github role permissions

Author: Karthikeyannhs

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -13,7 +13,8 @@ resource "aws_iam_policy" "terraform_state" {
           "s3:ListBucket",
           "s3:GetObject",
           "s3:PutObject",
-          "s3:DeleteObject"
+          "s3:DeleteObject",
+          "s3:GetObject"
         ],
         Resource = [
           "${local.terraform_state_bucket_arn}",
@@ -147,6 +148,7 @@ resource "aws_iam_policy" "s3_management" {
           "s3:PutBucketLogging",
           "s3:GetObjectTagging",
           "s3:PutObjectTagging",
+          "s3:GetObjectVersion"
         ],
         Resource = [
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules",
@@ -295,30 +297,41 @@ resource "aws_iam_policy" "kms_creation" {
       {
         Effect = "Allow",
         Action = [
-          "kms:CreateKey",
-          "kms:CreateAlias",
-          "kms:List*",
+          "kms:Decrypt",
+          "kms:Encrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey",
           "kms:ListAliases",
+          "kms:CreateKey",
         ],
         Resource = "*"
       },
       {
         Effect = "Allow",
         Action = [
+          "kms:Create*",
+          "kms:PutKeyPolicy",
+          "kms:GetKeyPolicy",
           "kms:Describe*",
-          "kms:GetKeyPolicy*",
-          "kms:GetKeyRotationStatus",
-          "kms:Decrypt*",
-          "kms:DeleteAlias",
-          "kms:UpdateKeyDescription",
-          "kms:CreateGrant",
-          "kms:TagResource",
+          "kms:List*",
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
           "kms:EnableKeyRotation",
+          "kms:DisableKeyRotation",
           "kms:ScheduleKeyDeletion",
-          "kms:PutKeyPolicy",
-          "kms:Encrypt",
+          "kms:CancelKeyDeletion",
           "kms:TagResource",
-          "kms:GenerateDataKey",
+          "kms:UntagResource",
+          "kms:CreateAlias",
+          "kms:DeleteAlias",
+          "kms:UpdateAlias",
+          "kms:ListAliases",
+          "kms:UpdateKeyDescription",
+          "kms:CreateGrant",
+          "kms:GetKeyRotationStatus"
         ],
         Resource = [
           "arn:aws:kms:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:key/*",
@@ -389,8 +402,8 @@ resource "aws_iam_policy" "iam_management" {
 # Assume role policy document for GitHub Actions
 data "aws_iam_policy_document" "github_actions_assume_role" {
   statement {
-    sid     = "OidcAssumeRoleWithWebIdentity"
-    effect  = "Allow"
+    sid    = "OidcAssumeRoleWithWebIdentity"
+    effect = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
@@ -403,13 +416,13 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values   = ["repo:${var.github_org}/${var.github_repo}:*"]
+      values = ["repo:${var.github_org}/${var.github_repo}:*"]
     }
 
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:aud"
-      values   = ["sts.amazonaws.com"]
+      values = ["sts.amazonaws.com"]
     }
   }
 }