add tracing; update permissions

cyphronix · cyphronix · commit 3fec5a117e0b · 2024-12-05T15:25:21.000-07:00
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/sra_cloudwatch.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/sra_cloudwatch.py
@@ -68,7 +68,7 @@ def find_metric_filter(self, log_group_name: str, filter_name: str) -> bool:
             if error.response["Error"]["Code"] == "ResourceNotFoundException":
                 return False
             else:
-                self.LOGGER.info(self.UNEXPECTED)
+                self.LOGGER.info(f"{self.UNEXPECTED} error finding metric filter: {error}")
                 raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None
 
     def create_metric_filter(
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml b/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml
@@ -443,7 +443,9 @@ Resources:
                   - 'iam:CreateRole'
                   - 'iam:DeleteRole'
                   - 'iam:TagRole'
-                Resource: '*'     
+                Resource:
+                  - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudWatch-CrossAccountSharingRole'
+                  - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pSRASolutionName}-lambda'
           PolicyName: !Sub '${pSRASolutionName}-iam-policy'
         - PolicyDocument:
             Version: '2012-10-17'
@@ -458,7 +460,7 @@ Resources:
                   - 'kms:GenerateDataKey'
                   - 'kms:ScheduleKeyDeletion'
                   - 'kms:TagResource'
-                Resource: '*'     
+                Resource: '*' #  required because of CreateKey operation
           PolicyName: !Sub '${pSRASolutionName}-kms-policy'
         - PolicyDocument:
             Version: '2012-10-17'
@@ -475,7 +477,8 @@ Resources:
                   - 'lambda:CreateAlias'
                   - 'lambda:UpdateFunctionCode'
                   - 'lambda:RemovePermission'
-                Resource: '*'     
+                Resource:
+                  - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${pSRASolutionName}'
           PolicyName: !Sub '${pSRASolutionName}-lambda-policy'
         - PolicyDocument:
             Version: '2012-10-17'
@@ -488,8 +491,11 @@ Resources:
                   - 'logs:DescribeMetricFilters'
                   - 'logs:TagResource'
                   - 'logs:Link'
-                Resource: '*' 
-                #     arn:aws:logs:<HOME REGION>:<MGMT ACCOUNT>:log-group:*
+                Resource:
+                  - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:metric-filter:*'
+                  - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:log-stream:*'
+                  # - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:metric-filter:sra-bedrock-filter-service-changes'
+                  # - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:metric-filter:sra-bedrock-filter-bucket-changes'
           PolicyName: !Sub '${pSRASolutionName}-logs-policy'
         - PolicyDocument:
             Version: '2012-10-17'
@@ -501,7 +507,10 @@ Resources:
                   - 'cloudwatch:DeleteAlarms'
                   - 'cloudwatch:TagResource'
                   - 'cloudwatch:Link'
-                Resource: '*'     
+                Resource: '*'
+                  # - !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*'
+                  # - !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:sra-bedrock-filter-service-changes-alarm'
+                  # - !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:sra-bedrock-filter-bucket-changes-alarm'
           PolicyName: !Sub '${pSRASolutionName}-cloudwatch-policy'
         - PolicyDocument:
             Version: '2012-10-17'
@@ -512,7 +521,9 @@ Resources:
                   - 'oam:CreateLink'
                   - 'oam:DeleteLink'
                   - 'oam:TagResource'
-                Resource: '*'     
+                Resource:
+                  - !Sub 'arn:${AWS::Partition}:oam:${AWS::Region}:${AWS::AccountId}:link/*'
+                  - !Sub 'arn:${AWS::Partition}:oam:${AWS::Region}:${AWS::AccountId}:/ListLinks*'
           PolicyName: !Sub '${pSRASolutionName}-oam-policy'
         - PolicyDocument:
             Version: '2012-10-17'
@@ -542,7 +553,9 @@ Resources:
                   - 'sns:SetTopicAttributes'
                   - 'sns:TagResource'
                   - 'sns:Publish'
-                Resource: '*'     
+                Resource:
+                  - !Sub 'arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${pSRASolutionName}-configuration'
+                  - !Sub 'arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${pSRASolutionName}-alarms'
           PolicyName: !Sub '${pSRASolutionName}-sns-policy'
         - PolicyDocument:
             Version: '2012-10-17'
