fix: remove wide permission to send logs from lambdas (#159)

Author: edersonbrilhante

modules/integrations/splunk_aws_billing/README.md

@@ -33,9 +33,6 @@
 | [aws_cloudwatch_log_group.cur_per_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_group.cur_per_resource_process](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_group.cur_per_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_iam_policy.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.lambda_exec_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.attach_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_permission.cur_per_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.cur_per_resource_process](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.cur_per_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
@@ -49,9 +46,6 @@
 | [aws_s3_bucket_versioning.aws_billing_report](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.cur_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.cur_per_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.cur_per_resource_process](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.cur_per_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |

modules/integrations/splunk_aws_billing/billing_per_resource.tf

@@ -36,10 +36,9 @@ module "cur_per_resource" {
 
   attach_policy_jsons = true
   policy_jsons = [
-    data.aws_iam_policy_document.cur_per_resource.json,
     data.aws_iam_policy_document.lambda_policy_document.json,
   ]
-  number_of_policy_jsons = 2
+  number_of_policy_jsons = 1
 
   tags = local.all_security_tags
 
@@ -65,20 +64,6 @@ resource "aws_cloudwatch_log_group" "cur_per_resource" {
   tags_all          = local.all_security_tags
 }
 
-data "aws_iam_policy_document" "cur_per_resource" {
-  statement {
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    effect = "Allow"
-
-    resources = [
-      "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.cur_per_resource.name}*:*"
-    ]
-  }
-}
-
 resource "aws_bcmdataexports_export" "cur_per_resource" {
   export {
     name = "aws-billing-report-per-resource"

modules/integrations/splunk_aws_billing/billing_per_resource_process.tf

@@ -36,10 +36,9 @@ module "cur_per_resource_process" {
 
   attach_policy_jsons = true
   policy_jsons = [
-    data.aws_iam_policy_document.cur_per_resource_process.json,
     data.aws_iam_policy_document.lambda_policy_document.json,
   ]
-  number_of_policy_jsons = 2
+  number_of_policy_jsons = 1
 
   tags = local.all_security_tags
 
@@ -64,17 +63,3 @@ resource "aws_cloudwatch_log_group" "cur_per_resource_process" {
   tags              = local.all_security_tags
   tags_all          = local.all_security_tags
 }
-
-data "aws_iam_policy_document" "cur_per_resource_process" {
-  statement {
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    effect = "Allow"
-
-    resources = [
-      "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.cur_per_resource_process.name}*:*"
-    ]
-  }
-}

modules/integrations/splunk_aws_billing/billing_per_service.tf

@@ -36,10 +36,9 @@ module "cur_per_service" {
 
   attach_policy_jsons = true
   policy_jsons = [
-    data.aws_iam_policy_document.cur_per_service.json,
     data.aws_iam_policy_document.lambda_policy_document.json,
   ]
-  number_of_policy_jsons = 2
+  number_of_policy_jsons = 1
 
   tags = local.all_security_tags
 
@@ -65,20 +64,6 @@ resource "aws_cloudwatch_log_group" "cur_per_service" {
   tags_all          = local.all_security_tags
 }
 
-data "aws_iam_policy_document" "cur_per_service" {
-  statement {
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    effect = "Allow"
-
-    resources = [
-      "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.cur_per_service.name}*:*"
-    ]
-  }
-}
-
 resource "aws_bcmdataexports_export" "cur_per_service" {
   export {
     name = "aws-billing-report-per-service"

modules/integrations/splunk_aws_billing/role.tf

@@ -1,12 +1,4 @@
 data "aws_iam_policy_document" "lambda_policy_document" {
-  statement {
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    effect    = "Allow"
-    resources = ["arn:aws:logs:*:*:*"]
-  }
 
   statement {
     actions = [
@@ -50,29 +42,3 @@ data "aws_iam_policy_document" "lambda_policy_document" {
     ]
   }
 }
-
-resource "aws_iam_policy" "lambda_policy" {
-  name        = "cur-to-splunk-lambda-policy"
-  description = "Policy for Lambda to access S3 and CloudWatch logs"
-  policy      = data.aws_iam_policy_document.lambda_policy_document.json
-}
-
-resource "aws_iam_role_policy_attachment" "attach_policy" {
-  role       = aws_iam_role.lambda_exec_role.name
-  policy_arn = aws_iam_policy.lambda_policy.arn
-}
-
-resource "aws_iam_role" "lambda_exec_role" {
-  name = "cur-to-splunk-lambda-role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [{
-      Action = "sts:AssumeRole"
-      Effect = "Allow"
-      Principal = {
-        Service = "lambda.amazonaws.com"
-      }
-    }]
-  })
-}

modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/data.tf

@@ -33,17 +33,6 @@ module "splunk_dm_metadata_ec2inst_pattern_tags_lambda" {
 }
 
 data "aws_iam_policy_document" "splunk_dm_metadata_ec2inst_pattern_tags_lambda" {
-  statement {
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    effect = "Allow"
-
-    resources = [
-      "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.splunk_dm_metadata_ec2inst_pattern_tags_lambda.name}*:*"
-    ]
-  }
 
   statement {
     actions = [

modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf

@@ -46,7 +46,6 @@ module "update_runner_ami_lambda" {
 }
 
 data "aws_iam_policy_document" "update_runner_ami_lambda" {
-
   statement {
     effect = "Allow"
     actions = [

modules/platform/ec2_deployment/update_ssm_ami_id.tf

@@ -111,14 +111,6 @@ module "clean_global_lock_lambda" {
 }
 
 data "aws_iam_policy_document" "clean_global_lock_lambda" {
-  statement {
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    effect    = "Allow"
-    resources = ["*"]
-  }
   statement {
     actions = [
       "secretsmanager:GetSecretValue",

modules/platform/forge_runners/global_lock.tf

@@ -44,14 +44,6 @@ module "register_github_app_runner_group_lambda" {
 }
 
 data "aws_iam_policy_document" "register_github_app_runner_group_lambda" {
-  statement {
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    effect    = "Allow"
-    resources = ["*"]
-  }
   statement {
     actions = [
       "secretsmanager:GetSecretValue",