
Commit 4a15775

committed
Update deployment chatbot iam policy
1 parent ae2f4bc commit 4a15775


1 file changed

+40
-28
lines changed

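--- a/apps/infrastructure/src/modules/chatbot/data.tf
+++ b/apps/infrastructure/src/modules/chatbot/data.tf
@@ -138,36 +138,48 @@ data "aws_iam_policy_document" "deploy_github" {
 resource "aws_iam_policy" "deploy_chatbot" {
 name = "DeployChatbot"
 description = "Policy to allow to deploy the chatbot"
+policy = data.aws_iam_policy_document.deploy_chatbot.json
+}
+
+data "aws_iam_policy_document" "deploy_chatbot" {
+# ECR GetAuthorizationToken is a global action and cannot be scoped
+statement {
+sid = "ECRGetAuthorizationToken"
+effect = "Allow"
+actions = ["ecr:GetAuthorizationToken"]
+resources = ["*"]
+}
+
+# ECR push permissions scoped to chatbot repositories
+statement {
+sid = "ECRPushImages"
+effect = "Allow"
+actions = [
+"ecr:BatchCheckLayerAvailability",
+"ecr:BatchGetImage",
+"ecr:CompleteLayerUpload",
+"ecr:InitiateLayerUpload",
+"ecr:PutImage",
+"ecr:UploadLayerPart",
+]
+resources = [for repo in local.ecr_repos : "arn:aws:ecr:${var.aws_region}:${data.aws_caller_identity.current.account_id}:repository/${repo.repository_name}"]
+}
 
-policy = jsonencode({
-Version = "2012-10-17"
-Statement = [
-{
-Action = [
-"lambda:*",
-"ecr:GetAuthorizationToken",
-"ecr:CompleteLayerUpload",
-"ecr:GetAuthorizationToken",
-"ecr:UploadLayerPart",
-"ecr:InitiateLayerUpload",
-"ecr:BatchCheckLayerAvailability",
-"ecr:PutImage",
-"ecr:BatchGetImage",
-"ecr:GetRepositoryPolicy",
-"ecr:SetRepositoryPolicy"
-]
-Effect = "Allow"
-Resource = "*"
-},
-{
-Action = [
-"iam:PassRole"
-]
-Effect = "Allow"
-Resource = "*"
-}
+# Lambda update permissions scoped to chatbot functions
+statement {
+sid = "LambdaUpdateFunctionCode"
+effect = "Allow"
+actions = [
+"lambda:GetFunction",
+"lambda:UpdateFunctionCode",
+]
+resources = [
+"arn:aws:lambda:${var.aws_region}:${data.aws_caller_identity.current.account_id}:function:${local.prefix}-api-lambda",
+"arn:aws:lambda:${var.aws_region}:${data.aws_caller_identity.current.account_id}:function:${local.prefix}-evaluate-lambda",
+"arn:aws:lambda:${var.aws_region}:${data.aws_caller_identity.current.account_id}:function:${local.prefix}-index-lambda",
+"arn:aws:lambda:${var.aws_region}:${data.aws_caller_identity.current.account_id}:function:${local.prefix}-monitor-lambda",
 ]
-})
+}
 }
 
 data "aws_iam_policy_document" "ecs_monitoring_ssm_policy" {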
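Review bot: The Lambda and ECR ARNs in the `LambdaUpdateFunctionCode` and `ECRPushImages` statements are hand-assembled from `var.aws_region`, the caller account id and a fixed `arn:aws` partition, so the grant silently drifts from the real resources if a function is renamed or a fifth lambda is added, and it breaks in non-commercial partitions. If the `aws_lambda_function` and `aws_ecr_repository` resources are declared in this module, referencing their `.arn` attributes (or at least substituting `data.aws_partition.current.partition` for the literal `aws`) keeps the least-privilege scope tied to the actual resources; otherwise a comment such as `# Function names must match the chatbot aws_lambda_function resources; update this list when adding a lambda` would make the coupling visible to the next maintainer. `local.ecr_repos` is defined outside the hunk, so whether each element exposes `repository_name` and whether the list can be empty (which would likely yield a statement without a usable `Resource`) cannot be confirmed from here.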
