From 9c72e289b085cfac7e033aab535483ce1724ba1e Mon Sep 17 00:00:00 2001 From: Michael Jacobson Date: Mon, 23 Oct 2023 14:20:15 +0100 Subject: [PATCH] add inline role policies --- .../batch-email-sender.test.ts.snap | 160 ++++++++++++++++++ cdk/lib/batch-email-sender.ts | 36 +++- 2 files changed, 195 insertions(+), 1 deletion(-) diff --git a/cdk/lib/__snapshots__/batch-email-sender.test.ts.snap b/cdk/lib/__snapshots__/batch-email-sender.test.ts.snap index 3e6f1f3819..e439fde5e6 100644 --- a/cdk/lib/__snapshots__/batch-email-sender.test.ts.snap +++ b/cdk/lib/__snapshots__/batch-email-sender.test.ts.snap @@ -1202,6 +1202,86 @@ exports[`The BatchEmailSender stack matches the snapshot 1`] = ` }, "Type": "AWS::ApiGateway::Method", }, + "cloudwatchlogsinlinepolicyB03D217C": { + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "lambda:InvokeFunction", + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:logs:", + { + "Ref": "AWS::Region", + }, + ":", + { + "Ref": "AWS::AccountId", + }, + ":log-group:/aws/lambda/batch-email-sender-CODE:log-stream:*", + ], + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "cloudwatchlogsinlinepolicyB03D217C", + "Roles": [ + { + "Ref": "BatchEmailSenderLambdaServiceRoleADC9CE54", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "sqsinlinepolicyA7B14341": { + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "sqs:GetQueueUrl", + "sqs:SendMessage", + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:sqs:", + { + "Ref": "AWS::Region", + }, + ":", + { + "Ref": "AWS::AccountId", + }, + ":braze-emails-CODE", + ], + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "sqsinlinepolicyA7B14341", + "Roles": [ + { + "Ref": "BatchEmailSenderLambdaServiceRoleADC9CE54", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, }, } `; 
@@ -2408,6 +2488,86 @@ exports[`The BatchEmailSender stack matches the snapshot 2`] = ` }, "Type": "AWS::ApiGateway::Method", }, + "cloudwatchlogsinlinepolicyB03D217C": { + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "lambda:InvokeFunction", + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:logs:", + { + "Ref": "AWS::Region", + }, + ":", + { + "Ref": "AWS::AccountId", + }, + ":log-group:/aws/lambda/batch-email-sender-PROD:log-stream:*", + ], + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "cloudwatchlogsinlinepolicyB03D217C", + "Roles": [ + { + "Ref": "BatchEmailSenderLambdaServiceRoleADC9CE54", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "sqsinlinepolicyA7B14341": { + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "sqs:GetQueueUrl", + "sqs:SendMessage", + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:sqs:", + { + "Ref": "AWS::Region", + }, + ":", + { + "Ref": "AWS::AccountId", + }, + ":braze-emails-PROD", + ], + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "sqsinlinepolicyA7B14341", + "Roles": [ + { + "Ref": "BatchEmailSenderLambdaServiceRoleADC9CE54", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, }, } `; diff --git a/cdk/lib/batch-email-sender.ts b/cdk/lib/batch-email-sender.ts index 7673fb1d96..dda32d7f13 100644 --- a/cdk/lib/batch-email-sender.ts +++ b/cdk/lib/batch-email-sender.ts @@ -7,6 +7,7 @@ import type {App} from "aws-cdk-lib"; import {Duration} from "aws-cdk-lib"; import {ApiKey, CfnUsagePlanKey, Cors, UsagePlan} from "aws-cdk-lib/aws-apigateway"; import {ComparisonOperator, Metric} from "aws-cdk-lib/aws-cloudwatch"; +import {Effect, Policy, PolicyStatement} from "aws-cdk-lib/aws-iam"; import {Runtime} from "aws-cdk-lib/aws-lambda"; import {CfnInclude} from "aws-cdk-lib/cloudformation-include"; 
@@ -126,6 +127,39 @@ export class BatchEmailSender extends GuStack { // ---- Apply policies ---- // - // TODO + const cloudwatchLogsInlinePolicy: Policy = new Policy(this, "cloudwatch-logs-inline-policy", { + statements: [ + new PolicyStatement({ + effect: Effect.ALLOW, + actions: [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "lambda:InvokeFunction" + ], + resources: [ + `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/batch-email-sender-${this.stage}:log-stream:*`, + ] + }), + ], + }) + + const sqsInlinePolicy: Policy = new Policy(this, "sqs-inline-policy", { + statements: [ + new PolicyStatement({ + effect: Effect.ALLOW, + actions: [ + "sqs:GetQueueUrl", + "sqs:SendMessage", + ], + resources: [ + `arn:aws:sqs:${this.region}:${this.account}:braze-emails-${this.stage}`, + ] + }), + ], + }) + + batchEmailSenderLambda.role?.attachInlinePolicy(cloudwatchLogsInlinePolicy) + batchEmailSenderLambda.role?.attachInlinePolicy(sqsInlinePolicy) } } \ No newline at end of file
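Review bot: `"lambda:InvokeFunction"` in the cloudwatch-logs-inline-policy statement is scoped only to a CloudWatch Logs ARN, which a Lambda action can never match, so the line grants nothing today and would become an invoke-any-function grant if that Resource were ever widened; drop it from this statement and, if the function genuinely needs to invoke another Lambda, give that its own PolicyStatement whose resource is the target function's ARN. `logs:CreateLogGroup` is likewise evaluated against the log-group ARN, which the `…:log-group:/aws/lambda/batch-email-sender-${this.stage}:log-stream:*` resource probably does not match, so it is worth confirming against whatever managed policy the role already carries (not visible in this diff) whether this statement does any work at all. The two `batchEmailSenderLambda.role?.attachInlinePolicy(...)` calls silently do nothing when `role` is undefined, leaving both policies created but unattached; a guard such as `if (!batchEmailSenderLambda.role) throw new Error("batchEmailSenderLambda has no role to attach policies to");` before them makes that failure visible at synth time. The `: Policy` annotations on the two consts are redundant with the `new Policy(...)` initializer and can be dropped. The enclosing constructor starts outside this hunk; only its closing braces are visible here.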