// IAM policy document built with the aws_iam_policy_document data source
// ARN assembled with string interpolation
// Standalone (managed) IAM policy attached to the IAM role
// Policy document granting write access to the log streams of a single
// log group (/dev/app/<project>). logs:CreateLogGroup is not in the list,
// so this policy does not let the role create the log group itself.
data "aws_iam_policy_document" "cloudwatch_logs_write_policy" {
  statement {
    // "Allow" is what the data source uses when effect is omitted;
    // it is written out so the intent is visible in review.
    effect = "Allow"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      // NOTE(review): confirm this action name against the CloudWatch Logs
      // entry of the Service Authorization Reference before relying on it.
      "logs:PutLogEventsBatch",
    ]

    // Region and account come from the caller's own context, so the ARN
    // cannot point at another account. The trailing ":*" extends the match
    // to whatever follows the log group name (its log streams).
    // NOTE(review): var.project is placed inside the ARN as-is; verify the
    // variable is validated so it cannot carry "*" or "?" and widen the scope.
    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/dev/app/${var.project}:*"
    ]
  }
}
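// Standalone IAM policy that carries the rendered policy document.
// The name is prefixed with var.project, matching the jsonencode variants
// in this file: IAM policy names are unique per account, so a fixed name
// would collide as soon as a second project is deployed to the same account.
// On an existing deployment a name change replaces the policy.
resource "aws_iam_policy" "cloudwatch_logs_write_policy" {
  name   = "${var.project}_cloudwatch_logs_write_policy"
  policy = data.aws_iam_policy_document.cloudwatch_logs_write_policy.json
}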
// Binds the standalone policy to aws_iam_role.vm_iam_role.
// This resource manages only this one attachment; any other policy
// attached to the role is left untouched and needs its own review.
resource "aws_iam_role_policy_attachment" "cloudwatch_logs_write_policy" {
  policy_arn = aws_iam_policy.cloudwatch_logs_write_policy.arn
  role       = aws_iam_role.vm_iam_role.name
}
// Alternative: IAM policy document written with the jsonencode function
// ARN assembled with format(), which keeps a long string literal readable
// Standalone (managed) IAM policy attached to the IAM role
// Standalone IAM policy whose document is written in place with jsonencode().
// It allows writing to the log streams of one log group (/dev/app/<project>);
// logs:CreateLogGroup is not granted by this policy.
resource "aws_iam_policy" "cloudwatch_logs_write_policy" {
  name = "${var.project}_cloudwatch_logs_write_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          // NOTE(review): confirm this action name against the CloudWatch
          // Logs entry of the Service Authorization Reference.
          "logs:PutLogEventsBatch",
        ]
        // Placeholders, in order: region, account id, project.
        // NOTE(review): var.project ends up inside the ARN unchanged; verify
        // it is validated so it cannot contain "*" or "?".
        Resource = format(
          "arn:aws:logs:%s:%s:log-group:/dev/app/%s:*",
          data.aws_region.current.name,
          data.aws_caller_identity.current.account_id,
          var.project
        )
      }
    ]
  })
}
// Attaches the jsonencode-built standalone policy to aws_iam_role.vm_iam_role.
// Only this single attachment is managed here; the role's other
// attachments are outside this resource's control.
resource "aws_iam_role_policy_attachment" "cloudwatch_logs_write_policy" {
  policy_arn = aws_iam_policy.cloudwatch_logs_write_policy.arn
  role       = aws_iam_role.vm_iam_role.name
}
// Alternative: IAM policy document written with the jsonencode function
// ARN assembled with format(), which keeps a long string literal readable
// IAM policy embedded in the IAM role (inline policy)
// Inline policy on aws_iam_role.vm_iam_role. An inline policy belongs to
// this one role: it cannot be attached to another principal and is removed
// together with the role. It allows writing to the log streams of one
// log group (/dev/app/<project>); logs:CreateLogGroup is not granted here.
resource "aws_iam_role_policy" "cloudwatch_logs_write_policy" {
  role = aws_iam_role.vm_iam_role.id
  name = "${var.project}_cloudwatch_logs_write_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          // NOTE(review): confirm this action name against the CloudWatch
          // Logs entry of the Service Authorization Reference.
          "logs:PutLogEventsBatch",
        ]
        // Placeholders, in order: region, account id, project.
        // NOTE(review): var.project ends up inside the ARN unchanged; verify
        // it is validated so it cannot contain "*" or "?".
        Resource = format(
          "arn:aws:logs:%s:%s:log-group:/dev/app/%s:*",
          data.aws_region.current.name,
          data.aws_caller_identity.current.account_id,
          var.project
        )
      }
    ]
  })
}