stacks/iams-developer-roles Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -88,6 +88,13 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
8888 " kms:DescribeKey"
8989 ]
9090 resources = [aws_kms_key . firehose_cmk . arn ]
91+ condition {
92+ test = " StringEquals"
93+ variable = " kms:EncryptionContext:aws:logs:arn"
94+ values = [
95+ " arn:aws:logs:${ var . region } :${ data . aws_caller_identity . current . account_id } :log-group:/aws/kinesisfirehose/${ var . project_name } -${ var . environment } -audit"
96+ ]
97+ }
9198 }
9299}
93100
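Review bot: `kms:DescribeKey`, listed just above the new `condition` block, is not one of the KMS operations that carries an encryption context, so a `StringEquals` on `kms:EncryptionContext:aws:logs:arn` is unlikely to match DescribeKey calls and this statement probably stops granting it; if the CloudWatch Logs principal still needs it, move `"kms:DescribeKey"` into a separate statement without the condition, or confirm the log-group key association still succeeds after apply. The condition itself correctly pins the key to the single audit log group rather than all log groups. The region here comes from `var.region` while the IAM policies in the other file of this commit use `var.default_aws_region`; if both belong to the same stack, using one variable avoids a key policy naming a different region than the log group it protects. The `firehose_kms_key_policy` data block starts before this hunk.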
Original file line number Diff line number Diff line change @@ -426,7 +426,8 @@ resource "aws_iam_policy" "cloudwatch_logging" {
426426 Effect = " Allow" ,
427427 Action = [
428428 " logs:ListTagsForResource" ,
429- " logs:DescribeLogGroups"
429+ " logs:DescribeLogGroups" ,
430+ " logs:PutRetentionPolicy"
430431 ],
431432 Resource = " arn:aws:logs:${ var . default_aws_region } :${ data . aws_caller_identity . current . account_id } :log-group:/aws/kinesisfirehose/*"
432433 }
@@ -447,14 +448,20 @@ resource "aws_iam_policy" "firehose_readonly" {
447448 {
448449 Effect = " Allow" ,
449450 Action = [
451+ " firehose:CreateDeliveryStream" ,
452+ " firehose:DeleteDeliveryStream" ,
450453 " firehose:DescribeDeliveryStream" ,
451- " firehose:ListTagsForDeliveryStream"
452- ],
454+ " firehose:UpdateDestination" ,
455+ " firehose:PutRecord" ,
456+ " firehose:PutRecordBatch" ,
457+ " firehose:TagDeliveryStream" ,
458+ " firehose:ListTagsForDeliveryStream" ,
459+ " firehose:UntagDeliveryStream"
460+ ]
453461 Resource = " arn:aws:firehose:${ var . default_aws_region } :${ data . aws_caller_identity . current . account_id } :deliverystream/eligibility-signposting-api*"
454462 }
455463 ]
456464 })
457-
458465 tags = merge (local. tags , { Name = " firehose-describe-access" })
459466}
460467
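Review bot: The `firehose_readonly` policy now grants `firehose:CreateDeliveryStream`, `firehose:DeleteDeliveryStream`, `firehose:UpdateDestination`, `firehose:PutRecord` and `firehose:PutRecordBatch`, so neither the resource name nor the `Name = "firehose-describe-access"` tag describes it any more; splitting the mutating actions into their own policy (e.g. `firehose_write`) keeps the read-only one attachable on its own and makes the escalation visible in the role attachments. PutRecord/PutRecordBatch and DeleteDeliveryStream on the `eligibility-signposting-api*` streams let the holder inject records into, or remove, the delivery streams, which deserves a comment next to the statement stating that this scope is intended for developer roles. The dropped trailing comma after the closing `]` is valid HCL but inconsistent with `Effect = "Allow",` a few lines above. The `logs:PutRetentionPolicy` added in the hunk above is the same kind of change, a mutating action on `/aws/kinesisfirehose/*` in a policy whose other actions only list and describe, so consider scoping it to the specific audit log group.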