'use strict';
const { ServerlessSDK } = require('@serverless/platform-client');
const { entries, values } = require('lodash');
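/**
 * Injects an IAM role into the compiled CloudFormation template that lets the
 * Serverless Platform read this service's Lambda logs.
 *
 * The role trusts the platform's AWS account (looked up through the Platform
 * SDK's metadata endpoint) and is limited to `logs:FilterLogEvents` on the log
 * groups the template itself declares. An `sts:ExternalId` condition derived
 * from the org uid is the confused-deputy guard on that trust relationship.
 *
 * Nothing is injected when log collection is explicitly disabled, when the
 * template declares no log groups, or when the user supplies their own
 * `custom.enterprise.logAccessIamRole`.
 *
 * @param {object} ctx - plugin context; reads `ctx.sls.service.custom.enterprise`
 *   and `ctx.sls.service.orgUid`, and mutates the `Resources` and `Outputs` of
 *   `ctx.sls.service.provider.compiledCloudFormationTemplate`.
 * @returns {Promise<void>}
 * @throws {Error} if the service has no org uid, or the platform metadata does
 *   not contain a well-formed AWS account id — either would otherwise be written
 *   into the trust policy as a guessable external id or an invalid principal.
 */
module.exports = async function (ctx) {
  const { service } = ctx.sls;
  const enterprise = (service.custom && service.custom.enterprise) || {};
  const template = service.provider.compiledCloudFormationTemplate;

  // Explicit opt-out of log collection.
  if (enterprise.collectLambdaLogs === false) {
    return;
  }

  // Logical ids of every log group in the template; these are the only
  // resources the injected role is allowed to read. lodash `entries` tolerates
  // a missing Resources map (yields []), so the absence of resources is treated
  // as "no log groups" rather than a crash.
  const logGroupIds = entries(template.Resources)
    .filter(([, { Type }]) => Type === 'AWS::Logs::LogGroup')
    .map(([logicalId]) => logicalId);
  if (logGroupIds.length === 0) {
    // Nothing to grant access to.
    return;
  }

  // The user brings their own role; do not create a second one.
  if (enterprise.logAccessIamRole) {
    return;
  }

  // The external id is the confused-deputy guard on the trust policy. Without
  // an org uid it would collapse to the predictable literal
  // "ServerlessEnterprise-undefined", so refuse to build the role instead.
  // Checked before the metadata round trip so a misconfigured service fails fast.
  const { orgUid } = service;
  if (!orgUid) {
    throw new Error(
      'Service has no orgUid; cannot create the Serverless Platform log access IAM role'
    );
  }

  const sdk = new ServerlessSDK();
  const { awsAccountId } = await sdk.metadata.get();

  // This value becomes the trusted principal of the role. Fail closed on a
  // missing or malformed id rather than emit a trust policy for
  // `arn:aws:iam::undefined:root` (CloudFormation rejects it, but only at deploy
  // time and with an opaque error) or for whatever an unexpected metadata
  // response happens to contain. AWS account ids are exactly 12 digits.
  if (!/^\d{12}$/.test(String(awsAccountId))) {
    throw new Error(
      `Serverless Platform metadata returned an invalid AWS account id (${awsAccountId}); cannot create the log access IAM role`
    );
  }

  template.Resources.EnterpriseLogAccessIamRole = {
    Type: 'AWS::IAM::Role',
    Properties: {
      AssumeRolePolicyDocument: {
        Version: '2012-10-17',
        Statement: [
          {
            Effect: 'Allow',
            // Trusting the account root means any principal in the platform
            // account that is allowed to call sts:AssumeRole; the ExternalId
            // condition below is what ties the grant to this org.
            Principal: {
              AWS: `arn:aws:iam::${awsAccountId}:root`,
            },
            Action: 'sts:AssumeRole',
            Condition: {
              StringEquals: {
                'sts:ExternalId': `ServerlessEnterprise-${orgUid}`,
              },
            },
          },
        ],
      },
      Policies: [
        {
          PolicyName: 'LogFilterAccess',
          PolicyDocument: {
            Version: '2012-10-17',
            Statement: [
              {
                Effect: 'Allow',
                // Read-only, and scoped to the ARNs of this service's own log
                // groups rather than "*".
                Action: ['logs:FilterLogEvents'],
                Resource: logGroupIds.map((logicalId) => ({
                  'Fn::GetAtt': [logicalId, 'Arn'],
                })),
              },
            ],
          },
        },
      ],
    },
  };

  // Expose the role ARN as a stack output so the platform can discover it.
  template.Outputs.EnterpriseLogAccessIamRole = {
    Value: {
      'Fn::GetAtt': ['EnterpriseLogAccessIamRole', 'Arn'],
    },
  };
};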