IAM conditioning

coralogix · Oct 9, 2024 · 7ba5738 · 7ba5738
1 parent c61fa59
commit 7ba5738
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 20 deletions.
diff --git a/src/resource-metadata/package.json b/src/resource-metadata/package.json
@@ -1,7 +1,7 @@
 {
   "name": "coralogix-resource-tags",
   "title": "AWS Resource Tags Lambda function for Coralogix",
-  "version": "1.2.8",
+  "version": "1.2.10",
   "description": "AWS Lambda function to send AWS resource tags to Coralogix",
   "homepage": "https://coralogix.com",
   "license": "Apache-2.0",

diff --git a/src/resource-metadata/template.yaml b/src/resource-metadata/template.yaml
@@ -211,6 +211,14 @@ Conditions:
       - Fn::Equals:
           - Ref: CreateSecret
           - 'True'
+  IsEC2ResourceTypeFilter:
+    Fn::Equals:
+      - Ref: ResourceTypeFilter
+      - ec2
+  IsLambdaResourceTypeFilter:
+    Fn::Equals:
+      - Ref: ResourceTypeFilter
+      - lambda
 Resources:
   LambdaFunction:
     Condition: IsNotSMEnabled
@@ -264,6 +272,7 @@ Resources:
           OnFailure:
             Type: SNS
       Policies:
+        - !If 
         - Version: "2012-10-17"
           Statement:
             - Sid: GetEc2Metadata
@@ -349,25 +358,31 @@ Resources:
           OnFailure:
             Type: SNS
       Policies:
-        - Version: "2012-10-17"
-          Statement:
-            - Sid: GetEc2Metadata
-              Effect: Allow
-              Action:
-                - ec2:DescribeInstances
-              Resource: "*"
-        - Version: "2012-10-17"
-          Statement:
-            - Sid: GetLambdaMetadata
-              Effect: Allow
-              Action:
-                - lambda:ListFunctions
-                - lambda:ListVersionsByFunction
-                - lambda:GetFunction
-                - lambda:ListAliases
-                - lambda:ListEventSourceMappings
-                - lambda:GetPolicy
-              Resource: "*"
+        - !If 
+          - IsEC2ResourceTypeFilter
+          - Version: "2012-10-17"
+            Statement:
+              - Sid: GetEc2Metadata
+                Effect: Allow
+                Action:
+                  - ec2:DescribeInstances
+                Resource: "*"
+          - !Ref 'AWS::NoValue'
+        - If:
+          - IsLambdaResourceTypeFilter
+          - Version: "2012-10-17"
+            Statement:
+              - Sid: GetLambdaMetadata
+                Effect: Allow
+                Action:
+                  - lambda:ListFunctions
+                  - lambda:ListVersionsByFunction
+                  - lambda:GetFunction
+                  - lambda:ListAliases
+                  - lambda:ListEventSourceMappings
+                  - lambda:GetPolicy
+                Resource: "*"
+          - !Ref 'AWS::NoValue' 
         - Version: "2012-10-17"
           Statement:
             - Sid: GetResourcesByTags