feat: Added default resources for events permissions (#34)

Octogonapus · web-flow · commit 698e4c1a4640 · 2022-04-11T09:40:01.000+02:00
diff --git a/README.md b/README.md
@@ -46,6 +46,17 @@ EOF
     lambda = {
       lambda = ["arn:aws:lambda:eu-west-1:123456789012:function:test1", "arn:aws:lambda:eu-west-1:123456789012:function:test2"]
     }
+
+    stepfunction_Sync = {
+      stepfunction = ["arn:aws:states:eu-west-1:123456789012:stateMachine:test1"]
+      stepfunction_Wildcard = ["arn:aws:states:eu-west-1:123456789012:stateMachine:test1"]
+
+      # Set to true to use the default events (otherwise, set this to a list of ARNs; see the docs linked in locals.tf
+      # for more information). Without events permissions, you will get an error similar to this:
+      #   Error: AccessDeniedException: 'arn:aws:iam::xxxx:role/step-functions-role' is not authorized to
+      #   create managed-rule
+      events = true
+    }
   }
 
   type = "STANDARD"
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -66,6 +66,17 @@ module "step_function" {
       xray = true
     }
 
+    stepfunction_Sync = {
+      stepfunction = ["arn:aws:states:eu-west-1:123456789012:stateMachine:test1"]
+      stepfunction_Wildcard = ["arn:aws:states:eu-west-1:123456789012:stateMachine:test1"]
+
+      # Set to true to use the default events (otherwise, set this to a list of ARNs; see the docs linked in locals.tf
+      # for more information). Without events permissions, you will get an error similar to this:
+      #   Error: AccessDeniedException: 'arn:aws:iam::xxxx:role/step-functions-role' is not authorized to
+      #   create managed-rule
+      events = true
+    }
+
     #    # NB: This will "Deny" everything (including logging)!
     #    no_tasks = {
     #      deny_all = true
diff --git a/locals.tf b/locals.tf
@@ -211,6 +211,7 @@ locals {
           "events:DescribeRule"
         ]
       }
+      default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForBatchJobsRule"]
     }
 
     batch_WaitForTaskToken = {
@@ -269,6 +270,7 @@ locals {
           "events:PutRule",
           "events:DescribeRule"
         ]
+        default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForECSTaskRule"]
       }
     }
 
@@ -352,6 +354,7 @@ locals {
           "events:DescribeRule"
         ]
       }
+      default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForSageMakerTrainingJobsRule"]
     }
 
     sagemaker_CreateTrainingJob_WaitForTaskToken = {
@@ -417,6 +420,7 @@ locals {
           "events:PutRule",
           "events:DescribeRule"
         ]
+        default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForSageMakerTransformJobsRule"]
       }
     }
 
@@ -464,6 +468,7 @@ locals {
           "events:PutRule",
           "events:DescribeRule"
         ]
+        default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRAddJobFlowStepsRule"]
       }
     }
 
@@ -497,6 +502,7 @@ locals {
           "events:PutRule",
           "events:DescribeRule"
         ]
+        default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRRunJobFlowRule"]
       }
     }
 
@@ -541,6 +547,7 @@ locals {
           "events:DescribeRule"
         ]
       }
+      default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRTerminateJobFlowsRule"]
     }
 
     # https://docs.aws.amazon.com/step-functions/latest/dg/codebuild-iam.html
@@ -560,6 +567,7 @@ locals {
           "events:DescribeRule"
         ]
       }
+      default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForCodeBuildStartBuildRule"]
     }
 
     codebuild_StartBuild = {
@@ -711,6 +719,7 @@ locals {
           "events:PutRule",
           "events:DescribeRule"
         ]
+        default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"]
       }
     }
 
@@ -743,3 +752,5 @@ locals {
 
   }
 }
+
+data "aws_caller_identity" "current" {}

Original file line number	Diff line number	Diff line change
`@@ -211,6 +211,7 @@ locals {`
`211`	`211`	`"events:DescribeRule"`
`212`	`212`	`]`
`213`	`213`	`}`
	`214`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForBatchJobsRule"]`
`214`	`215`	`}`
`215`	`216`
`216`	`217`	`batch_WaitForTaskToken = {`
`@@ -269,6 +270,7 @@ locals {`
`269`	`270`	`"events:PutRule",`
`270`	`271`	`"events:DescribeRule"`
`271`	`272`	`]`
	`273`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForECSTaskRule"]`
`272`	`274`	`}`
`273`	`275`	`}`
`274`	`276`
`@@ -352,6 +354,7 @@ locals {`
`352`	`354`	`"events:DescribeRule"`
`353`	`355`	`]`
`354`	`356`	`}`
	`357`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForSageMakerTrainingJobsRule"]`
`355`	`358`	`}`
`356`	`359`
`357`	`360`	`sagemaker_CreateTrainingJob_WaitForTaskToken = {`
`@@ -417,6 +420,7 @@ locals {`
`417`	`420`	`"events:PutRule",`
`418`	`421`	`"events:DescribeRule"`
`419`	`422`	`]`
	`423`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForSageMakerTransformJobsRule"]`
`420`	`424`	`}`
`421`	`425`	`}`
`422`	`426`
`@@ -464,6 +468,7 @@ locals {`
`464`	`468`	`"events:PutRule",`
`465`	`469`	`"events:DescribeRule"`
`466`	`470`	`]`
	`471`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRAddJobFlowStepsRule"]`
`467`	`472`	`}`
`468`	`473`	`}`
`469`	`474`
`@@ -497,6 +502,7 @@ locals {`
`497`	`502`	`"events:PutRule",`
`498`	`503`	`"events:DescribeRule"`
`499`	`504`	`]`
	`505`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRRunJobFlowRule"]`
`500`	`506`	`}`
`501`	`507`	`}`
`502`	`508`
`@@ -541,6 +547,7 @@ locals {`
`541`	`547`	`"events:DescribeRule"`
`542`	`548`	`]`
`543`	`549`	`}`
	`550`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRTerminateJobFlowsRule"]`
`544`	`551`	`}`
`545`	`552`
`546`	`553`	`# https://docs.aws.amazon.com/step-functions/latest/dg/codebuild-iam.html`
`@@ -560,6 +567,7 @@ locals {`
`560`	`567`	`"events:DescribeRule"`
`561`	`568`	`]`
`562`	`569`	`}`
	`570`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForCodeBuildStartBuildRule"]`
`563`	`571`	`}`
`564`	`572`
`565`	`573`	`codebuild_StartBuild = {`
`@@ -711,6 +719,7 @@ locals {`
`711`	`719`	`"events:PutRule",`
`712`	`720`	`"events:DescribeRule"`
`713`	`721`	`]`
	`722`	`+ default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"]`
`714`	`723`	`}`
`715`	`724`	`}`
`716`	`725`
`@@ -743,3 +752,5 @@ locals {`
`743`	`752`
`744`	`753`	`}`
`745`	`754`	`}`
	`755`	`+`
	`756`	`+data "aws_caller_identity" "current" {}`