improve policy description

2025-06-21 10:36:01 +09:00 · 2025-06-21 10:36:01 +09:00 · 49946b6546
commit 49946b6546
parent b7ac98ed9a
1 changed files with 25 additions and 2 deletions
--- a/infra/deployment.ts
+++ b/infra/deployment.ts
@ -21,7 +21,7 @@ new aws.iam.RolePolicyAttachment(`${prefix}-policy-codebuild`, {
  role: role.name,
  policyArn: aws.iam.ManagedPolicies.AWSCodeBuildDeveloperAccess,
 });
-new aws.iam.RolePolicy(`${prefix}-role-policy`, {
+new aws.iam.RolePolicy(`${prefix}-role-policy-bucket`, {
  role: role.name,
  policy: pulumi.all([backend.bucket.arn, frontend.bucket.arn]).apply(([be, fe]) => JSON.stringify({
    Version: "2012-10-17",
@ -42,6 +42,29 @@ new aws.iam.RolePolicy(`${prefix}-role-policy`, {
        ],
        Resource: [ be, fe, ],
      },
+    ]
+  })),
+});
+new aws.iam.RolePolicy(`${prefix}-role-policy-lambda`, {
+  role: role.name,
+  policy: pulumi.all([backend.lambda.arn]).apply(([lambda]) => JSON.stringify({
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Action: [
+          "lambda:UpdateFunctionCode",
+        ],
+        Resource: lambda,
+      },
+    ]
+  })),
+});
+new aws.iam.RolePolicy(`${prefix}-role-policy-logs`, {
+  role: role.name,
+  policy: JSON.stringify({
+    Version: "2012-10-17",
+    Statement: [
      {
        Effect: "Allow",
        Action: [
@ -52,7 +75,7 @@ new aws.iam.RolePolicy(`${prefix}-role-policy`, {
        Resource: "*",
      },
    ]
-  })),
+  }),
 });