
Commit e587078

committed
get rid of aws policy
1 parent c5efec3 commit e587078


2 files changed

+43
-13
lines changed


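--- a/SAMtemplates/lambda_resources.yaml
+++ b/SAMtemplates/lambda_resources.yaml
@@ -20,11 +20,6 @@ Parameters:
 Type: String
 Description: Splunk delivery stream
 Default: none
-EnableSplunk:
-Type: String
-Description: Whether to use splunk
-Default: false
-AllowedValues: [true, false]
 LambdaName:
 Type: String
 Description: Name of lambda we are creating for
@@ -62,9 +57,18 @@ Parameters:
 ]
 ExecutePolicyExportName:
 Type: String
+IncludeAdditionalPolicies:
+Type: String
+Default: false
+AdditionalPolicies:
+Type: CommaDelimitedList
+Description: A list of additional policies to attach the lambdas role (comma delimited).
+Default: none
 
 Conditions:
-ShouldUseSplunk: !Equals [true, !Ref EnableSplunk]
+ShouldIncludeAdditionalPolicies: !Equals
+- true
+- !Ref IncludeAdditionalPolicies
 
 Resources:
 ExecuteLambdaManagedPolicy:
@@ -89,10 +93,19 @@ Resources:
 Principal:
 Service: "lambda.amazonaws.com"
 Action: "sts:AssumeRole"
-ManagedPolicyArns:
-- !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
-- !ImportValue account-resources:LambdaEncryptCloudwatchKMSPolicy
-- arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
+ManagedPolicyArns: !Split
+- ","
+- !Join
+- ","
+- - !Ref LambdaManagedPolicy
+- !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
+- !ImportValue account-resources:CloudwatchEncryptionKMSPolicyArn
+- !If
+- ShouldIncludeAdditionalPolicies
+- !Join
+- ","
+- !Ref AdditionalPolicies
+- !Ref AWS::NoValue
 
 LambdaManagedPolicy:
 Type: AWS::IAM::ManagedPolicy
@@ -122,7 +135,6 @@ Resources:
 KmsKeyId: !Ref CloudWatchKMSKey
 
 LambdaSplunkSubscriptionFilter:
-Condition: ShouldUseSplunk
 Type: AWS::Logs::SubscriptionFilter
 Properties:
 RoleArn: !Ref SplunkSubscriptionFilterRole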
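Review bot: Removing `arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole` from ManagedPolicyArns in the third hunk drops not only the ec2 ENI permissions but also the logs:CreateLogGroup/CreateLogStream/PutLogEvents grants that managed policy carries, and the replacement LambdaVPCPolicy in main_template.yaml re-adds only the ec2 actions; confirm that LambdaManagedPolicy (its body lies outside this hunk) still grants the CloudWatch Logs writes, otherwise the functions keep running but silently lose log delivery. The new `IncludeAdditionalPolicies` parameter in the second hunk has neither a Description nor the `AllowedValues: [true, false]` that the removed EnableSplunk had, so a value such as `True` would not match the `!Equals` against `true` and the extra policies would be skipped without any error; add `AllowedValues: [true, false]` and `Description: Whether to attach the AdditionalPolicies list to the lambda role`. The KMS import also changes from `account-resources:LambdaEncryptCloudwatchKMSPolicy` to `account-resources:CloudwatchEncryptionKMSPolicyArn`, which the commit message does not mention; verify that export exists in account-resources, since a missing export fails the stack update at deploy time.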

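--- a/SAMtemplates/main_template.yaml
+++ b/SAMtemplates/main_template.yaml
@@ -54,7 +54,6 @@ Resources:
 CloudWatchKMSKey: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
 SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
 SplunkDeliveryStream: !ImportValue lambda-resources:SplunkDeliveryStream
-EnableSplunk: "true"
 LambdaName: !Sub "${AWS::StackName}-FHIRValidatorUKCore"
 LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-FHIRValidatorUKCore
 LogRetentionDays: !Ref LogRetentionDays
@@ -102,6 +101,22 @@ Resources:
 IpProtocol: "-1"
 VpcId: !ImportValue vpc-resources:VpcId
 
+LambdaVPCPolicy:
+Type: AWS::IAM::ManagedPolicy
+Properties:
+PolicyDocument:
+Version: 2012-10-17
+Statement:
+- Effect: Allow
+Action:
+- ec2:CreateNetworkInterface
+- ec2:DescribeNetworkInterfaces
+- ec2:DescribeSubnets
+- ec2:DeleteNetworkInterface
+- ec2:AssignPrivateIpAddresses
+- ec2:UnassignPrivateIpAddresses
+Resource: "*"
+
 FHIRValidatorNHSDigitalLegacyResources:
 Type: AWS::Serverless::Application
 Properties:
@@ -116,6 +131,8 @@ Resources:
 LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-FHIRValidatorNHSDigitalLegacy
 LogRetentionDays: !Ref LogRetentionDays
 ExecutePolicyExportName: FHIRValidatorNHSDigitalLegacyExecuteLambdaPolicyArn
+IncludeAdditionalPolicies: true
+AdditionalPolicies: !Ref LambdaVPCPolicy
 
 FHIRValidatorNHSDigitalLegacy:
 Type: AWS::Serverless::Function
@@ -162,11 +179,12 @@ Resources:
 CloudWatchKMSKey: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
 SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
 SplunkDeliveryStream: !ImportValue lambda-resources:SplunkDeliveryStream
-EnableSplunk: "true"
 LambdaName: !Sub "${AWS::StackName}-FHIRValidatorNHSDigitalCurrent"
 LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-FHIRValidatorNHSDigitalCurrent
 LogRetentionDays: !Ref LogRetentionDays
 ExecutePolicyExportName: FHIRValidatorNHSDigitalCurrentExecuteLambdaPolicyArn
+IncludeAdditionalPolicies: true
+AdditionalPolicies: !Ref LambdaVPCPolicy
 
 FHIRValidatorNHSDigitalCurrent:
 Type: AWS::Serverless::Function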
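Review bot: The FHIRValidatorUKCore application in the first hunk is not given `IncludeAdditionalPolicies`/`AdditionalPolicies`, while the Legacy and Current applications in the third and fourth hunks both receive `!Ref LambdaVPCPolicy`; now that the shared role in lambda_resources.yaml no longer carries AWSLambdaVPCAccessExecutionRole, a VPC-attached UKCore function would be left without ec2:CreateNetworkInterface and fail at invocation, so either pass the same two parameters there or record in a comment why UKCore is not VPC-connected. `IncludeAdditionalPolicies: true` is an unquoted YAML boolean handed to a String parameter, whereas the line it sits beside replaced `EnableSplunk: "true"`; quote it as `IncludeAdditionalPolicies: "true"` so the value does not depend on type coercion before the `!Equals` check. `Resource: "*"` on LambdaVPCPolicy mirrors the managed policy it replaces and the Describe actions in the list do not support resource-level scoping, so it is acceptable here, but a `Description: ENI permissions for VPC-attached lambdas, replacing AWSLambdaVPCAccessExecutionRole` on the resource would make that intent visible to the next reviewer.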
