From f8d38a75f5ac313626ba90bea211855f6645ffe3 Mon Sep 17 00:00:00 2001
From: xss <michaela@michaela.lgbt>
Date: Mon, 23 Oct 2023 16:25:28 +1100
Subject: [PATCH] IAM cleanup

---
 es.tf            | 265 ++++++++++++++++++++++-------------------------
 ham_aprs.tf      |  58 ++++-------
 ham_ingestion.tf | 148 ++++++++++++--------------
 ham_predictor.tf |  98 ++++++++----------
 historic.tf      | 171 ++++++++++++------------------
 iam.tf           |  19 ++++
 ingestion.tf     | 143 +++++++++++--------------
 main.tf          | 115 +++++++++-----------
 predictor.tf     | 183 ++++++++++++++------------------
 recovered.tf     |  77 ++++++--------
 sqs_to_elk.tf    | 151 ++++++++++++---------------
 websockets.tf    | 237 +++++++++++++-----------------------------
 12 files changed, 695 insertions(+), 970 deletions(-)
 create mode 100644 iam.tf

diff --git a/es.tf b/es.tf
index 130e149..7d71502 100644
--- a/es.tf
+++ b/es.tf
@@ -1,4 +1,14 @@
+data "aws_iam_policy_document" "es_access_policy" {
+  statement {
+    resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"]
+    actions   = ["es:*"]
 
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
+}
 
 resource "aws_elasticsearch_domain" "ElasticsearchDomain" {
   domain_name           = "sondes-v2-7-9"
@@ -21,24 +31,12 @@ resource "aws_elasticsearch_domain" "ElasticsearchDomain" {
     enforce_https                   = true
     tls_security_policy             = "Policy-Min-TLS-1-2-2019-07"
     custom_endpoint                 = "es.v2.sondehub.org"
-    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:143841941773:certificate/a7da821c-bdbc-404b-aa12-bce28d86cdeb"
+    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:${data.aws_caller_identity.current.account_id}:certificate/a7da821c-bdbc-404b-aa12-bce28d86cdeb"
     custom_endpoint_enabled         = true
   }
-  access_policies = <<EOF
-    {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "*"
-            },
-            "Action": "es:*",
-            "Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"
-        }
-    ]
-}
-EOF
+
+  access_policies = data.aws_iam_policy_document.es_access_policy.json
+
   encrypt_at_rest {
     enabled    = true
     kms_key_id = data.aws_kms_key.es.arn
@@ -49,7 +47,7 @@ EOF
   advanced_security_options {
     enabled = true
     master_user_options {
-      master_user_arn = "arn:aws:iam::143841941773:role/es-admin"
+      master_user_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/es-admin"
     }
   }
   advanced_options = {
@@ -63,17 +61,17 @@ EOF
     iops        = 3000
   }
   log_publishing_options {
-    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:143841941773:log-group:/aws/aes/domains/sondes-v2/application-logs"
+    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/aes/domains/sondes-v2/application-logs"
     enabled                  = true
     log_type                 = "ES_APPLICATION_LOGS"
   }
   log_publishing_options {
-    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:143841941773:log-group:/aws/aes/domains/sondes-v2/index-logs"
+    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/aes/domains/sondes-v2/index-logs"
     enabled                  = true
     log_type                 = "INDEX_SLOW_LOGS"
   }
   log_publishing_options {
-    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:143841941773:log-group:/aws/aes/domains/sondes-v2/search-logs"
+    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/aes/domains/sondes-v2/search-logs"
     enabled                  = true
     log_type                 = "SEARCH_SLOW_LOGS"
   }
@@ -245,7 +243,7 @@ resource "aws_route53_record" "auth" {
   type     = each.key
   alias {
     name                   = "${aws_cognito_user_pool_domain.main.cloudfront_distribution_arn}."
-    zone_id                = "Z2FDTNDATAQYW2"
+    zone_id                = aws_cognito_user_pool_domain.main.cloudfront_distribution_zone_id
     evaluate_target_health = false
   }
   zone_id = aws_route53_zone.Route53HostedZone.zone_id
@@ -261,74 +259,82 @@ resource "aws_route53_record" "es" {
   zone_id = aws_route53_zone.Route53HostedZone.zone_id
 }
 
