iam child module at aws-infra-terraform/iam/. The module is invoked from the root main.tf and receives table ARNs, secret ARNs, and configuration variables as inputs.
Module structure
IAM user and group
User: WallenstamTenant
Group: Wallenstam
WallenstamTenant is a member of the Wallenstam group, which has the following AWS-managed policies attached:
| Policy | Purpose |
|---|---|
AmazonCognitoPowerUser | Manage Cognito identity pools |
AmazonDynamoDBFullAccess | Read/write all DynamoDB tables |
AmazonEC2ContainerRegistryFullAccess | Push Docker images to ECR (for parse_invoice) |
AmazonS3FullAccess | Manage S3 buckets and objects |
AmazonSNSFullAccess | Publish to SNS topics |
AWSLambda_FullAccess | Deploy and manage Lambda functions |
CloudWatchEventsFullAccess | Manage EventBridge rules |
CloudWatchLogsFullAccess | Read and manage CloudWatch log groups |
IAMFullAccess | Manage IAM resources via Terraform |
SecretsManagerReadWrite | Create and manage secrets |
- TerraformAutoScalingPermissions —
application-autoscaling:Describe*andListTagsForResourcefor managing DynamoDB autoscaling - APIGatewayFullAccessPolicy —
apigateway:*for managing API Gateway resources
Lambda execution roles
Wallenstam-Lambda-Role
The primary shared execution role used by most Lambda functions. Attached managed policies:AmazonDynamoDBFullAccessAmazonS3FullAccessAmazonSNSFullAccessCloudWatchLogsFullAccessSecretsManagerReadWrite
Per-function roles
Several Lambda functions have dedicated execution roles with narrowly scoped inline policies. These are defined in the per-function IAM files:| Role name | File | Function |
|---|---|---|
Login-Lambda-Role | iam_login_lambda.tf | login_user |
Signup-Lambda-Role | iam_signup_lambda.tf | signup_user |
delete_user_lambda_role | iam_delete_user_lambda.tf | delete_user |
get_rental_invoices_lambda_role | iam_get_rental_invoices_lambda.tf | get_rental_invoices |
get_rental_invoice_lambda_role | iam_get_rental_invoice_lambda.tf | get_rental_invoice |
get_user_profile_lambda_role | iam_get_user_profile_lambda.tf | get_user_profile |
gmail_store_tokens_lambda_role | iam_gmail_store_tokens_lambda.tf | gmail_store_tokens |
aws_iam_role with a Lambda trust policy, an aws_iam_policy with the minimum required permissions (typically DynamoDB table access and Secrets Manager read), and an aws_iam_role_policy_attachment binding the two.
Role ARNs are exported via outputs.tf and passed into the lambdas module by the root main.tf:
App identity role
WallenstamAppIdentityRole
This role is assumed by unauthenticated identities via the Cognito identity pool (WallenstamAppIdentityPool). It is used by the iOS app to register its APNs device token with SNS for push notifications.
| Policy | Permissions |
|---|---|
cognito-unauthenticated | cognito-identity:GetCredentialsForIdentity |
wallenstam_sns_policy | sns:CreatePlatformEndpoint |
AmazonDynamoDBReadOnlyAccess managed policy is also attached to allow the iOS app to read invoice data directly from DynamoDB if needed.
Cognito identity pool
TheWallenstamAppIdentityPool Cognito identity pool is defined in cognito.tf. It provides unauthenticated guest access for the iOS app, enabling it to call sns:CreatePlatformEndpoint to register for push notifications without requiring a full Cognito user pool login.
The identity pool is linked to WallenstamAppIdentityRole as its unauthenticated role.