
Commit 1cfa58c

Remove ec2:DescribeRegions permissions from lambda role (#20)
Remove the `ec2:DescribeRegions` permission from the lambda role. ESF releases >= 1.7.2 no longer list regions and so no longer need this permission. For more details, please see elastic/elastic-serverless-forwarder#811.
1 parent ec6ce2d commit 1cfa58c

2 files changed

Lines changed: 28 additions & 5 deletions


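--- a/esf.tf
+++ b/esf.tf
@@ -116,11 +116,30 @@ locals {
 s3-buckets-get_object = { effect = "Allow", actions = ["s3:GetObject"], resources = [for arn in var.s3-buckets : "${arn}/*"] }
 } : {})
 
-ec2 = (length(local.cloudwatch-logs-arns) > 0 ? {
-ec2 = { effect = "Allow", actions = ["ec2:DescribeRegions"], resources = ["*"] } } : {}
-)
+# Unpack release-version (e.g., `lambda-v1.20.0`) into major, minor, patch
+release-version-unpacked = split(".", replace(var.release-version, "lambda-v", ""))
+
+release-version-parts = {
+major = tonumber(local.release-version-unpacked[0])
+minor = tonumber(local.release-version-unpacked[1])
+patch = tonumber(local.release-version-unpacked[2])
+}
+}
+
+check "esf-release" {
+assert {
+condition = (
+(local.release-version-parts.major > 1) ||
+(local.release-version-parts.major == 1 && local.release-version-parts.minor > 7) ||
+(local.release-version-parts.major == 1 && local.release-version-parts.minor == 7 && local.release-version-parts.patch >= 2)
+)
+# Why version 1.7.2? Because before that version, ESF was listing the regions and required the `ec2:DescribeRegions` permission.
+# See https://github.com/elastic/elastic-serverless-forwarder/pull/811
+error_message = "Release version ${var.release-version} is not supported. Please use a version >= 1.7.2"
+}
 }
 
+
 resource "aws_s3_bucket" "esf-config-bucket" {
 count = var.config-file-bucket == "" ? 1 : 0
 
@@ -205,8 +224,7 @@ module "esf-lambda-function" {
 local.sqs,
 local.ssm-secrets,
 local.kms-keys,
-local.s3-buckets,
-local.ec2
+local.s3-buckets
 )
 
 use_existing_cloudwatch_log_group = false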
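Review bot: The `check "esf-release"` block added at new lines 129-139 only emits a warning when its assertion fails — Terraform `check` assertions do not stop plan or apply — so a release-version older than 1.7.2 still deploys, and with `ec2:DescribeRegions` now gone from the role such a lambda would presumably fail at runtime on the region listing rather than at plan time. If the intent is to refuse unsupported versions, enforce the floor in a `validation` block on `var.release-version` (or a `lifecycle { precondition }` on a resource) and keep the `check` only as a soft signal. The `tonumber(local.release-version-unpacked[2])` indexing at new lines 123-125 is only safe because variables.tf validates the `lambda-v<major>.<minor>.<patch>` shape; that coupling deserves a comment next to the split, e.g. `# indexing [0..2] is safe: var.release-version is validated against ^lambda-v\d+\.\d+\.\d+$`. The `locals` block these lines belong to starts before the hunk.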

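--- a/variables.tf
+++ b/variables.tf
@@ -13,6 +13,11 @@ variable "lambda-name" {
 variable "release-version" {
 description = "ESF release version. You can find the possible values in https://github.com/elastic/elastic-serverless-forwarder/tags."
 type = string
+
+validation {
+condition = can(regex("^lambda-v[0-9]+\\.[0-9]+\\.[0-9]+$", var.release-version))
+error_message = "The release-version must match the format lambda-v<major>.<minor>.<patch>. For example, lambda-v1.20.0."
+}
 }
 
 variable "aws_region" {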
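Review bot: The new `validation` at new lines 17-20 pins the tag shape but says nothing about the minimum release the rest of this module now depends on, and the unchanged `description` at line 14 still sends users to the full tag list, which includes releases older than lambda-v1.7.2 that no longer work once the role stops granting `ec2:DescribeRegions`. State the floor where the user reads it: `description = "ESF release version in the form lambda-v<major>.<minor>.<patch>; must be >= lambda-v1.7.2 because the lambda role no longer grants ec2:DescribeRegions. See https://github.com/elastic/elastic-serverless-forwarder/tags."`. If the floor is meant to be a hard stop rather than a warning, a second `validation` block on this variable that compares the split version parts is the one place that actually fails the plan.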