+data "aws_iam_policy_document" "es_auth_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "cognito-identity.amazonaws.com:aud"
+      values   = [aws_cognito_identity_pool.CognitoIdentityPool.id]
+    }
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "cognito-identity.amazonaws.com:amr"
+      values   = ["authenticated"]
+    }
+
+    principals {
+      type        = "Federated"
+      identifiers = ["cognito-identity.amazonaws.com"]
+    }
+  }
+}
 
 resource "aws_iam_role" "auth_role" {
   path                 = "/"
   name                 = "Cognito_sondesAuth_Role"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Federated": "cognito-identity.amazonaws.com"
-        },
-        "Action": "sts:AssumeRoleWithWebIdentity",
-        "Condition": {
-            "StringEquals": {
-                "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.CognitoIdentityPool.id}"
-            },
-            "ForAnyValue:StringLike": {
-                "cognito-identity.amazonaws.com:amr": "authenticated"
-            }
-        }
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.es_auth_role.json
   max_session_duration = 3600
 }
 
+data "aws_iam_policy_document" "es_unauth_role" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "cognito-identity.amazonaws.com:aud"
+      values   = ["${aws_cognito_identity_pool.CognitoIdentityPool.id}"]
+    }
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "cognito-identity.amazonaws.com:amr"
+      values   = ["unauthenticated"]
+    }
+
+    principals {
+      type        = "Federated"
+      identifiers = ["cognito-identity.amazonaws.com"]
+    }
+  }
+}
+
 resource "aws_iam_role" "unauth_role" {
   path                 = "/"
   name                 = "Cognito_sondesUnauth_Role"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Federated": "cognito-identity.amazonaws.com"
-        },
-        "Action": "sts:AssumeRoleWithWebIdentity",
-        "Condition": {
-            "StringEquals": {
-                "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.CognitoIdentityPool.id}"
-            },
-            "ForAnyValue:StringLike": {
-                "cognito-identity.amazonaws.com:amr": "unauthenticated"
-            }
-        }
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.es_unauth_role.json
   max_session_duration = 3600
 }
 
+data "aws_iam_policy_document" "es_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["es.amazonaws.com"]
+    }
+  }
+}
+
 resource "aws_iam_role" "IAMRole3" {
   path                 = "/service-role/"
   name                 = "CognitoAccessForAmazonES"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "es.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.es_assume_role_policy.json
   max_session_duration = 3600
 }
 
@@ -337,87 +343,64 @@ resource "aws_iam_service_linked_role" "IAMServiceLinkedRole" {
   aws_service_name = "es.amazonaws.com"
 }
 
+data "aws_iam_policy_document" "es_access" {
+  statement {
+    resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-*"]
+    actions   = ["es:*"]
+  }
 
-resource "aws_iam_role_policy" "IAMPolicy" {
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-               {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-*"
-        }
-    ]
+  statement {
+    resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-*"]
+    actions   = ["es:*"]
+  }
 }
-EOF
+
+resource "aws_iam_role_policy" "IAMPolicy" {
+  policy = data.aws_iam_policy_document.es_access.json
   role   = aws_iam_role.auth_role.name
 }
 
-resource "aws_iam_role_policy" "IAMPolicy2" {
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "mobileanalytics:PutEvents",
-        "cognito-sync:*"
-      ],
-      "Resource": [
-        "*"
-      ]
-    }
-  ]
+data "aws_iam_policy_document" "unauth_cognito_policy" {
+  statement {
+    resources = ["*"]
+
+    actions = [
+      "mobileanalytics:PutEvents",
+      "cognito-sync:*",
+    ]
+  }
 }
-EOF
+
+resource "aws_iam_role_policy" "IAMPolicy2" {
+  policy = data.aws_iam_policy_document.unauth_cognito_policy.json
   role   = aws_iam_role.unauth_role.name
 }
 
-resource "aws_iam_role_policy" "IAMPolicy3" {
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "mobileanalytics:PutEvents",
-        "cognito-sync:*",
-        "cognito-identity:*"
-      ],
-      "Resource": [
-        "*"
-      ]
-    }
-  ]
+data "aws_iam_policy_document" "auth_cognito_policy" {
+  statement {
+    resources = ["*"]
+
+    actions = [
+      "mobileanalytics:PutEvents",
+      "cognito-sync:*",
+      "cognito-identity:*",
+    ]
+  }
 }
-EOF
+
+resource "aws_iam_role_policy" "IAMPolicy3" {
+  policy = data.aws_iam_policy_document.auth_cognito_policy.json
   role   = aws_iam_role.auth_role.name
 }
 
