Adds Cloudwatch logs policy to executor role

bobthemighty · Mar 31, 2022 · a17ac37 · a17ac37
1 parent 4a5bc5e
commit a17ac37
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/infra/cloudwatch.tf b/infra/cloudwatch.tf
@@ -0,0 +1,19 @@
+locals {
+  log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.lambda_function_name}:*"
+}
+
+data aws_iam_policy_document cloudwatch_logs {
+  statement {
+    sid = "createLogGroup"
+
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+
+    resources = [local.log_group_arn]
+
+  }
+
+}
diff --git a/infra/data.tf b/infra/data.tf
@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
diff --git a/infra/lambda.tf b/infra/lambda.tf
@@ -31,4 +31,10 @@ data aws_iam_policy_document assumption_policy {
 resource aws_iam_role iam_for_lambda {
   name = "${var.lambda_function_name}-executor"
   assume_role_policy = data.aws_iam_policy_document.assumption_policy.json
+
+
+  inline_policy {
+    name   = "allow-cloudwatch-logs"
+    policy = data.aws_iam_policy_document.cloudwatch_logs.json
+  }
 }