
Commit 1823b60

authored
fix(pulumi-aws): ddb to es log permissions (#4659)
1 parent beded62 commit 1823b60

2 files changed

+44
-18
lines changed


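--- a/packages/pulumi-aws/src/apps/core/CoreElasticSearch.ts
+++ b/packages/pulumi-aws/src/apps/core/CoreElasticSearch.ts
@@ -281,6 +281,8 @@ function getDynamoDbToElasticLambdaPolicy(
 app: PulumiApp,
 domain: pulumi.Output<aws.elasticsearch.Domain | aws.elasticsearch.GetDomainResult>
 ) {
+const logDynamoDbTable = app.getModule(LogDynamo);
+
 return app.addResource(aws.iam.Policy, {
 name: "DynamoDbToElasticLambdaPolicy-updated",
 config: {
@@ -296,19 +298,30 @@ function getDynamoDbToElasticLambdaPolicy(
 "es:ESHttpDelete",
 "es:ESHttpPatch",
 "es:ESHttpPost",
-"es:ESHttpPut",
-"dynamodb:BatchGetItem",
-"dynamodb:BatchWriteItem",
-"dynamodb:PutItem",
-"dynamodb:GetItem",
-"dynamodb:DeleteItem",
-"dynamodb:Query",
-"dynamodb:UpdateItem"
+"es:ESHttpPut"
 ],
 Resource: [
 pulumi.interpolate`${domain.arn}`,
 pulumi.interpolate`${domain.arn}/*`
 ]
+},
+{
+Sid: "PermissionForDynamoDbLog",
+Effect: "Allow",
+Action: [
+"dynamodb:GetItem",
+"dynamodb:PutItem",
+"dynamodb:UpdateItem",
+"dynamodb:DeleteItem",
+"dynamodb:BatchGetItem",
+"dynamodb:BatchWriteItem",
+"dynamodb:Scan",
+"dynamodb:Query"
+],
+Resource: [
+pulumi.interpolate`${logDynamoDbTable.output.arn}`,
+pulumi.interpolate`${logDynamoDbTable.output.arn}/*`
+]
 }
 ]
 }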
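Review bot: The new `PermissionForDynamoDbLog` statement grants `dynamodb:Scan`, which the old action list did not carry, so the commit widens the lambda's rights on the log table beyond re-scoping the existing DynamoDB actions to the correct resource. Unless the DynamoDB-to-Elasticsearch lambda really performs table scans on the log table, drop that line to keep the grant at least privilege; if it does scan, a comment such as `// Scan is required by the log-table flush; keep in sync with the lambda handler` on that action would tell the next reader why it is there. The old statement's DynamoDB actions were attached to the Elasticsearch domain ARN, so they presumably never matched a DynamoDB resource; the split is the right shape, but the `${arn}/*` pattern on the table also covers its indexes and streams, which is worth confirming is intended. The `LogDynamo` symbol used by `app.getModule(LogDynamo)` is not imported in any visible hunk, so its import presumably lives outside this view. The body of `getDynamoDbToElasticLambdaPolicy` continues past the end of the hunk.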

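--- a/packages/pulumi-aws/src/apps/core/CoreOpenSearch.ts
+++ b/packages/pulumi-aws/src/apps/core/CoreOpenSearch.ts
@@ -10,9 +10,9 @@ import * as random from "@pulumi/random";
 import {
 createAppModule,
 PulumiApp,
+PulumiAppRemoteResource,
 PulumiAppResource,
-PulumiAppResourceConstructor,
-PulumiAppRemoteResource
+PulumiAppResourceConstructor
 } from "@webiny/pulumi";
 
 import { getAwsAccountId } from "../awsUtils";
@@ -294,6 +294,8 @@ function getDynamoDbToElasticLambdaPolicy(
 app: PulumiApp,
 domain: pulumi.Output<aws.opensearch.Domain | aws.opensearch.GetDomainResult>
 ) {
+const logDynamoDbTable = app.getModule(LogDynamo);
+
 return app.addResource(aws.iam.Policy, {
 name: "DynamoDbToElasticLambdaPolicy-updated",
 config: {
@@ -309,19 +311,30 @@ function getDynamoDbToElasticLambdaPolicy(
 "es:ESHttpDelete",
 "es:ESHttpPatch",
 "es:ESHttpPost",
-"es:ESHttpPut",
-"dynamodb:BatchGetItem",
-"dynamodb:BatchWriteItem",
-"dynamodb:PutItem",
-"dynamodb:GetItem",
-"dynamodb:DeleteItem",
-"dynamodb:Query",
-"dynamodb:UpdateItem"
+"es:ESHttpPut"
 ],
 Resource: [
 pulumi.interpolate`${domain.arn}`,
 pulumi.interpolate`${domain.arn}/*`
 ]
+},
+{
+Sid: "PermissionForDynamoDbLog",
+Effect: "Allow",
+Action: [
+"dynamodb:GetItem",
+"dynamodb:PutItem",
+"dynamodb:UpdateItem",
+"dynamodb:DeleteItem",
+"dynamodb:BatchGetItem",
+"dynamodb:BatchWriteItem",
+"dynamodb:Scan",
+"dynamodb:Query"
+],
+Resource: [
+pulumi.interpolate`${logDynamoDbTable.output.arn}`,
+pulumi.interpolate`${logDynamoDbTable.output.arn}/*`
+]
 }
 ]
 }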
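Review bot: `dynamodb:Scan` in the added `PermissionForDynamoDbLog` statement is a new privilege rather than a re-scoping of the seven DynamoDB actions the old statement listed, and nothing in the hunk or the commit message says the lambda needs it; remove it unless a scan of the log table is part of the handler, and if it is, say so in a one-line comment next to the action. The policy body in this hunk is now byte-for-byte the same as the one in CoreElasticSearch.ts apart from the `domain` type, so a shared helper that builds the two statements from `domain.arn` and `logDynamoDbTable.output.arn` would stop the two grants from drifting apart the next time one of them is tightened. The import hunk at the top reorders `PulumiAppRemoteResource` but does not add `LogDynamo`, so the `app.getModule(LogDynamo)` call relies on an import outside the visible hunks. `getDynamoDbToElasticLambdaPolicy` closes beyond the last line of the hunk.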