-resource "aws_iam_role_policy" "IAMPolicy4" {
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "execute-api:*"
-            ],
-            "Resource": [
-                "arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:${aws_apigatewayv2_api.main.id}/*/*/amateur/flightdoc"
-            ]
-        }
-    ]
+data "aws_iam_policy_document" "flight_doc_cognito" {
+  statement {
+    resources = ["arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:${aws_apigatewayv2_api.main.id}/*/*/amateur/flightdoc"]
+    actions   = ["execute-api:*"]
+  }
 }
-EOF
+
+resource "aws_iam_role_policy" "IAMPolicy4" {
+  policy = data.aws_iam_policy_document.flight_doc_cognito.json
   role   = aws_iam_role.auth_role.name
 }
\ No newline at end of file
diff --git a/ham_aprs.tf b/ham_aprs.tf
index 301971a..e78c2ec 100644
--- a/ham_aprs.tf
+++ b/ham_aprs.tf
@@ -15,7 +15,7 @@ resource "aws_ecs_task_definition" "aprsgw" {
           { "name" : "SNS", "value" : aws_sns_topic.ham_telem.arn }
         ],
         essential = true
-        image     = "143841941773.dkr.ecr.us-east-1.amazonaws.com/aprsgw:latest"
+        image     = "${data.aws_caller_identity.current.account_id}.dkr.ecr.us-east-1.amazonaws.com/aprsgw:latest"
         logConfiguration = {
           logDriver = "awslogs"
           options = {
@@ -33,34 +33,20 @@ resource "aws_ecs_task_definition" "aprsgw" {
     ]
   )
   cpu                = "256"
-  execution_role_arn = "arn:aws:iam::143841941773:role/aprsgw"
+  execution_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aprsgw"
   memory             = "512"
   network_mode       = "awsvpc"
   requires_compatibilities = [
     "FARGATE",
   ]
   tags          = {}
-  task_role_arn = "arn:aws:iam::143841941773:role/aprsgw"
+  task_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aprsgw"
 }
 
 resource "aws_iam_role" "aprsgw" {
   name                 = "aprsgw"
   description          = "Allows EC2 instances to call AWS services on your behalf."
-  assume_role_policy   = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "ecs-tasks.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.ecs_task_assume_role_policy.json
   max_session_duration = 3600
 }
 
@@ -71,29 +57,27 @@ resource "aws_iam_role_policy_attachment" "aprsgw" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
+data "aws_iam_policy_document" "aprsgw" {
+  statement {
+    resources = ["*"]
+    actions   = ["sns:Publish"]
+  }
+
+  statement {
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+
+    actions = ["secretsmanager:GetSecretValue"]
+  }
+}
+
 resource "aws_iam_role_policy" "aprsgw" {
   name = "aprsgw"
   role = aws_iam_role.aprsgw.id
 
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "sns:Publish",
-            "Resource": "*"
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
-    ]
-}
-EOF
+  policy = data.aws_iam_policy_document.aprsgw.json
 }
 
 resource "aws_ecs_cluster" "aprsgw" {
diff --git a/ham_ingestion.tf b/ham_ingestion.tf
index 0397043..a20c537 100644
--- a/ham_ingestion.tf
+++ b/ham_ingestion.tf
@@ -22,64 +22,48 @@ EOF
 resource "aws_iam_role" "ham_sqs_to_elk" {
   path                 = "/service-role/"
   name                 = "ham_sqs-to-elk"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
+data "aws_iam_policy_document" "ham_sqs_to_elk" {
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["es:*"]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["sqs:*"]
+  }
+
+  statement {
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+    actions = ["secretsmanager:GetSecretValue"]
+  }
+}
 
 resource "aws_iam_role_policy" "ham_sqs_to_elk" {
   name   = "ham_sqs_to_elk"
   role   = aws_iam_role.ham_sqs_to_elk.name
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sqs:*",
-            "Resource": "*"
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
-    ]
-}
-EOF
+  policy = data.aws_iam_policy_document.ham_sqs_to_elk.json
 }
 
 resource "aws_lambda_function" "ham_sqs_to_elk" {
@@ -137,39 +121,39 @@ resource "aws_sqs_queue" "ham_sqs_to_elk_dlq" {
 
