Merge pull request #76 from ScottLogic/SDE-139-individual-lambda-iam-…

…roles SDE 139 Individual lambda IAM roles
ScottLogic · Aug 26, 2019 · fd6973f · fd6973f
2 parents 11d4064 + 8eabecc
commit fd6973f
Show file tree

Hide file tree

Showing 26 changed files with 3,480 additions and 1,597 deletions.
diff --git a/aws-infrastructure/aws-infrastructure.tf b/aws-infrastructure/aws-infrastructure.tf
@@ -47,6 +47,17 @@ module "ssm_es_endpoint_parameter" {
   value = module.elasticsearch.endpoint
 }
 
+module "ssm_es_arn_parameter" {
+  source                    = "./modules/ssm_parameter"
+  name_prefix               = local.name_prefix
+  project                   = var.project
+  environment               = var.environment
+  name = "elasticsearch-arn"
+  description = "The Elasticsearch ARN for the SDE project"
+  type = "String"
+  value = module.elasticsearch.elasticsearch_arn
+}
+
 module "ssm_s3_bucket_name_parameter" {
   source                    = "./modules/ssm_parameter"
   name_prefix               = local.name_prefix
@@ -58,6 +69,17 @@ module "ssm_s3_bucket_name_parameter" {
   value = module.s3-bucket.bucket_name
 }
 
+module "ssm_s3_arn_parameter" {
+  source                    = "./modules/ssm_parameter"
+  name_prefix               = local.name_prefix
+  project                   = var.project
+  environment               = var.environment
+  name = "s3-bucket-arn"
+  description = "The S3 bucket ARN for the SDE project"
+  type = "String"
+  value = module.s3-bucket.arn
+}
+
 module "ssm_s3_bucket_site_url_parameter" {
   source                    = "./modules/ssm_parameter"
   name_prefix               = local.name_prefix

diff --git a/iam-role-resources/calculateUserDailyDigest.yml b/iam-role-resources/calculateUserDailyDigest.yml
@@ -0,0 +1,59 @@
+Resources:
+  calculateUserDailyDigestLambdaRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:service}-${self:custom.stage}-calculateUserDailyDigestLambdaRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: inlinePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - es:ESHttpPost
+                Resource:
+                  - '${self:custom.esArn}/*'
+              - Effect: Allow
+                Action:
+                  - lambda:InvokeFunction
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:lambda'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - 'function'
+                        - '${self:service}-${self:custom.stage}-sendDigestEmail'
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+              - Effect: Allow
+                Action:
+                  - logs:PutLogEvents
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/createPost.yml b/iam-role-resources/createPost.yml
@@ -0,0 +1,47 @@
+Resources:
+  createPostLambdaRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:service}-${self:custom.stage}-createPostLambdaRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: inlinePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - es:ESHttpPost
+                Resource:
+                  - '${self:custom.esArn}/*'
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+              - Effect: Allow
+                Action:
+                  - logs:PutLogEvents
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/createPostRequest.yml b/iam-role-resources/createPostRequest.yml
@@ -0,0 +1,54 @@
+Resources:
+  createPostRequestLambdaRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:service}-${self:custom.stage}-createPostRequestLambdaRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: inlinePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - states:StartExecution
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:states'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - 'stateMachine'
+                        - '${self:service}-${self:custom.stage}-create-post-request-step-function'
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+              - Effect: Allow
+                Action:
+                  - logs:PutLogEvents
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/createRealTimeSubscription.yml b/iam-role-resources/createRealTimeSubscription.yml
@@ -0,0 +1,47 @@
+Resources:
+  createRealTimeSubscriptionLambdaRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:service}-${self:custom.stage}-createRealTimeSubscriptionLambdaRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: inlinePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - es:ESHttpPost
+                Resource:
+                  - '${self:custom.esArn}/*'
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+              - Effect: Allow
+                Action:
+                  - logs:PutLogEvents
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/createSubscription.yml b/iam-role-resources/createSubscription.yml
@@ -0,0 +1,56 @@
+Resources:
+  createSubscriptionLambdaRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:service}-${self:custom.stage}-createSubscriptionLambdaRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: inlinePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - dynamodb:GetItem
+                  - dynamodb:PutItem
+                Resource:
+                  - !Join
+                      - ''
+                      -
+                        - 'arn:aws:dynamodb:'
+                        - Ref: 'AWS::Region'
+                        - ':'
+                        - Ref: 'AWS::AccountId'
+                        - ':table/'
+                        - Ref: SubscriptionsTable
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+              - Effect: Allow
+                Action:
+                  - logs:PutLogEvents
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/deleteRealTimeSubscription.yml b/iam-role-resources/deleteRealTimeSubscription.yml
@@ -0,0 +1,47 @@
+Resources:
+  deleteRealTimeSubscriptionLambdaRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:service}-${self:custom.stage}-deleteRealTimeSubscriptionLambdaRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: inlinePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - es:ESHttpPost
+                Resource:
+                  - '${self:custom.esArn}/*'
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+              - Effect: Allow
+                Action:
+                  - logs:PutLogEvents
+                Resource:
+                  - !Join
+                      - ':'
+                      -
+                        - 'arn:aws:logs'
+                        - Ref: 'AWS::Region'
+                        - Ref: 'AWS::AccountId'
+                        - log-group
+                        - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'