From 9b99f7cfa5bc832636855e136b2bb2ee240eface Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Wed, 14 Dec 2022 17:22:11 +0000
Subject: [PATCH] added wildcard to arn target

---
 main.tf | 34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/main.tf b/main.tf
index 1f07a42..310c352 100644
--- a/main.tf
+++ b/main.tf
@@ -16,11 +16,11 @@ data "aws_iam_policy_document" "bucket" {
     effect = "Allow"
     principals {
-      type = "Service"
+      type = "Service"
       identifiers = ["cloudtrail.amazonaws.com"]
     }
-    actions = ["s3:GetBucketAcl"]
+    actions = ["s3:GetBucketAcl"]
     resources = ["arn:aws:s3:::${local.bucketname}"]
   }
@@ -28,17 +28,17 @@ data "aws_iam_policy_document" "bucket" {
     effect = "Allow"
     principals {
-      type = "Service"
+      type = "Service"
       identifiers = ["cloudtrail.amazonaws.com"]
     }
-    actions = ["s3:PutObject"]
+    actions = ["s3:PutObject"]
     resources = ["arn:aws:s3:::${local.bucketname}/*"]
     condition {
-      test = "StringEquals"
+      test = "StringEquals"
       variable = "s3:x-amz-acl"
-      values = ["bucket-owner-full-control"]
+      values = ["bucket-owner-full-control"]
     }
   }
 }
@@ -46,10 +46,10 @@ data "aws_iam_policy_document" "bucket" {
 data "aws_iam_policy_document" "assume_role" {
   statement {
     effect = "Allow"
-    sid = ""
+    sid = ""
     principals {
-      type = "Service"
+      type = "Service"
       identifiers = ["cloudtrail.amazonaws.com"]
     }
@@ -59,15 +59,11 @@ data "aws_iam_policy_document" "assume_role" {
 data "aws_iam_policy_document" "logs" {
   statement {
-    effect = "Allow"
-    actions = ["logs:CreateLogStream"]
-    resources = [aws_cloudwatch_log_group.cloudtrail.arn]
-  }
-  statement {
-    effect = "Allow"
-    actions = ["logs:PutLogEvents"]
-    resources = [aws_cloudwatch_log_group.cloudtrail.arn]
+    effect = "Allow"
+    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
+    resources = [
+      "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
+    ]
   }
 }
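Review bot: The new `resources` entry in the `logs` policy document builds its wildcard as `"${aws_cloudwatch_log_group.cloudtrail.arn}:*"`, which is only correct if the provider's `arn` attribute comes back without a trailing `:*`; some older AWS provider releases returned the log-group ARN with that suffix already attached, which would turn this into an invalid `...:*:*` resource, so the provider version this relies on should be pinned or noted next to the line. The wildcard itself is needed, since `logs:CreateLogStream` and `logs:PutLogEvents` act on log streams rather than the group, and the more explicit form `"${aws_cloudwatch_log_group.cloudtrail.arn}:log-stream:*"` makes that scope visible to a reader while granting nothing beyond streams under this one group. A short why-comment above the resource would save the next maintainer from "tightening" it back to the bare group ARN, e.g. `# CloudTrail writes to log streams under the group, so the stream-level wildcard is required here`.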
@@ -112,8 +108,8 @@ resource "aws_iam_role" "cloudtrail_cloudwatch_logs_role" {
 }
 resource "aws_iam_policy" "cloudtrail_cloudwatch_logs_policy" {
-  name = "${var.namespace}-cloudtrail-cloudwatch-logs"
-  path = "/"
+  name = "${var.namespace}-cloudtrail-cloudwatch-logs"
+  path = "/"
   policy = data.aws_iam_policy_document.logs.json
 }