 }
 
-resource "aws_sqs_queue_policy" "ham_sqs_to_elk" {
-  queue_url = aws_sqs_queue.ham_sqs_to_elk.id
-  policy    = <<EOF
-{
-  "Version": "2008-10-17",
-  "Id": "__default_policy_ID",
-  "Statement": [
-    {
-      "Sid": "__owner_statement",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-      },
-      "Action": "SQS:*",
-      "Resource": "${aws_sqs_queue.ham_sqs_to_elk.arn}"
-    },
-    {
-      "Sid": "to-elk",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "SQS:SendMessage",
-      "Resource": "${aws_sqs_queue.ham_sqs_to_elk.arn}",
-      "Condition": {
-        "ArnLike": {
-          "aws:SourceArn": "${aws_sns_topic.ham_telem.arn}"
-        }
-      }
+data "aws_iam_policy_document" "ham_sqs_to_elk_queue" {
+  statement {
+    sid       = "__owner_statement"
+    resources = [aws_sqs_queue.ham_sqs_to_elk.arn]
+    actions   = ["SQS:*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
-  ]
+  }
+
+  statement {
+    sid       = "to-elk"
+    resources = [aws_sqs_queue.ham_sqs_to_elk.arn]
+    actions   = ["SQS:SendMessage"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.ham_telem.arn]
+    }
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
 }
-EOF
+
+resource "aws_sqs_queue_policy" "ham_sqs_to_elk" {
+  queue_url = aws_sqs_queue.ham_sqs_to_elk.id
+  policy    = data.aws_iam_policy_document.ham_sqs_to_elk_queue.json
 }
 
 
diff --git a/ham_predictor.tf b/ham_predictor.tf
index f0767d3..75a5ceb 100644
--- a/ham_predictor.tf
+++ b/ham_predictor.tf
@@ -1,69 +1,55 @@
 resource "aws_iam_role" "ham_predict_updater" {
   path                 = "/service-role/"
   name                 = "ham-predict-updater"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
+data "aws_iam_policy_document" "ham_predict_updater" {
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["es:*"]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["sqs:*"]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["s3:*"]
+  }
+
+  statement {
+
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+
+    actions = ["secretsmanager:GetSecretValue"]
+  }
+}
 
 resource "aws_iam_role_policy" "ham_predict_updater" {
   name   = "ham_predict_updater"
   role   = aws_iam_role.ham_predict_updater.name
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sqs:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "s3:*",
-            "Resource": "*"
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
-    ]
-}
-EOF
+  policy = data.aws_iam_policy_document.ham_predict_updater.json
 }
 
 
diff --git a/historic.tf b/historic.tf
index 1e6303c..5ef78ed 100644
--- a/historic.tf
+++ b/historic.tf
@@ -3,62 +3,45 @@
 resource "aws_iam_role" "historic" {
   path                 = "/service-role/"
   name                 = "historic"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
+data "aws_iam_policy_document" "historic" {
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["es:*"]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["sqs:*"]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["s3:*"]
+  }
+}
 
 resource "aws_iam_role_policy" "historic" {
   name   = "historic"
   role   = aws_iam_role.historic.name
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sqs:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "s3:*",
-            "Resource": "*"
-        }
-    ]
-}
-EOF
+  policy = data.aws_iam_policy_document.historic.json
 }
 
 
@@ -157,18 +140,7 @@ resource "aws_lambda_permission" "history_cron" {
 
 resource "aws_iam_role" "history" {
   name                 = "history"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
@@ -182,50 +154,45 @@ resource "aws_apigatewayv2_integration" "history" {
   payload_format_version = "2.0"
 }
 
+data "aws_iam_policy_document" "history" {
+  statement {
+    resources = ["arn:aws:s3:::sondehub-open-data/*"]
+    actions   = ["s3:*"]
+  }
 
-resource "aws_iam_role_policy" "history" {
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "s3:*",
-            "Resource": "arn:aws:s3:::sondehub-open-data/*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "s3:*",
-            "Resource": "arn:aws:s3:::sondehub-open-data"
-        },
-          {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        },
-                       {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"
-        }
+  statement {
+    resources = ["arn:aws:s3:::sondehub-open-data"]
+    actions   = ["s3:*"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
     ]
+  }
+
+  statement {
+    resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"]
+    actions   = ["es:*"]
+  }
+
+  statement {
+    resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"]
+    actions   = ["es:*"]
+  }
 }
-EOF
+
+
+resource "aws_iam_role_policy" "history" {
+  policy = data.aws_iam_policy_document.history.json
   role   = aws_iam_role.history.name
 }
 
diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..a0c086f
--- /dev/null
+++ b/iam.tf
@@ -0,0 +1,19 @@
+data "aws_iam_policy_document" "lambda_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "ecs_task_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
diff --git a/ingestion.tf b/ingestion.tf
index 570c7e9..6305716 100644
--- a/ingestion.tf
+++ b/ingestion.tf
@@ -2,95 +2,76 @@
 resource "aws_iam_role" "ingestion_lambda_role" { # need a specific role so that we can disable cloudwatch logs
   path                 = "/service-role/"
   name_prefix          = "sonde-ingestion-"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    },
-    {
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "edgelambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
 
