updating role paths used by scheduled queries (#1216)

airbnb · Mar 31, 2020 · 07812ef · 07812ef
1 parent 5b63c95
commit 07812ef
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 7 deletions.
diff --git a/streamalert_cli/_infrastructure/modules/tf_scheduled_queries/cloudwatch_schedule.tf b/streamalert_cli/_infrastructure/modules/tf_scheduled_queries/cloudwatch_schedule.tf
@@ -7,6 +7,10 @@ resource "aws_cloudwatch_event_rule" "event" {
   name                = "${var.prefix}_streamalert_scheduled_queries_event_${count.index}"
   description         = var.query_packs[count.index].description
   schedule_expression = var.query_packs[count.index].schedule_expression
+
+  tags = {
+    Name = "StreamAlert"
+  }
 }
 
 resource "aws_cloudwatch_event_target" "run_step_function" {

diff --git a/streamalert_cli/_infrastructure/modules/tf_scheduled_queries/iam_roles.tf b/streamalert_cli/_infrastructure/modules/tf_scheduled_queries/iam_roles.tf
@@ -15,7 +15,7 @@
 
 # Attach additional permissions to the auto-generated Lambda IAM Role
 resource "aws_iam_role_policy" "lambda_permissions" {
-  name   = "${var.prefix}_streamalert_scheduled_queries_lambda_permissions"
+  name   = "LambdaRequiredPermissions"
   role   = module.scheduled_queries_lambda.role_id
   policy = data.aws_iam_policy_document.lambda_permissions.json
 }
@@ -97,7 +97,12 @@ data "aws_iam_policy_document" "lambda_permissions" {
 # Setup the IAM Role for the Step Functions
 resource "aws_iam_role" "iam_for_step_functions" {
   name               = "${var.prefix}_streamalert_scheduled_queries_state_machines"
+  path               = "/streamalert/"
   assume_role_policy = data.aws_iam_policy_document.iam_step_function_assume_role.json
+
+  tags = {
+    Name = "StreamAlert"
+  }
 }
 
 # Only allow Step Functions to assume this role
@@ -116,7 +121,7 @@ data "aws_iam_policy_document" "iam_step_function_assume_role" {
 
 # Attach an additional policy to the IAM Role
 resource "aws_iam_role_policy" "stepfunction_permissions" {
-  name   = "${var.prefix}_streamalert_scheduled_queries_state_machine_permissions"
+  name   = "StepFunctionsInvokeLambda"
   role   = aws_iam_role.iam_for_step_functions.id
   policy = data.aws_iam_policy_document.stepfunction_permissions.json
 }
@@ -143,7 +148,12 @@ data "aws_iam_policy_document" "stepfunction_permissions" {
 # Setup the IAM Role
 resource "aws_iam_role" "iam_for_cloudwatch_schedule" {
   name               = "${var.prefix}_streamalert_scheduled_queries_cloudwatch_schedule"
+  path               = "/streamalert/"
   assume_role_policy = data.aws_iam_policy_document.iam_cloudwatch_assume_role.json
+
+  tags = {
+    Name = "StreamAlert"
+  }
 }
 
 # Only allow cloudwatch to assume this role
@@ -162,7 +172,7 @@ data "aws_iam_policy_document" "iam_cloudwatch_assume_role" {
 
 # Attach additional permissions to the IAM Role
 resource "aws_iam_role_policy" "cloudwatch_schedule_permissions" {
-  name   = "${var.prefix}_streamalert_scheduled_queries_cloudwatch_schedule_permissions"
+  name   = "StepFunctionsStartViaCWE"
   role   = aws_iam_role.iam_for_cloudwatch_schedule.id
   policy = data.aws_iam_policy_document.cloudwatch_schedule_permission.json
 }

diff --git a/streamalert_cli/_infrastructure/modules/tf_scheduled_queries/step_function.tf b/streamalert_cli/_infrastructure/modules/tf_scheduled_queries/step_function.tf
@@ -64,4 +64,8 @@ resource "aws_sfn_state_machine" "state_machine" {
 }
 EOF
 
+  tags = {
+    Name = "StreamAlert"
+  }
+
 }
diff --git a/streamalert_cli/_infrastructure/modules/tf_scheduled_queries/versions.tf b/streamalert_cli/_infrastructure/modules/tf_scheduled_queries/versions.tf