Merge pull request #5161 from ministryofjustice/csr/lambda-iam-role

Csr/lambda iam role
ministryofjustice · Feb 23, 2024 · ed4b4cc · ed4b4cc
2 parents afb1184 + 3a561c5
commit ed4b4cc
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 6 deletions.
diff --git a/terraform/environments/corporate-staff-rostering/iam.tf b/terraform/environments/corporate-staff-rostering/iam.tf
@@ -64,6 +64,31 @@ resource "aws_iam_role" "lambda-ad-role" {
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
 }
 
+resource "aws_iam_policy" "lambda-ad-policy" {
+  name = "LambdaADObjectCleanUpPolicy"
+  description = "Policy to grant AD lambda function VPC access"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "ec2:CreateNetworkInterface",
+          "ec2:Describe*",
+          "ec2:DeleteNetworkInterface",
+          "ec2:AssignPrivateIpAddresses",
+          "ec2:UnassignPrivateIpAddresses"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
+}
+
 data "aws_iam_policy" "HmppsDomainSecrets" {
   name = "HmppsDomainSecretsPolicy"
 }
@@ -82,9 +107,9 @@ resource "aws_iam_role_policy_attachment" "lambda_kms" {
   policy_arn = data.aws_iam_policy.BusinessUnitKmsCmk.arn
 }
 
-resource "aws_iam_role_policy_attachment" "lambda-vpc-attachment" {
+resource "aws_iam_role_policy_attachment" "lambda-ad-policy-attachment" {
   role       = aws_iam_role.lambda-ad-role.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+  policy_arn = aws_iam_policy.lambda-ad-policy.arn
 }
 
 

diff --git a/terraform/environments/corporate-staff-rostering/lambda.tf b/terraform/environments/corporate-staff-rostering/lambda.tf
@@ -17,6 +17,7 @@ module "ad-clean-up-lambda" {
   source_code_hash = filebase64sha256("${path.module}/lambda/ad-clean-up/deployment_package.zip")
   handler          = "lambda_function.lambda_handler"
   runtime          = "python3.12"
+  timeout          = 60
 
   create_role = false
   lambda_role = aws_iam_role.lambda-ad-role.arn
@@ -79,7 +80,6 @@ module "lambda_cw_logs_xml_to_json" {
   source_code_hash = filebase64sha256("${path.module}/lambda/cw-xml-to-json/deployment_package.zip")
   runtime          = "python3.12"
   handler          = "lambda_function.lambda_handler"
-  timeout          = 60
 
   policy_json_attached = true
   policy_json = jsonencode({

diff --git a/terraform/environments/corporate-staff-rostering/platform_versions.tf b/terraform/environments/corporate-staff-rostering/platform_versions.tf
@@ -8,9 +8,6 @@ terraform {
       version = "~> 3.0"
       source  = "hashicorp/http"
     }
-    archive = {
-      source  = "hashicorp/archive"
-    }
   }
   required_version = "~> 1.0"
 }