diff --git a/aws/logs_monitoring/template.yaml b/aws/logs_monitoring/template.yaml index 59316af6..34585367 100644 --- a/aws/logs_monitoring/template.yaml +++ b/aws/logs_monitoring/template.yaml @@ -433,6 +433,13 @@ Conditions: - Fn::Equals: - Ref: ReservedConcurrency - "" + SetForwarderBucket: + Fn::Or: + - Condition: CreateS3Bucket + - Fn::Not: + - Fn::Equals: + - Ref: DdForwarderExistingBucketName + - "" Rules: MustSetDdApiKey: Assertions: @@ -561,7 +568,10 @@ Resources: - Ref: DdPort - Ref: AWS::NoValue DD_STORE_FAILED_EVENTS: - Ref: DdStoreFailedEvents + Fn::If: + - SetForwarderBucket + - Ref: DdStoreFailedEvents + - Ref: AWS::NoValue REDACT_IP: Fn::If: - SetRedactIp 
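Review bot: The new `Fn::If` on `DD_STORE_FAILED_EVENTS` silently discards `DdStoreFailedEvents` when no bucket is created and `DdForwarderExistingBucketName` is empty, so a deployer who enables failed-event storage without a bucket gets no error and no stored events. The template already has a `Rules` section (`MustSetDdApiKey` is visible in the first hunk), so the mismatch could be rejected at validation time with a rule whose `RuleCondition` tests `Ref: DdStoreFailedEvents` and whose assertion requires a bucket to be configured; rules can only reference parameters, so the assertion would need the parameter behind the `CreateS3Bucket` condition, which is outside this diff. At minimum the `DdStoreFailedEvents` parameter description (also outside the diff) should state that the value is ignored unless a forwarder bucket is configured.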
@@ -702,33 +712,39 @@ Resources: Version: "2012-10-17" Statement: # Access the s3 bucket that is used by the forwarder as a datastore - - Action: - - s3:GetObject - - s3:PutObject - - s3:DeleteObject - - s3:ListBucket - Resource: - - Fn::If: - - CreateS3Bucket - - Fn::Join: - - "/" - - - Fn::GetAtt: ForwarderBucket.Arn - - "*" - - Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}/*" - Effect: Allow + - Fn::If: + - SetForwarderBucket + - Action: + - s3:GetObject + - s3:PutObject + - s3:DeleteObject + - s3:ListBucket + Resource: + - Fn::If: + - CreateS3Bucket + - Fn::Join: + - "/" + - - Fn::GetAtt: ForwarderBucket.Arn + - "*" + - Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}/*" + Effect: Allow + - Ref: AWS::NoValue # Get the actual log content from the s3 bucket based on the received s3 event. # Use PermissionsBoundaryArn to limit (allow/deny) access if needed. - - Action: - - s3:ListBucket - Resource: - - Fn::If: - - CreateS3Bucket - - Fn::GetAtt: ForwarderBucket.Arn - - Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}" - Condition: - StringLike: - s3:prefix: "retry/*" - Effect: Allow + - Fn::If: + - SetForwarderBucket + - Action: + - s3:ListBucket + Resource: + - Fn::If: + - CreateS3Bucket + - Fn::GetAtt: ForwarderBucket.Arn + - Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}" + Condition: + StringLike: + s3:prefix: "retry/*" + Effect: Allow + - Ref: AWS::NoValue - Action: - s3:GetObject Resource: "*" @@ -1074,6 +1090,7 @@ Outputs: Fn::Sub: ${AWS::StackName}-ApiKeySecretArn Condition: CreateDdApiKeySecret ForwarderBucketName: + Condition: SetForwarderBucket Description: Name of the S3 bucket used by the Forwarder Value: Fn::If:
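Review bot: In the first `Fn::If` statement, `s3:ListBucket` is granted against the object ARNs (`ForwarderBucket.Arn/*` and `${DdForwarderExistingBucketName}/*`), where it has no effect because ListBucket is evaluated against the bucket ARN; the effective, prefix-scoped ListBucket grant is the second statement, so the first should drop that action to keep the policy honest. In the same statement `s3:PutObject` and `s3:DeleteObject` cover every key in the bucket, which matters most when an operator-supplied existing bucket is named; if the forwarder only writes failed events under the `retry/` prefix that the second statement's `s3:prefix` condition suggests, the object resources could be narrowed to `- "retry/*"` and `Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}/retry/*"` — confirm the key layout before doing so. The context comment `# Get the actual log content from the s3 bucket based on the received s3 event.` now sits above the retry-prefix ListBucket statement rather than the trailing `s3:GetObject` on `Resource: "*"` it describes, and is worth moving to that statement.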