FIX lambda permissions v3

ONLYOFFICE · Nov 28, 2023 · e6a6686 · e6a6686
1 parent ea39acc
commit e6a6686
Showing 1 changed file with 126 additions and 93 deletions.
diff --git a/develop-template.yaml b/develop-template.yaml
@@ -29,84 +29,10 @@ Resources:
       SnapStart:
         ApplyOn: None
       PackageType: Zip
+      Role: !GetAtt WebEdgeLambdaRole.Arn
+
       Policies:
         - Statement:
-            - Action:
-                - dynamodb:*
-                - dax:*
-                - lambda:*
-                - application-autoscaling:DeleteScalingPolicy
-                - application-autoscaling:DeregisterScalableTarget
-                - application-autoscaling:DescribeScalableTargets
-                - application-autoscaling:DescribeScalingActivities
-                - application-autoscaling:DescribeScalingPolicies
-                - application-autoscaling:PutScalingPolicy
-                - application-autoscaling:RegisterScalableTarget
-                - cloudwatch:DeleteAlarms
-                - cloudwatch:DescribeAlarmHistory
-                - cloudwatch:DescribeAlarms
-                - cloudwatch:DescribeAlarmsForMetric
-                - cloudwatch:GetMetricStatistics
-                - cloudwatch:ListMetrics
-                - cloudwatch:PutMetricAlarm
-                - cloudwatch:GetMetricData
-                - datapipeline:ActivatePipeline
-                - datapipeline:CreatePipeline
-                - datapipeline:DeletePipeline
-                - datapipeline:DescribeObjects
-                - datapipeline:DescribePipelines
-                - datapipeline:GetPipelineDefinition
-                - datapipeline:ListPipelines
-                - datapipeline:PutPipelineDefinition
-                - datapipeline:QueryObjects
-                - ec2:DescribeVpcs
-                - ec2:DescribeSubnets
-                - ec2:DescribeSecurityGroups
-                - iam:GetRole
-                - iam:ListRoles
-                - kms:DescribeKey
-                - kms:ListAliases
-                - sns:CreateTopic
-                - sns:DeleteTopic
-                - sns:ListSubscriptions
-                - sns:ListSubscriptionsByTopic
-                - sns:ListTopics
-                - sns:Subscribe
-                - sns:Unsubscribe
-                - sns:SetTopicAttributes
-                - lambda:CreateFunction
-                - lambda:ListFunctions
-                - lambda:ListEventSourceMappings
-                - lambda:CreateEventSourceMapping
-                - lambda:DeleteEventSourceMapping
-                - lambda:GetFunctionConfiguration
-                - lambda:DeleteFunction
-                - resource-groups:ListGroups
-                - resource-groups:ListGroupResources
-                - resource-groups:GetGroup
-                - resource-groups:GetGroupQuery
-                - resource-groups:DeleteGroup
-                - resource-groups:CreateGroup
-                - tag:GetResources
-                - kinesis:ListStreams
-                - kinesis:DescribeStream
-                - kinesis:DescribeStreamSummary
-              Effect: Allow
-              Resource: "*"
-            - Action:
-                - cloudwatch:GetInsightRuleReport
-              Effect: Allow
-              Resource: arn:aws:cloudwatch:*:*:insight-rule/DynamoDBContributorInsights*
-            - Action:
-                - iam:PassRole
-              Effect: Allow
-              Resource: "*"
-              Condition:
-                StringLike:
-                  iam:PassedToService:
-                    - application-autoscaling.amazonaws.com
-                    - application-autoscaling.amazonaws.com.cn
-                    - dax.amazonaws.com
             - Effect: Allow
               Action:
                 - iam:CreateServiceLinkedRole
@@ -119,23 +45,7 @@ Resources:
                     - dynamodb.application-autoscaling.amazonaws.com
                     - contributorinsights.dynamodb.amazonaws.com
                     - kinesisreplication.dynamodb.amazonaws.com
-            - Effect: Allow
-              Action:
-                - logs:CreateLogGroup
-              Resource: arn:aws:logs:*:*:*
-            - Effect: Allow
-              Action:
-                - logs:CreateLogStream
-                - logs:PutLogEvents
-              Resource:
-                - arn:aws:logs:*:*:log-group:*:*
-            - Effect: Allow
