fix(subscriber): use iam:PassRole for Lambda
We need to allow iam:PassRole for the subscription lambda for the case
where the destination is a Firehose Delivery Stream. We currently do not
adequately capture this functionality because we never test Firehose as
a destination. We'll have to fix that with further integration testing
in the collection stack.
jta committed Dec 12, 2023
1 parent 016257a commit 25a6c88
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion apps/subscriber/template.yaml
@@ -81,6 +81,10 @@ Conditions:
UseStackName: !Equals
- !Ref NameOverride
- ''
HasRoleArn: !Not
- !Equals
- !Ref RoleArn
- ''
HasDiscoveryRate: !Not
- !Equals
- !Ref DiscoveryRate
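Review bot: the new HasRoleArn condition compares RoleArn against the empty string, which only works if the RoleArn parameter is declared with `Default: ''` (the parameter declaration is outside this hunk); please confirm that default exists, otherwise stacks that omit RoleArn fail at creation rather than falling through to the no-role path. The shape matches the existing UseStackName and HasDiscoveryRate conditions, so no style concerns.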
@@ -158,6 +162,17 @@ Resources:
- logs:CreateLogStream
- logs:PutLogEvents
Resource: !GetAtt LogGroup.Arn
- !If
- HasRoleArn
- PolicyName: pass
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- iam:PassRole
Resource: !Ref RoleArn
- !Ref AWS::NoValue
- PolicyName: queue
PolicyDocument:
Version: 2012-10-17
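Review bot: the iam:PassRole grant is correctly scoped to the single `!Ref RoleArn` rather than `*`, but since the commit message says the role is only ever handed to CloudWatch Logs for a Firehose subscription filter, consider adding a `Condition` with `iam:PassedToService` restricted to the Logs service so the function cannot pass this role to any other service principal. Minor: `PolicyName: pass` is terse next to `queue`; a name such as `passrole` would make the inline policy easier to find in the console.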
@@ -230,7 +245,10 @@ Resources:
LOG_GROUP_NAME_PATTERNS: !Join
- ','
- !Ref LogGroupNamePatterns
ROLE_ARN: !Ref RoleArn
ROLE_ARN: !If
- HasRoleArn
- !Ref RoleArn
- !Ref AWS::NoValue
QUEUE_URL: !Ref Queue
VERBOSITY: 9
NUM_WORKERS: !Ref NumWorkers
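Review bot: switching `ROLE_ARN` from an unconditional `!Ref RoleArn` to `!If [HasRoleArn, !Ref RoleArn, !Ref AWS::NoValue]` changes the runtime contract: the variable is now absent from the environment instead of set to an empty string when no role is supplied. Please confirm the subscriber code treats an unset ROLE_ARN the same as an empty one, or the Firehose-less path that previously worked could now fail on a missing variable; as the commit message notes, this path has no integration coverage yet.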