Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Give SNS feedback access to CloudWatch #237

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

fix: Give SNS feedback access to CloudWatch #237

wants to merge 4 commits into from

Conversation

aldenquimby
Copy link

Description

  • The SNS feedback role needs both (a) allow SNS to assume the role, and (b) allow writing to CloudWatch
  • This PR adds (b)

Motivation and Context

Breaking Changes

  • No

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

antonbabenko
antonbabenko reviewed Sep 20, 2024
View reviewed changes
iam.tf Outdated Show resolved Hide resolved
@aldenquimby aldenquimby changed the title fix: give SNS feedback access to CloudWatch fix: Give SNS feedback access to CloudWatch Sep 20, 2024
@aldenquimby aldenquimby mentioned this pull request Oct 21, 2024
Open
1 task
@github-actions GitHub Actions
Copy link

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Nov 21, 2024
@aldenquimby
Copy link
Author

This is still valid. Commenting to keep it open

@github-actions github-actions bot removed the stale label Nov 22, 2024
@github-actions GitHub Actions
Copy link

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Dec 22, 2024
@aldenquimby
Copy link
Author

Not stale

@github-actions github-actions bot removed the stale label Dec 23, 2024
bryantbiggs
bryantbiggs reviewed Jan 6, 2025
View reviewed changes
iam.tf
statement {
effect = "Allow"
actions = [
"logs:CreateLogGroup",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform creates the log group, this one can be removed

Copy link
Author

@aldenquimby aldenquimby Jan 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where are the 2 SNS log groups being created? I see a log group for Lambda logs, but that is different. I believe this permission is necessary for the sns/:region/:account/:topic and sns/:region/:account/:topic/Failure log groups that are auto-created by SNS (assuming permissions are wired up correctly)

bryantbiggs
bryantbiggs reviewed Jan 6, 2025
View reviewed changes
iam.tf
"logs:PutMetricFilter",
"logs:PutRetentionPolicy",
]
resources = ["*"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we know the ARN and can scope it with the aws_cloudwatch_log_group created by the module instead of using a wildcard

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe that is the log group for Lambda logs, which is not what we want here. We instead need the SNS feedback log groups, per my other comment. I could restrict it down to sns/:region/:account/:topic and sns/:region/:account/:topic/*? (I know the /Failure group is needed, but I'm not sure about others. The reference post just uses *, so that's not helpful)

bryantbiggs
bryantbiggs reviewed Jan 6, 2025
View reviewed changes
iam.tf
@@ -36,3 +53,11 @@ resource "aws_iam_role" "sns_feedback_role" {
var.sns_topic_feedback_role_tags,
)
}

resource "aws_iam_role_policy" "sns_feedback_role" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

create a policy and attach it instead of inline policy. name should not be hardcoded - you can see other modules for references

Copy link
Author

@aldenquimby aldenquimby Jan 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, can do! Is this what you are referring to? https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/573f574c922782bc658f05523d0c902a4792b0a8/vpc-flow-logs.tf#L115-L129

Would you like me to add a _policy_name and _policy_use_name_prefix variable for this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bryantbiggs bryantbiggs bryantbiggs left review comments

@antonbabenko antonbabenko Awaiting requested review from antonbabenko

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SNS Feedback role is broken
3 participants
@aldenquimby @antonbabenko @bryantbiggs