eli-510 adding permissions for assume role

eddalmond1 · eddalmond1 · commit f00baa35d2cc · 2025-11-03T14:48:31.000Z
diff --git a/infrastructure/stacks/api-layer/csoc_log_forwarding.tf b/infrastructure/stacks/api-layer/csoc_log_forwarding.tf
@@ -16,6 +16,18 @@ data "aws_iam_policy_document" "cwl_subscription_assume_role" {
       type        = "Service"
       identifiers = ["logs.${var.default_aws_region}.amazonaws.com"]
     }
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:SourceArn"
+      values   = ["${module.eligibility_signposting_api_gateway.cloudwatch_destination_arn}:*"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,18 @@ data "aws_iam_policy_document" "cwl_subscription_assume_role" {`
`16`	`16`	`type = "Service"`
`17`	`17`	`identifiers = ["logs.${var.default_aws_region}.amazonaws.com"]`
`18`	`18`	`}`
	`19`	`+`
	`20`	`+ condition {`
	`21`	`+ test = "StringLike"`
	`22`	`+ variable = "aws:SourceArn"`
	`23`	`+ values = ["${module.eligibility_signposting_api_gateway.cloudwatch_destination_arn}:*"]`
	`24`	`+ }`
	`25`	`+`
	`26`	`+ condition {`
	`27`	`+ test = "StringEquals"`
	`28`	`+ variable = "aws:SourceAccount"`
	`29`	`+ values = [data.aws_caller_identity.current.account_id]`
	`30`	`+ }`
`19`	`31`	`}`
`20`	`32`	`}`
`21`	`33`