Add tag based authorization for CW Logs

[kalleeh]

Right now CloudWatch Log Groups doesn't get tags inherited from their CloudFormation stags.
CW Logs doesn't support tag based authorization either.

Currently the Cognito IAM Roles inherited by users through Cognito Groups can read from any log group but when this is added we could easily tag the log groups and then modify the IAM Role that cognito users assume to add tag based authorization to their respective log group similar to CFN templates etc.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html

{
    "Effect": "Allow",
    "Action": [
        "logs:FilterLogEvents"
    ],
    "Resource": "arn:aws:logs:[region]:[account-id]:log-group:*",
    "Condition": {
        "StringEquals": {"ec2:ResourceTag/gureume-groups": "team1"}
    }
}

[kalleeh]

*** this is not supported by AWS as of today ***

[kalleeh]

This can be implemented using tagging on Log Groups now, however it isn't supported by CloudFormation. Would need to implement tag-management after stack creation or update.

Policy to support tag based authorization for the IAM roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:FilterLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:eu-west-1:[AWS-ACCOUNT-ID]:log-group:*",
            "Condition": {
                "StringLike": {
                    "logs:ResourceTag/gureume-groups": "${aws:PrincipalTag/gureume-groups}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "codecommit:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/gureume-groups": "${aws:PrincipalTag/gureume-groups}"
                }
            }
        }
    ]
}```

[kalleeh]

Optimized policy that only requires one statement and can then include multiple actions.
CloudWatch Log Groups cannot be tagged through CloudFormation so this needs to be done through the API.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:*",
                "logs:FilterLogEvents"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/gurum-groups": "${aws:PrincipalTag/gurum-groups}"
                }
            }
        }
    ]
}

[kalleeh]

Task that needs to be done is to automatically tag the log group with the right group tag since CloudFormation doesn't support this yet.
Authorization is tested and works if using the CLI/API to set the tags on the LogGroup post creation.
aws logs tag-log-group

[kalleeh]

Postponing until CloudFormation adds tag support for CloudWatch Log Groups.

[kalleeh]

For now could add something like this to propagate tags from the CFN stack automatically.
https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:374852340823:applications~propagate-cfn-tags

[kalleeh]

Add documentation for current process using CFN tag propagation

[kalleeh]

Closing this since it's "solved" by using a helper tagging function.
Tracked in kalleeh/gurum-products#12 to change to native CloudFormation tagging when supported.