Update lambda manager code to add permission for each log group [CDS-1136]

src/lambda-manager/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## lambda-manager
 
+## 2.0.1  / 04-2-2024
+### 💡 Enhancements 💡
+- Update lambda code so it will not require the allow all policy
+
 ## 2.0.0 🎉 / 02-20-2024
 ### 🛑 Breaking changes 🛑
 - New CloudFormation Template does not deploy firehose stream as part of the deployment.

src/lambda-manager/README.md

@@ -61,27 +61,6 @@ Trust relationships
 }
 ```
 
-### Lamba
-
-Lambda destination does not need a specific role, but please check that the execution role of the destination lambda has the following resource based policy.
-
-```
-{
-    "Sid": "lsdmvpsdf",
-    "Effect": "Allow",
-    "Principal": {
-        Service": "logs.amazonaws.com"
-    },
-    "Action": "lambda:InvokeFunction",
-    "Resource": "arn:aws:lambda:us-east-1:771039649440:function:coralogix-aws-shipper",
-    "Condition": {
-        "ArnLike": {
-        "AWS:SourceArn": "arn:aws:logs:us-east-1:771039649440:*:*:*"
-        }
-    }
-}
-```
-
 ## License
 
 This project is licensed under the Apache-2.0 License.

src/lambda-manager/lambda_function.py

@@ -14,7 +14,7 @@ def identify_arn_service(arn):
     else:
         return "Unknown AWS Service"
 
-def list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name):
+def list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name, context):
     log_groups = []
     response = {'nextToken': None}  # Initialize with a dict containing nextToken as None
     print("Scanning all log groups")
@@ -51,9 +51,19 @@ def list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filte
                         continue
                 elif destination_type == 'lambda':
                     try:
+                        lambda_client = boto3.client('lambda')
+                        region = context.invoked_function_arn.split(":")[3]
+                        account_id = context.invoked_function_arn.split(":")[4]
+                        lambda_client.add_permission(
+                          FunctionName=destination_arn,
+                          StatementId=f'allow-trigger-from-{log_group_name}',
+                          Action='lambda:InvokeFunction',
+                          Principal='logs.amazonaws.com',
+                          SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*',
+                        )
                         cloudwatch_logs.put_subscription_filter(
                             destinationArn=destination_arn,
-                            filterName= filter_name,
+                            filterName= "coralogix-aws-shipper-cloudwatch-trigger",
                             filterPattern=logs_filter,
                             logGroupName=log_group_name,
                         )
@@ -89,9 +99,19 @@ def list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filte
                         continue
                 elif destination_type == 'lambda':
                     try:
+                        lambda_client = boto3.client('lambda')
+                        region = context.invoked_function_arn.split(":")[3]
+                        account_id = context.invoked_function_arn.split(":")[4]
+                        lambda_client.add_permission(
+                          FunctionName=destination_arn,
+                          StatementId=f'allow-trigger-from-{log_group_name}',
+                          Action='lambda:InvokeFunction',
+                          Principal='logs.amazonaws.com',
+                          SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*',
+                        )
                         cloudwatch_logs.put_subscription_filter(
                             destinationArn=destination_arn,
-                            filterName= filter_name,
+                            filterName= "coralogix-aws-shipper-cloudwatch-trigger",
                             filterPattern=logs_filter,
                             logGroupName=log_group_name,
                         )
@@ -114,7 +134,7 @@ def lambda_handler(event, context):
     filter_name = 'Coralogix_Filter_' + str(uuid.uuid4())
     print(f"Scanning all log groups: {scan_all_log_groups}")
     if scan_all_log_groups == 'true':
-        list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name)
+        list_log_groups_and_subscriptions(cloudwatch_logs, regex_pattern, logs_filter, destination_arn, role_arn, filter_name, context)
         lambda_client = boto3.client('lambda')
         function_name = context.function_name
 
@@ -151,9 +171,19 @@ def lambda_handler(event, context):
                         print(f"Failed to put subscription filter for {log_group_to_subscribe}: {e}")
             elif destination_type == 'lambda':
                 try:
+                    lambda_client = boto3.client('lambda')
+                    region = context.invoked_function_arn.split(":")[3]
+                    account_id = context.invoked_function_arn.split(":")[4]
+                    lambda_client.add_permission(
+                      FunctionName=destination_arn,
+                      StatementId=f'allow-trigger-from-{log_group_to_subscribe}',
+                      Action='lambda:InvokeFunction',
+                      Principal='logs.amazonaws.com',
+                      SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group_to_subscribe}:*',
+                    )
                     cloudwatch_logs.put_subscription_filter(
                         destinationArn=destination_arn,
-                        filterName= filter_name,
+                        filterName= "coralogix-aws-shipper-cloudwatch-trigger",
                         filterPattern=logs_filter,
                         logGroupName=log_group_to_subscribe,
                     )

src/lambda-manager/template.yaml

@@ -16,7 +16,7 @@ Metadata:
       - cloudwatch
       - lambda
     HomePageUrl: https://coralogix.com
-    SemanticVersion: 2.0.0
+    SemanticVersion: 2.0.1
     SourceCodeUrl: https://github.com/coralogix/coralogix-aws-serverless
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -139,6 +139,7 @@ Resources:
               Action:
                 - lambda:UpdateFunctionConfiguration
                 - lambda:GetFunctionConfiguration
+                - lambda:AddPermission
               Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
             - Sid: CWSubscriptionPolicy
               Effect: Allow
@@ -153,7 +154,7 @@ Resources:
               Action: 
                 - iam:PassRole
               Resource: 
-                - !Sub "arn:aws:iam::${AWS::AccountId}:role/*"      
+                - !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
       EventInvokeConfig:
         DestinationConfig:
           OnFailure: