def _create_analytics_processing_lambda_role()

in Gems/AWSMetrics/cdv1/aws_metrics/real_time_data_processing.py [0:0]


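    def _create_analytics_processing_lambda_role(self, function_name: str) -> iam.Role:
        """
        Generate the IAM role for the analytics processing lambda to send metrics to CloudWatch.

        The role carries one inline policy with two statements: the first allows publishing
        metric data, restricted by the ``cloudwatch:namespace`` condition key to the
        ``AWSMetrics`` namespace; the second allows the function to create and write to its
        own CloudWatch Logs log group under ``/aws/lambda/``.

        @param function_name Name of the Lambda function; used to scope the logging
                             permissions to that function's ``/aws/lambda/<name>`` log group.
        @return The created IAM role.
        """
        # Scope the logging statement to this function's log group and the streams beneath it.
        # The previous pattern "/aws/lambda/${FunctionName}*" (no ':' before the wildcard) also
        # matched every other function whose name merely starts with this one; the two ARNs
        # below cover the log group itself and the "<group>:*" form CloudWatch Logs uses for
        # log streams without that over-match.
        log_group_arn = core.Fn.sub(
            'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:'
            '/aws/lambda/${FunctionName}',
            variables={
                'FunctionName': function_name
            }
        )
        log_stream_arn = core.Fn.sub(
            'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:'
            '/aws/lambda/${FunctionName}:*',
            variables={
                'FunctionName': function_name
            }
        )

        # The following policy limits the user to publishing metrics only in the namespace named AWSMetrics.
        # Check the following document for more details:
        # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-namespace.html
        put_metric_statement = iam.PolicyStatement(
            actions=[
                'cloudwatch:PutMetricData',
            ],
            effect=iam.Effect.ALLOW,
            # PutMetricData is not resource-scoped, so '*' plus the namespace condition is the
            # tightest form available.
            resources=[
                '*'
            ],
            conditions={
                "StringEquals": {
                    "cloudwatch:namespace": "AWSMetrics"
                }
            }
        )

        logging_statement = iam.PolicyStatement(
            actions=[
                'logs:CreateLogGroup',
                'logs:CreateLogStream',
                # NOTE(review): logs:PutDestination manages cross-account subscription
                # destinations and is not part of a function's normal log delivery. Kept to
                # preserve existing behaviour; confirm the handler needs it, otherwise drop it.
                'logs:PutDestination',
                'logs:PutLogEvents'
            ],
            effect=iam.Effect.ALLOW,
            resources=[
                log_group_arn,
                log_stream_arn
            ]
        )

        analytics_processing_policy_document = iam.PolicyDocument(
            statements=[
                put_metric_statement,
                logging_statement
            ]
        )

        # Only the Lambda service may assume this role; the policy above is attached inline
        # so it is created and deleted together with the role.
        return iam.Role(
            self._stack,
            id='AnalyticsLambdaRole',
            role_name=resource_name_sanitizer.sanitize_resource_name(
                f'{self._stack.stack_name}-AnalyticsLambdaRole', 'iam_role'),
            assumed_by=iam.ServicePrincipal(
                service='lambda.amazonaws.com'
            ),
            inline_policies={
                'AnalyticsProcessingPolicy': analytics_processing_policy_document
            }
        )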