Pass in ddb role to assume, also set sts and ddb policies

spire/templates/apps-300A.yml

@@ -198,6 +198,8 @@ Resources:
         DovetailCdnHostname: !Ref DovetailCdnHostname
         DovetailRouterHostname: !Ref DovetailRouterHostname
         DovetailCdnRedirectPrefix: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-Router/${AWS::Region}/redirect-prefix
+        FrequencyDynamodbTableName: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-analytics/FREQUENCY_DDB_TABLE
+        FrequencyDynamodbAccessRoleArn: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-analytics/FREQUENCY_DDB_ACCESS_ROLE
       Tags:
         - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
         - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }

spire/templates/apps/dovetail-analytics.yml

@@ -739,7 +739,7 @@ Resources:
           AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"
           FREQUENCY: "true" # set function mode = frequency
           DDB_FREQUENCY_TABLE: !Ref FrequencyDynamodbTableName
-          DDB_TTL: !Ref kDynamoDbTtl
+          DDB_ROLE: !Ref FrequencyDynamodbAccessRoleArn
       Events:
         FrequencyKinesisTrigger:
           Properties:
@@ -757,9 +757,16 @@ Resources:
         - arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole
         - Statement:
             - Action:
+                - dynamodb:BatchGetItem
+                - dynamodb:BatchWriteItem
+                - dynamodb:ConditionCheck
+                - dynamodb:DeleteItem
                 - dynamodb:DescribeTable
+                - dynamodb:DescribeTimeToLive
                 - dynamodb:GetItem
                 - dynamodb:PutItem
+                - dynamodb:Query
+                - dynamodb:UpdateItem
               Effect: Allow
               # TODO: can this be done with an AWS::Partition Sub?
               Resource: !Split

spire/templates/apps/dovetail-router.yml

@@ -94,6 +94,8 @@ Parameters:
   DovetailCdnHostname: { Type: String }
   DovetailRouterHostname: { Type: String }
   DovetailCdnRedirectPrefix: { Type: AWS::SSM::Parameter::Value<String> }
+  FrequencyDynamodbTableName: { Type: AWS::SSM::Parameter::Value<String> }
+  FrequencyDynamodbAccessRoleArn: { Type: AWS::SSM::Parameter::Value<String> }
 
 Conditions:
   IsProduction: !Equals [!Ref EnvironmentType, Production]
@@ -739,6 +741,25 @@ Resources:
             Effect: Allow
             Principal:
               Service: ecs-tasks.amazonaws.com
+          - Action:
+              - dynamodb:BatchGetItem
+              - dynamodb:ConditionCheck
+              - dynamodb:DescribeTable
+              - dynamodb:DescribeTimeToLive
+              - dynamodb:GetItem
+              - dynamodb:Query
+            Effect: Allow
+            Resource: !Split
+              - ","
+              - Fn::Sub:
+                  - arn:aws:dynamodb:*:*:table/${inner}
+                  - inner:
+                      Fn::Join:
+                        - ",arn:aws:dynamodb:*:*:table/"
+                        - !Split [",", !Ref FrequencyDynamodbTableName]
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Resource: !Split [",", !Ref FrequencyDynamodbAccessRoleArn]
         Version: "2012-10-17"
       Tags:
         - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
@@ -801,6 +822,10 @@ Resources:
               Value: !Ref NewRelicApiKeyPrxLite
             - Name: AGENTS_URL
               Value: https://raw.githubusercontent.com/PRX/prx-podagent/main/db/agents.lock.json
+            - Name: DDB_FREQUENCY_TABLE
+              Value: !Ref FrequencyDynamodbTableName
+            - Name: DDB_ROLE
+              Value: !Ref FrequencyDynamodbAccessRoleArn
           Essential: true
           Image: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrImageTag}
           LogConfiguration: