[ELI-702] - expanding github role permissions with new policy

TOEL2 · TOEL2 · commit f4e192481315 · 2026-03-25T20:53:13.000Z
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -709,6 +709,57 @@ resource "aws_iam_policy" "kinesis_management" {
   tags = merge(local.tags, { Name = "kinesis-management" })
 }
 
+resource "aws_iam_policy" "code_signing_management" {
+  name        = "code-signing-management"
+  description = "Allow GitHub Actions to manage Lambda code signing and start Signer jobs"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "LambdaCodeSigningConfigManagement",
+        Effect = "Allow",
+        Action = [
+          "lambda:CreateCodeSigningConfig",
+          "lambda:UpdateCodeSigningConfig",
+          "lambda:DeleteCodeSigningConfig",
+          "lambda:GetCodeSigningConfig",
+          "lambda:ListCodeSigningConfigs",
+          "lambda:GetFunctionCodeSigningConfig"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "SignerJobUsage",
+        Effect = "Allow",
+        Action = [
+          "signer:StartSigningJob",
+          "signer:DescribeSigningJob"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "SignerProfileManagement",
+        Effect = "Allow",
+        Action = [
+          "signer:PutSigningProfile",
+          "signer:GetSigningProfile",
+          "signer:ListSigningProfiles",
+          "signer:ListTagsForResource",
+          "signer:TagResource",
+          "signer:UntagResource",
+          "signer:CancelSigningProfile",
+          "signer:RevokeSignature"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "code-signing-management" })
+}
+
 resource "aws_iam_policy" "cloudwatch_management" {
   #checkov:skip=CKV_AWS_355: GetMetricWidgetImage requires wildcard resource
   #checkov:skip=CKV_AWS_290: GetMetricWidgetImage requires wildcard resource
@@ -828,3 +879,8 @@ resource "aws_iam_role_policy_attachment" "kinesis_management_attach" {
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.kinesis_management.arn
 }
+
+resource "aws_iam_role_policy_attachment" "code_signing_management" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = aws_iam_policy.code_signing_management.arn
+}
