feat: add IoTActionRole

bifravst · Apr 11, 2024 · ad2b9e5 · ad2b9e5
1 parent 97c7888
commit ad2b9e5
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/src/IoTActionRole.ts b/src/IoTActionRole.ts
@@ -0,0 +1,33 @@
+import { aws_iam as IAM, Stack } from 'aws-cdk-lib'
+import { Construct } from 'constructs'
+
+/**
+ * Base role for IoT Actions that allows to publish to the 'errors' topic
+ */
+export class IoTActionRole extends Construct {
+	public readonly role: IAM.IRole
+	public readonly roleArn: string
+	constructor(parent: Construct) {
+		super(parent, 'errorActionRole')
+		this.role = new IAM.Role(this, 'iot-action-role', {
+			assumedBy: new IAM.ServicePrincipal(
+				'iot.amazonaws.com',
+			) as IAM.IPrincipal,
+			inlinePolicies: {
+				rootPermissions: new IAM.PolicyDocument({
+					statements: [
+						new IAM.PolicyStatement({
+							actions: ['iot:Publish'],
+							resources: [
+								`arn:aws:iot:${Stack.of(this).region}:${
+									Stack.of(this).account
+								}:topic/errors`,
+							],
+						}),
+					],
+				}),
+			},
+		})
+		this.roleArn = this.role.roleArn
+	}
+}