Merge pull request #29 from mackerelio-labs/inline-policy-block-is-de…

…precated [cloudwatch-logs-aggregator] replace deprecated inline_policy block of aws_iam_role resource
mackerelio-labs · Oct 7, 2024 · bfb508e · bfb508e
2 parents 4155433 + 7ef6087
commit bfb508e
Showing 1 changed file with 22 additions and 21 deletions.
diff --git a/cloudwatch-logs-aggregator/lambda/main.tf b/cloudwatch-logs-aggregator/lambda/main.tf
@@ -25,28 +25,29 @@ resource "aws_iam_role" "this" {
   })
 
   managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
+}
+
+resource "aws_iam_role_policy" "this" {
+  role   = aws_iam_role.this.id
+  name   = "cloudwatch-logs-aggregator-lambda"
+  policy = data.aws_iam_policy_document.this.json
+}
 
-  inline_policy {
-    name = "cloudwatch-logs-aggregator-lambda"
-    policy = jsonencode({
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Effect   = "Allow"
-          Action   = ["ssm:GetParameter"]
-          Resource = "*"
-        },
-        {
-          Effect = "Allow"
-          Action = [
-            "logs:StartQuery",
-            "logs:StopQuery",
-            "logs:GetQueryResults",
-          ]
-          Resource = "*"
-        },
-      ]
-    })
+data "aws_iam_policy_document" "this" {
+  version = "2012-10-17"
+  statement {
+    effect    = "Allow"
+    actions   = ["ssm:GetParameter"]
+    resources = ["*"]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:StartQuery",
+      "logs:StopQuery",
+      "logs:GetQueryResults",
+    ]
+    resources = ["*"]
   }
 }