Updated roles and polices to match required permissions and resources, using web identity

Author: oliverbeumkes-nhs

infrastructure/cloudwatch_rum.tf

@@ -31,7 +31,15 @@ resource "aws_iam_role" "cognito_unauth_role" {
         Principal : {
           Federated : "cognito-identity.amazonaws.com"
         },
-        Action = "sts:AssumeRole"
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "cognito-identity.amazonaws.com:aud" = "${local.current_region}:${aws_cognito_identity_pool.rum_identity_pool[0].id}"
+          },
+          "ForAnyValue:StringLike" = {
+            "cognito-identity.amazonaws.com:amr" = "unauthenticated"
+          }
+        }
       }
     ]
   })
@@ -41,19 +49,16 @@ resource "aws_iam_policy" "cognito_access_policy" {
   name        = "${terraform.workspace}-cognito-access-policy"
   description = "Policy for unauthenticated Cognito identities"
 
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "mobileanalytics:PutEvents",
-          "cognito-sync:*",
-          "cognito-identity:*",
-        ],
-        Resource = "*"
-      }
-    ]
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : "rum:PutRumEvents",
+          "Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${terraform.workspace}-app-monitor"
+        }
+      ]
   })
 }
 
@@ -125,4 +130,4 @@ resource "aws_rum_app_monitor" "app_monitor" {
   tags = {
     ServiceRole = aws_iam_role.rum_service_role.arn
   }
-}
+}