feat: add missing cloud watch role policies

api-keys.tf

@@ -58,6 +58,12 @@ resource "aws_cloudwatch_log_group" "api_keys_authorizer_cloudwatch_log_group" {
   retention_in_days = 14
 }
 
+resource "aws_iam_role_policy" "api_keys_authorizer_cloudwatch_role_policy" {
+  name   = "${local.name_prefix}.api-keys-authorizer.cloud-watch-role-policy"
+  role   = aws_iam_role.api_keys_authorizer_execution_role.id
+  policy = data.aws_iam_policy_document.cloud_watch_role_policy_document.json
+}
+
 data "aws_iam_policy_document" "api_keys_authorizer_execution_policy" {
   statement {
     effect  = "Allow"

api-lambda.tf

@@ -26,45 +26,51 @@ resource "aws_lambda_function" "api_routes" {
   handler          = "index.handler"
   timeout          = 20
   memory_size      = 2048
-  role             = aws_iam_role.api_routes_roles.arn
+  role             = aws_iam_role.api_route_execution_role.arn
   source_code_hash = local.s3_objects_map["v0/${each.value.operationId}.zip"].etag
   description      = each.value.description
 }
 
-resource "aws_cloudwatch_log_group" "api_routes" {
+resource "aws_cloudwatch_log_group" "api_routes_log_group" {
   for_each = aws_lambda_function.api_routes
 
-  name = "/aws/lambda/${each.value.function_name}"
+  name              = "/aws/lambda/${each.value.function_name}"
+  retention_in_days = 14
+}
 
-  retention_in_days = 30
+resource "aws_iam_role_policy" "api_route_role_policy" {
+  name   = "${local.name_prefix}.api-routes.cloud-watch-role-policy"
+  role   = aws_iam_role.api_route_execution_role.id
+  policy = data.aws_iam_policy_document.cloud_watch_role_policy_document.json
 }
 
-resource "aws_iam_role" "api_routes_roles" {
-  name = "api_routes_roles"
+data "aws_iam_policy_document" "api_route_execution_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["lambda.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
 
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Sid    = ""
-        Principal = {
-          Service = "lambda.amazonaws.com"
-        }
-      }
-    ]
-  })
+resource "aws_iam_role" "api_route_execution_role" {
+  name               = "api-routes-role"
+  description        = "References a policy document that can assume role for api route"
+  tags               = local.tags
+  assume_role_policy = data.aws_iam_policy_document.api_route_execution_policy.json
 }
 
 resource "aws_iam_policy_attachment" "sources_table_policy_attachment" {
   name       = "sources_table_policy_attachment"
   policy_arn = aws_iam_policy.sources_table_policy.arn
-  roles      = [aws_iam_role.api_routes_roles.name]
+  roles      = [aws_iam_role.api_route_execution_role.name]
 }
 
 resource "aws_iam_policy_attachment" "lieux_inclusion_numerique_table_policy_attachment" {
   name       = "lieux_inclusion_numerique_table_policy_attachment"
   policy_arn = aws_iam_policy.lieux_inclusion_numerique_table_policy.arn
-  roles      = [aws_iam_role.api_routes_roles.name]
+  roles      = [aws_iam_role.api_route_execution_role.name]
 }

cloud-watch.tf

@@ -9,9 +9,3 @@ data "aws_iam_policy_document" "cloud_watch_role_policy_document" {
     resources = ["arn:aws:logs:*:*:*"]
   }
 }
-
-resource "aws_iam_role_policy" "cloud_watch_role_policy" {
-  name   = "${local.name_prefix}.cloud-watch-role-policy"
-  role   = aws_iam_role.api_keys_authorizer_execution_role.id
-  policy = data.aws_iam_policy_document.cloud_watch_role_policy_document.json
-}

database.tf

@@ -118,12 +118,12 @@ data "aws_iam_policy_document" "read_from_s3_policy_document" {
 
 resource "aws_iam_role_policy" "read_from_s3_role_policy" {
   name   = "${local.name_prefix}.read-from-s3-role-policy"
-  role   = aws_iam_role.import_from_s3_role.id
+  role   = aws_iam_role.import_from_s3_execution_role.id
   policy = data.aws_iam_policy_document.read_from_s3_policy_document.json
 }
 
 resource "aws_iam_role_policy" "import_in_dynamo_table_role_policy" {
   name   = "${local.name_prefix}.import-in-dynamo-table-role-policy"
-  role   = aws_iam_role.import_from_s3_role.id
+  role   = aws_iam_role.import_from_s3_execution_role.id
   policy = data.aws_iam_policy_document.lieux_inclusion_numerique_table_policy_document.json
 }

import-from-s3-lambda.tf

@@ -16,7 +16,7 @@ resource "aws_lambda_function" "import_from_s3" {
   s3_bucket        = fileexists("${path.module}/import-from-s3/index.mjs") ? null : aws_s3_bucket.api.id
   s3_key           = fileexists("${path.module}/import-from-s3/index.mjs") ? null : "utilities/import-from-s3.zip"
   function_name    = "import-from-s3"
-  role             = aws_iam_role.import_from_s3_role.arn
+  role             = aws_iam_role.import_from_s3_execution_role.arn
   handler          = "index.handler"
   runtime          = "nodejs18.x"
   memory_size      = 1024
@@ -29,6 +29,13 @@ resource "aws_cloudwatch_log_group" "import_from_s3_cloudwatch_log_group" {
   retention_in_days = 14
 }
 
+resource "aws_iam_role_policy" "import_from_s3_cloudwatch_role_policy" {
+  name   = "${local.name_prefix}.import-from-s3.cloud-watch-role-policy"
+  role   = aws_iam_role.import_from_s3_execution_role.id
+  policy = data.aws_iam_policy_document.cloud_watch_role_policy_document.json
+}
+
+
 data "aws_iam_policy_document" "lambda_execution_policy" {
   statement {
     effect  = "Allow"
@@ -41,7 +48,7 @@ data "aws_iam_policy_document" "lambda_execution_policy" {
   }
 }
 
-resource "aws_iam_role" "import_from_s3_role" {
+resource "aws_iam_role" "import_from_s3_execution_role" {
   name               = "import-from-s3-lambda-role"
   description        = "References a policy document that can assume role for import from s3 lambda trigger"
   tags               = local.tags