
+    resources = [
+      "${aws_s3_bucket.data_bucket.arn}/*",
+      "${aws_s3_bucket.code_bucket.arn}/*"
+    ]
+  }
+}
\ No newline at end of file
-- 
cgit v1.2.3


From 65e470c0bce51381da8f401f0ba07bd20a76071f Mon Sep 17 00:00:00 2001
From: Ellie <ecsymonds@gmail.com>
Date: Tue, 13 Aug 2024 11:55:00 +0100
Subject: infra(tf): add wip write policy and attach policy

---
 terraform/iam.tf | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

(limited to 'terraform/iam.tf')

diff --git a/terraform/iam.tf b/terraform/iam.tf
index b9919a5..dda4d74 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -22,17 +22,12 @@ resource "aws_iam_role" "bentley_service_role" {
     EOF
 }
 
+# lambda setup
+
+
 # s3 setup
-# allows to list and retrieve s3 buckets, and allows retention/tagging/access control settings
+# allows allows retention/tagging/access control settings
 data "aws_iam_policy_document" "s3_data_policy_doc" {
-  statement {
-    actions = [
-      "s3:ListAllMyBuckets",
-      "s3:GetBucketLocation"
-      ]
-    resources = ["arn:aws:s3:::*"]
-  }
-  
   statement {
     actions = [
       "s3:PutObject",
@@ -41,8 +36,22 @@ data "aws_iam_policy_document" "s3_data_policy_doc" {
       "s3:PutObjectAcl"
     ]
     resources = [
-      "${aws_s3_bucket.data_bucket.arn}/*",
-      "${aws_s3_bucket.code_bucket.arn}/*"
+      "${aws_s3_bucket.extract_bucket.arn}/*",
+      "${aws_s3_bucket.transform_bucket.arn}/*",
+      "${aws_s3_bucket.lambda_bucket.arn}/*",
     ]
   }
-}
\ No newline at end of file
+}
+
+# write policy
+resource "aws_iam_policy" "s3_policy" {
+    policy = data.aws_iam_policy_document.s3_data_policy_doc.json
+}
+
+# attach policy to role
+resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
+    role = aws_iam_role.bentley_service_role.name
+    policy_arn = aws_iam_policy.s3_policy.arn
+}
+
+# lambda setup
-- 
cgit v1.2.3


From 936eee1eb44d8bfdbd148d22b749966e9606fb46 Mon Sep 17 00:00:00 2001
From: Ellie <ecsymonds@gmail.com>
Date: Tue, 13 Aug 2024 11:58:02 +0100
Subject: infra(tf): add wip lambda role

---
 terraform/iam.tf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'terraform/iam.tf')

diff --git a/terraform/iam.tf b/terraform/iam.tf
index dda4d74..10b8749 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -23,6 +23,9 @@ resource "aws_iam_role" "bentley_service_role" {
 }
 
 # lambda setup
+resource "aws_iam_role" "lambda_role" {
+  assume_role_policy = data.aws_iam_policy_document.bentley_service_role.json
+}
 
 
 # s3 setup
@@ -44,14 +47,14 @@ data "aws_iam_policy_document" "s3_data_policy_doc" {
 }
 
 # write policy
-resource "aws_iam_policy" "s3_policy" {
+resource "aws_iam_policy" "s3_write_policy" {
     policy = data.aws_iam_policy_document.s3_data_policy_doc.json
 }
 
 # attach policy to role
 resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
-    role = aws_iam_role.bentley_service_role.name
-    policy_arn = aws_iam_policy.s3_policy.arn
+    role = aws_iam_role.lambda_role.name
+    policy_arn = aws_iam_policy.s3_write_policy.arn
 }
 
 # lambda setup
-- 
cgit v1.2.3


From eb09f0f6a42e2a2ce9529492a47a34f782ffad53 Mon Sep 17 00:00:00 2001
From: Ellie <ecsymonds@gmail.com>
Date: Tue, 13 Aug 2024 12:17:52 +0100
Subject: infra(tf): clean-up code & init lambda iam setup

---
 terraform/iam.tf | 123 +++++++++++++++++++++++++++++++++----------------------
 1 file changed, 74 insertions(+), 49 deletions(-)

(limited to 'terraform/iam.tf')

diff --git a/terraform/iam.tf b/terraform/iam.tf
index 10b8749..ecc63b1 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -1,60 +1,85 @@
-resource "aws_iam_role" "bentley_service_role" {
-    assume_role_policy = <<EOF
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "sts:AssumeRole"
-                ],
-                "Principal": {
-                    "Service": [
-                        "lambda.amazonaws.com",
-                        "s3.amazonaws.com",
-                        "cloudwatch.amazonaws.com",
-                        "events.amazonaws.com",
-                    ]
-                }
-            }
-        ]
-    }
-    EOF
-}
+# Description: This file contains the IAM roles and policies for the lambda functions
+########################################################################
+# IAM MULTI-ROLE SETUP
+########################################################################
 
-# lambda setup
-resource "aws_iam_role" "lambda_role" {
-  assume_role_policy = data.aws_iam_policy_document.bentley_service_role.json
+# DEFINE MULTI-SERVICE ROLE (lambda, s3, cloudwatch, events)
+resource "aws_iam_role" "multi_service_role" {
+  name = "multi_service_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "lambda.amazonaws.com",
+            "states.amazonaws.com",
+            "events.amazonaws.com",
+            "s3.amazonaws.com"
+          ]
+        }
+      }
+    ]
+  })
 }
 
