From 0d9c5a154a91742f1d589f23bd6ac74845f60a85 Mon Sep 17 00:00:00 2001
From: Stefan Freitag
Date: Sat, 21 Oct 2023 09:33:04 +0200
Subject: [PATCH] feat: split IAM policy into two
- Modified index.py to use list_clusters_v2() and describe_cluster_v2()
- Added a new IAM policy statement for kafka:ListClustersV2
- Added a new IAM policy statement for kafka:DescribeClusterV2 with specific resource ARN
---
 examples/01_default_configuration/README.md | 4 ++++
 functions/check-msk-status/index.py | 6 +++---
 main.tf | 11 ++++++++---
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/examples/01_default_configuration/README.md b/examples/01_default_configuration/README.md
index 315973f..8a979a0 100644
--- a/examples/01_default_configuration/README.md
+++ b/examples/01_default_configuration/README.md
@@ -1,3 +1,7 @@
+## Example 01
+
+Create a MSK status monitor with only a tag attached.
+
 ## Requirements
diff --git a/functions/check-msk-status/index.py b/functions/check-msk-status/index.py
index 3bb6404..cf8eb20 100644
--- a/functions/check-msk-status/index.py
+++ b/functions/check-msk-status/index.py
@@ -9,7 +9,7 @@ def lambda_handler(event, context):
 # Create an MSK client
 client = boto3.client("kafka", region_name=region)
 # Retrieve a list of clusters
- response = client.list_clusters()
+ response = client.list_clusters_v2()
 # Extract the cluster ARNs from the response
 cluster_arns = response["ClusterInfoList"]
@@ -22,9 +22,9 @@ def lambda_handler(event, context):
 for cluster in cluster_arns:
 arn = cluster["ClusterArn"]
- response = client.describe_cluster(ClusterArn=arn)
+ response = client.describe_cluster_v2(ClusterArn=arn)
 status = response["ClusterInfo"]["State"]
- print("The cluster is in state {}.".format(status))
+ print("The cluster {} is in state {}.".format(arn,status))
 sns_client = boto3.client("sns")
 if status not in valid_states:
 print("The MSK cluster: {} needs attention.".format(arn))
diff --git a/main.tf b/main.tf
index 98ab7b7..243eb24 100644
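Review bot: `response = client.list_clusters_v2()` reads only the first page of results, so `cluster_arns = response["ClusterInfoList"]` holds at most one page and any cluster returned under a `NextToken` is never checked — for a status monitor that is a silent blind spot rather than an error. Page through the result with the boto3 paginator and accumulate the clusters before the loop that consumes them. The `ClusterInfoList` entries are full cluster records rather than bare ARNs, so a name such as `clusters` would also read more honestly. lambda_handler starts before this hunk and continues after it.
```python
    # Retrieve a list of clusters, following every NextToken so that
    # clusters beyond the first page are not silently skipped
    cluster_arns = []
    for page in client.get_paginator("list_clusters_v2").paginate():
        cluster_arns.extend(page["ClusterInfoList"])
```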
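Review bot: A failure of `client.describe_cluster_v2(ClusterArn=arn)` for one cluster aborts the whole loop — a cluster deleted between list and describe raises `NotFoundException`, and throttling raises a `ClientError` — so the remaining clusters are neither evaluated nor reported, which is the opposite of what a monitor should do on error. Catch the per-cluster error, report it (through the same SNS path or at least the log) and continue with the next cluster. Creating `sns_client = boto3.client("sns")` inside the loop also builds a fresh client per cluster; one client created before the loop is enough. lambda_handler starts and ends outside this hunk, so `valid_states` and the notification code that follows the last `print` are not visible here.
```python
        try:
            response = client.describe_cluster_v2(ClusterArn=arn)
        except client.exceptions.NotFoundException:
            # cluster vanished between list and describe; report it and keep going
            print("The MSK cluster: {} no longer exists.".format(arn))
            continue
        status = response["ClusterInfo"]["State"]
        # … unchanged: state print, SNS notification …
```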
--- a/main.tf
+++ b/main.tf
@@ -68,13 +68,18 @@ resource "aws_iam_policy" "msk_health_lambda_role_policy" {
 },
 {
 "Action": [
- "kafka:ListClusters",
- "kafka:DescribeCluster",
- "kafka:DescribeClusterV2"
+ "kafka:ListClustersV2"
 ],
 "Resource": "*",
 "Effect": "Allow"
 },
+ {
+ "Action": [
+ "kafka:DescribeClusterV2"
+ ],
+ "Resource": "arn:aws:kafka:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/*",
+ "Effect": "Allow"
+ },
 {
 "Action": [
 "sns:Publish"
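Review bot: The new `"Resource"` ARN hard-codes the `aws` partition, so in the GovCloud or China partitions (`aws-us-gov`, `aws-cn`) the statement matches nothing and the Lambda loses `kafka:DescribeClusterV2` while `kafka:ListClustersV2` still succeeds — the function would list clusters and then fail on every describe. Build the ARN from the partition data source, `"Resource": "arn:${data.aws_partition.current.partition}:kafka:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/*",` and add `data "aws_partition" "current" {}` if the file does not declare it already (the data sources are outside this hunk). Keeping `"Resource": "*"` for `kafka:ListClustersV2` is right, as the List actions do not support resource-level scoping. Since the ListClustersV2 response already carries each cluster's `State` according to the API reference, it is worth checking whether the describe call and this statement are needed at all, which would shrink the role further.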