remove depricated inline policy; use new resource instead

Sanja Kosier · Sanja Kosier · commit 8e40ce72e1f6 · 2024-10-07T12:15:18.000+02:00
diff --git a/modules/integrations/cloud-logs/README.md b/modules/integrations/cloud-logs/README.md
@@ -31,6 +31,7 @@ No modules.
 |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)                                                         | resource |
+| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy)                                                         | resource |
 | [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                    | data source |
 | [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                                | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
@@ -27,7 +27,6 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
 locals {
   account_id_hash  = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
   role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
-
   bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
 }
 
@@ -43,12 +42,14 @@ resource "random_id" "suffix" {
 resource "aws_iam_role" "cloudlogs_s3_access" {
   name = local.role_name
   tags = var.tags
-
   assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
-  inline_policy {
-    name   = "cloudlogs_s3_access_policy"
-    policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
-  }
+}
+
+// AWS IAM Role Policy that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket
+resource "aws_iam_role_policy" "cloudlogs_s3_access_policy" {
+  name   = "cloudlogs_s3_access_policy"
+  role   = aws_iam_role.cloudlogs_s3_access.name
+  policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
 }
 
 # IAM Policy Document used for the assume role policy
