Commit

fix: Correct assume role permissions for SNS service to assume IAM role (#220)

* Added inline assume_role_policy for sns_feedback_role

* Unified perms

* fix: Correct assume role policy

---------

Co-authored-by: Swaraj Baral <swaraj.baral@raft.ai>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
3 people authored Mar 26, 2024
1 parent 30cd80c commit dae0c0f
Showing 2 changed files with 12 additions and 11 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.88.0
rev: v1.88.4
hooks:
- id: terraform_fmt
- id: terraform_docs
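Review bot: The `rev` bump of pre-commit-terraform from v1.88.0 to v1.88.4 is unrelated to the assume-role fix the commit title describes and is not mentioned in the message body; a one-line mention (for example "also bumps pre-commit-terraform to v1.88.4") or a separate chore commit would keep the history easier to audit. Pinning to an exact tag rather than a branch is the right choice for a hook that runs terraform_fmt and terraform_docs on every commit.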
21 changes: 11 additions & 10 deletions iam.tf
Expand Up @@ -6,20 +6,18 @@ data "aws_iam_policy_document" "sns_feedback" {
count = local.create_sns_feedback_role ? 1 : 0

statement {
sid = "PermitDeliveryStatusMessagesToCloudWatchLogs"
sid = "SnsAssume"
effect = "Allow"

actions = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutMetricFilter",
"logs:PutRetentionPolicy"
"sts:AssumeRole",
"sts:TagSession",
]

resources = [
"*"
]
principals {
type = "Service"
identifiers = ["sns.amazonaws.com"]
}
}
}
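Review bot: The `PermitDeliveryStatusMessagesToCloudWatchLogs` statement (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:PutMetricFilter, logs:PutRetentionPolicy) is deleted here but nothing in this hunk re-grants those actions, so confirm that the "Unified perms" change attaches them to `sns_feedback_role` elsewhere (an inline or managed policy on the role); otherwise SNS will be able to assume the role but delivery-status logging will fail with AccessDenied. Turning this document into a trust policy is correct: dropping `resources = ["*"]` is required because a trust policy has no Resource element, and `principals { type = "Service" identifiers = ["sns.amazonaws.com"] }` is what `assume_role_policy` needs. Two tightening suggestions: add a `condition` block on `aws:SourceAccount` (and `aws:SourceArn` for the topic) so only SNS acting for this account can assume the role, which closes the confused-deputy case, and keep `sts:TagSession` only if SNS is known to pass session tags, since `sts:AssumeRole` alone is sufficient for delivery-status logging.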

Expand All @@ -33,5 +31,8 @@ resource "aws_iam_role" "sns_feedback_role" {
permissions_boundary = var.sns_topic_feedback_role_permissions_boundary
assume_role_policy = data.aws_iam_policy_document.sns_feedback[0].json

tags = merge(var.tags, var.sns_topic_feedback_role_tags)
tags = merge(
var.tags,
var.sns_topic_feedback_role_tags,
)
}
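Review bot: Style only: splitting `merge(var.tags, var.sns_topic_feedback_role_tags)` across four lines with a trailing comma has no functional effect and is unrelated to the fix; terraform_fmt accepts both forms, so it is fine to keep, but it deserves a word in the commit message as a formatting touch-up. The unchanged context line `assume_role_policy = data.aws_iam_policy_document.sns_feedback[0].json` is what makes the new trust statement take effect; since `sns_feedback` is now a trust document rather than a permissions document, a name such as `sns_feedback_assume_role` would make that intent clearer to future readers.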

0 comments on commit dae0c0f
