From 25a6c8812fe2f35587722515b3f86363ee086788 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Taveira=20Ara=C3=BAjo?=
Date: Tue, 12 Dec 2023 13:36:24 -0800
Subject: [PATCH] fix(subscriber): use iam:PassRole for Lambda

We need to allow iam:PassRole for the subscription lambda for the case where the destination is a Firehose Delivery Stream. We currently do not adequately capture this functionality because we never test Firehose as a destination. We'll have to fix that with further integration testing in the collection stack.
---
 apps/subscriber/template.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/apps/subscriber/template.yaml b/apps/subscriber/template.yaml
index f28b1184..7cecf429 100644
--- a/apps/subscriber/template.yaml
+++ b/apps/subscriber/template.yaml
@@ -81,6 +81,10 @@ Conditions:
   UseStackName: !Equals
     - !Ref NameOverride
     - ''
+  HasRoleArn: !Not
+    - !Equals
+      - !Ref RoleArn
+      - ''
   HasDiscoveryRate: !Not
     - !Equals
       - !Ref DiscoveryRate
@@ -158,6 +162,17 @@ Resources:
                 - logs:CreateLogStream
                 - logs:PutLogEvents
               Resource: !GetAtt LogGroup.Arn
+        - !If
+          - HasRoleArn
+          - PolicyName: pass
+            PolicyDocument:
+              Version: 2012-10-17
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - iam:PassRole
+                  Resource: !Ref RoleArn
+          - !Ref AWS::NoValue
         - PolicyName: queue
           PolicyDocument:
             Version: 2012-10-17
@@ -230,7 +245,10 @@ Resources:
           LOG_GROUP_NAME_PATTERNS: !Join
             - ','
             - !Ref LogGroupNamePatterns
-          ROLE_ARN: !Ref RoleArn
+          ROLE_ARN: !If
+            - HasRoleArn
+            - !Ref RoleArn
+            - !Ref AWS::NoValue
           QUEUE_URL: !Ref Queue
           VERBOSITY: 9
           NUM_WORKERS: !Ref NumWorkers
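Review bot: The `pass` policy added in the second hunk (`@@ -158,6 +162,17 @@`) grants `iam:PassRole` on `RoleArn` with no condition on which service the role may be passed to, so the function may hand that role to any AWS service that accepts it rather than only the subscription destination the commit message describes. Adding a condition to the statement, `Condition: { StringEquals: { iam:PassedToService: <service-principal-that-assumes-RoleArn> } }` (presumably `logs.amazonaws.com` if the role is supplied to the subscription-filter API — confirm against the function code, which is outside this diff), keeps the grant at least privilege. The `HasRoleArn` condition in the first hunk only tests for an empty string; the `RoleArn` parameter declaration is not visible here, so it is worth confirming it carries an ARN `AllowedPattern` so the `Resource` of this statement cannot become a wildcard. The `!If` on `ROLE_ARN` in the third hunk is consistent with the new condition and needs no change.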