ELI-597: Adds permissions for github role (#542)

shweta-nhs · web-flow · commit 7c09013918f0 · 2026-01-12T21:08:04.000Z
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -269,7 +269,9 @@ resource "aws_iam_policy" "api_infrastructure" {
           "logs:CreateLogDelivery",
           "logs:DeleteLogDelivery",
           # IAM service-linked role for WAF logging
-          "iam:CreateServiceLinkedRole"
+          "iam:CreateServiceLinkedRole",
+          # IAM to list tags
+          "logs:ListTagsForResource"
 
         ],
         Resource = "*"
@@ -569,7 +571,11 @@ resource "aws_iam_policy" "iam_management" {
           # Eventbridge to firehose role
           "arn:aws:iam::*:role/*-eventbridge-to-firehose-role*",
           # Firehose splunk role
-          "arn:aws:iam::*:role/splunk-firehose-role"
+          "arn:aws:iam::*:role/splunk-firehose-role",
+          # Eventbridge invoke step functions role
+          "arn:aws:iam::*:role/eventbridge_invoke_sfn_role",
+          "arn:aws:iam::*:role/secret_rotation_lambda_role",
+          "arn:aws:iam::*:role/secret_rotation_workflow_role"
         ]
       }
     ]
@@ -696,6 +702,7 @@ resource "aws_iam_policy" "cloudwatch_management" {
           "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
           "arn:aws:cloudwatch::${data.aws_caller_identity.current.account_id}:dashboard/Demand_And_Capacity_*",
           "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*",
+          "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:secret-rotation-notifications*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/default-eligibility-signposting-api*",
         ]
       }

Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,9 @@ resource "aws_iam_policy" "api_infrastructure" {`
`269`	`269`	`"logs:CreateLogDelivery",`
`270`	`270`	`"logs:DeleteLogDelivery",`
`271`	`271`	`# IAM service-linked role for WAF logging`
`272`		`- "iam:CreateServiceLinkedRole"`
	`272`	`+ "iam:CreateServiceLinkedRole",`
	`273`	`+ # IAM to list tags`
	`274`	`+ "logs:ListTagsForResource"`
`273`	`275`
`274`	`276`	`],`
`275`	`277`	`Resource = "*"`
`@@ -569,7 +571,11 @@ resource "aws_iam_policy" "iam_management" {`
`569`	`571`	`# Eventbridge to firehose role`
`570`	`572`	`"arn:aws:iam:::role/-eventbridge-to-firehose-role*",`
`571`	`573`	`# Firehose splunk role`
`572`		`- "arn:aws:iam::*:role/splunk-firehose-role"`
	`574`	`+ "arn:aws:iam::*:role/splunk-firehose-role",`
	`575`	`+ # Eventbridge invoke step functions role`
	`576`	`+ "arn:aws:iam::*:role/eventbridge_invoke_sfn_role",`
	`577`	`+ "arn:aws:iam::*:role/secret_rotation_lambda_role",`
	`578`	`+ "arn:aws:iam::*:role/secret_rotation_workflow_role"`
`573`	`579`	`]`
`574`	`580`	`}`
`575`	`581`	`]`
`@@ -696,6 +702,7 @@ resource "aws_iam_policy" "cloudwatch_management" {`
`696`	`702`	`"arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",`
`697`	`703`	`"arn:aws:cloudwatch::${data.aws_caller_identity.current.account_id}:dashboard/Demand_And_Capacity_*",`
`698`	`704`	`"arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*",`
	`705`	`+ "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:secret-rotation-notifications*",`
`699`	`706`	`"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/default-eligibility-signposting-api*",`
`700`	`707`	`]`
`701`	`708`	`}`