eli-204 finessing permissions and boundary permissions

eddalmond1 · eddalmond1 · commit 4923a2d86d1b · 2025-05-29T10:12:33.000+01:00
diff --git a/infrastructure/stacks/api-layer/iam_roles.tf b/infrastructure/stacks/api-layer/iam_roles.tf
@@ -1,8 +1,4 @@
 
-data "aws_iam_policy" "permissions_boundary" {
-  arn = "arn:aws:iam::${local.current_account_id}:policy/${upper(var.project_name)}-PermissionsBoundary"
-}
-
 
 # Lambda trust policy
 data "aws_iam_policy_document" "lambda_assume_role" {
@@ -30,12 +26,12 @@ data "aws_iam_policy_document" "dps_assume_role" {
 resource "aws_iam_role" "eligibility_lambda_role" {
   name                 = "eligibility_lambda-role${terraform.workspace == "default" ? "" : "-${terraform.workspace}"}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role.json
-  permissions_boundary = data.aws_iam_policy.permissions_boundary.arn
+  permissions_boundary = data.aws_iam_policy.assumed_role_permissions_boundary.arn
 }
 
 
 resource "aws_iam_role" "write_access_role" {
   name                 = "external-write-role-${terraform.workspace == "default" ? "" : "-${terraform.workspace}"}"
   assume_role_policy   = data.aws_iam_policy_document.dps_assume_role.json
-  permissions_boundary = data.aws_iam_policy.permissions_boundary.arn
+  permissions_boundary = data.aws_iam_policy.assumed_role_permissions_boundary.arn
 }
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -81,6 +81,8 @@ resource "aws_iam_policy" "api_infrastructure" {
 
           # acm
           "acm:ListCertificates",
+          "acm:DescribeCertificate",
+          "acm:GetCertificate",
         ],
 
 
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -45,6 +45,20 @@ data "aws_iam_policy_document" "permissions_boundary" {
     }
   }
 
+  # Allow access to IAM actions for us-east-1 region only
+  statement {
+    sid       = "AllowIamActionsInUsEast1"
+    effect    = "Allow"
+    actions   = ["iam:*"]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestedRegion"
+      values   = ["us-east-1"]
+    }
+  }
+
   statement {
     sid       = "DenyPrivEsculationViaIamRoles"
     effect    = "Deny"