+data "aws_iam_policy_document" "ingestion" {
+  statement {
+    resources = ["*"]
+    actions   = ["s3:*"]
+  }
 
+  statement {
+    resources = ["*"]
+    actions   = ["sns:*"]
+  }
 
-resource "aws_iam_role_policy" "ingestion_lambda_role" {
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "s3:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sns:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/ingestion",
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/sns_to_mqtt"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/ingestion*",
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/sns_to_mqtt*"
-            ]
-        },
-        {
-            "Action": [
-                "ec2:DescribeNetworkInterfaces",
-                "ec2:CreateNetworkInterface",
-                "ec2:DeleteNetworkInterface",
-                "ec2:DescribeInstances",
-                "ec2:AttachNetworkInterface"
-            ],
-            "Effect": "Allow",
-            "Resource": "*"
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
-                    
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = [
+      "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/ingestion",
+      "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/sns_to_mqtt",
+    ]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  statement {
+    resources = [
+      "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/ingestion*",
+      "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/sns_to_mqtt*",
     ]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  statement {
+    resources = ["*"]
+
+    actions = [
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:CreateNetworkInterface",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeInstances",
+      "ec2:AttachNetworkInterface",
+    ]
+  }
+
+  statement {
+
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+
+    actions = ["secretsmanager:GetSecretValue"]
+  }
 }
-EOF
+
+resource "aws_iam_role_policy" "ingestion_lambda_role" {
+  policy = data.aws_iam_policy_document.ingestion.json
   role   = aws_iam_role.ingestion_lambda_role.name
 }
 
diff --git a/main.tf b/main.tf
index 2af9f6d..3df4ab8 100644
--- a/main.tf
+++ b/main.tf
@@ -19,82 +19,61 @@ data "aws_caller_identity" "current" {}
 resource "aws_iam_role" "basic_lambda_role" {
   path                 = "/service-role/"
   name                 = "sonde-api-to-iot-core-role-z9zes3f5"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    },
-    {
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "edgelambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
 
+data "aws_iam_policy_document" "basic_lambda_role" {
+  statement {
+    resources = ["*"]
+    actions   = ["s3:*"]
+  }
 
+  statement {
+    resources = ["*"]
+    actions   = ["sns:*"]
+  }
 
-resource "aws_iam_role_policy" "basic_lambda_role" {
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "s3:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sns:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        },
-        {
-            "Action": [
-                "ec2:DescribeNetworkInterfaces",
-                "ec2:CreateNetworkInterface",
-                "ec2:DeleteNetworkInterface",
-                "ec2:DescribeInstances",
-                "ec2:AttachNetworkInterface"
-            ],
-            "Effect": "Allow",
-            "Resource": "*"
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
     ]
+  }
+
+  statement {
+    resources = ["*"]
+
+    actions = [
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:CreateNetworkInterface",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeInstances",
+      "ec2:AttachNetworkInterface",
+    ]
+  }
+
+  statement {
+
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+
+    actions = ["secretsmanager:GetSecretValue"]
+  }
 }
-EOF
+
+resource "aws_iam_role_policy" "basic_lambda_role" {
+  policy = data.aws_iam_policy_document.basic_lambda_role.json
   role   = aws_iam_role.basic_lambda_role.name
 }
 
diff --git a/predictor.tf b/predictor.tf
index d553f33..e2105f3 100644
--- a/predictor.tf
+++ b/predictor.tf
@@ -1,80 +1,67 @@
 resource "aws_iam_role" "predict_updater" {
   path                 = "/service-role/"
   name                 = "predict-updater"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
+data "aws_iam_policy_document" "predict_updater" {
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["es:*"]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["sqs:*"]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["s3:*"]
+  }
+
+  statement {
+    resources = ["*"]
+
+    actions = [
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:CreateNetworkInterface",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeInstances",
+      "ec2:AttachNetworkInterface",
+    ]
+  }
+
+  statement {
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+
+    actions = ["secretsmanager:GetSecretValue"]
+  }
+}
+
 
 resource "aws_iam_role_policy" "predict_updater" {
   name   = "predict_updater"
   role   = aws_iam_role.predict_updater.name
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sqs:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "s3:*",
-            "Resource": "*"
-        },
-        {
-            "Action": [
-                "ec2:DescribeNetworkInterfaces",
-                "ec2:CreateNetworkInterface",
-                "ec2:DeleteNetworkInterface",
-                "ec2:DescribeInstances",
-                "ec2:AttachNetworkInterface"
-            ],
-            "Effect": "Allow",
-            "Resource": "*"
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
-    ]
-}
-EOF
+  policy = data.aws_iam_policy_document.predict_updater.json
 }
 