 
-# s3 setup
-# allows allows retention/tagging/access control settings
-data "aws_iam_policy_document" "s3_data_policy_doc" {
-  statement {
-    actions = [
-      "s3:PutObject",
-      "s3:PutObjectRetention",
-      "s3:PutObjectTagging",
-      "s3:PutObjectAcl"
-    ]
-    resources = [
-      "${aws_s3_bucket.extract_bucket.arn}/*",
-      "${aws_s3_bucket.transform_bucket.arn}/*",
-      "${aws_s3_bucket.lambda_bucket.arn}/*",
-    ]
-  }
+
+########################################################################
+# S3 SETUP                                                        
+# Description: allows allows retention/tagging/access control settings
+# Lambda IAM Policy for S3 Write
+########################################################################
+
+# S3 DEFINE POLICY
+resource "aws_iam_policy" "s3_access_policy" {
+  name        = "s3_access_policy"
+  path        = "/"
+  description = "IAM policy for S3 access"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:ListBucket"
+        ]
+        resources = [
+          "${aws_s3_bucket.extract_bucket.arn}/*",
+          "${aws_s3_bucket.transform_bucket.arn}/*",
+          "${aws_s3_bucket.lambda_bucket.arn}/*"
+          ]
+        }
+      ] 
+    }
+  )
 }
 
-# write policy
+# S3 WRITE POLICY
 resource "aws_iam_policy" "s3_write_policy" {
-    policy = data.aws_iam_policy_document.s3_data_policy_doc.json
+  policy = data.aws_iam_policy_document.s3_data_policy_doc.json
 }
 
-# attach policy to role
-resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
-    role = aws_iam_role.lambda_role.name
-    policy_arn = aws_iam_policy.s3_write_policy.arn
+# S3 ATTACH POLICY
+resource "aws_iam_role_policy_attachment" "lambda_s3_policy_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.s3_write_policy.arn
 }
 
-# lambda setup
+########################################################################
+# LAMBDA SETUP
+# Description: Allows Lambda permission to write to Cloudwatch logs
+########################################################################
+
+
+
+# Uses Iam policy document to assume role for lambda functions
+resource "aws_iam_role" "lambda_role" {
+  assume_role_policy = data.aws_iam_policy_document.bentley_service_role.json
+}
\ No newline at end of file
-- 
cgit v1.2.3


From 3c824df60374380d044cb9181672fa76b610d84f Mon Sep 17 00:00:00 2001
From: Ellie <ecsymonds@gmail.com>
Date: Tue, 13 Aug 2024 12:30:53 +0100
Subject: infra(tf): clean-up code

---
 terraform/iam.tf | 69 +++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 56 insertions(+), 13 deletions(-)

(limited to 'terraform/iam.tf')

diff --git a/terraform/iam.tf b/terraform/iam.tf
index ecc63b1..bb8d932 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -4,7 +4,7 @@
 ########################################################################
 
 # DEFINE MULTI-SERVICE ROLE (lambda, s3, cloudwatch, events)
-resource "aws_iam_role" "multi_service_role" {
+resource "aws_iam_role" "bentley_multi_service_role" {
   name = "multi_service_role"
 
   assume_role_policy = jsonencode({
@@ -61,6 +61,61 @@ resource "aws_iam_policy" "s3_access_policy" {
   )
 }
 
+########################################################################
+# LAMBDA SETUP
+# Description: Allows Lambda permission to write to Cloudwatch logs
+########################################################################
+
+resource "aws_iam_policy" "lambda_execution_policy" {
+  name = "lambda_execution_policy"
+  path = "/"
+  description = "IAM policy for Lambda execution"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+        {
+        Effect = "Allow"
+        Action = [
+          "lambda:InvokeFunction",
+          "lambda:GetFunction"
+        ]
+        Resource = "*"
+        }
+      ]
+    }
+  )
+}
+
+########################################################################
+# CLOUDWATCH SETUP
+# Description: Give permission for Lambda to write to CloudWatch logs
+########################################################################
+
+data "aws_iam_policy_document" "cw_document" {
+  statement {
+    actions = ["logs:CreateLogGroup"]
+    resources = [
+      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
+      ]
+  }
+
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:CreateLogGroup",
+      "logs:PutLogEvents"
+      ]
+      resources = [
+        "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
+      ]
+  }
+}
+
+########################################################################
+# POLICY WRITE & ATTACH
+########################################################################
+
 # S3 WRITE POLICY
 resource "aws_iam_policy" "s3_write_policy" {
   policy = data.aws_iam_policy_document.s3_data_policy_doc.json
@@ -70,16 +125,4 @@ resource "aws_iam_policy" "s3_write_policy" {
 resource "aws_iam_role_policy_attachment" "lambda_s3_policy_attachment" {
   role       = aws_iam_role.lambda_role.name
   policy_arn = aws_iam_policy.s3_write_policy.arn
-}
-
-########################################################################
-# LAMBDA SETUP
-# Description: Allows Lambda permission to write to Cloudwatch logs
-########################################################################
-
-
-
-# Uses Iam policy document to assume role for lambda functions
-resource "aws_iam_role" "lambda_role" {
-  assume_role_policy = data.aws_iam_policy_document.bentley_service_role.json
 }
\ No newline at end of file
-- 
cgit v1.2.3