add inline role policies

guardian · Oct 23, 2023 · 9c72e28 · 9c72e28
1 parent d93b2b9
commit 9c72e28
Show file tree

Hide file tree

Showing 2 changed files with 195 additions and 1 deletion.
diff --git a/cdk/lib/__snapshots__/batch-email-sender.test.ts.snap b/cdk/lib/__snapshots__/batch-email-sender.test.ts.snap
@@ -1202,6 +1202,86 @@ exports[`The BatchEmailSender stack matches the snapshot 1`] = `
       },
       "Type": "AWS::ApiGateway::Method",
     },
+    "cloudwatchlogsinlinepolicyB03D217C": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents",
+                "lambda:InvokeFunction",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    "arn:aws:logs:",
+                    {
+                      "Ref": "AWS::Region",
+                    },
+                    ":",
+                    {
+                      "Ref": "AWS::AccountId",
+                    },
+                    ":log-group:/aws/lambda/batch-email-sender-CODE:log-stream:*",
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "cloudwatchlogsinlinepolicyB03D217C",
+        "Roles": [
+          {
+            "Ref": "BatchEmailSenderLambdaServiceRoleADC9CE54",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
+    "sqsinlinepolicyA7B14341": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sqs:GetQueueUrl",
+                "sqs:SendMessage",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    "arn:aws:sqs:",
+                    {
+                      "Ref": "AWS::Region",
+                    },
+                    ":",
+                    {
+                      "Ref": "AWS::AccountId",
+                    },
+                    ":braze-emails-CODE",
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "sqsinlinepolicyA7B14341",
+        "Roles": [
+          {
+            "Ref": "BatchEmailSenderLambdaServiceRoleADC9CE54",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
   },
 }
 `;
@@ -2408,6 +2488,86 @@ exports[`The BatchEmailSender stack matches the snapshot 2`] = `
       },
       "Type": "AWS::ApiGateway::Method",
     },
+    "cloudwatchlogsinlinepolicyB03D217C": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents",
+                "lambda:InvokeFunction",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    "arn:aws:logs:",
+                    {
+                      "Ref": "AWS::Region",
+                    },
+                    ":",
+                    {
+                      "Ref": "AWS::AccountId",
+                    },
+                    ":log-group:/aws/lambda/batch-email-sender-PROD:log-stream:*",
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "cloudwatchlogsinlinepolicyB03D217C",
+        "Roles": [
+          {
+            "Ref": "BatchEmailSenderLambdaServiceRoleADC9CE54",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
+    "sqsinlinepolicyA7B14341": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sqs:GetQueueUrl",
+                "sqs:SendMessage",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    "arn:aws:sqs:",
+                    {
+                      "Ref": "AWS::Region",
+                    },
+                    ":",
+                    {
+                      "Ref": "AWS::AccountId",
+                    },
+                    ":braze-emails-PROD",
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "sqsinlinepolicyA7B14341",
+        "Roles": [
+          {
+            "Ref": "BatchEmailSenderLambdaServiceRoleADC9CE54",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
   },
 }
 `;
diff --git a/cdk/lib/batch-email-sender.ts b/cdk/lib/batch-email-sender.ts
@@ -7,6 +7,7 @@ import type {App} from "aws-cdk-lib";
 import {Duration} from "aws-cdk-lib";
 import {ApiKey, CfnUsagePlanKey, Cors, UsagePlan} from "aws-cdk-lib/aws-apigateway";
 import {ComparisonOperator, Metric} from "aws-cdk-lib/aws-cloudwatch";
+import {Effect, Policy, PolicyStatement} from "aws-cdk-lib/aws-iam";
 import {Runtime} from "aws-cdk-lib/aws-lambda";
 import {CfnInclude} from "aws-cdk-lib/cloudformation-include";
 
@@ -126,6 +127,39 @@ export class BatchEmailSender extends GuStack {
 
 
         // ---- Apply policies ---- //
-        // TODO
+        const cloudwatchLogsInlinePolicy: Policy = new Policy(this, "cloudwatch-logs-inline-policy", {
+            statements: [
+                new PolicyStatement({
+                    effect: Effect.ALLOW,
+                    actions: [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutLogEvents",
+                        "lambda:InvokeFunction"
+                    ],
+                    resources: [
+                        `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/batch-email-sender-${this.stage}:log-stream:*`,
+                    ]
+                }),
+            ],
+        })
+
+        const sqsInlinePolicy: Policy = new Policy(this, "sqs-inline-policy", {
+            statements: [
+                new PolicyStatement({
+                    effect: Effect.ALLOW,
+                    actions: [
+                        "sqs:GetQueueUrl",
+                        "sqs:SendMessage",
+                    ],
+                    resources: [
+                        `arn:aws:sqs:${this.region}:${this.account}:braze-emails-${this.stage}`,
+                    ]
+                }),
+            ],
+        })
+
+        batchEmailSenderLambda.role?.attachInlinePolicy(cloudwatchLogsInlinePolicy)
+        batchEmailSenderLambda.role?.attachInlinePolicy(sqsInlinePolicy)
     }
 }