|
# Execution role for the Step Functions state machine.
# Trust is defined in data.aws_iam_policy_document.sfn_assume; the
# permissions boundary from local.permission_boundary applies on top of
# whatever the attached policies grant.
resource "aws_iam_role" "sfn" {
  assume_role_policy   = data.aws_iam_policy_document.sfn_assume.json
  permissions_boundary = local.permission_boundary
  name                 = "${local.role_prefix}sfn"
  tags                 = var.tags
}
|
|
|
# Trust policy for aws_iam_role.sfn: only the Step Functions service
# principal may call sts:AssumeRole on it.
data "aws_iam_policy_document" "sfn_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["states.amazonaws.com"]
    }

    # NOTE(review): the trust is on the bare service principal with no
    # condition, so any state machine in any account that Step Functions
    # serves could in principle be pointed at this role (confused-deputy
    # pattern). Consider a StringEquals condition on aws:SourceAccount
    # and/or ArnLike on aws:SourceArn scoped to this account's state
    # machine(s) -- needs an account-id data source that is not visible
    # in this file; confirm module layout before adding.
  }
}
|
|
|
# Permissions granted to aws_iam_role.sfn (attached via aws_iam_policy.sfn).
data "aws_iam_policy_document" "sfn" {
  # Allow the state machine to publish events, scoped to the single
  # target event bus resolved by data.aws_cloudwatch_event_bus.target.
  statement {
    actions = [
      "events:PutEvents",
    ]

    resources = [
      data.aws_cloudwatch_event_bus.target.arn,
    ]
  }

  # CloudWatch Logs permissions used for state-machine execution logging.
  #
  # NOTE(review): this statement is account-wide. In particular
  # logs:PutResourcePolicy and logs:PutLogEvents on "*" let the role
  # rewrite any Logs resource policy and write to any log group in the
  # account, which is far wider than delivering this state machine's
  # logs. The *LogDelivery / DescribeResourcePolicies / DescribeLogGroups
  # actions appear to be the ones that cannot be scoped; presumably
  # logs:PutLogEvents (and possibly PutResourcePolicy) could be split
  # into a second statement restricted to the target log group ARN --
  # confirm against the log group defined for this state machine, which
  # is not visible here.
  statement {
    actions = [
      "logs:CreateLogDelivery",
      "logs:GetLogDelivery",
      "logs:UpdateLogDelivery",
      "logs:DeleteLogDelivery",
      "logs:ListLogDeliveries",
      "logs:PutLogEvents",
      "logs:PutResourcePolicy",
      "logs:DescribeResourcePolicies",
      "logs:DescribeLogGroups",
    ]

    #tfsec:ignore:aws-iam-no-policy-wildcards Wildcards are needed for these unscoped actions
    resources = ["*"]
  }
}
|
|
|
# Managed policy carrying data.aws_iam_policy_document.sfn; it reuses the
# role's name so the two are easy to correlate in the console.
# NOTE(review): the role is tagged with var.tags but this policy is not;
# consider `tags = var.tags` here if the pinned provider version supports
# it -- confirm.
resource "aws_iam_policy" "sfn" {
  policy = data.aws_iam_policy_document.sfn.json
  name   = aws_iam_role.sfn.name
}
|
|
|
# Binds aws_iam_policy.sfn to aws_iam_role.sfn.
resource "aws_iam_role_policy_attachment" "sfn" {
  policy_arn = aws_iam_policy.sfn.arn
  role       = aws_iam_role.sfn.name
}
|
|
|
# Role assumed by EventBridge to invoke the targets defined in this module.
# Trust is defined in data.aws_iam_policy_document.events_assume; the
# same permissions boundary as the Step Functions role is applied.
resource "aws_iam_role" "events" {
  assume_role_policy   = data.aws_iam_policy_document.events_assume.json
  permissions_boundary = local.permission_boundary
  name                 = "${local.role_prefix}events"
  tags                 = var.tags
}
|
|
|
# Trust policy for aws_iam_role.events: only the EventBridge service
# principal may call sts:AssumeRole on it.
data "aws_iam_policy_document" "events_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    # NOTE(review): without a condition, any EventBridge rule that can
    # name this role ARN can assume it, not only the rule(s) this module
    # creates (confused-deputy pattern). Consider a StringEquals condition
    # on aws:SourceAccount and/or ArnLike on aws:SourceArn matching the
    # rule ARN(s) -- the rule resource and an account-id data source are
    # not visible here; confirm before adding.
  }
}
|
# Permissions granted to aws_iam_role.events (attached via
# aws_iam_policy.events). Both statements are scoped to a single
# resource ARN rather than a wildcard.
data "aws_iam_policy_document" "events" {
  # Start the replay state machine, and nothing else.
  statement {
    effect    = "Allow"
    resources = [aws_sfn_state_machine.replay.arn]
    actions   = ["states:StartExecution"]
  }

  # Deliver failed invocations to the module's dead-letter queue.
  statement {
    effect    = "Allow"
    resources = [aws_sqs_queue.dlq.arn]
    actions   = ["sqs:SendMessage"]
  }
}
|
|
|
# Managed policy carrying data.aws_iam_policy_document.events, named
# after the role it is meant for.
# NOTE(review): the role is tagged with var.tags but this policy is not;
# consider `tags = var.tags` here if the pinned provider version supports
# it -- confirm.
resource "aws_iam_policy" "events" {
  policy = data.aws_iam_policy_document.events.json
  name   = aws_iam_role.events.name
}
|
|
|
# Binds aws_iam_policy.events to aws_iam_role.events.
resource "aws_iam_role_policy_attachment" "events" {
  policy_arn = aws_iam_policy.events.arn
  role       = aws_iam_role.events.name
}