From aa4f907c076a1810df7045b51657b6a89a567250 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Fri, 19 Apr 2024 14:34:10 +0930
Subject: [PATCH] compress iam role policy under the limit of 10240 bytes
---
 packages/serverless-deploy-iam/bin/app.ts | 104 +++-------------------
 1 file changed, 14 insertions(+), 90 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 6f481f7..e126faf 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -111,22 +111,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 `:log-stream:*`,
 `${serviceName}*`,
 ],
- actions: [
- "logs:CreateLogGroup",
- "logs:DescribeLogGroups",
- "logs:DeleteLogGroup",
- "logs:CreateLogStream",
- "logs:DescribeLogStreams",
- "logs:DeleteLogStream",
- "logs:FilterLogEvents",
- "logs:TagResource",
- "logs:UntagResource",
- "logs:DescribeMetricFilters",
- "logs:PutMetricFilter",
- "logs:ListTagsForResource",
- "logs:PutDataProtectionPolicy",
- "logs:UpdateDataProtectionPolicy",
- ],
+ actions: ["logs:*"],
 },
 {
 name: "CLOUD_WATCH",
@@ -138,17 +123,11 @@ export class ServiceDeployIAM extends cdk.Stack {
 prefix: `arn:aws:cloudwatch:${region}:${accountId}:alarm:`,
 qualifiers: [`TaskTimedOutAlarm`, `${serviceName}*`],
 actions: [
- "cloudwatch:ListMetrics",
- "cloudwatch:ListMetricStreams",
- "cloudwatch:ListTagsForResource",
- "cloudwatch:ListDashboards",
+ "cloudwatch:List*",
 "cloudwatch:DescribeAlarms",
 "cloudwatch:DeleteAlarms",
 "cloudwatch:EnableAlarmActions",
- "cloudwatch:PutMetricAlarm",
- "cloudwatch:PutDashboard",
- "cloudwatch:PutMetricData",
- "cloudwatch:PutMetricStream",
+ "cloudwatch:Put*",
 "cloudwatch:SetAlarmState",
 "cloudwatch:TagResource",
 "cloudwatch:StartMetricStreams",
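Review bot: The added `actions: ["logs:*"]` hands the deploy role every current and future CloudWatch Logs action on the scoped log groups, where the removed list named the fourteen the deployment actually uses; the same whole-service widening recurs with `lambda:*` on line 2 and `cognito-idp:*` on line 3, and `cloudwatch:Put*` in the second hunk on this line likewise covers any future Put action on the alarm resources. The resource prefix and qualifiers still bound the targets, but this trades least privilege for policy size and widens what a compromised deployment credential could do. The 10240-byte limit can be met without that trade-off by splitting the statements across two or more smaller policies attached to the same role, if the statement builder can emit more than one document, or by wildcarding only read-only verb groups (`Describe*`, `List*`, `Get*`) as the cognito-sync, cognito-identity and cloudformation hunks do while keeping the mutating actions explicit. Where a whole-service wildcard has to stay, record the decision next to it, e.g. `// size-limit trade-off: "logs:*" deliberately covers all logs actions on the scoped resources`. The enclosing statement array begins and ends outside the hunk.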
@@ -159,34 +138,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 name: "LAMBDA",
 prefix: `arn:aws:lambda:${region}:${accountId}:function:`,
 qualifiers: [`${serviceName}*`],
- actions: [
- "lambda:GetFunction",
- "lambda:CreateFunction",
- "lambda:DeleteFunction",
- "lambda:UpdateFunctionConfiguration",
- "lambda:UpdateFunctionCode",
- "lambda:ListVersionsByFunction",
- "lambda:PublishVersion",
- "lambda:CreateAlias",
- "lambda:DeleteAlias",
- "lambda:UpdateAlias",
- "lambda:GetFunctionConfiguration",
- "lambda:AddPermission",
- "lambda:RemovePermission",
- "lambda:InvokeFunction",
- "lambda:ListTags",
- "lambda:TagResource",
- "lambda:UntagResource",
- "lambda:PutFunctionConcurrency",
- "lambda:DeleteEventSourceMapping",
- "lambda:UpdateEventSourceMapping",
- "lambda:CreateFunctionUrlConfig",
- "lambda:DeleteFunctionUrlConfig",
- "lambda:GetFunctionUrlConfig",
- "lambda:ListFunctionUrlConfigs",
- "lambda:UpdateFunctionUrlConfig",
- "lambda:DeleteFunctionConcurrency",
- ],
+ actions: ["lambda:*"],
 },
 {
 name: "LAMBDA",
@@ -335,15 +287,9 @@ export class ServiceDeployIAM extends cdk.Stack {
 actions: [
 "cognito-sync:BulkPublish",
 "cognito-sync:DeleteDataset",
- "cognito-sync:DescribeDataset",
- "cognito-sync:DescribeIdentityPoolUsage",
- "cognito-sync:DescribeIdentityUsage",
- "cognito-sync:GetBulkPublishDetails",
- "cognito-sync:GetCognitoEvents",
- "cognito-sync:GetIdentityPoolConfiguration",
- "cognito-sync:ListDatasets",
- "cognito-sync:ListIdentityPoolUsage",
- "cognito-sync:ListRecords",
+ "cognito-sync:Describe*",
+ "cognito-sync:Get*",
+ "cognito-sync:List*",
 "cognito-sync:QueryRecords",
 "cognito-sync:RegisterDevice",
 "cognito-sync:SetCognitoEvents",
@@ -355,17 +301,9 @@ export class ServiceDeployIAM extends cdk.Stack {
 "cognito-identity:CreateIdentityPool",
 "cognito-identity:DeleteIdentities",
 "cognito-identity:DeleteIdentityPool",
- "cognito-identity:DescribeIdentity",
- "cognito-identity:DescribeIdentityPool",
- "cognito-identity:GetCredentialsForIdentity",
- "cognito-identity:GetId",
- "cognito-identity:GetIdentityPoolRoles",
- "cognito-identity:GetOpenIdToken",
- "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
- "cognito-identity:GetPrincipalTagAttributeMap",
- "cognito-identity:ListIdentities",
- "cognito-identity:ListIdentityPools",
- "cognito-identity:ListTagsForResource",
+ "cognito-identity:Describe*",
+ "cognito-identity:Get*",
+ "cognito-identity:List*",
 "cognito-identity:LookupDeveloperIdentity",
 "cognito-identity:MergeDeveloperIdentities",
 "cognito-identity:SetIdentityPoolRoles",
@@ -381,17 +319,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 name: "COGNITO_IDP",
 prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool`,
 qualifiers: [`${serviceName}*`, `${region}_*`],
- actions: [
- "cognito-idp:Create*",
- "cognito-idp:Delete*",
- "cognito-idp:Describe*",
- "cognito-idp:Get*",
- "cognito-idp:List*",
- "cognito-idp:Set*",
- "cognito-idp:TagResource",
- "cognito-idp:UntagResource",
- "cognito-idp:Update*",
- ],
+ actions: ["cognito-idp:*"],
 },
 {
 name: "COGNITO_IDP_CREATEUSERPOOL",
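Review bot: `actions: ["cognito-idp:*"]` in the second hunk on this line is the costliest of the wildcards, because the list it replaces was already prefix-compressed (`Create*`, `Delete*`, `Describe*`, `Get*`, `List*`, `Set*`, `Update*`, `TagResource`, `UntagResource`) and left out the `Admin*` family; the full wildcard now grants user-management calls such as `cognito-idp:AdminSetUserPassword` on every matching user pool, which a deployment role has no reason to hold. That nine-entry list was only a few hundred bytes, so collapsing it buys little of the 10240-byte budget relative to what it gives up; keeping the prefix list, or at least pairing the wildcard with an explicit deny on `cognito-idp:Admin*` for this role if the builder supports deny statements, would preserve the previous boundary. The cognito-identity hunk above stays within read-only verbs (`Describe*`, `Get*`, `List*`) and raises no concern. The surrounding statement array begins and ends outside the hunk.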
@@ -509,18 +437,14 @@ export class ServiceDeployIAM extends cdk.Stack {
 qualifiers: [`${serviceName}*`],
 actions: [
 "cloudformation:CreateStack",
- "cloudformation:DescribeStacks",
+ "cloudformation:Describe*",
+ "cloudformation:List*",
+ "cloudformation:Get*",
 "cloudformation:DeleteStack",
- "cloudformation:DescribeStackEvents",
 "cloudformation:UpdateStack",
 "cloudformation:ExecuteChangeSet",
 "cloudformation:CreateChangeSet",
 "cloudformation:DeleteChangeSet",
- "cloudformation:DescribeChangeSet",
- "cloudformation:ListStackResources",
- "cloudformation:DescribeStackResource",
- "cloudformation:DescribeStackResources",
- "cloudformation:GetTemplate",
 ],
 },
 {
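Review bot: The three read-only wildcards `"cloudformation:Describe*"`, `"cloudformation:List*"`, `"cloudformation:Get*"` are inserted between `CreateStack` and `DeleteStack`, interleaving them with the mutating actions; moving them to the end of the array, after `DeleteChangeSet`, keeps the mutating set contiguous and easier to audit against least privilege. The approach itself, wildcarding only the Describe/List/Get verbs and leaving the stack-changing actions explicit, is the right one and is what the full-service wildcards on lines 1 to 3 should have followed. The enclosing statement array begins outside the hunk.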