Address PR review comments: scope IAM permissions and add CLI prerequisites

agawanea · agawanea · commit 9b1f5cf247d5 · 2025-12-06T00:03:07.000+05:30
diff --git a/lambda-durable-order-processing-sam/README.md b/lambda-durable-order-processing-sam/README.md
@@ -60,6 +60,17 @@ Each step is automatically checkpointed, allowing the workflow to resume from th
 * [AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html) installed
 * [Node.js 18+](https://nodejs.org/) installed
 
+### Required IAM Permissions
+
+Your AWS CLI user/role needs the following permissions for deployment and testing:
+- **CloudFormation**: `cloudformation:DescribeStacks`, `cloudformation:DeleteStack`
+- **Lambda**: `lambda:CreateFunction`, `lambda:InvokeFunction`, `lambda:GetFunction`
+- **DynamoDB**: `dynamodb:Scan`, `dynamodb:GetItem`
+- **CloudWatch Logs**: `logs:DescribeLogGroups`, `logs:FilterLogEvents`, `logs:GetLogEvents`, `logs:TailLogEvents`
+- **API Gateway**: `apigateway:GET`
+- **IAM**: `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PassRole`
+
+
 ## Deployment
 
 1. Navigate to the pattern directory:
@@ -244,7 +255,7 @@ Processing payment { orderId: 'order-1764821208592', amount: 91.98 }
 Waiting for warehouse processing { orderId: 'order-1764821208592' }
 ```
 
-### Step 6: Verify DynamoDB Storage
+### Step 6: Verify Amazon DynamoDB Storage
 
 Check orders stored in DynamoDB:
 
diff --git a/lambda-durable-order-processing-sam/template.yaml b/lambda-durable-order-processing-sam/template.yaml
@@ -1,6 +1,6 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Transform: AWS::Serverless-2016-10-31
-Description: Order Processing Workflow using Lambda Durable Functions
+Description: Order Processing Workflow using AWS Lambda Durable Functions
 
 Globals:
   Function:
@@ -34,7 +34,6 @@ Resources:
     Properties:
       CodeUri: src/
       Handler: index.handler
-      Runtime: nodejs22.x
       Timeout: 120
       AutoPublishAlias: live
       DurableConfig:
@@ -47,15 +46,14 @@ Resources:
           - Effect: Allow
             Action:
               - lambda:CheckpointDurableExecution
-            Resource: '*'
+            Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-OrderProcessingFunction-*'
 
   # Order Status Function (Non-Durable)
   OrderStatusFunction:
     Type: AWS::Serverless::Function
     Properties:
       CodeUri: src/
       Handler: status.handler
-      Runtime: nodejs22.x
       Timeout: 30
       Policies:
         - DynamoDBReadPolicy:
