eli-384 further permissions changes

eddalmond1 · eddalmond1 · commit dc1430fbc938 · 2025-11-14T15:43:46.000Z
diff --git a/infrastructure/stacks/api-layer/waf.tf b/infrastructure/stacks/api-layer/waf.tf
@@ -196,6 +196,7 @@ resource "aws_cloudwatch_log_resource_policy" "waf" {
     Version = "2012-10-17"
     Statement = [
       {
+        Sid    = "AWSLogDeliveryWrite"
         Effect = "Allow"
         Principal = {
           Service = "delivery.logs.amazonaws.com"
@@ -205,6 +206,23 @@ resource "aws_cloudwatch_log_resource_policy" "waf" {
           "logs:PutLogEvents"
         ]
         Resource = "${aws_cloudwatch_log_group.waf[0].arn}:*"
+        Condition = {
+          StringEquals = {
+            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+          }
+          ArnLike = {
+            "aws:SourceArn" = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:*"
+          }
+        }
+      },
+      {
+        Sid    = "AWSLogDeliveryAclCheck"
+        Effect = "Allow"
+        Principal = {
+          Service = "delivery.logs.amazonaws.com"
+        }
+        Action   = "logs:GetLogDelivery"
+        Resource = "*"
       }
     ]
   })
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -240,7 +240,11 @@ resource "aws_iam_policy" "api_infrastructure" {
           "acm:ListCertificates",
           # WAF v2 list operations
           "wafv2:ListWebACLs",
-          "wafv2:ListTagsForResource"
+          "wafv2:ListTagsForResource",
+          # CloudWatch Logs resource policies (require wildcard)
+          "logs:PutResourcePolicy",
+          "logs:DeleteResourcePolicy",
+          "logs:DescribeResourcePolicies"
 
         ],
         Resource = "*"
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -170,22 +170,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "lambda:ListProvisionedConcurrencyConfigs",
 
       # CloudWatch Logs - log management
-      "logs:CreateLogGroup",
-      "logs:DeleteLogGroup",
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-      "logs:Describe*",
-      "logs:ListTagsForResource",
-      "logs:TagResource",
-      "logs:UntagResource",
-      "logs:PutRetentionPolicy",
-      "logs:AssociateKmsKey",
-      "logs:PutMetricFilter",
-      "logs:PutSubscriptionFilter",
-      "logs:DeleteSubscriptionFilter",
-      "logs:DescribeSubscriptionFilters",
+      "logs:*",
 
       # S3 - bucket and object management
       "s3:GetLifecycleConfiguration",
