Attach role policy

Jeff Fairchild · Jeff Fairchild · commit 5f9e4174c78e · 2020-01-28T11:15:10.000-05:00
diff --git a/lambda-healthcheck.tf b/lambda-healthcheck.tf
@@ -11,6 +11,14 @@ provider "aws" {
   version = "~> 2.46"
 }
 
+data "aws_iam_policy" "lambda" {
+  arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+data "aws_iam_policy" "cloudwatch_put_metric" {
+  arn = "arn:aws:iam::092841053073:policy/cloudwatch-put-metric"
+}
+
 resource "aws_iam_role" "lambda_healthcheck" {
   name = "lambda-healthcheck"
   path = "/service-role/"
@@ -34,6 +42,16 @@ resource "aws_iam_role" "lambda_healthcheck" {
 EOF
 }
 
+resource "aws_iam_role_policy_attachment" "metrics_role" {
+  role       = aws_iam_role.lambda_healthcheck.name
+  policy_arn = data.aws_iam_policy.lambda.arn
+}
+
+resource "aws_iam_role_policy_attachment" "put_metrics_role" {
+  role       = aws_iam_role.lambda_healthcheck.name
+  policy_arn = data.aws_iam_policy.cloudwatch_put_metric.arn
+}
+
 resource "aws_lambda_function" "healthcheck" {
   runtime       = "python3.8"
   handler       = "part_1"
diff --git a/terraform.tfstate b/terraform.tfstate
@@ -1,10 +1,48 @@
 {
   "version": 4,
   "terraform_version": "0.12.17",
-  "serial": 21,
+  "serial": 29,
   "lineage": "4e2a7732-9bb1-f787-fa33-cdca7563c7a4",
   "outputs": {},
   "resources": [
+    {
+      "mode": "data",
+      "type": "aws_iam_policy",
+      "name": "cloudwatch_put_metric",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::092841053073:policy/cloudwatch-put-metric",
+            "description": "cloudwatch readonly except put metric",
+            "id": "arn:aws:iam::092841053073:policy/cloudwatch-put-metric",
+            "name": "cloudwatch-put-metric",
+            "path": "/",
+            "policy": "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Action\": [\n                \"cloudwatch:Describe*\",\n                \"cloudwatch:Get*\",\n                \"cloudwatch:List*\",\n                \"cloudwatch:PutMetricData\"\n            ],\n            \"Effect\": \"Allow\",\n            \"Resource\": \"*\"\n        }\n    ]\n}"
+          }
+        }
+      ]
+    },
+    {
+      "mode": "data",
+      "type": "aws_iam_policy",
+      "name": "lambda",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+            "description": "Provides write permissions to CloudWatch Logs.",
+            "id": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+            "name": "AWSLambdaBasicExecutionRole",
+            "path": "/service-role/",
+            "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"logs:CreateLogGroup\",\n        \"logs:CreateLogStream\",\n        \"logs:PutLogEvents\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}"
+          }
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_cloudwatch_event_rule",
@@ -63,6 +101,46 @@
         }
       ]
     },
+    {
+      "mode": "managed",
+      "type": "aws_iam_role_policy_attachment",
+      "name": "metrics_role",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "lambda-healthcheck-20200128161443520000000002",
+            "policy_arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+            "role": "lambda-healthcheck"
+          },
+          "private": "bnVsbA==",
+          "dependencies": [
+            "aws_iam_role.lambda_healthcheck"
+          ]
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_iam_role_policy_attachment",
+      "name": "put_metrics_role",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "lambda-healthcheck-20200128161443500200000001",
+            "policy_arn": "arn:aws:iam::092841053073:policy/cloudwatch-put-metric",
+            "role": "lambda-healthcheck"
+          },
+          "private": "bnVsbA==",
+          "dependencies": [
+            "aws_iam_role.lambda_healthcheck"
+          ]
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_lambda_function",
diff --git a/terraform.tfstate.backup b/terraform.tfstate.backup
@@ -1,10 +1,48 @@
 {
   "version": 4,
   "terraform_version": "0.12.17",
-  "serial": 20,
+  "serial": 24,
   "lineage": "4e2a7732-9bb1-f787-fa33-cdca7563c7a4",
   "outputs": {},
   "resources": [
+    {
+      "mode": "data",
+      "type": "aws_iam_policy",
+      "name": "cloudwatch_put_metric",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::092841053073:policy/cloudwatch-put-metric",
+            "description": "cloudwatch readonly except put metric",
+            "id": "arn:aws:iam::092841053073:policy/cloudwatch-put-metric",
+            "name": "cloudwatch-put-metric",
+            "path": "/",
+            "policy": "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Action\": [\n                \"cloudwatch:Describe*\",\n                \"cloudwatch:Get*\",\n                \"cloudwatch:List*\",\n                \"cloudwatch:PutMetricData\"\n            ],\n            \"Effect\": \"Allow\",\n            \"Resource\": \"*\"\n        }\n    ]\n}"
+          }
+        }
+      ]
+    },
+    {
+      "mode": "data",
+      "type": "aws_iam_policy",
+      "name": "lambda",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+            "description": "Provides write permissions to CloudWatch Logs.",
+            "id": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+            "name": "AWSLambdaBasicExecutionRole",
+            "path": "/service-role/",
+            "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"logs:CreateLogGroup\",\n        \"logs:CreateLogStream\",\n        \"logs:PutLogEvents\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}"
+          }
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_cloudwatch_event_rule",
@@ -63,6 +101,40 @@
         }
       ]
     },
+    {
+      "mode": "managed",
+      "type": "aws_iam_role_policy_attachment",
+      "name": "metrics_role",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "status": "tainted",
+          "schema_version": 0,
+          "attributes": {
+            "id": "lambda-healthcheck-20200128161157130200000002",
+            "policy_arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+            "role": "lambda-healthcheck"
+          }
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_iam_role_policy_attachment",
+      "name": "put_metrics_role",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "status": "tainted",
+          "schema_version": 0,
+          "attributes": {
+            "id": "lambda-healthcheck-20200128161157116000000001",
+            "policy_arn": "arn:aws:iam::092841053073:policy/cloudwatch-put-metric",
+            "role": "lambda-healthcheck"
+          }
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_lambda_function",
@@ -82,7 +154,7 @@
             "id": "healthcheck",
             "invoke_arn": "arn:aws:apigateway:us-east-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-2:092841053073:function:healthcheck/invocations",
             "kms_key_arn": "",
-            "last_modified": "2020-01-28T15:29:19.024+0000",
+            "last_modified": "2020-01-28T15:33:11.304+0000",
             "layers": [],
             "memory_size": 128,
             "publish": true,
