eli-204 more permissions

eddalmond1 · eddalmond1 · commit 2f2d6bbc0fd3 · 2025-05-29T10:48:18.000+01:00
diff --git a/infrastructure/stacks/api-layer/data.tf b/infrastructure/stacks/api-layer/data.tf
@@ -15,6 +15,10 @@ data "aws_acm_certificate" "validation_cert" {
   most_recent = true
 }
 
+data "aws_kms_alias" "networking_ssm_key" {
+  name = "alias/${var.environment}-networking-ssm-parameters"
+}
+
 data "aws_ssm_parameter" "mtls_api_client_cert" {
   name = "/${var.environment}/mtls/api_client_cert"
 }
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -59,9 +59,11 @@ resource "aws_iam_policy" "api_infrastructure" {
           "kms:List*",
           "kms:Describe*",
           "kms:GetKeyPolicy*",
+          "kms:GetKeyRotationStatus",
 
           # Cloudwatch permissions
           "logs:Describe*",
+          "logs:ListTagsForResource",
 
           #EC2 permissions
           "ec2:Describe*",
@@ -83,6 +85,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "acm:ListCertificates",
           "acm:DescribeCertificate",
           "acm:GetCertificate",
+          "acm:ListTagsForCertificate",
         ],
 
 

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,10 @@ data "aws_acm_certificate" "validation_cert" {`
`15`	`15`	`most_recent = true`
`16`	`16`	`}`
`17`	`17`
	`18`	`+data "aws_kms_alias" "networking_ssm_key" {`
	`19`	`+ name = "alias/${var.environment}-networking-ssm-parameters"`
	`20`	`+}`
	`21`	`+`
`18`	`22`	`data "aws_ssm_parameter" "mtls_api_client_cert" {`
`19`	`23`	`name = "/${var.environment}/mtls/api_client_cert"`
`20`	`24`	`}`