fix: adjust iam

Author: koneru9999

src/components/AsyncTextExtract.ts

@@ -62,28 +62,29 @@ export class AsyncTextExtract extends pulumi.ComponentResource {
 
     this.bucket = bucket
 
+    const topicName = `${name}-sns-topic`
+    this.snsTopic = new aws.sns.Topic(
+      topicName,
+      {
+        name: topicName
+      },
+      defaultResourceOptions
+    )
+
     // 'AmazonTextract' will be used to create inline policy for iam:PassRole.
     // refer to https://docs.aws.amazon.com/textract/latest/dg/api-async-roles.html#api-async-roles-all-topics (step 8)
-    const roleName = `AmazonTextract${name}-role`
+    const roleName = `${name}-textract-service-role`
     this.role = new aws.iam.Role(
       roleName,
       {
         name: roleName,
         assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
-          Service: ['ec2.amazonaws.com', 'textract.amazonaws.com', 'lambda.amazonaws.com']
+          Service: ['textract.amazonaws.com', 'lambda.amazonaws.com']
         })
       },
       defaultResourceOptions
     )
 
-    const topicName = `${name}-sns-topic`
-    this.snsTopic = new aws.sns.Topic(
-      topicName,
-      {
-        name: topicName
-      },
-      defaultResourceOptions
-    )
     this.snsPolicy = new SNSPublishPolicy(`${topicName}-policy`, { topicArn: this.snsTopic.arn })
     new aws.iam.RolePolicyAttachment(
       `${topicName}-policy-attachment`,
@@ -101,30 +102,31 @@ export class AsyncTextExtract extends pulumi.ComponentResource {
       if (!RoleArn || !SNSTopicArn) {
         throw new Error('Required ENV are not present')
       }
-      const extract = new AWS.Textract({})
-      try {
-        for (const record of records) {
-          extract
-            .startDocumentTextDetection({
-              JobTag: record.s3.object.key,
-              DocumentLocation: {
-                S3Object: {
-                  Bucket: record.s3.bucket.name,
-                  Name: record.s3.object.key
-                }
-              },
-              NotificationChannel: {
-                RoleArn,
-                SNSTopicArn
-              }
-            })
-            .send()
-        }
-
-        callback(undefined, undefined)
-      } catch (error) {
-        callback(error, undefined)
-      }
+      const extract = new AWS.Textract({ logger: console, region: aws.config.region })
+      const [record] = records
+      const Bucket = record.s3.bucket.name
+      const key = record.s3.object.key
+
+      return extract
+        .startDocumentTextDetection({
+          JobTag: record.s3.object.key,
+          DocumentLocation: {
+            S3Object: {
+              Bucket,
+              Name: key
+            }
+          },
+          NotificationChannel: {
+            RoleArn,
+            SNSTopicArn
+          }
+        })
+        .promise()
+        .then(data => {
+          console.log(data)
+          callback(undefined, undefined)
+        })
+        .catch(err => callback(err, undefined))
     }
 
     const lambdaName = `${name}-lambda-callback`
@@ -145,7 +147,37 @@ export class AsyncTextExtract extends pulumi.ComponentResource {
       defaultResourceOptions
     )
 
-    new LambdaCloudWatchPolicy(`${name}-policy`, { lambdaName }, defaultResourceOptions)
+    const cloudwatchPolicy = new LambdaCloudWatchPolicy(
+      `${name}-cloudwatch-policy`,
+      { lambdaName },
+      defaultResourceOptions
+    )
+    new aws.iam.RolePolicyAttachment(
+      `${name}-cloudwatch-policy-attachment`,
+      {
+        policyArn: cloudwatchPolicy.policy.arn,
+        role: roleName
+      },
+      defaultResourceOptions
+    )
+
+    new aws.iam.RolePolicy(
+      name,
+      {
+        role: this.role,
+        policy: {
+          Version: '2012-10-17',
+          Statement: [
+            {
+              Effect: 'Allow',
+              Action: ['textract:*'],
+              Resource: this.callbackFunction.arn
+            }
+          ]
+        }
+      },
+      defaultResourceOptions
+    )
 
     this.bucketEventSubscription = bucket.onObjectCreated(
       `${name}-AsyncTextExtractor-onUpload`,

src/components/policies/s3.ts

@@ -0,0 +1,35 @@
+import * as aws from '@pulumi/aws'
+import * as pulumi from '@pulumi/pulumi'
+
+interface S3ReadPolicyArgs {
+  name: string
+  bucketArn: pulumi.Output<aws.ARN>
+}
+
+export class S3ReadPolicy extends pulumi.ComponentResource {
+  readonly policy: aws.iam.Policy
+
+  constructor(args: S3ReadPolicyArgs, opts?: pulumi.ComponentResourceOptions) {
+    super('aws:components:S3ReadPolicy', args.name, args, opts)
+    const { name, bucketArn } = args
+    const defaultParentOptions: pulumi.ResourceOptions = { parent: this }
+    const policy = new aws.iam.Policy(
+      name,
+      {
+        name,
+        policy: {
+          Version: '2012-10-17',
+          Statement: [
+            {
+              Action: ['s3:GetObject'],
+              Effect: 'Allow',
+              Resource: pulumi.interpolate`${bucketArn}/*`
+            }
+          ]
+        }
+      },
+      defaultParentOptions
+    )
+    this.policy = policy
+  }
+}