feat: split IAM policy into two

- Modified index.py to use list_clusters_v2() and describe_cluster_v2() - Added a new IAM policy statement for kafka:ListClustersV2 - Added a new IAM policy statement for kafka:DescribeClusterV2 with specific resource ARN
stefanfreitag · Oct 21, 2023 · 0d9c5a1 · 0d9c5a1
1 parent dc42bb0
commit 0d9c5a1
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 6 deletions.
diff --git a/examples/01_default_configuration/README.md b/examples/01_default_configuration/README.md
@@ -1,3 +1,7 @@
+## Example 01
+
+Create a MSK status monitor with only a tag attached.
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 

diff --git a/functions/check-msk-status/index.py b/functions/check-msk-status/index.py
@@ -9,7 +9,7 @@ def lambda_handler(event, context):
     # Create an MSK client
     client = boto3.client("kafka", region_name=region)
     # Retrieve a list of clusters
-    response = client.list_clusters()
+    response = client.list_clusters_v2()
     # Extract the cluster ARNs from the response
     cluster_arns = response["ClusterInfoList"]
 
@@ -22,9 +22,9 @@ def lambda_handler(event, context):
 
     for cluster in cluster_arns:
         arn = cluster["ClusterArn"]
-        response = client.describe_cluster(ClusterArn=arn)
+        response = client.describe_cluster_v2(ClusterArn=arn)
         status = response["ClusterInfo"]["State"]
-        print("The cluster is in state {}.".format(status))
+        print("The cluster {} is in state {}.".format(arn,status))
         sns_client = boto3.client("sns")
         if status not in valid_states:
             print("The MSK cluster: {} needs attention.".format(arn))

diff --git a/main.tf b/main.tf
@@ -68,13 +68,18 @@ resource "aws_iam_policy" "msk_health_lambda_role_policy" {
         },
         {
             "Action": [
-                "kafka:ListClusters",
-                "kafka:DescribeCluster",
-                "kafka:DescribeClusterV2"
+                "kafka:ListClustersV2"
             ],
             "Resource": "*",
             "Effect": "Allow"
         },
+        {
+            "Action": [
+                "kafka:DescribeClusterV2"
+            ],
+            "Resource": "arn:aws:kafka:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/*",
+            "Effect": "Allow"
+        },
         {
             "Action": [
                 "sns:Publish"