

A (hopefully) minimal AWS IAM policy for the Serverless Framework (Terraform version)
# Note: these are placeholders you should replace
# MyAccountNumber is your AWS account number
# MyServiceName is the service name you are defining on serverless config
#
# Additional note regarding the region (us-west-2 below): change it to fit your situation
# Deployer policy for the Serverless Framework.
#
# Each statement is scoped, where the author found a way to do so, to the
# stack, bucket, role, log and function names that the framework derives
# from the service name (the "MyServiceName-*" patterns below).  Two
# statements (CloudformationRead, APIGatewayAccess) are still on "*"; they
# are annotated inline so the residual exposure is visible to whoever
# adopts this policy.
resource "aws_iam_policy" "serverless-deployer" {
  # TODO: Limit usage to within VPC instead of anywhere
  name        = "serverless-deployer"
  path        = "/"
  description = "Policy for serverless-deployer"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Read-only CloudFormation calls.  Resource is "*", so this reads
        # metadata (templates, parameters, outputs) of every stack in the
        # account, not only the service's own stacks.  Presumably left
        # unscoped because List*/Describe* are used before a stack ARN is
        # known — TODO confirm whether the stack ARN pattern from
        # CloudformationWrite would suffice here.
        Sid    = "CloudformationRead"
        Effect = "Allow"
        Action = [
          "cloudformation:BatchDescribeTypeConfigurations",
          "cloudformation:Describe*",
          "cloudformation:Detect*",
          "cloudformation:EstimateTemplateCost",
          "cloudformation:Get*",
          "cloudformation:List*",
          "cloudformation:ValidateTemplate",
        ]
        Resource = [
          "*"
        ]
      },
      {
        # Mutating CloudFormation calls, scoped to stacks whose name starts
        # with the service name.  "Set*" and "Update*" are prefix wildcards
        # and therefore also match any action AWS adds under those prefixes
        # later; enumerate them explicitly if that drift is a concern.
        Sid    = "CloudformationWrite"
        Effect = "Allow"
        Action = [
          "cloudformation:ActivateType",
          "cloudformation:CancelUpdateStack",
          "cloudformation:ContinueUpdateRollback",
          "cloudformation:CreateChangeSet",
          "cloudformation:CreateStack",
          "cloudformation:CreateStackInstances",
          "cloudformation:CreateStackSet",
          "cloudformation:DeactivateType",
          "cloudformation:DeleteChangeSet",
          "cloudformation:DeleteStack",
          "cloudformation:DeleteStackInstances",
          "cloudformation:DeleteStackSet",
          "cloudformation:DeregisterType",
          "cloudformation:ExecuteChangeSet",
          "cloudformation:ImportStacksToStackSet",
          "cloudformation:PublishType",
          "cloudformation:RecordHandlerProgress",
          "cloudformation:RegisterPublisher",
          "cloudformation:RegisterType",
          "cloudformation:Set*",
          "cloudformation:SignalResource",
          "cloudformation:StopStackSetOperation",
          "cloudformation:TagResource",
          "cloudformation:TestType",
          "cloudformation:UntagResource",
          "cloudformation:Update*",
        ]
        Resource = [
          # The resource format is arn:aws:cloudformation:<region>:<account>:stack/<service-name>-*/*
          "arn:aws:cloudformation:us-west-2:MyAccountNumber:stack/MyServiceName-*/*",
        ]
      },
      {
        # Full S3 rights on the framework's deployment bucket.  "s3:*"
        # covers bucket management (policy, ACL, deletion) as well as
        # object reads/writes.  NOTE(review): S3 bucket ARNs carry no
        # account id, so the name pattern alone is what ties this to the
        # service — verify no unrelated bucket in the account matches
        # "MyServiceName-*-serverlessdeploymentbucket-*".
        Sid    = "S3Access"
        Effect = "Allow"
        Action = [
          "s3:*",
        ]
        Resource = [
          # The bucket resource format is arn:aws:s3:::<service-name>-*-serverlessdeploymentbucket-*
          # The object resource format is arn:aws:s3:::<service-name>-*-serverlessdeploymentbucket-*/*
          "arn:aws:s3:::MyServiceName-*-serverlessdeploymentbucket-*",
          "arn:aws:s3:::MyServiceName-*-serverlessdeploymentbucket-*/*",
        ]
      },
      {
        # "iam:*" on the Lambda execution role.  Because this includes
        # attaching and putting policies on that role, the deployer decides
        # what the deployed function is allowed to do — in effect it can
        # grant the role more than the deployer itself holds.  If that is
        # not intended, pair this with a permissions boundary on the role
        # or enumerate the iam actions the framework actually needs.
        # NOTE(review): the role name embeds the region and a "-*-" stage
        # segment; presumably this is the framework's default role naming —
        # confirm against a deploy before relying on the pattern.
        Sid    = "IAMAccess"
        Effect = "Allow"
        Action = [
          "iam:*",
        ]
        Resource = [
          # The resource format is arn:aws:iam::<account>:role/<service-name>-*-<region>-lambdaRole
          "arn:aws:iam::MyAccountNumber:role/MyServiceName-*-us-west-2-lambdaRole",
        ]
      },
      {
        # Unscoped "apigateway:*": the deployer can read and modify every
        # API Gateway resource in the account.  As far as I recall, API
        # Gateway ARNs carry no account id and identify an API by an id
        # assigned at creation, which is presumably why the author could
        # not narrow this by resource — TODO confirm; at minimum consider a
        # region Condition so the grant does not span all regions.
        Sid    = "APIGatewayAccess"
        Effect = "Allow"
        Action = [
          "apigateway:*",
        ]
        Resource = [
          # TODO: I have not figured out how to further limit this
          "*",
        ]
      },
      {
        # Full CloudWatch Logs rights under the service's Lambda log groups.
        # NOTE(review): the ARN below names log streams; actions on the log
        # group itself (creating it, setting retention, deleting it) may
        # require the log-group ARN rather than a log-stream ARN — verify
        # on a fresh deploy that nothing is denied at group level.
        Sid    = "LogsAccess"
        Effect = "Allow"
        Action = [
          "logs:*",
        ]
        Resource = [
          # The resource format is arn:aws:logs:<region>:<account>:log-group:/aws/lambda/<service-name>-*-*:log-stream:*
          "arn:aws:logs:us-west-2:MyAccountNumber:log-group:/aws/lambda/MyServiceName-*-*:log-stream:*",
        ]
      },
      {
        # "lambda:*" on functions prefixed with the service name.  This
        # includes invoking the functions and replacing their code, not
        # only creating/updating configuration.
        Sid    = "LambdaAccess"
        Effect = "Allow"
        Action = [
          "lambda:*",
        ]
        Resource = [
          # The resource format is arn:aws:lambda:<region>:<account>:function:<service-name>-*-*
          "arn:aws:lambda:us-west-2:MyAccountNumber:function:MyServiceName-*-*",
        ]
      },
    ]
  })
}