NRL-1411 Specify actions in iam role

jackleary · jackleary · commit 807525754aef · 2025-05-01T16:03:52.000+01:00
diff --git a/terraform/account-wide-infrastructure/modules/glue/iam.tf b/terraform/account-wide-infrastructure/modules/glue/iam.tf
@@ -63,7 +63,6 @@ data "aws_iam_policy_document" "glue_service" {
 
     resources = [
       "arn:aws:logs:*:*:*:/aws-glue/*",
-      # "arn:aws:logs:*:*:*:/customlogs/*"
     ]
 
     effect = "Allow"
@@ -83,7 +82,9 @@ data "aws_iam_policy_document" "glue_service" {
 
   statement {
     actions = [
-      "cloudwatch:*",
+      "cloudwatch:Get*",
+      "cloudwatch:List*",
+      "cloudwatch:Put*",
     ]
     resources = [
       "*"
@@ -97,7 +98,7 @@ data "aws_iam_policy_document" "glue_service" {
     ]
     effect = "Allow"
     resources = [
-      "*"
+      "arn:aws:iam::*:role/AWSGlueServiceRole*"
     ]
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,6 @@ data "aws_iam_policy_document" "glue_service" {`
`63`	`63`
`64`	`64`	`resources = [`
`65`	`65`	`"arn:aws:logs::::/aws-glue/",`
`66`		`- # "arn:aws:logs::::/customlogs/"`
`67`	`66`	`]`
`68`	`67`
`69`	`68`	`effect = "Allow"`
`@@ -83,7 +82,9 @@ data "aws_iam_policy_document" "glue_service" {`
`83`	`82`
`84`	`83`	`statement {`
`85`	`84`	`actions = [`
`86`		`- "cloudwatch:*",`
	`85`	`+ "cloudwatch:Get*",`
	`86`	`+ "cloudwatch:List*",`
	`87`	`+ "cloudwatch:Put*",`
`87`	`88`	`]`
`88`	`89`	`resources = [`
`89`	`90`	`"*"`
`@@ -97,7 +98,7 @@ data "aws_iam_policy_document" "glue_service" {`
`97`	`98`	`]`
`98`	`99`	`effect = "Allow"`
`99`	`100`	`resources = [`
`100`		`- "*"`
	`101`	`+ "arn:aws:iam:::role/AWSGlueServiceRole"`
`101`	`102`	`]`
`102`	`103`	`}`
`103`	`104`	`}`