LogRetentionRoleStack.ts
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as kms from 'aws-cdk-lib/aws-kms';
import { NagSuppressions } from 'cdk-nag';
import { Construct } from 'constructs';
import { STAGE } from '../../../config/Types';
// Stack inputs for the cross-account log-retention role.
interface Props extends cdk.StackProps {
  // Account id trusted to assume the role (becomes the AccountPrincipal).
  resAccount: string;
  // Deployment stage; embedded in the generated role name.
  stageName: STAGE;
  // Application name; embedded in the generated role name.
  applicationName: string;
  // KMS key whose ARN is the sole resource of the role's kms:* statement.
  encryptionKey: kms.IKey;
}
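/**
 * Stack that creates an IAM role a "resource" account may assume to manage
 * CloudWatch Logs retention in this account. The role name is deterministic so
 * the assuming side can derive the ARN with {@link LogRetentionRoleStack.getRoleArn}
 * instead of looking it up.
 */
export class LogRetentionRoleStack extends cdk.Stack {
  /**
   * @param scope - Parent construct.
   * @param id - Construct id.
   * @param props - Trusted account, stage, application name and the KMS key the
   *   role is allowed to use.
   */
  constructor(scope: Construct, id: string, props: Props) {
    super(scope, id, props);

    const role = new iam.Role(this, 'Role', {
      // Fixed name (account/region/app/stage) so getRoleArn() can rebuild it.
      roleName: LogRetentionRoleStack.getRoleName(
        this.account,
        this.region,
        props.stageName,
        props.applicationName,
      ),
      // Trusts the whole resource account: any principal there that holds
      // sts:AssumeRole on this ARN can assume the role. NOTE(review): no
      // ExternalId or source-principal condition narrows this trust; confirm
      // that account-wide trust is intended.
      assumedBy: new iam.AccountPrincipal(props.resAccount),
      inlinePolicies: {
        logRetentionOperation: new iam.PolicyDocument({
          statements: [
            new iam.PolicyStatement({
              effect: iam.Effect.ALLOW,
              actions: [
                'logs:PutRetentionPolicy',
                'logs:CreateLogGroup',
                'logs:CreateLogStream',
                'logs:PutLogEvents',
                'logs:GetLogEvents',
                'logs:AssociateKmsKey',
                'logs:Describe*',
                'cloudformation:Get*',
                'cloudformation:Describe*',
                'cloudformation:List*',
              ],
              // NOTE(review): '*' grants these actions on every log group and
              // stack in the account; this is what the IAM5 suppression below
              // covers. Scoping the logs:* actions to log-group ARNs would
              // narrow the blast radius if the role is misused.
              resources: ['*'],
            }),
            new iam.PolicyStatement({
              effect: iam.Effect.ALLOW,
              // 'kms:ReEncrypt' is not an IAM action and grants nothing; the
              // real actions are kms:ReEncryptFrom / kms:ReEncryptTo, both
              // matched by the 'kms:ReEncrypt*' pattern used in AWS key policies.
              actions: [
                'kms:Encrypt',
                'kms:Decrypt',
                'kms:ReEncrypt*',
                'kms:GenerateDataKey',
                'kms:DescribeKey',
              ],
              // Key usage is limited to the single key passed in.
              resources: [props.encryptionKey.keyArn],
            }),
          ],
        }),
      },
    });

    new cdk.CfnOutput(this, 'RoleArnCfnOutput', {
      value: role.roleArn,
    });

    // Suppress cdk-nag AwsSolutions-IAM5 (wildcard permissions) on the role and,
    // via the trailing `true`, on its child resources.
    // NOTE(review): the recorded reason does not describe this role (it is a
    // cross-account operations role, not a Lambda default role); an accurate
    // reason keeps the suppression auditable.
    NagSuppressions.addResourceSuppressions(
      role,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'This is default IAM role for lambda function. Suppress this warning.',
        },
      ],
      true,
    );
  }

  /**
   * Deterministic role name shared by the creating and the assuming side.
   *
   * @returns `log-retention-<account>-<region>-<applicationName>-<stageName>`.
   */
  static getRoleName(account: string, region: string, stageName: STAGE, applicationName: string): string {
    return `log-retention-${account}-${region}-${applicationName}-${stageName}`;
  }

  /**
   * ARN of the role created by this stack, built without a lookup.
   *
   * IAM is a global service, so the ARN's region component is empty; `region`
   * only feeds the role name. NOTE(review): the partition is hard-coded to
   * 'aws', so the ARN is wrong in other partitions (e.g. aws-us-gov, aws-cn).
   *
   * @returns `arn:aws:iam::<account>:role/<roleName>`.
   */
  static getRoleArn(account: string, region: string, stageName: STAGE, applicationName: string): string {
    return cdk.Arn.format({
      partition: 'aws',
      service: 'iam',
      account,
      region: '',
      resource: 'role',
      resourceName: LogRetentionRoleStack.getRoleName(account, region, stageName, applicationName),
    });
  }
}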