fix(log_forwarder): add ListBucket permission and modify lambda s3 permission when log arns are provided

bryantbiggs · bryantbiggs · commit 711ca6efc4c2 · 2020-10-20T10:27:55.000-04:00
diff --git a/modules/log_forwarder/main.tf b/modules/log_forwarder/main.tf
@@ -208,7 +208,7 @@ resource "aws_lambda_permission" "cloudwatch" {
 }
 
 resource "aws_lambda_permission" "s3" {
-  count = var.create ? 1 : 0
+  count = var.create && length(var.s3_log_bucket_arns) > 0 ? 1 : 0
 
   statement_id   = "datadog-forwarder-S3Permission"
   action         = "lambda:InvokeFunction"
diff --git a/modules/log_forwarder/policy.tmpl b/modules/log_forwarder/policy.tmpl
@@ -18,7 +18,8 @@
       "Action": [
         "s3:GetObject",
         "s3:PutObject",
-        "s3:DeleteObject"
+        "s3:DeleteObject",
+        "s3:ListBucket"
       ],
       "Effect": "Allow",
       "Resource": [

Original file line number	Diff line number	Diff line change
`@@ -208,7 +208,7 @@ resource "aws_lambda_permission" "cloudwatch" {`
`208`	`208`	`}`
`209`	`209`
`210`	`210`	`resource "aws_lambda_permission" "s3" {`
`211`		`- count = var.create ? 1 : 0`
	`211`	`+ count = var.create && length(var.s3_log_bucket_arns) > 0 ? 1 : 0`
`212`	`212`
`213`	`213`	`statement_id = "datadog-forwarder-S3Permission"`
`214`	`214`	`action = "lambda:InvokeFunction"`