From 2f6c581a7454ca78612d161e5e01ba7cddee7fe0 Mon Sep 17 00:00:00 2001 From: TomJKing Date: Fri, 24 Jan 2025 10:29:13 +0000 Subject: [PATCH 1/2] Require the connection name not arn EventBridge API request to update a connection use the name of the connection not the arn Using the full arn of the connection in the IAM policy also doesn't work and the truncated form is needed --- lambda/rotate_keycloak_secrets.tf | 18 +++++++++--------- .../rotate_keycloak_secrets_policy.json.tpl | 7 +------ lambda/variables.tf | 2 +- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/lambda/rotate_keycloak_secrets.tf b/lambda/rotate_keycloak_secrets.tf index 64d74de..1ebd382 100644 --- a/lambda/rotate_keycloak_secrets.tf +++ b/lambda/rotate_keycloak_secrets.tf @@ -11,11 +11,11 @@ resource "aws_lambda_function" "rotate_keycloak_secrets_lambda_function" { tags = var.common_tags environment { variables = { - AUTH_URL = var.auth_url - AUTH_SECRET_PATH = var.rotate_secrets_client_path - ENVIRONMENT = local.environment - SNS_TOPIC = var.notifications_topic - CONSIGNMENT_API_CONNECTION_ARN = var.api_connection_arn + AUTH_URL = var.auth_url + AUTH_SECRET_PATH = var.rotate_secrets_client_path + ENVIRONMENT = local.environment + SNS_TOPIC = var.notifications_topic + CONSIGNMENT_API_CONNECTION_NAME = var.api_connection_name } } 
@@ -39,10 +39,10 @@ resource "aws_cloudwatch_log_group" "rotate_keycloak_secrets_lambda_log_group" { resource "aws_iam_policy" "rotate_keycloak_secrets_lambda_policy" { count = local.count_rotate_keycloak_secrets policy = templatefile("${path.module}/templates/rotate_keycloak_secrets_policy.json.tpl", { - account_id = data.aws_caller_identity.current.account_id, - environment = local.environment, - kms_arn = var.kms_key_arn - api_connection_arn = var.api_connection_arn + account_id = data.aws_caller_identity.current.account_id, + environment = local.environment, + kms_arn = var.kms_key_arn + api_connection_name = var.api_connection_name }) name = "${upper(var.project)}RotateKeycloakSecretsLambdaPolicy${title(local.environment)}" } diff --git a/lambda/templates/rotate_keycloak_secrets_policy.json.tpl b/lambda/templates/rotate_keycloak_secrets_policy.json.tpl index 563512c..088d52b 100644 --- a/lambda/templates/rotate_keycloak_secrets_policy.json.tpl +++ b/lambda/templates/rotate_keycloak_secrets_policy.json.tpl @@ -46,12 +46,7 @@ "events:DescribeConnection", "events:UpdateConnection" ], - "Resource": "${api_connection_arn}", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "${account_id}" - } - } + "Resource": "arn:aws:events:eu-west-2:${account_id}:connection/${api_connection_name}" } ] } diff --git a/lambda/variables.tf b/lambda/variables.tf index 139b3a1..ce22d6c 100644 --- a/lambda/variables.tf +++ b/lambda/variables.tf @@ -381,7 +381,7 @@ variable "notifications_vpc_config" { } } -variable "api_connection_arn" { +variable "api_connection_name" { description = "Arn of the EventBridge connection for the Consignment Api" default = "" } From 44185cc19d8cbe789a62c951c6a18a8717850f7c Mon Sep 17 00:00:00 2001 From: TomJKing Date: Fri, 24 Jan 2025 10:33:06 +0000 Subject: [PATCH 2/2] Fix variable description --- lambda/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
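Review bot: The region in the new `Resource` ARN is hard-coded to `eu-west-2` while the account is taken from `data.aws_caller_identity.current` via `${account_id}`; applied in any other region the policy would still plan cleanly but never match the connection, so the Lambda silently loses `events:DescribeConnection`/`events:UpdateConnection` at runtime instead of failing at plan time. Pass the region the same way the account is passed — `region = data.aws_region.current.name` in the `templatefile` map in `rotate_keycloak_secrets.tf` (declaring `data "aws_region" "current" {}` if the module does not already have one) and `"Resource": "arn:aws:events:${region}:${account_id}:connection/${api_connection_name}"` here. Note also that `api_connection_name` keeps `default = ""`, so an unset variable renders a resource ending in `connection/` that matches nothing; a `validation` block requiring a non-empty name, or dropping the default, would surface that at plan time. Dropping the `aws:SourceAccount` condition does not widen access, since the account is already pinned in the ARN; if a condition is wanted on an identity policy, `aws:ResourceAccount` is the key that applies to the principal's own API calls. The statement's opening (`Effect`, start of `Action`) lies above the hunk.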
diff --git a/lambda/variables.tf b/lambda/variables.tf index ce22d6c..42739d9 100644 --- a/lambda/variables.tf +++ b/lambda/variables.tf @@ -382,6 +382,6 @@ variable "notifications_vpc_config" { } variable "api_connection_name" { - description = "Arn of the EventBridge connection for the Consignment Api" + description = "Name of the EventBridge connection for the Consignment Api" default = "" }