 
@@ -609,51 +596,33 @@ resource "aws_route53_record" "tawhiri_AAAA" {
 
 resource "aws_iam_role" "predictor_update_trigger_lambda" {
   path                 = "/service-role/"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "lambda.amazonaws.com"
-            },
-            "Action": "sts:AssumeRole"
-        }
-    ]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
-resource "aws_iam_role_policy" "predictor_update_trigger_lambda" {
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "ecs:UpdateService",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        }
+data "aws_iam_policy_document" "predictor_update_trigger_lambda" {
+  statement {
+    resources = ["*"]
+    actions   = ["ecs:UpdateService"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
     ]
+  }
 }
-EOF
+
+resource "aws_iam_role_policy" "predictor_update_trigger_lambda" {
+  policy = data.aws_iam_policy_document.predictor_update_trigger_lambda.json
   role   = aws_iam_role.predictor_update_trigger_lambda.name
 }
 
diff --git a/recovered.tf b/recovered.tf
index 8e637f6..33e33c4 100644
--- a/recovered.tf
+++ b/recovered.tf
@@ -2,59 +2,44 @@
 resource "aws_iam_role" "recovered" {
   path                 = "/service-role/"
   name                 = "recovered"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
+data "aws_iam_policy_document" "recovered" {
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["es:*"]
+  }
+
+  statement {
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+
+    actions = ["secretsmanager:GetSecretValue"]
+  }
+}
 
 resource "aws_iam_role_policy" "recovered" {
   name   = "recovered"
   role   = aws_iam_role.recovered.name
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "*"
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
-    ]
-}
-EOF
+  policy = data.aws_iam_policy_document.recovered.json
 }
 
 
diff --git a/sqs_to_elk.tf b/sqs_to_elk.tf
index 8a083e6..9e4f4fb 100644
--- a/sqs_to_elk.tf
+++ b/sqs_to_elk.tf
@@ -1,64 +1,49 @@
 resource "aws_iam_role" "sqs_to_elk" {
   path                 = "/service-role/"
   name                 = "sqs-to-elk"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
+data "aws_iam_policy_document" "sqs_to_elk" {
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
+    actions   = ["logs:CreateLogGroup"]
+  }
+
+  statement {
+    resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["es:*"]
+  }
+
+  statement {
+    resources = ["*"]
+    actions   = ["sqs:*"]
+  }
+
+  statement {
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+
+    actions = ["secretsmanager:GetSecretValue"]
+  }
+}
 
 resource "aws_iam_role_policy" "sqs_to_elk" {
   name   = "sqs_to_elk"
   role   = aws_iam_role.sqs_to_elk.name
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": "es:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sqs:*",
-            "Resource": "*"
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
-    ]
-}
-EOF
+  policy = data.aws_iam_policy_document.sqs_to_elk.json
 }
 
 resource "aws_lambda_function" "sqs_to_elk" {
@@ -103,44 +88,44 @@ resource "aws_sqs_queue" "sqs_to_elk" {
 
   redrive_policy = jsonencode(
     {
-      deadLetterTargetArn = "arn:aws:sqs:us-east-1:143841941773:to-elk-dlq"
+      deadLetterTargetArn = "arn:aws:sqs:us-east-1:${data.aws_caller_identity.current.account_id}:to-elk-dlq"
       maxReceiveCount     = 100
     }
   )
   visibility_timeout_seconds = 10
 }
 
