diff --git a/serverless-config.yml b/serverless-config.yml
index 9d81c1b..a1c8c12 100644
--- a/serverless-config.yml
+++ b/serverless-config.yml
@@ -1,4 +1,7 @@
 lambda:
+ install:
+ roleName: calendar2slack-prod-us-east-1-lambdaRole
+ policyName: calendar2slack-prod-us-east-1-lambdaRole-policy
 update:
 roleName: hudl-cal2slack-lambda-update
 policyName: hudl-cal2slack-lambda-update-policy
diff --git a/serverless.yml b/serverless.yml
index b6a1de8..90c0df0 100644
--- a/serverless.yml
+++ b/serverless.yml
@@ -30,7 +30,7 @@ functions:
 - http:
 path: 'slack/install'
 method: get
- role: slackbotRole
+ role: slackInstallRole
 create-user:
 handler: src/index.createUser
 events:
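Review bot: The new `install` role name is pinned to one stage and one region (`calendar2slack-prod-us-east-1-lambdaRole`) while the sibling `update` entry right below it follows a different scheme (`hudl-cal2slack-lambda-update`), and because IAM role names are account-global, deploying a second stage into the same account with this config would fail on the `RoleName` collision. If this file is resolved through the framework's variable system (it is referenced as `${self:custom.lambda.install.roleName}` in serverless.yml), consider deriving the name instead, e.g. `roleName: ${self:service}-${opt:stage, 'dev'}-${self:provider.region}-installRole`, and bringing both entries onto one convention. Whether this config is only ever used for prod in us-east-1 is not visible here, so treat this as a question for the author rather than a confirmed defect.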
@@ -201,6 +201,61 @@ resources:
 - Ref: 'AWS::Region'
 - Ref: 'AWS::AccountId'
 - 'table/cal2slack-usersettings'
+ slackInstallRole:
+ Type: AWS::IAM::Role
+ Properties:
+ Path: /
+ RoleName: ${self:custom.lambda.install.roleName}
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: ${self:custom.lambda.install.policyName}
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - logs:CreateLogGroup
+ - logs:CreateLogStream
+ - logs:PutLogEvents
+ Resource:
+ - 'Fn::Join':
+ - ':'
+ - - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'log-group:/aws/lambda/*:*:*'
+ - Effect: Allow
+ Action:
+ - secretsmanager:GetSecretValue
+ Resource:
+ - 'Fn::Join':
+ - ':'
+ - - 'arn:aws:secretsmanager'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'secret:${self:custom.lambda.slackbot.secretsPrefix}/*'
+ - Effect: Allow
+ Action:
+ - dynamodb:Scan
+ - dynamodb:Query
+ - dynamodb:GetItem
+ - dynamodb:BatchGetItem
+ - dynamodb:PutItem
+ - dynamodb:UpdateItem
+ Resource:
+ - 'Fn::Join':
+ - ':'
+ - - 'arn:aws:dynamodb'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'table/cal2slack-usersettings'
 Outputs:
 UserSettingsTableArn:
 Description: 'The ARN for the cal2slack-usersettings table'
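Review bot: The new `slackInstallRole` policy grants the `slack/install` handler `dynamodb:Scan`, `Query`, `GetItem`, `BatchGetItem`, `PutItem` and `UpdateItem` on the entire usersettings table, and the context lines just above the insertion show the role it was split from ending on the same table resource, so the split does not visibly narrow what the install path can do. If the install handler in `src/index` only reads and writes one user's settings row by key (not visible in this hunk), drop `- dynamodb:Scan`, `- dynamodb:Query` and `- dynamodb:BatchGetItem` from this role so a compromised install endpoint cannot enumerate every user's record. The logs statement is likewise scoped to `'log-group:/aws/lambda/*:*:*'`, i.e. every Lambda log group in the account, where `'log-group:/aws/lambda/<this-function-name>:*'` would match the least-privilege intent of a dedicated role. A one-line comment above `slackInstallRole:` such as `# Dedicated least-privilege role for the slack/install handler: Slack secrets under the slackbot prefix plus per-user settings rows only` would let future reviewers judge the grants against the stated intent.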