eli-445 correcting linting and checkov

eddalmond1 · eddalmond1 · commit 592c858b49ed · 2026-02-16T16:46:08.000Z
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_iam_bootstrap_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_iam_bootstrap_policies.tf
@@ -72,7 +72,11 @@ data "aws_iam_policy_document" "iam_bootstrap_iam_management" {
       "iam:Get*",
       "iam:List*",
     ]
-    resources = ["*"]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/*",
+    ]
   }
 
   # DENY: Prevent modifying the bootstrap role itself
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -357,7 +357,11 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {
       "iam:Get*",
       "iam:List*",
     ]
-    resources = ["*"]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/*",
+    ]
   }
 
   # Allow Terraform state bucket access

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,11 @@ data "aws_iam_policy_document" "iam_bootstrap_iam_management" {`
`72`	`72`	`"iam:Get*",`
`73`	`73`	`"iam:List*",`
`74`	`74`	`]`
`75`		`- resources = ["*"]`
	`75`	`+ resources = [`
	`76`	`+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",`
	`77`	`+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*",`
	`78`	`+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/*",`
	`79`	`+ ]`
`76`	`80`	`}`
`77`	`81`
`78`	`82`	`# DENY: Prevent modifying the bootstrap role itself`
Original file line number	Diff line number	Diff line change
`@@ -357,7 +357,11 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {`
`357`	`357`	`"iam:Get*",`
`358`	`358`	`"iam:List*",`
`359`	`359`	`]`
`360`		`- resources = ["*"]`
	`360`	`+ resources = [`
	`361`	`+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",`
	`362`	`+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*",`
	`363`	`+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/*",`
	`364`	`+ ]`
`361`	`365`	`}`
`362`	`366`
`363`	`367`	`# Allow Terraform state bucket access`