-resource "aws_sqs_queue_policy" "sqs_to_elk" {
-  queue_url = aws_sqs_queue.sqs_to_elk.id
-  policy    = <<EOF
-{
-  "Version": "2008-10-17",
-  "Id": "__default_policy_ID",
-  "Statement": [
-    {
-      "Sid": "__owner_statement",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-      },
-      "Action": "SQS:*",
-      "Resource": "${aws_sqs_queue.sqs_to_elk.arn}"
-    },
-    {
-      "Sid": "to-elk",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "SQS:SendMessage",
-      "Resource": "${aws_sqs_queue.sqs_to_elk.arn}",
-      "Condition": {
-        "ArnLike": {
-          "aws:SourceArn": "${aws_sns_topic.sonde_telem.arn}"
-        }
-      }
+data "aws_iam_policy_document" "sqs_to_elk_queue_policy" {
+  statement {
+    sid       = "__owner_statement"
+    resources = ["${aws_sqs_queue.sqs_to_elk.arn}"]
+    actions   = ["SQS:*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+
+  statement {
+    sid       = "to-elk"
+    resources = ["${aws_sqs_queue.sqs_to_elk.arn}"]
+    actions   = ["SQS:SendMessage"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["${aws_sns_topic.sonde_telem.arn}"]
+    }
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
     }
-  ]
+  }
 }
-EOF
+
+resource "aws_sqs_queue_policy" "sqs_to_elk" {
+  queue_url = aws_sqs_queue.sqs_to_elk.id
+  policy    = data.aws_iam_policy_document.sqs_to_elk_queue_policy.json
 }
diff --git a/websockets.tf b/websockets.tf
index 5e72135..864b709 100644
--- a/websockets.tf
+++ b/websockets.tf
@@ -8,18 +8,7 @@ resource "aws_apigatewayv2_route" "sign_socket" {
 
 resource "aws_iam_role" "sign_socket" {
   name                 = "sign_socket"
-  assume_role_policy   = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "lambda.amazonaws.com"
-        },
-        "Action": "sts:AssumeRole"
-    }]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   max_session_duration = 3600
 }
 
@@ -236,7 +225,7 @@ resource "aws_ecs_task_definition" "ws_reader_ec2" {
   ]
 
   tags          = {}
-  task_role_arn = "arn:aws:iam::143841941773:role/ws"
+  task_role_arn = aws_iam_role.ws.arn
 
 
   volume {
@@ -333,14 +322,14 @@ resource "aws_ecs_task_definition" "ws" {
     ]
   )
   cpu                = "256"
-  execution_role_arn = "arn:aws:iam::143841941773:role/ws"
+  execution_role_arn = aws_iam_role.ws.arn
   memory             = "512"
   network_mode       = "awsvpc"
   requires_compatibilities = [
     "FARGATE",
   ]
   tags          = {}
-  task_role_arn = "arn:aws:iam::143841941773:role/ws"
+  task_role_arn = aws_iam_role.ws.arn
 
 
   volume {
@@ -527,34 +516,9 @@ resource "aws_security_group_rule" "ws_writer_lightsail_lb" {
   cidr_blocks       = ["172.26.0.0/16"]
 }
 
-# resource "aws_s3_bucket" "ws" {
-#   bucket = "sondehub-ws-config"
-#   acl    = "private"
-#   versioning {
-#     enabled = true
-#   }
-#   lifecycle {
-#     ignore_changes = [bucket]
-#   }
-# }
-
 resource "aws_iam_role" "ecs_execution" {
   name                 = "ecsTaskExecutionRole"
-  assume_role_policy   = <<EOF
-{
-  "Version": "2008-10-17",
-  "Statement": [
-    {
-      "Sid": "",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "ecs-tasks.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.ecs_task_assume_role_policy.json
   max_session_duration = 3600
 }
 
@@ -563,105 +527,76 @@ resource "aws_iam_role_policy_attachment" "ecs_execution" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
+data "aws_iam_policy_document" "efs" {
+  statement {
+    resources = ["*"]
+    actions   = ["elasticfilesystem:*"]
+  }
+}
+
 resource "aws_iam_role_policy" "efs" {
   name = "EFS"
   role = aws_iam_role.ecs_execution.id
 
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "VisualEditor0",
-            "Effect": "Allow",
-            "Action": "elasticfilesystem:*",
-            "Resource": "*"
-        }
-    ]
+  policy = data.aws_iam_policy_document.efs.json
 }
-EOF
+
+data "aws_iam_policy_document" "ws_secrets" {
+  statement {
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
+
+    actions = ["secretsmanager:GetSecretValue"]
+  }
 }
 
 resource "aws_iam_role_policy" "secrets" {
   name = "secrests"
   role = aws_iam_role.ecs_execution.id
 
