Merge pull request #100 from hudl/SK24-CantDeleteRole

SK24 - Use separate install role

serverless-config.yml

@@ -1,4 +1,7 @@
 lambda:
+  install:
+    roleName: calendar2slack-prod-us-east-1-lambdaRole
+    policyName: calendar2slack-prod-us-east-1-lambdaRole-policy
   update:
     roleName: hudl-cal2slack-lambda-update
     policyName: hudl-cal2slack-lambda-update-policy

serverless.yml

@@ -30,7 +30,7 @@ functions:
       - http:
           path: 'slack/install'
           method: get
-    role: slackbotRole
+    role: slackInstallRole
   create-user:
     handler: src/index.createUser
     events:
@@ -201,6 +201,61 @@ resources:
                           - Ref: 'AWS::Region'
                           - Ref: 'AWS::AccountId'
                           - 'table/cal2slack-usersettings'
+    slackInstallRole:
+      Type: AWS::IAM::Role
+      Properties:
+        Path: /
+        RoleName: ${self:custom.lambda.install.roleName}
+        AssumeRolePolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+            - Effect: Allow
+              Principal:
+                Service:
+                  - lambda.amazonaws.com
+              Action: sts:AssumeRole
+        Policies:
+          - PolicyName: ${self:custom.lambda.install.policyName}
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - logs:CreateLogGroup
+                    - logs:CreateLogStream
+                    - logs:PutLogEvents
+                  Resource:
+                    - 'Fn::Join':
+                        - ':'
+                        - - 'arn:aws:logs'
+                          - Ref: 'AWS::Region'
+                          - Ref: 'AWS::AccountId'
+                          - 'log-group:/aws/lambda/*:*:*'
+                - Effect: Allow
+                  Action:
+                    - secretsmanager:GetSecretValue
+                  Resource:
+                    - 'Fn::Join':
+                        - ':'
+                        - - 'arn:aws:secretsmanager'
+                          - Ref: 'AWS::Region'
+                          - Ref: 'AWS::AccountId'
+                          - 'secret:${self:custom.lambda.slackbot.secretsPrefix}/*'
+                - Effect: Allow
+                  Action:
+                    - dynamodb:Scan
+                    - dynamodb:Query
+                    - dynamodb:GetItem
+                    - dynamodb:BatchGetItem
+                    - dynamodb:PutItem
+                    - dynamodb:UpdateItem
+                  Resource:
+                    - 'Fn::Join':
+                        - ':'
+                        - - 'arn:aws:dynamodb'
+                          - Ref: 'AWS::Region'
+                          - Ref: 'AWS::AccountId'
+                          - 'table/cal2slack-usersettings'
   Outputs:
     UserSettingsTableArn:
       Description: 'The ARN for the cal2slack-usersettings table'