From 4c754b5bc7b1d526bef8f82babb3f21acb254242 Mon Sep 17 00:00:00 2001
From: Ryan Goh <1871494+ryanoolala@users.noreply.github.com>
Date: Tue, 23 Jul 2024 10:17:05 +0800
Subject: [PATCH] chore: update flowlogs iam service role permissions to be more restrictive
---
 vpc-flow-logs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index ac9f25758..95432d0e5 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -109,6 +109,6 @@ data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
 "logs:DescribeLogStreams",
 ]
- resources = ["*"]
+ resources = ["${var.flow_log_cloudwatch_log_group_name_prefix}${local.flow_log_cloudwatch_log_group_name_suffix}/*"]
 }
 }
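Review bot: The new `resources` value is a bare log group name followed by `/*`, not an ARN, and an IAM resource element has to be an ARN or `*`, so this statement will most likely be rejected as malformed or never match the flow-log group. Scope it with the log group's ARN and the `:*` suffix that covers its log streams, e.g. `resources = ["<log-group-arn>:*"]` (`<log-group-arn>` is a placeholder for the ARN of the group this module creates or is given). The statement's action list starts above the hunk; confirm that every action in it supports log-group-level resources, since any that do not would stop working once `*` is removed. A short comment above the line saying why the scope is limited to the single log group would help later readers.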