Merge branch 'main' into feature/ELI-707-enforce-codeowners

TOEL2 · web-flow · commit a3b4ad3132d3 · 2026-04-01T12:15:39.000+01:00
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
@@ -66,6 +66,17 @@ jobs:
         with:
           terraform_version: ${{ needs.metadata.outputs.terraform_version }}
 
+      - name: "Configure AWS Credentials (IAM Bootstrap Role)"
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-iam-bootstrap-role
+          aws-region: eu-west-2
+
+      - name: "Deploy IAM roles (iams-developer-roles stack)"
+        working-directory: ./infrastructure
+        run: |
+          make terraform env=test stack=iams-developer-roles tf-command=apply workspace=default
+
       - name: "Configure AWS Credentials"
         uses: aws-actions/configure-aws-credentials@v6
         with:
diff --git a/infrastructure/stacks/api-layer/s3_buckets.tf b/infrastructure/stacks/api-layer/s3_buckets.tf
@@ -60,7 +60,7 @@ module "s3_dq_metrics_bucket" {
 
 module "s3_cloudtrail_bucket" {
   source       = "../../modules/s3"
-  bucket_name  = "eli-cloudwatch-logs"
+  bucket_name  = "eli-cloudwatch"
   environment  = var.environment
   project_name = var.project_name
   stack_name   = local.stack_name
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -235,10 +235,10 @@ resource "aws_iam_policy" "s3_management" {
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics/*",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs/*",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs/*",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs/*",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch/*",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-access-logs",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-access-logs/*",
         ]
       }
     ]

Original file line number	Diff line number	Diff line change
`@@ -235,10 +235,10 @@ resource "aws_iam_policy" "s3_management" {`
`235`	`235`	`"arn:aws:s3:::eligibility-signposting-api-${var.environment}-dq-metrics/",`
`236`	`236`	`"arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs",`
`237`	`237`	`"arn:aws:s3:::eligibility-signposting-api-${var.environment}-dq-metrics-access-logs/",`
`238`		`- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs",`
`239`		`- "arn:aws:s3:::eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs/",`
`240`		`- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs",`
`241`		`- "arn:aws:s3:::eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs/",`
	`238`	`+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch",`
	`239`	`+ "arn:aws:s3:::eligibility-signposting-api-${var.environment}-eli-cloudwatch/",`
	`240`	`+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-access-logs",`
	`241`	`+ "arn:aws:s3:::eligibility-signposting-api-${var.environment}-eli-cloudwatch-access-logs/",`
`242`	`242`	`]`
`243`	`243`	`}`
`244`	`244`	`]`