tweak the permissions

nullstone-modules · Apr 12, 2024 · cb82003 · cb82003
1 parent 021efcf
commit cb82003
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 38 deletions.
diff --git a/access.tf b/access.tf
@@ -1,6 +1,29 @@
-resource "aws_iam_role_policy_attachment" "scheduler-policy" {
-  role       = var.app_metadata["role_name"]
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBatchServiceEventTargetRole"
+resource "aws_iam_role_policy_attachment" "batch-job-creation" {
+  role       = local.role_name
+  policy_arn = aws_iam_policy.batch-job-creation.arn
+}
+
+resource "aws_iam_policy" "batch-job-creation" {
+  name        = "${local.resource_name}-batch-job-creation"
+  policy      = data.aws_iam_policy_document.batch-job-creation.json
+  description = "Policy to enable the management and creation of batch jobs"
+}
+
+data "aws_iam_policy_document" "batch-job-creation" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "batch:SubmitJob",
+      "batch:DescribeJobs",
+      "batch:TerminateJob",
+      "batch:ListJobs",
+      "batch:ListJobDefinitions",
+      "batch:DescribeJobDefinitions",
+      "batch:DescribeJobQueues",
+      "batch:ListJobQueues",
+    ]
+    resources = ["*"]
+  }
 }
 
 resource "aws_iam_role_policy_attachment" "assume-scheduler" {
@@ -9,9 +32,9 @@ resource "aws_iam_role_policy_attachment" "assume-scheduler" {
 }
 
 resource "aws_iam_policy" "assume-scheduler" {
-  name        = local.resource_name
-  description = "Policy to enable the creation of schedules for batch jobs"
+  name        = "${local.resource_name}-assume-scheduler"
   policy      = data.aws_iam_policy_document.assume-scheduler.json
+  description = "Policy to allow assuming the scheduler and events roles"
 }
 
 data "aws_iam_policy_document" "assume-scheduler" {

diff --git a/eventbus.tf b/eventbus.tf
@@ -7,37 +7,4 @@ locals {
   eventbus_arn         = data.ns_connection.eventbus.outputs.eventbus_arn
   eventbus_name        = data.ns_connection.eventbus.outputs.eventbus_name
   scheduler_group_name = data.ns_connection.eventbus.outputs.scheduler_group_name
-  scheduler_role_arn   = data.ns_connection.eventbus.outputs.scheduler_role_arn
-  scheduler_role_name  = data.ns_connection.eventbus.outputs.scheduler_role_name
-}
-
-data "aws_iam_role" "scheduler_role" {
-  name = local.scheduler_role_name
-}
-
-resource "aws_iam_role_policy_attachment" "batch-job-creation" {
-  role       = data.aws_iam_role.scheduler_role.name
-  policy_arn = aws_iam_policy.batch-job-creation.arn
-}
-
-resource "aws_iam_policy" "batch-job-creation" {
-  name   = local.resource_name
-  policy = data.aws_iam_policy_document.batch-job-creation.json
-}
-
-data "aws_iam_policy_document" "batch-job-creation" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "batch:SubmitJob",
-      "batch:DescribeJobs",
-      "batch:TerminateJob",
-      "batch:ListJobs",
-      "batch:ListJobDefinitions",
-      "batch:DescribeJobDefinitions",
-      "batch:DescribeJobQueues",
-      "batch:ListJobQueues",
-    ]
-    resources = ["*"]
-  }
 }
diff --git a/variables.tf b/variables.tf
@@ -7,3 +7,7 @@ EOF
   type    = map(string)
   default = {}
 }
+
+locals {
+  role_name = var.app_metadata["role_name"]
+}