diff --git a/terraform/lambda.tf b/terraform/lambda.tf
index c3469eb..1611c1c 100644
--- a/terraform/lambda.tf
+++ b/terraform/lambda.tf
@@ -33,11 +33,10 @@ EOF
 
 # -----------------------------------------------------------------------------------------------------------
 # IAM Role for Log Parsing Lambda
-data "aws_iam_policy_document" "s3_bucket_readonly" {
+data "aws_iam_policy_document" "s3_bucket_access" {
 statement {
 actions = [
-"s3:Get*",
-"s3:List*",
+"s3:*",
 ]
 
 resources = [
@@ -80,6 +79,7 @@ resource "aws_iam_role_policy_attachment" "ipixel_parser" {
 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+
 resource "aws_iam_role_policy" "ipixel_parser_cloudwatch_log_group" {
 name = "cloudwatch-log-group"
 role = aws_iam_role.ipixel_parser.name
@@ -89,5 +89,5 @@ resource "aws_iam_role_policy" "ipixel_parser_cloudwatch_log_group" {
 resource "aws_iam_role_policy" "lambda_s3_bucket_readonly" {
 name = "s3-bucket-readonly"
 role = aws_iam_role.ipixel_parser.name
-policy = data.aws_iam_policy_document.s3_bucket_readonly.json
+policy = data.aws_iam_policy_document.s3_bucket_access.json
 }
diff --git a/terraform/tracking.tf b/terraform/tracking.tf
index fccbd94..154bd39 100644
--- a/terraform/tracking.tf
+++ b/terraform/tracking.tf
@@ -30,9 +30,25 @@ resource "aws_s3_bucket_object" "ipixel" {
 content_type = "image/gif"
 }
 
+data "aws_canonical_user_id" "current" {}
+
 resource "aws_s3_bucket" "ipixel_logs" {
 bucket = "${var.site}-analytics"
 
+grant {
+id = data.aws_canonical_user_id.current.id
+permissions = ["FULL_CONTROL"]
+type = "CanonicalUser"
+}
+
+grant {
+# Grant CloudFront awslogsdelivery logs access to your Amazon S3 Bucket
+# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
+id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+permissions = ["FULL_CONTROL"]
+type = "CanonicalUser"
+}
+
 lifecycle_rule {
 id = "logfiles"
 enabled = true
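Review bot: Replacing `"s3:Get*"` / `"s3:List*"` with `"s3:*"` in the `s3_bucket_access` policy document hands the log-parsing Lambda every S3 action on the listed resources, including object deletion and bucket ACL/policy changes, which is far more than a parser needs and turns a compromise of the function into write and destroy access on the bucket. The `resources` list continues outside this hunk, so I cannot confirm how wide the blast radius is, but the actions should be enumerated rather than wildcarded: `"s3:GetObject", "s3:ListBucket",` plus `"s3:PutObject"` (or `"s3:DeleteObject"`) only if the parser actually writes back, which the commit message would ideally state. A short comment above the `actions` list naming what the Lambda does with the bucket would make the intended scope reviewable next time.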
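Review bot: After this hunk the inline policy resource is still addressed as `lambda_s3_bucket_readonly` with `name = "s3-bucket-readonly"`, while the attached document `s3_bucket_access` is no longer read-only; the label now understates the privilege in the IAM console and in any audit that keys on policy names. If the broader access is intentional, rename the inline policy to match, e.g. `name = "s3-bucket-access"` (renaming the Terraform resource address too will recreate the inline policy, which is harmless here); otherwise revert the document to its read-only actions. The enclosing `aws_iam_role_policy` block starts outside the hunk.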
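Review bot: The second `grant` block hard-codes the awslogsdelivery canonical user id and gives it `FULL_CONTROL` on the bucket, which is what the linked CloudFront access-logs documentation calls for, but the id should be re-checked against that page rather than trusted from the commit, and it is worth noting in the comment that the canonical id differs for the China partition so the grant is region-specific. Because the page does not show the bucket's Object Ownership setting, I cannot tell whether ACL grants are honoured at all; if ownership is set to BucketOwnerEnforced the ACL is rejected and CloudFront log delivery fails silently, so that setting should be confirmed in the same change. Since this is a log bucket that now carries explicit ACL grants, an `aws_s3_bucket_public_access_block` for `ipixel_logs` (if not defined elsewhere) would ensure no future grant can expose the logs publicly. The `aws_s3_bucket` resource body continues past the hunk.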