diff --git a/src/lambda-manager/CHANGELOG.md b/src/lambda-manager/CHANGELOG.md index ebd3607..ef75337 100644 --- a/src/lambda-manager/CHANGELOG.md +++ b/src/lambda-manager/CHANGELOG.md @@ -2,6 +2,10 @@ ## lambda-manager +## 2.0.1 / 04-2-2024 +### 💡 Enhancements 💡 +- Update lambda code so it will not require the allow all policy + ## 2.0.0 🎉 / 02-20-2024 ### 🛑 Breaking changes 🛑 - New CloudFormation Template does not deploy firehose stream as part of the deployment. diff --git a/src/lambda-manager/README.md b/src/lambda-manager/README.md index 521a21f..0421b2c 100644 --- a/src/lambda-manager/README.md +++ b/src/lambda-manager/README.md @@ -61,27 +61,6 @@ Trust relationships } ``` -### Lamba - -Lambda destination does not need a specific role, but please check that the execution role of the destination lambda has the following resource based policy. - -``` -{ - "Sid": "lsdmvpsdf", - "Effect": "Allow", - "Principal": { - Service": "logs.amazonaws.com" - }, - "Action": "lambda:InvokeFunction", - "Resource": "arn:aws:lambda:us-east-1:771039649440:function:coralogix-aws-shipper", - "Condition": { - "ArnLike": { - "AWS:SourceArn": "arn:aws:logs:us-east-1:771039649440:*:*:*" - } - } -} -``` - ## License This project is licensed under the Apache-2.0 License. diff --git a/src/lambda-manager/lambda_function.py b/src/lambda-manager/lambda_function.py index ff1957f..4711c48 100644 --- a/src/lambda-manager/lambda_function.py +++ b/src/lambda-manager/lambda_function.py @@ -14,7 +14,7 @@ def identify_arn_service(arn): else: return "Unknown AWS Service" -def list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name): +def list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name, context): log_groups = [] response = {'nextToken': None} # Initialize with a dict containing nextToken as None print("Scanning all log groups") 
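Review bot: The new `context` parameter on `list_log_groups_and_subscriptions` hands the whole Lambda runtime object to the scanner only so that the later hunks can split `invoked_function_arn` for a region and an account id, which couples the function to the Lambda runtime and makes it awkward to call from a unit test. Parse the ARN once in `lambda_handler` and pass plain strings instead, e.g. `region, account_id = context.invoked_function_arn.split(":")[3:5]` and then `list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name, region, account_id)`, so the signature states what the scanner actually needs. The function's body continues outside the hunk.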
@@ -51,9 +51,19 @@ def list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filte
             continue
         elif destination_type == 'lambda':
             try:
+                lambda_client = boto3.client('lambda')
+                region = context.invoked_function_arn.split(":")[3]
+                account_id = context.invoked_function_arn.split(":")[4]
+                lambda_client.add_permission(
+                    FunctionName=destination_arn,
+                    StatementId=f'allow-trigger-from-{log_group_name}',
+                    Action='lambda:InvokeFunction',
+                    Principal='logs.amazonaws.com',
+                    SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*',
+                )
                 cloudwatch_logs.put_subscription_filter(
                     destinationArn=destination_arn,
-                    filterName= filter_name,
+                    filterName= "coralogix-aws-shipper-cloudwatch-trigger",
                     filterPattern=logs_filter,
                     logGroupName=log_group_name,
                 )
@@ -89,9 +99,19 @@ def list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filte
             continue
         elif destination_type == 'lambda':
             try:
+                lambda_client = boto3.client('lambda')
+                region = context.invoked_function_arn.split(":")[3]
+                account_id = context.invoked_function_arn.split(":")[4]
+                lambda_client.add_permission(
+                    FunctionName=destination_arn,
+                    StatementId=f'allow-trigger-from-{log_group_name}',
+                    Action='lambda:InvokeFunction',
+                    Principal='logs.amazonaws.com',
+                    SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*',
+                )
                 cloudwatch_logs.put_subscription_filter(
                     destinationArn=destination_arn,
-                    filterName= filter_name,
+                    filterName= "coralogix-aws-shipper-cloudwatch-trigger",
                     filterPattern=logs_filter,
                     logGroupName=log_group_name,
                 )
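Review bot: The `StatementId` built on the new `add_permission` line will be rejected for most real log groups: Lambda statement IDs must match `[a-zA-Z0-9-_]+` and be at most 100 characters, while log group names such as `/aws/lambda/foo` contain `/` and may be up to 512 characters, so the call raises a ValidationException before `put_subscription_filter` runs and the except branch below the hunk reports it as a failed subscription. A stable id derived from a hash of the name, with `hashlib` imported at the top of the file, stays inside the constraints while still giving one statement per log group. Re-running the manager is affected too: `add_permission` raises `ResourceConflictException` when the statement already exists, which now skips the subscription filter for log groups that were already authorised on an earlier run, so that exception should be caught and execution should continue into `put_subscription_filter`. The enclosing function starts and ends outside the hunk.
```python
            try:
                # … unchanged: lambda_client / region / account_id …
                try:
                    lambda_client.add_permission(
                        FunctionName=destination_arn,
                        # Statement IDs must match [a-zA-Z0-9-_]+ and be <= 100 chars; log group
                        # names contain '/' and may be up to 512 chars, so hash them instead.
                        StatementId='allow-trigger-' + hashlib.sha256(log_group_name.encode()).hexdigest()[:32],
                        Action='lambda:InvokeFunction',
                        Principal='logs.amazonaws.com',
                        SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*',
                    )
                except lambda_client.exceptions.ResourceConflictException:
                    # Permission was granted on a previous run; still (re)apply the filter.
                    pass
                # … unchanged: put_subscription_filter call …
```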
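Review bot: The ten added lines in this hunk are a verbatim copy of the block added in the first hunk of the same function, and a third copy lands in `lambda_handler`, so any later fix to the `StatementId` format, the `SourceArn` shape or the error handling has to be made three times. Extract them into one helper such as `_grant_logs_invoke(lambda_client, destination_arn, log_group_name, region, account_id)`, and create the `boto3.client('lambda')` and parse `context.invoked_function_arn` once before the loop rather than once per log group. The literal `"coralogix-aws-shipper-cloudwatch-trigger"` now appears in every `put_subscription_filter` call; a module-level `SUBSCRIPTION_FILTER_NAME = "coralogix-aws-shipper-cloudwatch-trigger"` keeps the name in one place. The enclosing function starts and ends outside the hunk.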
@@ -114,7 +134,7 @@ def lambda_handler(event, context):
     filter_name = 'Coralogix_Filter_' + str(uuid.uuid4())
     print(f"Scanning all log groups: {scan_all_log_groups}")
     if scan_all_log_groups == 'true':
-        list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name)
+        list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name, context)
 
     lambda_client = boto3.client('lambda')
     function_name = context.function_name
@@ -151,9 +171,19 @@ def lambda_handler(event, context):
             print(f"Failed to put subscription filter for {log_group_to_subscribe}: {e}")
         elif destination_type == 'lambda':
             try:
+                lambda_client = boto3.client('lambda')
+                region = context.invoked_function_arn.split(":")[3]
+                account_id = context.invoked_function_arn.split(":")[4]
+                lambda_client.add_permission(
+                    FunctionName=destination_arn,
+                    StatementId=f'allow-trigger-from-{log_group_to_subscribe}',
+                    Action='lambda:InvokeFunction',
+                    Principal='logs.amazonaws.com',
+                    SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group_to_subscribe}:*',
+                )
                 cloudwatch_logs.put_subscription_filter(
                     destinationArn=destination_arn,
-                    filterName= filter_name,
+                    filterName= "coralogix-aws-shipper-cloudwatch-trigger",
                     filterPattern=logs_filter,
                     logGroupName=log_group_to_subscribe,
                 )
diff --git a/src/lambda-manager/template.yaml b/src/lambda-manager/template.yaml
index 41c1478..c871efa 100644
--- a/src/lambda-manager/template.yaml
+++ b/src/lambda-manager/template.yaml
@@ -16,7 +16,7 @@ Metadata:
       - cloudwatch
       - lambda
     HomePageUrl: https://coralogix.com
-    SemanticVersion: 2.0.0
+    SemanticVersion: 2.0.1
     SourceCodeUrl: https://github.com/coralogix/coralogix-aws-serverless
   AWS::CloudFormation::Interface:
     ParameterGroups:
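Review bot: `filter_name` is still generated in `lambda_handler` (`'Coralogix_Filter_' + str(uuid.uuid4())`, first hunk above) and threaded through to the scanner, but after this change no `put_subscription_filter` call in the diff uses it — each passes the literal `"coralogix-aws-shipper-cloudwatch-trigger"` — so unless a branch outside the hunk still consumes it, the variable and the parameter are dead and should be removed or replaced by the constant. The commit also deletes the README section that told operators to add the `logs.amazonaws.com` invoke permission by hand, yet the new `add_permission` call is only authorised for functions in the manager's own account and region (`function:*` under `${AWS::AccountId}` in template.yaml), so a destination Lambda in another account fails with AccessDenied on the new line and never gets its subscription filter; keep a README note for that case, or catch that error, log it and still attempt `put_subscription_filter`. Log groups subscribed by earlier versions keep their `Coralogix_Filter_<uuid>` filter, so a rerun adds a second filter under the new name — presumably intended, but worth a changelog line because CloudWatch Logs caps the number of subscription filters per log group. The enclosing `lambda_handler` body continues outside the hunk.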
@@ -139,6 +139,7 @@ Resources:
                 Action:
                   - lambda:UpdateFunctionConfiguration
                   - lambda:GetFunctionConfiguration
+                  - lambda:AddPermission
                 Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
               - Sid: CWSubscriptionPolicy
                 Effect: Allow
@@ -153,7 +154,7 @@ Resources:
                 Action:
                   - iam:PassRole
                 Resource:
-                  !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
+                  !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
       EventInvokeConfig:
         DestinationConfig:
           OnFailure:
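Review bot: `lambda:AddPermission` is granted on `arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*`, which lets the manager rewrite the resource policy of every function in the account, while `lambda_function.py` only ever calls `add_permission` on `destination_arn` with principal `logs.amazonaws.com`. If the destination ARN is a template parameter, scope the `Resource` of this grant to it; in any case restrict the grantable principal with the `lambda:Principal` condition key, which AddPermission supports. That condition key is absent on `UpdateFunctionConfiguration` / `GetFunctionConfiguration` requests and would deny them, so the new action belongs in its own statement rather than in the one this hunk extends. The enclosing policy document starts outside the hunk.
```yaml
              # … unchanged: existing statement, with lambda:AddPermission removed from its Action list …
              - Sid: LambdaAddPermissionPolicy
                Effect: Allow
                Action:
                  - lambda:AddPermission
                # Narrow to the destination function's ARN if the template exposes it as a parameter.
                Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
                # lambda:Principal is only present on AddPermission requests; a separate
                # statement keeps this condition from denying the other actions.
                Condition:
                  StringEquals:
                    lambda:Principal: logs.amazonaws.com
```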