Change policy

justsmth · Jan 23, 2024 · e63b933 · e63b933
1 parent 72037f0
commit e63b933
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 3 deletions.
diff --git a/tests/ci/cdk/cdk/aws_lc_github_ci_stack.py b/tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
@@ -5,7 +5,7 @@
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
-from util.iam_policies import code_build_batch_policy_in_json, code_build_publish_metrics_in_json
+from util.iam_policies import code_build_batch_policy_in_json, code_build_publish_metrics_in_json, code_build_cloudwatch_logs_policy_in_json
 from util.metadata import CAN_AUTOLOAD, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
@@ -39,17 +39,27 @@ def __init__(self,
         code_build_batch_policy = iam.PolicyDocument.from_json(
             code_build_batch_policy_in_json([id])
         )
+
+
+        log_group = logs.LogGroup(self, id="{}-public-logs".format(id))
+
+        code_build_cloudwatch_logs_policy = iam.PolicyDocument.from_json(
+            code_build_cloudwatch_logs_policy_in_json([log_group.log_group_name])
+        )
         metrics_policy = iam.PolicyDocument.from_json(code_build_publish_metrics_in_json())
         inline_policies = {"code_build_batch_policy": code_build_batch_policy,
-                           "metrics_policy": metrics_policy}
+                           "metrics_policy": metrics_policy,
+                           "code_build_cloudwatch_logs_policy": code_build_cloudwatch_logs_policy
+                           }
         role = iam.Role(scope=self,
                         id="{}-role".format(id),
                         assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
                         inline_policies=inline_policies)
 
+
         logging_options = codebuild.LoggingOptions(
             cloud_watch=codebuild.CloudWatchLoggingOptions(
-                log_group=logs.LogGroup(self, id="{}-public-logs".format(id))
+                log_group=log_group
             )
         )
 

diff --git a/tests/ci/cdk/util/iam_policies.py b/tests/ci/cdk/util/iam_policies.py
@@ -99,6 +99,37 @@ def code_build_batch_policy_in_json(project_ids):
         ]
     }
 
+def code_build_cloudwatch_logs_policy_in_json(log_groups):
+    """
+    Define an IAM policy statement for CloudWatch logs associated with CodeBuild projects.
+    :param project_ids: a list of CodeBuild project id.
+    :return: an IAM policy statement in json.
+    """
+    resources = []
+    for log_group in log_groups:
+        resources.append("arn:aws:logs:{}:{}:log-group:{}".format(AWS_REGION, AWS_ACCOUNT, log_group))
+        resources.append("arn:aws:logs:{}:{}:log-group:{}:*".format(AWS_REGION, AWS_ACCOUNT, log_group))
+    return {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "logs:Get*",
+                    "logs:List*",
+                    "logs:StartQuery",
+                    "logs:StopQuery",
+                    "logs:TestMetricFilter",
+                    "logs:FilterLogEvents",
+                    "logs:StartLiveTail",
+                    "logs:StopLiveTail",
+                    "cloudwatch:GenerateQuery"
+                ],
+                "Resource": resources
+            }
+        ]
+    }
+
 def code_build_publish_metrics_in_json():
     """
     Define an IAM policy that only grants access to publish CloudWatch metrics to the current region in the same