diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index e126faf..25d4667 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -101,7 +101,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 actions: ["s3:ListAllMyBuckets"],
 },
 {
- name: "CLOUD_WATCH",
+ name: "CLOUD_WATCH_LOGS",
 prefix: `arn:aws:logs:${region}:${accountId}:log-group:`,
 qualifiers: [
 `/aws/lambda/${serviceName}*`,
@@ -114,7 +114,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 actions: ["logs:*"],
 },
 {
- name: "CLOUD_WATCH",
+ name: "CLOUD_WATCH_LOGS",
 resources: ["*"],
 actions: ["logs:DeleteDataProtectionPolicy"],
 },
@@ -611,7 +611,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 let delimiter = "/";
 switch (serviceName) {
 case "COGNITO":
- case "CLOUD_WATCH":
+ case "CLOUD_WATCH_LOGS":
 case "CLOUD_WATCH_ALARMS":
 case "LAMBDA":
 case "S3":
diff --git a/packages/serverless-deploy-iam/test/deploy-role.test.ts b/packages/serverless-deploy-iam/test/deploy-role.test.ts
index a0dccb6..d949856 100644
--- a/packages/serverless-deploy-iam/test/deploy-role.test.ts
+++ b/packages/serverless-deploy-iam/test/deploy-role.test.ts
@@ -55,18 +55,14 @@ describe("Deploy user policy", () => {
 objectLike({
 Action: [
 "cloudformation:CreateStack",
- "cloudformation:DescribeStacks",
+ "cloudformation:Describe*",
+ "cloudformation:List*",
+ "cloudformation:Get*",
 "cloudformation:DeleteStack",
- "cloudformation:DescribeStackEvents",
 "cloudformation:UpdateStack",
 "cloudformation:ExecuteChangeSet",
 "cloudformation:CreateChangeSet",
 "cloudformation:DeleteChangeSet",
- "cloudformation:DescribeChangeSet",
- "cloudformation:ListStackResources",
- "cloudformation:DescribeStackResource",
- "cloudformation:DescribeStackResources",
- "cloudformation:GetTemplate",
 ],
 Effect: "Allow",
 Resource: [
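Review bot: The expected Action list in the @@ -55 hunk of deploy-role.test.ts now pins wildcard actions (`cloudformation:Describe*`, `cloudformation:List*`, `cloudformation:Get*`) in place of the enumerated calls, so the role under test is expected to carry every present and future CloudFormation action with those verb prefixes rather than the specific ones the old list named. The same widening recurs in the later hunks of this file at @@ -157 (`logs:*`) and @@ -278 (`cloudwatch:List*`, `cloudwatch:Put*`), where `logs:*` and `Put*` cover write and delete actions as well as reads, not just read-only verbs. The app.ts change that produces these wildcards is not in this diff, so I cannot confirm which resources they are scoped to; if the broadening is intentional, a comment on the expectation such as `// wildcards are deliberate: read-only verb prefixes, bounded by the Resource block below` would keep the test from reading as an accidental loosening. I would also add a negative assertion in this test that no statement of the policy grants `cloudformation:*`, so the wildcard expansion stays bounded to the verb prefixes listed here.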
@@ -148,7 +144,7 @@ describe("Deploy user policy", () => {
 );
 });
 
- test("has correct CloudWatch permissions", () => {
+ test("has correct CloudWatch logs permissions", () => {
 const app = new cdk.App();
 const stack = new ServiceDeployIAM(app, "jest-deploy-iam");
 expectCDK(stack).to(
@@ -157,22 +153,7 @@ describe("Deploy user policy", () => {
 PolicyDocument: {
 Statement: arrayWith(
 objectLike({
- Action: [
- "logs:CreateLogGroup",
- "logs:DescribeLogGroups",
- "logs:DeleteLogGroup",
- "logs:CreateLogStream",
- "logs:DescribeLogStreams",
- "logs:DeleteLogStream",
- "logs:FilterLogEvents",
- "logs:TagResource",
- "logs:UntagResource",
- "logs:DescribeMetricFilters",
- "logs:PutMetricFilter",
- "logs:ListTagsForResource",
- "logs:PutDataProtectionPolicy",
- "logs:UpdateDataProtectionPolicy",
- ],
+ Action: ["logs:*"],
 Effect: "Allow",
 Resource: [
 {
@@ -278,17 +259,11 @@ describe("Deploy user policy", () => {
 Statement: arrayWith(
 objectLike({
 Action: [
- "cloudwatch:ListMetrics",
- "cloudwatch:ListMetricStreams",
- "cloudwatch:ListTagsForResource",
- "cloudwatch:ListDashboards",
+ "cloudwatch:List*",
 "cloudwatch:DescribeAlarms",
 "cloudwatch:DeleteAlarms",
 "cloudwatch:EnableAlarmActions",
- "cloudwatch:PutMetricAlarm",
- "cloudwatch:PutDashboard",
- "cloudwatch:PutMetricData",
- "cloudwatch:PutMetricStream",
+ "cloudwatch:Put*",
 "cloudwatch:SetAlarmState",
 "cloudwatch:TagResource",
 "cloudwatch:StartMetricStreams",
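Review bot: In the @@ -157 hunk the expectation collapses to `Action: ["logs:*"]`, yet the app.ts hunk at @@ -114 in this same diff already shows `actions: ["logs:*"]` as an unchanged context line, which suggests the policy was widened before this commit and the test is only now catching up; worth confirming whether the enumerated list was the intended contract and the test had simply not been gating the change. With `logs:*` applied to the log-group ARN prefix visible in the @@ -101 hunk, the role also receives logs actions the old list never included, among them ones that can forward or export log contents elsewhere, so the Resource scoping below this line is now the only thing bounding the grant. The second `CLOUD_WATCH_LOGS` statement in app.ts uses `resources: ["*"]`, so I would add an assertion in this test that the only statement whose Resource is `*` carries `logs:DeleteDataProtectionPolicy` alone, ensuring `logs:*` is never paired with an unscoped resource. The enclosing `test(...)` callback begins before this hunk and its closing lines fall outside it.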