-              Action:
-                - sts:AssumeRole
-              Principal:
-                Service:
-                  - lambda.amazonaws.com
-                  - edgelambda.amazonaws.com
+
   GlobalDynamoDBTable:
     Type: AWS::DynamoDB::GlobalTable
     Properties:
@@ -176,3 +86,126 @@ Resources:
             TargetValue: 70
       StreamSpecification:
         StreamViewType: NEW_AND_OLD_IMAGES
+
+  # ==== ROLES ==== #
+  WebEdgeLambdaRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRole
+            Principal:
+              Service:
+                - "lambda.amazonaws.com"
+                - "edgelambda.amazonaws.com"
+  # ==== POLICIES ==== #
+  PublishLogsPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Allows functions to write logs
+      Roles:
+        - !Ref WebEdgeLambdaRole
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Resource: "*"
+
+  DyanmoDBFullAccessPolicy:
+  Type: AWS::IAM::ManagedPolicy
+  Properties:
+    Description: Allows functions to write logs
+    Roles:
+      - !Ref WebEdgeLambdaRole
+    PolicyDocument:
+      Version: 2012-10-17
+      Statement:
+        - Effect: Allow
+          Action:
+            - dynamodb:*
+            - dax:*
+            - application-autoscaling:DeleteScalingPolicy
+            - application-autoscaling:DeregisterScalableTarget
+            - application-autoscaling:DescribeScalableTargets
+            - application-autoscaling:DescribeScalingActivities
+            - application-autoscaling:DescribeScalingPolicies
+            - application-autoscaling:PutScalingPolicy
+            - application-autoscaling:RegisterScalableTarget
+            - cloudwatch:DeleteAlarms
+            - cloudwatch:DescribeAlarmHistory
+            - cloudwatch:DescribeAlarms
+            - cloudwatch:DescribeAlarmsForMetric
+            - cloudwatch:GetMetricStatistics
+            - cloudwatch:ListMetrics
+            - cloudwatch:PutMetricAlarm
+            - cloudwatch:GetMetricData
+            - datapipeline:ActivatePipeline
+            - datapipeline:CreatePipeline
+            - datapipeline:DeletePipeline
+            - datapipeline:DescribeObjects
+            - datapipeline:DescribePipelines
+            - datapipeline:GetPipelineDefinition
+            - datapipeline:ListPipelines
+            - datapipeline:PutPipelineDefinition
+            - datapipeline:QueryObjects
+            - ec2:DescribeVpcs
+            - ec2:DescribeSubnets
+            - ec2:DescribeSecurityGroups
+            - iam:GetRole
+            - iam:ListRoles
+            - kms:DescribeKey
+            - kms:ListAliases
+            - sns:CreateTopic
+            - sns:DeleteTopic
+            - sns:ListSubscriptions
+            - sns:ListSubscriptionsByTopic
+            - sns:ListTopics
+            - sns:Subscribe
+            - sns:Unsubscribe
+            - sns:SetTopicAttributes
+            - lambda:CreateFunction
+            - lambda:ListFunctions
+            - lambda:ListEventSourceMappings
+            - lambda:CreateEventSourceMapping
+            - lambda:DeleteEventSourceMapping
+            - lambda:GetFunctionConfiguration
+            - lambda:DeleteFunction
+            - resource-groups:ListGroups
+            - resource-groups:ListGroupResources
+            - resource-groups:GetGroup
+            - resource-groups:GetGroupQuery
+            - resource-groups:DeleteGroup
+            - resource-groups:CreateGroup
+            - tag:GetResources
+            - kinesis:ListStreams
+            - kinesis:DescribeStream
+            - kinesis:DescribeStreamSummary
+          Resource: "*"
+        - Effect: Allow
+          Action:
+            - iam:PassRole
+          Condition:
+            StringLike:
+              iam:PassedToService:
+                - application-autoscaling.amazonaws.com
+                - application-autoscaling.amazonaws.com.cn
+                - dax.amazonaws.com
+          Resource: "*"
+        - Effect: Allow
+          Action:
+            - iam:CreateServiceLinkedRole
+          Condition:
+            StringEquals:
+              iam:AWSServiceName:
+                - replication.dynamodb.amazonaws.com
+                - dax.amazonaws.com
+                - dynamodb.application-autoscaling.amazonaws.com
+                - contributorinsights.dynamodb.amazonaws.com
+                - kinesisreplication.dynamodb.amazonaws.com
+          Resource: "*"