From 9ce14de408883bec98ab29aadf49e633104d5eef Mon Sep 17 00:00:00 2001
From: Michael Harrison
Date: Tue, 16 Sep 2025 15:46:56 +0100
Subject: [PATCH] CCM-11163: inline standard lambda policies to reduce policy resource usage

---
 infrastructure/modules/lambda/iam_policy_publish.tf | 7 -------
 infrastructure/modules/lambda/iam_policy_put_logs.tf | 5 -----
 infrastructure/modules/lambda/iam_policy_send_message.tf | 7 -------
 .../modules/lambda/iam_role_policy_attachment_publish.tf | 6 ------
 .../modules/lambda/iam_role_policy_attachment_put_logs.tf | 4 ----
 .../lambda/iam_role_policy_attachment_send_message.tf | 6 ------
 infrastructure/modules/lambda/iam_role_policy_publish.tf | 7 +++++++
 infrastructure/modules/lambda/iam_role_policy_put_logs.tf | 5 +++++
 .../modules/lambda/iam_role_policy_send_message.tf | 7 +++++++
 9 files changed, 19 insertions(+), 35 deletions(-)
 delete mode 100644 infrastructure/modules/lambda/iam_policy_publish.tf
 delete mode 100644 infrastructure/modules/lambda/iam_policy_put_logs.tf
 delete mode 100644 infrastructure/modules/lambda/iam_policy_send_message.tf
 delete mode 100644 infrastructure/modules/lambda/iam_role_policy_attachment_publish.tf
 delete mode 100644 infrastructure/modules/lambda/iam_role_policy_attachment_put_logs.tf
 delete mode 100644 infrastructure/modules/lambda/iam_role_policy_attachment_send_message.tf
 create mode 100644 infrastructure/modules/lambda/iam_role_policy_publish.tf
 create mode 100644 infrastructure/modules/lambda/iam_role_policy_put_logs.tf
 create mode 100644 infrastructure/modules/lambda/iam_role_policy_send_message.tf

diff --git a/infrastructure/modules/lambda/iam_policy_publish.tf b/infrastructure/modules/lambda/iam_policy_publish.tf
deleted file mode 100644
index 7bd2a14..0000000
--- a/infrastructure/modules/lambda/iam_policy_publish.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-resource "aws_iam_policy" "publish" {
- count = var.enable_dlq_and_notifications ? 1 : 0
-
- name = "${local.csi}-publish"
- description = "SNS Publish policy for ${var.function_name} Lambda"
- policy = data.aws_iam_policy_document.publish[0].json
-}
diff --git a/infrastructure/modules/lambda/iam_policy_put_logs.tf b/infrastructure/modules/lambda/iam_policy_put_logs.tf
deleted file mode 100644
index 29e9c50..0000000
--- a/infrastructure/modules/lambda/iam_policy_put_logs.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "aws_iam_policy" "put_logs" {
- name = "${local.csi}-put-logs"
- description = "Logging policy for ${var.function_name} Lambda"
- policy = data.aws_iam_policy_document.put_logs.json
-}
diff --git a/infrastructure/modules/lambda/iam_policy_send_message.tf b/infrastructure/modules/lambda/iam_policy_send_message.tf
deleted file mode 100644
index 5a52f52..0000000
--- a/infrastructure/modules/lambda/iam_policy_send_message.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-resource "aws_iam_policy" "send_message" {
- count = var.enable_dlq_and_notifications ? 1 : 0
-
- name = "${local.csi}-send-message"
- description = "SQS DLQ SendMessage policy for ${var.function_name} Lambda"
- policy = data.aws_iam_policy_document.send_message[0].json
-}
diff --git a/infrastructure/modules/lambda/iam_role_policy_attachment_publish.tf b/infrastructure/modules/lambda/iam_role_policy_attachment_publish.tf
deleted file mode 100644
index 71fbf61..0000000
--- a/infrastructure/modules/lambda/iam_role_policy_attachment_publish.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-resource "aws_iam_role_policy_attachment" "publish" {
- count = var.enable_dlq_and_notifications ? 1 : 0
-
- role = aws_iam_role.main.name
- policy_arn = aws_iam_policy.publish[0].arn
-}
diff --git a/infrastructure/modules/lambda/iam_role_policy_attachment_put_logs.tf b/infrastructure/modules/lambda/iam_role_policy_attachment_put_logs.tf
deleted file mode 100644
index e994a2b..0000000
--- a/infrastructure/modules/lambda/iam_role_policy_attachment_put_logs.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-resource "aws_iam_role_policy_attachment" "put_logs" {
- role = aws_iam_role.main.name
- policy_arn = aws_iam_policy.put_logs.arn
-}
diff --git a/infrastructure/modules/lambda/iam_role_policy_attachment_send_message.tf b/infrastructure/modules/lambda/iam_role_policy_attachment_send_message.tf
deleted file mode 100644
index ea666ca..0000000
--- a/infrastructure/modules/lambda/iam_role_policy_attachment_send_message.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-resource "aws_iam_role_policy_attachment" "send_message" {
- count = var.enable_dlq_and_notifications ? 1 : 0
-
- role = aws_iam_role.main.name
- policy_arn = aws_iam_policy.send_message[0].arn
-}
diff --git a/infrastructure/modules/lambda/iam_role_policy_publish.tf b/infrastructure/modules/lambda/iam_role_policy_publish.tf
new file mode 100644
index 0000000..8ae6e36
--- /dev/null
+++ b/infrastructure/modules/lambda/iam_role_policy_publish.tf
@@ -0,0 +1,7 @@
+resource "aws_iam_role_policy" "publish" {
+ count = var.enable_dlq_and_notifications ? 1 : 0
+
+ name = "${local.csi}-publish"
+ role = aws_iam_role.main.id
+ policy = data.aws_iam_policy_document.publish[0].json
+}
diff --git a/infrastructure/modules/lambda/iam_role_policy_put_logs.tf b/infrastructure/modules/lambda/iam_role_policy_put_logs.tf
new file mode 100644
index 0000000..c0645bd
--- /dev/null
+++ b/infrastructure/modules/lambda/iam_role_policy_put_logs.tf
@@ -0,0 +1,5 @@
+resource "aws_iam_role_policy" "put_logs" {
+ name = "${local.csi}-put-logs"
+ role = aws_iam_role.main.id
+ policy = data.aws_iam_policy_document.put_logs.json
+}
diff --git a/infrastructure/modules/lambda/iam_role_policy_send_message.tf b/infrastructure/modules/lambda/iam_role_policy_send_message.tf
new file mode 100644
index 0000000..771b1fe
--- /dev/null
+++ b/infrastructure/modules/lambda/iam_role_policy_send_message.tf
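Review bot: The new `aws_iam_role_policy` "publish" resource drops the `description` the deleted `aws_iam_policy` carried ("SNS Publish policy for ${var.function_name} Lambda"), and since `aws_iam_role_policy` has no description argument the purpose of the grant is now recorded nowhere in the module; the put_logs and send_message hunks lose their descriptions the same way. A one-line comment above each resource would keep that context, e.g. `# Inline SNS publish grant for the Lambda's DLQ notifications; inline rather than managed to reduce managed-policy usage (CCM-11163)`, with the matching logging and SQS SendMessage wording on the other two. The managed policy, its attachment and the new inline policy are unrelated resource addresses, so a single apply presumably destroys the old grant and creates the new one in no guaranteed order, leaving the role briefly without these permissions; that is likely harmless for the conditional DLQ grants but worth confirming for put_logs, where an invocation in that window could fail to write logs. Inline policies are also reported differently from managed policies by account-wide IAM review tooling, so it is worth checking that whatever audits this module's grants still sees them after the move.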
@@ -0,0 +1,7 @@
+resource "aws_iam_role_policy" "send_message" {
+ count = var.enable_dlq_and_notifications ? 1 : 0
+
+ name = "${local.csi}-send-message"
+ role = aws_iam_role.main.id
+ policy = data.aws_iam_policy_document.send_message[0].json
+}