[ELI-731] addressing comments

TOEL2 · TOEL2 · commit d20d6ad0528d · 2026-04-21T08:37:27.000+01:00
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -852,11 +852,9 @@ data "aws_iam_policy_document" "regression_test_permissions" {
     effect = "Allow"
     actions = [
       "secretsmanager:GetSecretValue",
-      "secretsmanager:PutSecretValue",
-      "secretsmanager:DescribeSecret",
-      "secretsmanager:UpdateSecretVersionStage"
+      "secretsmanager:DescribeSecret"
       ]
-    resources = ["*"]
+    resources = ["arn:aws:secretsmanager:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:secret:eligibility-signposting-api-*"]
   }
 
   statement {
@@ -900,10 +898,7 @@ data "aws_iam_policy_document" "regression_test_permissions" {
       "ssm:GetParametersByPath"
     ]
     resources = [
-      "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*",
-      "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",
-      "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/ptl/*",
-      "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/prod/*"
+      "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*"
     ]
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -852,11 +852,9 @@ data "aws_iam_policy_document" "regression_test_permissions" {`
`852`	`852`	`effect = "Allow"`
`853`	`853`	`actions = [`
`854`	`854`	`"secretsmanager:GetSecretValue",`
`855`		`- "secretsmanager:PutSecretValue",`
`856`		`- "secretsmanager:DescribeSecret",`
`857`		`- "secretsmanager:UpdateSecretVersionStage"`
	`855`	`+ "secretsmanager:DescribeSecret"`
`858`	`856`	`]`
`859`		`- resources = ["*"]`
	`857`	`+ resources = ["arn:aws:secretsmanager:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:secret:eligibility-signposting-api-*"]`
`860`	`858`	`}`
`861`	`859`
`862`	`860`	`statement {`
`@@ -900,10 +898,7 @@ data "aws_iam_policy_document" "regression_test_permissions" {`
`900`	`898`	`"ssm:GetParametersByPath"`
`901`	`899`	`]`
`902`	`900`	`resources = [`
`903`		`- "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*",`
`904`		`- "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",`
`905`		`- "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/ptl/*",`
`906`		`- "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/prod/*"`
	`901`	`+ "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*"`
`907`	`902`	`]`
`908`	`903`	`}`
`909`	`904`	`}`