fix: Add missing IAM permissions for new version of log forwarder (#18)

jani-flaaming-rebase · Jani Flaaming · web-flow · commit b741a4b565b8 · 2020-10-24T18:40:08.000-07:00
To fix following errors introduced in Datadog Lambda Forwarder 3.17.0:

User:
arn:aws:sts::XXX:assumed-role/datadog-integration-role/vault-app3.eu1.prod.dog-datadog-delancie-crawler
is not authorized to perform: states:ListStateMachines on resource:
arn:aws:states:XXX:XXX:stateMachine:*

User:
arn:aws:sts::XXX:assumed-role/datadog-integration-role/vault-app3.eu1.prod.dog-datadog-delancie-crawler
is not authorized to perform: elasticfilesystem:DescribeAccessPoints on
the specified resource

Co-authored-by: Jani Flaaming &lt;jani.flaaming@vaisala.com&gt;
diff --git a/main.tf b/main.tf
@@ -76,6 +76,7 @@ resource "aws_iam_policy" "datadog-core" {
         "ecs:List*",
         "elasticache:Describe*",
         "elasticache:List*",
+        "elasticfilesystem:DescribeAccessPoints",
         "elasticfilesystem:DescribeFileSystems",
         "elasticfilesystem:DescribeTags",
         "elasticloadbalancing:Describe*",
@@ -115,6 +116,7 @@ resource "aws_iam_policy" "datadog-core" {
         "sns:List*",
         "sns:Publish",
         "sqs:ListQueues",
+        "states:ListStateMachines",
         "support:*",
         "tag:GetResources",
         "tag:GetTagKeys",
