gergo-dryrun · March 19, 2017 17:37
diff --git a/policy.yaml b/policy.yaml
 LambdaRolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: es-http-permissions
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Action:
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            Resource: arn:aws:s3:::*
          -
            Effect: Allow
            Action: s3:ListBucket
            Resource:
              Fn::Sub:
                - arn:aws:s3:::${BucketName}
                - BucketName:
                    Fn::Select:
                      - 0
                      - Fn::Split: ['/', !Ref ConfigLocation]
          -
            Effect: Allow
            Action: s3:GetObject
            Resource: !Sub arn:aws:s3:::${ConfigLocation}
          -
            Effect: Allow
            Action: es:ESHttp*
            Resource:
              !Sub |-
                arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/*
          -
            Effect: Allow
            Action:
              - logs:CreateLogGroup
            Resource:
              !Sub |-
                arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
          -
            Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              !Sub |-
                arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/aws-elasticsearch-curator:*
      Roles:
        -
          !Ref LambdaExecutionerRole
	LambdaRolePolicies:
	Type: AWS::IAM::Policy
	Properties:
	PolicyName: es-http-permissions
	PolicyDocument:
	Version: 2012-10-17
	Statement:
	-
	Effect: Allow
	Action:
	- s3:ListAllMyBuckets
	- s3:GetBucketLocation
	Resource: arn:aws:s3:::*
	-
	Effect: Allow
	Action: s3:ListBucket
	Resource:
	Fn::Sub:
	- arn:aws:s3:::${BucketName}
	- BucketName:
	Fn::Select:
	- 0
	- Fn::Split: ['/', !Ref ConfigLocation]
	-
	Effect: Allow
	Action: s3:GetObject
	Resource: !Sub arn:aws:s3:::${ConfigLocation}
	-
	Effect: Allow
	Action: es:ESHttp*
	Resource:
	!Sub \|-
	arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/*
	-
	Effect: Allow
	Action:
	- logs:CreateLogGroup
	Resource:
	!Sub \|-
	arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
	-
	Effect: Allow
	Action:
	- logs:CreateLogStream
	- logs:PutLogEvents
	Resource:
	!Sub \|-
	arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/aws-elasticsearch-curator:*
	Roles:
	-
	!Ref LambdaExecutionerRole