From 559333f90954c88d5288e36f00166658a0f4bbee Mon Sep 17 00:00:00 2001 From: Roman Volykh Date: Mon, 29 Dec 2025 17:42:01 +0200 Subject: [PATCH] fix: Reduce CloudWatch permissions --- infra/modules/alerting/telegram.tf | 21 ++++++++++++--- infra/modules/alerting/variables.tf | 4 +-- infra/modules/api/data.tf | 40 ++++++++++++++++++++++++++--- infra/modules/handler/roles.tf | 19 +++++++++----- infra/modules/handler/variables.tf | 4 +-- infra/tests/01_unit.tftest.hcl | 4 +-- 6 files changed, 72 insertions(+), 20 deletions(-) diff --git a/infra/modules/alerting/telegram.tf b/infra/modules/alerting/telegram.tf index 6626daa..1481a10 100644 --- a/infra/modules/alerting/telegram.tf +++ b/infra/modules/alerting/telegram.tf @@ -56,9 +56,24 @@ resource "aws_iam_role" "lambda_execution" { tags = var.tags } -resource "aws_iam_role_policy_attachment" "lambda_basic_execution" { - role = aws_iam_role.lambda_execution.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" +resource "aws_iam_role_policy" "lambda_exec_required_perm" { + name = "${var.name}-required" + role = aws_iam_role.lambda_execution.id + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Sid = "Logging", + Effect = "Allow" + Action = [ + "logs:CreateLogStream", + "logs:PutLogEvents", + ] + Resource = "arn:aws:logs:*:*:log-group:/aws/lambda/${var.name}:log-stream:*" + } + ] + }) } resource "aws_iam_role_policy" "fallback_to_sns" { diff --git a/infra/modules/alerting/variables.tf b/infra/modules/alerting/variables.tf index a2a56e3..7772ae0 100644 --- a/infra/modules/alerting/variables.tf +++ b/infra/modules/alerting/variables.tf @@ -35,8 +35,8 @@ variable "role_policies" { default = [] validation { - condition = length(var.role_policies) <= 8 - error_message = "role_policies must be less than 9 policies" + condition = length(var.role_policies) <= 9 + error_message = "role_policies must be less than 10 policies" } } 
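Review bot: The new `Logging` statement replaces AWSLambdaBasicExecutionRole but grants only `logs:CreateLogStream` and `logs:PutLogEvents`, so `logs:CreateLogGroup` is silently dropped; unless this module declares an `aws_cloudwatch_log_group` for `/aws/lambda/${var.name}` (none is visible in this hunk), Lambda cannot create the group on first invocation and the function's logs are discarded while invocations keep succeeding, which is the worst failure mode for an alerting path. Prefer managing the group in Terraform, `resource "aws_cloudwatch_log_group" "lambda" { name = "/aws/lambda/${var.name}"  retention_in_days = 30 }`, and referencing `"${aws_cloudwatch_log_group.lambda.arn}:*"` here (append `:*` explicitly; on newer provider versions the `arn` attribute no longer carries it); otherwise add a statement granting `logs:CreateLogGroup` on `arn:aws:logs:*:*:log-group:/aws/lambda/${var.name}`. The hand-built ARN also only matches if the function's `function_name` is exactly `var.name`, which this hunk does not show, so a comment on the `Resource` line stating that coupling would help the next reader. The `fallback_to_sns` policy that follows continues outside the hunk.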
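Review bot: The ceiling moves from 8 to 9 here while the handler module's identical validation moves to 10 in the same commit, and nothing records what the number protects — presumably the quota of 10 managed policies attachable to one role, recomputed now that the AWSLambdaBasicExecutionRole attachment is gone. A comment above `validation`, e.g. `# AWS allows at most 10 managed policies per role; this module attaches N itself`, would make the arithmetic auditable and keep the two modules from drifting apart again. If `role_policies` entries are instead rendered as inline statements (the test fixture passes lists of strings, which hints at that), the binding limit is the 10,240-character inline policy size rather than a count, and the comment should say so.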
diff --git a/infra/modules/api/data.tf b/infra/modules/api/data.tf index c8d0521..b5e3baf 100644 --- a/infra/modules/api/data.tf +++ b/infra/modules/api/data.tf @@ -6,16 +6,48 @@ data "aws_iam_policy_document" "cloudwatch_permissions" { statement { effect = "Allow" actions = [ - "logs:CreateLogGroup", - "logs:CreateLogStream", "logs:DescribeLogGroups", + ] + resources = [ + "*", + ] + } + + statement { + effect = "Allow" + actions = [ + "logs:CreateLogGroup", + "logs:DeleteLogGroup", + ] + resources = [ + "arn:aws:logs:*:*:log-group:/aws/apigateway/welcome:*" + ] + } + + statement { + effect = "Allow" + actions = [ "logs:DescribeLogStreams", + "logs:FilterLogEvents" + ] + resources = [ + "arn:aws:logs:*:*:log-group:/aws/apigateway/welcome:*", + aws_cloudwatch_log_group.access_logs.arn, + aws_cloudwatch_log_group.stage_v1.arn, + ] + } + + statement { + effect = "Allow" + actions = [ + "logs:CreateLogStream", "logs:PutLogEvents", "logs:GetLogEvents", - "logs:FilterLogEvents" ] resources = [ - "*", + "arn:aws:logs:*:*:log-group:/aws/apigateway/welcome:*", + aws_cloudwatch_log_group.access_logs.arn, + aws_cloudwatch_log_group.stage_v1.arn, ] } } diff --git a/infra/modules/handler/roles.tf b/infra/modules/handler/roles.tf index 0e03a3b..8fe5d97 100644 --- a/infra/modules/handler/roles.tf +++ b/infra/modules/handler/roles.tf 
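Review bot: `logs:DeleteLogGroup` on the `/aws/apigateway/welcome` group is a new grant that the old wildcard policy never carried, which is surprising in a commit meant to reduce CloudWatch permissions; API Gateway only needs to create and write that group, so the second statement should be `actions = ["logs:CreateLogGroup"]` unless a deletion need is documented. Separately, `aws_cloudwatch_log_group.access_logs.arn` and `aws_cloudwatch_log_group.stage_v1.arn` are used bare in the last statement for `logs:PutLogEvents` and `logs:GetLogEvents`, which IAM evaluates against log-stream ARNs (`...:log-group:NAME:log-stream:*`); on provider versions where the `arn` attribute has no trailing `:*` (v4 and later, as I recall — verify against the lock file) those two actions would be denied for both groups, so use `"${aws_cloudwatch_log_group.access_logs.arn}:*"` and `"${aws_cloudwatch_log_group.stage_v1.arn}:*"` there, matching the `:*` already written on the welcome-group entry. The `DescribeLogStreams`/`FilterLogEvents` statement is log-group scoped and works as is, and `logs:DescribeLogGroups` on `*` is correct since that action does not support resource-level restriction.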
@@ -15,19 +15,24 @@ resource "aws_iam_role" "lambda_execution" { }) } -resource "aws_iam_role_policy_attachment" "lambda_basic_execution" { - role = aws_iam_role.lambda_execution.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" -} - -resource "aws_iam_role_policy" "sqs" { - name = "${var.function_name}-sqs-policy" +resource "aws_iam_role_policy" "lambda_exec_required_perm" { + name = "${var.function_name}-required" role = aws_iam_role.lambda_execution.id policy = jsonencode({ Version = "2012-10-17" Statement = [ { + Sid = "Logging", + Effect = "Allow" + Action = [ + "logs:CreateLogStream", + "logs:PutLogEvents", + ] + Resource = "arn:aws:logs:*:*:log-group:/aws/lambda/${var.function_name}:log-stream:*" + }, + { + Sid = "SQS" Effect = "Allow" Action = [ "sqs:ReceiveMessage", diff --git a/infra/modules/handler/variables.tf b/infra/modules/handler/variables.tf index 4335c22..940ec37 100644 --- a/infra/modules/handler/variables.tf +++ b/infra/modules/handler/variables.tf @@ -54,7 +54,7 @@ variable "role_policies" { default = [] validation { - condition = length(var.role_policies) <= 8 - error_message = "role_policies must be less than 9 policies" + condition = length(var.role_policies) <= 10 + error_message = "role_policies must be less than 11 policies" } } diff --git a/infra/tests/01_unit.tftest.hcl b/infra/tests/01_unit.tftest.hcl index 16c2437..0982577 100644 --- a/infra/tests/01_unit.tftest.hcl +++ b/infra/tests/01_unit.tftest.hcl @@ -175,7 +175,7 @@ run "verify_module_handler_negative" { source_path = "../../apps/mux" sqs_queue_arn = "arn:aws:sqs:000000000000:us-east-1:${run.prepare.prefix}queue.fifo" sqs_batch_size = 10 - role_policies = [["1"], ["2"], ["3"], ["4"], ["5"], ["6"], ["7"], ["8"], ["9"]] + role_policies = [["1"], ["2"], ["3"], ["4"], ["5"], ["6"], ["7"], ["8"], ["9"], ["10"], ["11"]] } expect_failures = [var.role_policies] 
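Review bot: Folding the SQS grants into `lambda_exec_required_perm` is fine, but the `Logging` statement omits `logs:CreateLogGroup`, which the removed AWSLambdaBasicExecutionRole attachment provided; unless the handler module manages an `aws_cloudwatch_log_group` named `/aws/lambda/${var.function_name}` (not visible here), the runtime cannot create the group and logs are dropped without any invocation error. Grant it explicitly, `{ Sid = "LogGroup", Effect = "Allow", Action = ["logs:CreateLogGroup"], Resource = "arn:aws:logs:*:*:log-group:/aws/lambda/${var.function_name}" }`, or better, declare the group in Terraform with a retention period and reference its ARN with `:*` appended. Note also that `aws_iam_role_policy.sqs` is destroyed and `lambda_exec_required_perm` created as unrelated resources, so Terraform may run the destroy first and leave a short window during apply in which the function has no `sqs:ReceiveMessage` permission and the event source mapping can report AccessDenied; there is no cross-address ordering to fix that, so apply during a quiet period. The resource's `Statement` list continues outside the hunk.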
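Review bot: The handler negative case now passes 11 entries against a `<= 10` limit, but no run asserts that exactly 10 entries are accepted, so an accidental `< 10` in the module would go unnoticed; add a positive run with ten entries and no `expect_failures`. Deriving both fixtures from the limit, e.g. `role_policies = [for i in range(11) : [tostring(i)]]`, would also stop the hand-written list from drifting on the next bump, assuming the test runner accepts expressions here as the `run.prepare.prefix` interpolation suggests. The `sqs_queue_arn` context line has region and account in swapped positions (SQS ARNs are `arn:aws:sqs:REGION:ACCOUNT:NAME`); harmless in a negative test, but worth correcting if the value is reused by positive runs.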
@@ -205,7 +205,7 @@ run "verify_module_alerting_negative" { variables { name = "${run.prepare.prefix}alerting-negative" reserved_concurrent_executions = 1 - role_policies = [["1"], ["2"], ["3"], ["4"], ["5"], ["6"], ["7"], ["8"], ["9"]] + role_policies = [["1"], ["2"], ["3"], ["4"], ["5"], ["6"], ["7"], ["8"], ["9"], ["10"]] } expect_failures = [var.role_policies]
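Review bot: The alerting negative case checks only the over-limit side (10 entries against `<= 9`); a companion run with nine entries and no `expect_failures` is needed to pin the accepted boundary, otherwise an off-by-one in the module's condition passes this suite. Since the alerting and handler modules now have different ceilings, consider stating the limit once per test, e.g. `role_policies = [for i in range(10) : [tostring(i)]]` with a comment `# one more than the module's limit of 9`, so the intent survives the next adjustment.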