ELI-577: Fixes permissions for test

shweta-nhs · shweta-nhs · commit 6e49c9f7fc48 · 2026-01-15T16:01:26.000Z
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -291,7 +291,8 @@ resource "aws_iam_policy" "api_infrastructure" {
           # CloudWatch Logs subscription filters for CSOC forwarding
           "logs:PutSubscriptionFilter",
           "logs:DeleteSubscriptionFilter",
-          "logs:DescribeSubscriptionFilters"
+          "logs:DescribeSubscriptionFilters",
+          "logs:PutRetentionPolicy"
         ],
         Resource = [
           # VPC Flow Logs
@@ -429,7 +430,9 @@ resource "aws_iam_policy" "api_infrastructure" {
           # State Machine
           "states:DescribeStateMachine",
           "states:ListStateMachineVersions",
-          "states:ListTagsForResource"
+          "states:ListTagsForResource",
+          "states:ValidateStateMachineDefinition",
+          "states:CreateStateMachine"
         ],
 
 
@@ -452,7 +455,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
           "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
           "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*",
-          "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:SecretRotationWorkflow",
+          "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:*",
         ]
       },
     ]
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -256,7 +256,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # State Machine management
       "states:DescribeStateMachine",
       "states:ListStateMachineVersions",
-      "states:ListTagsForResource"
+      "states:ListTagsForResource",
+      "states:ValidateStateMachineDefinition",
+      "states:CreateStateMachine"
     ]
 
     resources = ["*"]