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
-    ]
+  policy = data.aws_iam_policy_document.ws_secrets.json
 }
-EOF
+
+data "aws_iam_policy_document" "websocket_ssm" {
+  statement {
+    resources = ["*"]
+
+    actions = [
+      "ssmmessages:CreateControlChannel",
+      "ssmmessages:CreateDataChannel",
+      "ssmmessages:OpenControlChannel",
+      "ssmmessages:OpenDataChannel",
+    ]
+  }
 }
 
 resource "aws_iam_role_policy" "ssm" {
   name = "SSM"
   role = aws_iam_role.ecs_execution.id
 
-  policy = jsonencode(
-    {
-      Statement = [
-        {
-          Action = [
-            "ssmmessages:CreateControlChannel",
-            "ssmmessages:CreateDataChannel",
-            "ssmmessages:OpenControlChannel",
-            "ssmmessages:OpenDataChannel",
-          ]
-          Effect   = "Allow"
-          Resource = "*"
-        }
-      ]
-      Version = "2012-10-17"
-    }
-  )
+  policy = data.aws_iam_policy_document.websocket_ssm.json
+}
+
+data "aws_iam_policy_document" "ws_kms" {
+  statement {
+    resources = ["*"]
+    actions   = ["kms:*"]
+  }
 }
 
 resource "aws_iam_role_policy" "kms" {
   name = "kms"
   role = aws_iam_role.ecs_execution.id
 
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "VisualEditor0",
-            "Effect": "Allow",
-            "Action": "kms:*",
-            "Resource": "*"
-        }
-    ]
-}
-EOF
+  policy = data.aws_iam_policy_document.ws_kms.json
 }
 
 resource "aws_iam_role" "ws" {
   name                 = "ws"
   description          = "Allows EC2 instances to call AWS services on your behalf."
-  assume_role_policy   = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "ecs-tasks.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-EOF
+  assume_role_policy   = data.aws_iam_policy_document.ecs_task_assume_role_policy.json
   max_session_duration = 3600
 }
 
@@ -670,68 +605,36 @@ resource "aws_iam_role_policy_attachment" "ws" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
-resource "aws_iam_role_policy" "s3_config" {
-  name = "s3-config"
-  role = aws_iam_role.ws.id
-
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "VisualEditor0",
-            "Effect": "Allow",
-            "Action": [
-                "s3:GetObjectAcl",
-                "s3:GetObject",
-                "s3:ListBucket"
-            ],
-            "Resource": [
-                "arn:aws:s3:::sondehub-ws-config",
-                "arn:aws:s3:::sondehub-ws-config/*"
-            ]
-        },
-        {
-          "Action": [
-            "secretsmanager:GetSecretValue"
-          ],
-          "Effect": "Allow",
-          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
-        }
+data "aws_iam_policy_document" "ws_s3_config" {
+  statement {
+    resources = [
+      "arn:aws:s3:::sondehub-ws-config",
+      "arn:aws:s3:::sondehub-ws-config/*",
     ]
-}
-EOF
-}
-
-# resource "aws_appautoscaling_target" "ws_reader" {
-#   service_namespace  = "ecs"
-#   scalable_dimension = "ecs:service:DesiredCount"
-#   resource_id        = "service/ws/ws-reader"
-#   min_capacity       = 0
-#   max_capacity       = 0
-# }
 
-# resource "aws_appautoscaling_policy" "ws_reader" {
-#   name               = "ws-reader-tt"
-#   service_namespace  = aws_appautoscaling_target.ws_reader.service_namespace
-#   scalable_dimension = aws_appautoscaling_target.ws_reader.scalable_dimension
-#   resource_id        = aws_appautoscaling_target.ws_reader.resource_id
-#   policy_type        = "TargetTrackingScaling"
+    actions = [
+      "s3:GetObjectAcl",
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+  }
 
-#   target_tracking_scaling_policy_configuration {
-#     predefined_metric_specification {
-#       predefined_metric_type = "ECSServiceAverageCPUUtilization"
-#     }
+  statement {
+    resources = [
+      aws_secretsmanager_secret.mqtt.arn,
+      aws_secretsmanager_secret.radiosondy.arn,
+    ]
 
-#     target_value       = 60
-#     scale_in_cooldown  = 200
-#     scale_out_cooldown = 200
-#   }
-# }
+    actions = ["secretsmanager:GetSecretValue"]
+  }
+}
 
-# TODO
-# s3 config bucket
+resource "aws_iam_role_policy" "s3_config" {
+  name = "s3-config"
+  role = aws_iam_role.ws.id
 
+  policy = data.aws_iam_policy_document.ws_s3_config.json
+}
 
 
 resource "aws_route53_record" "ws_reader_CNAME" {