@adrianhall
Created November 27, 2018 23:04
ElasticSearchStreamingLambdaIAMRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: ${self:custom.api}-ESStreamingLambdaRole
    # Trust policy: only the Lambda service may assume this role
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: "lambda.amazonaws.com"
          Action: "sts:AssumeRole"
    Policies:
      # HTTP POST to the _bulk path of the one Elasticsearch domain
      - PolicyName: ElasticSearchAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - "es:ESHttpPost"
              Effect: Allow
              Resource:
                - "arn:aws:es:#{AWS::Region}:#{AWS::AccountId}:domain/${self:custom.es_domain}/_bulk"
      # Read access to the stream of the DynamoDBTable resource
      - PolicyName: DynamoDBStreamAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - "dynamodb:DescribeStream"
                - "dynamodb:GetRecords"
                - "dynamodb:GetShardIterator"
                - "dynamodb:ListStreams"
              Effect: Allow
              Resource:
                - { Fn::GetAtt: [ DynamoDBTable, StreamArn ]}
      # Log group/stream creation and log writes, for any log resource in this account and region
      - PolicyName: CloudWatchLogsAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - "logs:CreateLogGroup"
                - "logs:CreateLogStream"
                - "logs:PutLogEvents"
              Effect: Allow
              Resource:
                - "arn:aws:logs:#{AWS::Region}:#{AWS::AccountId}:*"