Merge pull request #544 from NHSDigital/ELI-577

ELI-577: Fixes permissions for test

Author: TOEL2

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -70,6 +70,7 @@ resource "aws_iam_policy" "lambda_management" {
           "lambda:PutProvisionedConcurrencyConfig",
           "lambda:DeleteProvisionedConcurrencyConfig",
           "lambda:ListProvisionedConcurrencyConfigs",
+          "lambda:PutFunctionConcurrency",
 
         ],
         Resource = [
@@ -290,7 +291,8 @@ resource "aws_iam_policy" "api_infrastructure" {
           # CloudWatch Logs subscription filters for CSOC forwarding
           "logs:PutSubscriptionFilter",
           "logs:DeleteSubscriptionFilter",
-          "logs:DescribeSubscriptionFilters"
+          "logs:DescribeSubscriptionFilters",
+          "logs:PutRetentionPolicy"
         ],
         Resource = [
           # VPC Flow Logs
@@ -304,7 +306,8 @@ resource "aws_iam_policy" "api_infrastructure" {
           # WAF v2 logs (both naming conventions)
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-wafv2-logs-*",
-          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*"
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/stepfunctions/*"
         ]
       },
       {
@@ -427,7 +430,10 @@ resource "aws_iam_policy" "api_infrastructure" {
           # State Machine
           "states:DescribeStateMachine",
           "states:ListStateMachineVersions",
-          "states:ListTagsForResource"
+          "states:ListTagsForResource",
+          "states:ValidateStateMachineDefinition",
+          "states:CreateStateMachine",
+          "states:TagResource"
         ],
 
 
@@ -450,7 +456,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
           "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
           "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*",
-          "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:SecretRotationWorkflow",
+          "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:*",
         ]
       },
     ]

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -171,6 +171,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "lambda:PutProvisionedConcurrencyConfig",
       "lambda:DeleteProvisionedConcurrencyConfig",
       "lambda:ListProvisionedConcurrencyConfigs",
+      "lambda:PutFunctionConcurrency",
 
       # CloudWatch Logs - log management
       "logs:*",
@@ -255,7 +256,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # State Machine management
       "states:DescribeStateMachine",
       "states:ListStateMachineVersions",
-      "states:ListTagsForResource"
+      "states:ListTagsForResource",
+      "states:ValidateStateMachineDefinition",
+      "states:CreateStateMachine",
+      "states:TagResource"
     ]
 
     resources = ["*"]