Clean up policies

PRX · May 23, 2024 · ee5f9a1 · ee5f9a1
1 parent b903920
commit ee5f9a1
Showing 1 changed file with 41 additions and 11 deletions.
diff --git a/template.yml b/template.yml
@@ -7,6 +7,46 @@ Parameters:
   EventbriteToken: { Type: String }
 
 Resources:
+  TicketNotificationsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+        Version: "2012-10-17"
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      Policies:
+        - PolicyDocument:
+            Statement:
+              - Action: events:PutEvents
+                Effect: Allow
+                Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default
+                Sid: AllowDefaultEventBusPut
+            Version: "2012-10-17"
+          PolicyName: SlackRelaySnsPublish
+      Tags:
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:ops:environment, Value: Production }
+        - { Key: prx:dev:application, Value: Eventbrite Toolkit }
+  TicketNotificationsSelfInvokePolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Action: lambda:Invoke*
+            Effect: Allow
+            Resource: !GetAtt TicketNotificationsFunction.Arn
+            Sid: AllowSelfInvoke
+      PolicyName: !Sub ${AWS::StackName}-TicketNotificationsSelfInvokePolicy
+      Roles:
+        - !Ref TicketNotificationsRole
   TicketNotificationsFunction:
     Type: AWS::Serverless::Function
     Properties:
@@ -22,17 +62,7 @@ Resources:
         InvokeMode: BUFFERED
       Handler: index.handler
       MemorySize: 128
-      Policies:
-        - Statement:
-            - Action: events:PutEvents
-              Effect: Allow
-              Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default
-              Sid: AllowDefaultEventBusPut
-            - Action: lambda:Invoke
-              Effect: Allow
-              Resource: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eventbrite-toolkit-TicketNotificationsFunction-*
-              Sid: AllowSelfInvoke
-          Version: "2012-10-17"
+      Role: !GetAtt TicketNotificationsRole.Arn
       Runtime: nodejs20.x
       Tags:
         prx:meta:tagging-version: 2021-04-07