From f617390832d2d35674d6b757b61abdad0cdb71ac Mon Sep 17 00:00:00 2001
From: Matthew <106278637+Matthew-Grayson@users.noreply.github.com>
Date: Fri, 29 Sep 2023 11:07:36 -0500
Subject: [PATCH] Cloud watch bucket policy (#2266)

* Add policy to cloudwatch bucket.
---
 infrastructure/cloudwatch.tf | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
index 14d544fa9..1f4d16603 100644
--- a/infrastructure/cloudwatch.tf
+++ b/infrastructure/cloudwatch.tf
@@ -15,4 +15,36 @@ resource "aws_cloudwatch_log_group" "cloudwatch_bucket" {
 project = var.project
 stage = var.stage
 }
+}
+
+resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
+ bucket = aws_s3_bucket.cloudwatch_bucket.id
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Sid" : "Allow Cloudwatch to check bucket permissions",
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : "logs.amazonaws.com"
+ },
+ "Action" : "s3:GetBucketAcl",
+ "Resource" : "arn:aws:s3:::${var.cloudwatch_bucket_name}"
+ },
+ {
+ "Sid" : "Allow Cloudwatch to write to bucket",
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : "logs.amazonaws.com"
+ },
+ "Action" : "s3:PutObject",
+ "Resource" : "arn:aws:s3:::${var.cloudwatch_bucket_name}/*",
+ "Condition" : {
+ "StringEquals" : {
+ "s3:x-amz-acl" : "bucket-owner-full-control"
+ }
+ }
+ }
+ ]
+ })
 }
\ No newline at end of file
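Review bot: Both statements grant the `logs.amazonaws.com` service principal access without an `aws:SourceAccount` (or `aws:SourceArn`) condition, so a CloudWatch Logs export task started from any AWS account can satisfy the `s3:PutObject` statement and write objects into this bucket — the confused-deputy gap AWS's own guidance for this bucket policy closes with a source-account condition. The `Resource` ARNs are also built from `var.cloudwatch_bucket_name` while `bucket` uses `aws_s3_bucket.cloudwatch_bucket.id`; deriving both from `aws_s3_bucket.cloudwatch_bucket.arn` keeps them from drifting apart and drops the hard-coded `arn:aws:` partition. The rewrite below adds the source-account condition to both statements and takes the ARNs from the resource; the account id is a placeholder that must come from a declared variable or an `aws_caller_identity` data source, neither of which is visible in this patch. The hunk's first added line closes the preceding `aws_cloudwatch_log_group` resource, whose body starts outside the hunk.
```hcl
resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
  bucket = aws_s3_bucket.cloudwatch_bucket.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "Allow Cloudwatch to check bucket permissions",
        "Effect" : "Allow",
        "Principal" : { "Service" : "logs.amazonaws.com" },
        "Action" : "s3:GetBucketAcl",
        "Resource" : aws_s3_bucket.cloudwatch_bucket.arn,
        "Condition" : {
          # PLACEHOLDER: owning account id, e.g. data.aws_caller_identity.current.account_id
          "StringEquals" : { "aws:SourceAccount" : var.aws_account_id_PLACEHOLDER }
        }
      },
      {
        "Sid" : "Allow Cloudwatch to write to bucket",
        # … unchanged: Effect, Principal, Action …
        "Resource" : "${aws_s3_bucket.cloudwatch_bucket.arn}/*",
        "Condition" : {
          "StringEquals" : {
            "s3:x-amz-acl" : "bucket-owner-full-control",
            # PLACEHOLDER: same account id as above
            "aws:SourceAccount" : var.aws_account_id_PLACEHOLDER
          }
        }
      }
    ]
  })
}
```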