Build Stalwart log group; give instances write access

Author: ryanjjung

pulumi/__main__.py

@@ -82,6 +82,7 @@ def __stalwart_cluster(jumphost_rules: list[dict]):
     return stalwart.StalwartCluster(
         f'{project.name_prefix}-stalwart',
         project=project,
+        log_group_arn=logdests['stalwart'].resources['iam_policies']['write'].arn,
         private_subnets=vpc.resources['private_subnets'],
         public_subnets=vpc.resources['public_subnets'],
         node_additional_ingress_rules=jumphost_rules,

pulumi/config.dev.yaml

@@ -8,6 +8,15 @@ resources:
         - stalwart.postboot.keycloak_backend
       recovery_window_in_days: 0
 
+  tb:cloudwatch:LogDestination:
+    stalwart:
+      log_group:
+        retention_in_days: 7
+      log_streams:
+        api: api
+        mail: mail
+      org_name: tb
+
   tb:network:MultiTierVpc:
     vpc:
       cidr_block: 10.2.0.0/16

pulumi/stalwart/__init__.py

@@ -274,6 +274,7 @@ def __init__(
         self,
         name: str,
         project: tb_pulumi.ThunderbirdPulumiProject,
+        log_group_arn: str,
         private_subnets: list[aws.ec2.Subnet],
         public_subnets: list[aws.ec2.Subnet],
         https_features: list = [],
@@ -343,8 +344,16 @@ def __init__(
         s3_bucket, s3_secret, s3_policy = stalwart_s3.s3(self=self)
 
         # Build an IAM role with a policy to enable node bootstrapping
-        profile_policy, role, profile_postboot_attachment, profile_s3_attachment, profile = stalwart_iam.iam(
+        (
+            profile_policy,
+            role,
+            profile_postboot_attachment,
+            profile_s3_attachment,
+            profile_logwrite_attachment,
+            profile,
+        ) = stalwart_iam.iam(
             self,
+            log_group_arn=log_group_arn,
             s3_policy=s3_policy,
         )
 
@@ -463,6 +472,7 @@ def __init__(
                 'spam_filter_secret': config_secrets['spam_filter'],
                 'node_profile': profile,
                 'node_profile_policy': profile_policy,
+                'node_profile_logwrite_attachment': profile_logwrite_attachment,
                 'node_profile_postboot_policy_attachment': profile_postboot_attachment,
                 'node_profile_s3_policy_attachment': profile_s3_attachment,
                 'node_sgs': self.node_sgs,

pulumi/stalwart/iam.py

@@ -10,6 +10,7 @@
 
 def iam(
     self,
+    log_group_arn: str,
     s3_policy: aws.iam.Policy,
 ) -> tuple[
     aws.iam.Policy, aws.iam.Role, aws.iam.RolePolicyAttachment, aws.iam.RolePolicyAttachment, aws.iam.InstanceProfile
@@ -32,14 +33,18 @@ def iam(
             + f':secret:mailstrom/{self.project.stack}/stalwart.postboot.*'
         ),
     ]
-    profile_postboot_policy_doc = IAM_POLICY_DOCUMENT.copy()
-    profile_postboot_policy_doc['Statement'][0].update(
-        {
-            'Sid': 'AllowPostbootSecretAccess',
-            'Action': ['secretsmanager:GetSecretValue'],
-            'Resource': bootstrap_secret_arns,
-        }
-    )
+    profile_postboot_policy_doc = {
+        'Version': '2012-10-17',
+        'Statement': [
+            {
+                'Sid': 'AllowPostbootSecretAccess',
+                'Effect': 'Allow',
+                'Action': ['secretsmanager:GetSecretValue'],
+                'Resource': bootstrap_secret_arns,
+            }
+        ],
+    }
+
     profile_policy = aws.iam.Policy(
         f'{self.name}-policy-nodeprofile',
         path='/',
@@ -64,7 +69,19 @@ def iam(
         role=role.name,
         policy_arn=s3_policy.arn,
     )
+    profile_logwrite_attachment = aws.iam.RolePolicyAttachment(
+        f'{self.name}-rpa-nodeprofile-logs',
+        role=role.name,
+        policy_arn=log_group_arn,
+    )
 
     profile = aws.iam.InstanceProfile(f'{self.name}-ip-nodeprofile', name=f'{self.name}-nodeprofile', role=role.name)
 
-    return profile_policy, role, profile_postboot_attachment, profile_s3_attachment, profile
+    return (
+        profile_policy,
+        role,
+        profile_postboot_attachment,
+        profile_s3_attachment,
+        profile_logwrite_attachment,
+        profile,
+    )