11# Read-only policy for DynamoDB
22data "aws_iam_policy_document" "dynamodb_read_policy_doc" {
33 statement {
4- actions = [" dynamodb:GetItem" , " dynamodb:Query" , " dynamodb:Scan" ]
4+ actions = [" dynamodb:GetItem" , " dynamodb:Query" , " dynamodb:Scan" ]
55 resources = [module . eligibility_status_table . arn ]
66 }
77}
@@ -16,7 +16,7 @@ resource "aws_iam_role_policy" "lambda_dynamodb_read_policy" {
1616# Write-only policy for DynamoDB
1717data "aws_iam_policy_document" "dynamodb_write_policy_doc" {
1818 statement {
19- actions = [" dynamodb:PutItem" , " dynamodb:UpdateItem" , " dynamodb:DeleteItem" , " dynamodb:BatchWriteItem" ]
19+ actions = [" dynamodb:PutItem" , " dynamodb:UpdateItem" , " dynamodb:DeleteItem" , " dynamodb:BatchWriteItem" ]
2020 resources = [module . eligibility_status_table . arn ]
2121 }
2222}
@@ -37,15 +37,15 @@ data "aws_iam_policy_document" "dynamo_kms_access_policy_doc" {
3737
3838# Attach dynamoDB write policy to external write role
3939resource "aws_iam_role_policy" "external_dynamodb_write_policy" {
40- count = length (aws_iam_role. write_access_role )
40+ count = length (aws_iam_role. write_access_role )
4141 name = " DynamoDBWriteAccess"
4242 role = aws_iam_role. write_access_role [count . index ]. id
4343 policy = data. aws_iam_policy_document . dynamodb_write_policy_doc . json
4444}
4545
4646# Attach dynamo KMS policy to external write role
4747resource "aws_iam_role_policy" "external_kms_access_policy" {
48- count = length (aws_iam_role. write_access_role )
48+ count = length (aws_iam_role. write_access_role )
4949 name = " KMSAccessForDynamoDB"
5050 role = aws_iam_role. write_access_role [count . index ]. id
5151 policy = data. aws_iam_policy_document . dynamo_kms_access_policy_doc . json
@@ -65,7 +65,7 @@ data "aws_iam_policy_document" "s3_rules_bucket_policy" {
6565 ]
6666 condition {
6767 test = " Bool"
68- values = [" true" ]
68+ values = [" true" ]
6969 variable = " aws:SecureTransport"
7070 }
7171 }
@@ -90,7 +90,7 @@ data "aws_iam_policy_document" "rules_s3_bucket_policy" {
9090 " ${ module . s3_rules_bucket . storage_bucket_arn } /*" ,
9191 ]
9292 principals {
93- type = " *"
93+ type = " *"
9494 identifiers = [" *" ]
9595 }
9696 condition {
@@ -121,7 +121,7 @@ data "aws_iam_policy_document" "audit_s3_bucket_policy" {
121121 " ${ module . s3_audit_bucket . storage_bucket_arn } /*" ,
122122 ]
123123 principals {
124- type = " *"
124+ type = " *"
125125 identifiers = [" *" ]
126126 }
127127 condition {
@@ -192,15 +192,15 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" {
192192# Policy doc for S3 Audit bucket
193193data "aws_iam_policy_document" "s3_audit_bucket_policy" {
194194 statement {
195- sid = " AllowSSLRequestsOnly"
195+ sid = " AllowSSLRequestsOnly"
196196 actions = [" s3:*" ]
197197 resources = [
198198 module . s3_audit_bucket . storage_bucket_arn ,
199199 " ${ module . s3_audit_bucket . storage_bucket_arn } /*" ,
200200 ]
201201 condition {
202202 test = " Bool"
203- values = [" true" ]
203+ values = [" true" ]
204204 variable = " aws:SecureTransport"
205205 }
206206 }
@@ -222,18 +222,18 @@ data "aws_iam_policy_document" "dynamodb_kms_key_policy" {
222222 sid = " EnableIamUserPermissions"
223223 effect = " Allow"
224224 principals {
225- type = " AWS"
225+ type = " AWS"
226226 identifiers = [" arn:aws:iam::${ data . aws_caller_identity . current . account_id } :root" ]
227227 }
228- actions = [" kms:*" ]
228+ actions = [" kms:*" ]
229229 resources = [" *" ]
230230 }
231231
232232 statement {
233233 sid = " AllowLambdaDecrypt"
234234 effect = " Allow"
235235 principals {
236- type = " AWS"
236+ type = " AWS"
237237 identifiers = [aws_iam_role . eligibility_lambda_role . arn ]
238238 }
239239 actions = [
@@ -260,21 +260,21 @@ data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
260260 sid = " EnableIamUserPermissions"
261261 effect = " Allow"
262262 principals {
263- type = " AWS"
263+ type = " AWS"
264264 identifiers = [" arn:aws:iam::${ data . aws_caller_identity . current . account_id } :root" ]
265265 }
266- actions = [" kms:*" ]
266+ actions = [" kms:*" ]
267267 resources = [" *" ]
268268 }
269269
270270 statement {
271271 sid = " AllowLambdaDecrypt"
272272 effect = " Allow"
273273 principals {
274- type = " AWS"
274+ type = " AWS"
275275 identifiers = [aws_iam_role . eligibility_lambda_role . arn ]
276276 }
277- actions = [" kms:Decrypt" ]
277+ actions = [" kms:Decrypt" ]
278278 resources = [" *" ]
279279 }
280280}
@@ -293,17 +293,17 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
293293 sid = " EnableIamUserPermissions"
294294 effect = " Allow"
295295 principals {
296- type = " AWS"
296+ type = " AWS"
297297 identifiers = [" arn:aws:iam::${ data . aws_caller_identity . current . account_id } :root" ]
298298 }
299- actions = [" kms:*" ]
299+ actions = [" kms:*" ]
300300 resources = [" *" ]
301301 }
302302 statement {
303303 sid = " AllowLambdaFullWrite"
304304 effect = " Allow"
305305 principals {
306- type = " AWS"
306+ type = " AWS"
307307 identifiers = [aws_iam_role . eligibility_lambda_role . arn , aws_iam_role . eligibility_audit_firehose_role . arn ]
308308 }
309309 actions = [
@@ -340,3 +340,21 @@ resource "aws_iam_role_policy" "lambda_firehose_policy" {
340340 role = aws_iam_role. eligibility_lambda_role . id
341341 policy = data. aws_iam_policy_document . lambda_firehose_write_policy . json
342342}
343+
344+ data "aws_iam_policy_document" "lambda_xray_tracing_permissions_policy" {
345+ statement {
346+ sid = " AllowLambdaToPutToXRay"
347+ effect = " Allow"
348+ actions = [
349+ " xray:PutTraceSegments" ,
350+ " xray:PutTelemetryRecords"
351+ ]
352+ resources = [" *" ]
353+ }
354+ }
355+
356+ resource "aws_iam_role_policy" "lambda_xray_tracing_policy" {
357+ name = " LambdaXRayWritePolicy"
358+ role = aws_iam_role. eligibility_lambda_role . id
359+ policy = data. aws_iam_policy_document . lambda_xray_tracing_permissions_policy . json
360+ }
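Review bot: The two new blocks at file lines 344–360 are the only ones in this file without a leading `#` comment, unlike every other policy doc and attachment shown (e.g. "# Policy doc for S3 Audit bucket", "# Attach dynamoDB write policy to external write role"); I would add `# Policy doc allowing the Lambda role to write X-Ray trace data` above the data block and `# Attach X-Ray write policy to Lambda role` above the resource. The `resources = ["*"]` on line 352 is the documented minimum rather than over-scoping, since `xray:PutTraceSegments` and `xray:PutTelemetryRecords` do not support resource-level permissions, so a trailing comment such as `resources = ["*"] # xray:Put* actions do not support resource-level permissions` would stop a later reviewer or policy linter from tightening it into a broken policy. Note that this attachment only grants permission; actual trace emission presumably also depends on `tracing_config { mode = "Active" }` on the Lambda function, which is not visible in this diff and should be confirmed in the function's definition.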