
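# Account of the deploying credentials; every ARN below is scoped to it so the
# policy cannot silently match resources in another account.
data "aws_caller_identity" "current" {}

# Execution role the MWAA service assumes on behalf of environment "mwaa_362_green".
resource "aws_iam_role" "this" {
  name = "362_role_green"

  # Both MWAA service principals are trusted. The Condition limits the trust to
  # calls the service makes for this account's own environment, so a third
  # party cannot have the service assume this role from another account
  # (cross-service confused deputy). The environment ARN matches the one used
  # for airflow:PublishMetrics in the policy below.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = [
            "airflow-env.amazonaws.com",
            "airflow.amazonaws.com",
          ]
        }
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
          ArnLike = {
            "aws:SourceArn" = "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_362_green"
          }
        }
      },
    ]
  })
}

# Inline permissions for the execution role. Each statement is scoped to the
# region in var.default-region and to this account; only the actions that do
# not support resource-level permissions use "*".
resource "aws_iam_role_policy" "this" {
  name = "362_policy_green"
  role = aws_iam_role.this.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["airflow:PublishMetrics"]
        Resource = "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_362_green"
      },
      {
        # Read-only access to the DAG bucket (bucket and objects).
        Effect = "Allow"
        Action = [
          "s3:GetObject*",
          "s3:GetBucket*",
          "s3:List*",
        ]
        Resource = [
          aws_s3_bucket.this.arn,
          "${aws_s3_bucket.this.arn}/*",
        ]
      },
      {
        # logs:DescribeLogGroups does not support resource-level permissions.
        Effect   = "Allow"
        Action   = "logs:DescribeLogGroups"
        Resource = ["*"]
      },
      {
        # Log groups MWAA creates for this environment share the
        # "airflow-mwaa_362_green-" prefix.
        Effect = "Allow"
        Action = [
          "logs:CreateLogStream",
          "logs:CreateLogGroup",
          "logs:PutLogEvents",
          "logs:GetLogEvents",
          "logs:GetLogRecord",
          "logs:GetLogGroupFields",
          "logs:GetQueryResults",
        ]
        Resource = [
          "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_362_green-*",
        ]
      },
      {
        # cloudwatch:PutMetricData does not support resource-level permissions.
        Effect   = "Allow"
        Action   = "cloudwatch:PutMetricData"
        Resource = "*"
      },
      {
        # Celery broker queues. The account segment is left as "*" as in the
        # original; the queue is not created in this configuration — confirm
        # which account owns it before narrowing.
        Effect = "Allow"
        Action = [
          "sqs:ChangeMessageVisibility",
          "sqs:DeleteMessage",
          "sqs:GetQueueAttributes",
          "sqs:GetQueueUrl",
          "sqs:ReceiveMessage",
          "sqs:SendMessage",
        ]
        Resource = "arn:aws:sqs:${var.default-region}:*:airflow-celery-*"
      },
      {
        # Use of the environment's CMK is restricted to calls made through SQS
        # and S3. kms:ViaService is keyed on the deployment region rather than a
        # hard-coded "us-east-1": the original condition only matched when
        # var.default-region happened to be us-east-1, and denied key use
        # (and therefore broke the environment) in any other region.
        Effect = "Allow"
        Action = [
          "kms:Decrypt",
          "kms:DescribeKey",
          "kms:GenerateDataKey*",
          "kms:Encrypt",
        ]
        Resource = aws_kms_key.this.arn
        Condition = {
          StringLike = {
            "kms:ViaService" = [
              "sqs.${var.default-region}.amazonaws.com",
              "s3.${var.default-region}.amazonaws.com",
            ]
          }
        }
      },
    ]
  })
}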