SDE-139 Moved lambda IAM roles into separate files
OliverForeman committed Aug 23, 2019
1 parent eb83a5b commit 44214d9
Showing 23 changed files with 1,292 additions and 1,247 deletions.
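--- a/iam-role-resources/calculateUserDailyDigest.yml
+++ b/iam-role-resources/calculateUserDailyDigest.yml
@@ -0,0 +1,59 @@
+Resources:
+calculateUserDailyDigestLambdaRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: ${self:service}-${self:custom.stage}-calculateUserDailyDigestLambdaRole
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- lambda.amazonaws.com
+Action: sts:AssumeRole
+Policies:
+- PolicyName: inlinePolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- es:ESHttpPost
+Resource:
+- '${self:custom.esArn}/*'
+- Effect: Allow
+Action:
+- lambda:InvokeFunction
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:lambda'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- 'function'
+- '${self:service}-${self:custom.stage}-sendDigestEmail'
+- Effect: Allow
+Action:
+- logs:CreateLogStream
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+- Effect: Allow
+Action:
+- logs:PutLogEvents
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'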
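Review bot: Both logs statements end their resource in `${self:service}-${self:custom.stage}*`, so this role can create streams and put events in every log group whose name starts with the service-stage prefix, not only this function's. That covers the other lambdas' groups and any stage whose name merely begins with this stage's name, which weakens the isolation that per-function roles are meant to give and lets one function write entries into another's logs. Scoping the last Join element to the function closes that, e.g. `'/aws/lambda/${self:service}-${self:custom.stage}-calculateUserDailyDigest:*'` for CreateLogStream and the same with `:*:*` for PutLogEvents; the function name is inferred from the role name and the `sendDigestEmail` ARN above, so confirm it against the deployed name. The same wildcard is repeated in createPost.yml, createPostRequest.yml, createRealTimeSubscription.yml, createSubscription.yml, deleteRealTimeSubscription.yml and deleteSubscription.yml.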
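--- a/iam-role-resources/createPost.yml
+++ b/iam-role-resources/createPost.yml
@@ -0,0 +1,47 @@
+Resources:
+createPostLambdaRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: ${self:service}-${self:custom.stage}-createPostLambdaRole
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- lambda.amazonaws.com
+Action: sts:AssumeRole
+Policies:
+- PolicyName: inlinePolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- es:ESHttpPost
+Resource:
+- '${self:custom.esArn}/*'
+- Effect: Allow
+Action:
+- logs:CreateLogStream
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+- Effect: Allow
+Action:
+- logs:PutLogEvents
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'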
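Review bot: `es:ESHttpPost` is granted on `${self:custom.esArn}/*`, which covers every index and every POST endpoint on the domain, including cluster-wide ones such as `_bulk` and `_delete_by_query`. If createPost only indexes documents into one index, the resource can name that path instead, e.g. `'${self:custom.esArn}/<index-name>/*'` (placeholder, the index name is not visible in this commit). The same domain-wide grant appears in calculateUserDailyDigest.yml, createRealTimeSubscription.yml and deleteRealTimeSubscription.yml.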
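--- a/iam-role-resources/createPostRequest.yml
+++ b/iam-role-resources/createPostRequest.yml
@@ -0,0 +1,54 @@
+Resources:
+createPostRequestLambdaRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: ${self:service}-${self:custom.stage}-createPostRequestLambdaRole
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- lambda.amazonaws.com
+Action: sts:AssumeRole
+Policies:
+- PolicyName: inlinePolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- states:StartExecution
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:states'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- 'stateMachine'
+- '${self:service}-${self:custom.stage}-create-post-request-step-function'
+- Effect: Allow
+Action:
+- logs:CreateLogStream
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+- Effect: Allow
+Action:
+- logs:PutLogEvents
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'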
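--- a/iam-role-resources/createRealTimeSubscription.yml
+++ b/iam-role-resources/createRealTimeSubscription.yml
@@ -0,0 +1,47 @@
+Resources:
+createRealTimeSubscriptionLambdaRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: ${self:service}-${self:custom.stage}-createRealTimeSubscriptionLambdaRole
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- lambda.amazonaws.com
+Action: sts:AssumeRole
+Policies:
+- PolicyName: inlinePolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- es:ESHttpPost
+Resource:
+- '${self:custom.esArn}/*'
+- Effect: Allow
+Action:
+- logs:CreateLogStream
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+- Effect: Allow
+Action:
+- logs:PutLogEvents
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'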
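Review bot: The explicit `RoleName` leaves little headroom under IAM's 64-character role-name limit, and nothing in the file documents that. The fixed suffix `-createRealTimeSubscriptionLambdaRole` is 37 characters, so `${self:service}-${self:custom.stage}` has to fit in 27 or the stack fails at deploy time. The name also carries no region while IAM role names are account-wide, so the same service and stage deployed to a second region would collide. Either drop `RoleName` and let CloudFormation generate it (if nothing refers to the role by name, which this view does not show), or add a comment above it such as `# IAM role names max 64 chars; service+stage must stay <= 27`. deleteRealTimeSubscription.yml has a suffix of the same length.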
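--- a/iam-role-resources/createSubscription.yml
+++ b/iam-role-resources/createSubscription.yml
@@ -0,0 +1,56 @@
+Resources:
+createSubscriptionLambdaRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: ${self:service}-${self:custom.stage}-createSubscriptionLambdaRole
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- lambda.amazonaws.com
+Action: sts:AssumeRole
+Policies:
+- PolicyName: inlinePolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- dynamodb:GetItem
+- dynamodb:PutItem
+Resource:
+- !Join
+- ''
+-
+- 'arn:aws:dynamodb:'
+- Ref: 'AWS::Region'
+- ':'
+- Ref: 'AWS::AccountId'
+- ':table/'
+- Ref: SubscriptionsTable
+- Effect: Allow
+Action:
+- logs:CreateLogStream
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+- Effect: Allow
+Action:
+- logs:PutLogEvents
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'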
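--- a/iam-role-resources/deleteRealTimeSubscription.yml
+++ b/iam-role-resources/deleteRealTimeSubscription.yml
@@ -0,0 +1,47 @@
+Resources:
+deleteRealTimeSubscriptionLambdaRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: ${self:service}-${self:custom.stage}-deleteRealTimeSubscriptionLambdaRole
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- lambda.amazonaws.com
+Action: sts:AssumeRole
+Policies:
+- PolicyName: inlinePolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- es:ESHttpPost
+Resource:
+- '${self:custom.esArn}/*'
+- Effect: Allow
+Action:
+- logs:CreateLogStream
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+- Effect: Allow
+Action:
+- logs:PutLogEvents
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'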
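--- a/iam-role-resources/deleteSubscription.yml
+++ b/iam-role-resources/deleteSubscription.yml
@@ -0,0 +1,56 @@
+Resources:
+deleteSubscriptionLambdaRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: ${self:service}-${self:custom.stage}-deleteSubscriptionLambdaRole
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- lambda.amazonaws.com
+Action: sts:AssumeRole
+Policies:
+- PolicyName: inlinePolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- dynamodb:GetItem
+- dynamodb:PutItem
+Resource:
+- !Join
+- ''
+-
+- 'arn:aws:dynamodb:'
+- Ref: 'AWS::Region'
+- ':'
+- Ref: 'AWS::AccountId'
+- ':table/'
+- Ref: SubscriptionsTable
+- Effect: Allow
+Action:
+- logs:CreateLogStream
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+- Effect: Allow
+Action:
+- logs:PutLogEvents
+Resource:
+- !Join
+- ':'
+-
+- 'arn:aws:logs'
+- Ref: 'AWS::Region'
+- Ref: 'AWS::AccountId'
+- log-group
+- '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'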
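Review bot: The DynamoDB statement for the delete role grants `dynamodb:GetItem` and `dynamodb:PutItem`, identical to createSubscription.yml, and no `dynamodb:DeleteItem`. If the handler removes the row with DeleteItem it will be denied under this role, and if it never writes items then `PutItem` is a grant it does not need. The handler is not part of this view, so the action list should be checked against the calls deleteSubscription actually makes on `SubscriptionsTable` and trimmed to exactly those.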