From dc963c47d56171e554ba241652c3c82414261522 Mon Sep 17 00:00:00 2001 From: Pier-Hugues Pellerin Date: Fri, 25 Jan 2019 20:16:51 -0500 Subject: [PATCH] Fix permissions issues for SQS (#10265) **NOTES:** This PR is based on top of #10116 Correctly add the permissions to the lambda role when monitoring SQS queue. Fixes: #9152 --- CHANGELOG.next.asciidoc | 1 + x-pack/functionbeat/provider/aws/sqs.go | 50 ++++++++++++++++++++++--- 2 files changed, 46 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 9937ba6a16a..b493a53cb3a 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -137,6 +137,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Functionbeat* - Ensure that functionbeat is logging at info level not debug. {issue}10262[10262] +- Add the required permissions to the role when deployment SQS functions. {issue}9152[9152] ==== Added diff --git a/x-pack/functionbeat/provider/aws/sqs.go b/x-pack/functionbeat/provider/aws/sqs.go index 49dbd1c0fa3..ced6feb23c4 100644 --- a/x-pack/functionbeat/provider/aws/sqs.go +++ b/x-pack/functionbeat/provider/aws/sqs.go @@ -7,6 +7,7 @@ package aws import ( "context" "errors" + "sort" "github.com/aws/aws-lambda-go/events" "github.com/aws/aws-lambda-go/lambda" @@ -101,12 +102,51 @@ func (s *SQS) Template() *cloudformation.Template { return template } +// Policies returns a slice of policies to add to the lambda role. +func (s *SQS) Policies() []cloudformation.AWSIAMRole_Policy { + resources := make([]string, len(s.config.Triggers)) + for idx, trigger := range s.config.Triggers { + resources[idx] = trigger.EventSourceArn + } + + // Give us a chance to generate the same document indenpendant of the changes, + // to help with updates. + sort.Strings(resources) + + // SQS Roles permissions: + // - lambda:CreateEventSourceMapping + // - lambda:ListEventSourceMappings + // - lambda:ListFunctions + // + // Lambda Role permission + // - sqs:ChangeMessageVisibility + // - sqs:DeleteMessage + // - sqs:GetQueueAttributes + // - sqs:ReceiveMessage + policies := []cloudformation.AWSIAMRole_Policy{ + cloudformation.AWSIAMRole_Policy{ + PolicyName: cloudformation.Join("-", []string{"fnb", "sqs", s.config.Name}), + PolicyDocument: map[string]interface{}{ + "Statement": []map[string]interface{}{ + map[string]interface{}{ + "Action": []string{ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:ReceiveMessage", + }, + "Effect": "Allow", + "Resource": resources, + }, + }, + }, + }, + } + + return policies +} + // LambdaConfig returns the configuration to use when creating the lambda. func (s *SQS) LambdaConfig() *lambdaConfig { return s.config.LambdaConfig } - -// Policies returns a slice of policy to add to the lambda. -func (s *SQS) Policies() []cloudformation.AWSIAMRole_Policy { - return []cloudformation.AWSIAMRole_Policy{} -}