From 3abcfef5d78dc582aeb28a61acdcd168eaf63b80 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Fri, 4 Jul 2025 15:57:57 +0100
Subject: [PATCH] github role permissions - reduced

---
 .../iams-developer-roles/github_actions_policies.tf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 2cf94cf87..78e909d86 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -13,7 +13,8 @@ resource "aws_iam_policy" "terraform_state" {
 "s3:ListBucket",
 "s3:GetObject",
 "s3:PutObject",
- "s3:DeleteObject"
+ "s3:DeleteObject",
+ "s3:GetObject"
 ],
 Resource = [
 "${local.terraform_state_bucket_arn}",
@@ -147,6 +148,7 @@ resource "aws_iam_policy" "s3_management" {
 "s3:PutBucketLogging",
 "s3:GetObjectTagging",
 "s3:PutObjectTagging",
+ "s3:GetObjectVersion"
 ],
 Resource = [
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules",
@@ -296,9 +298,13 @@ resource "aws_iam_policy" "kms_creation" {
 Effect = "Allow",
 Action = [
 "kms:CreateKey",
+ "kms:DescribeKey",
 "kms:CreateAlias",
 "kms:List*",
 "kms:ListAliases",
+ "kms:Decrypt",
+ "kms:Encrypt",
+ "kms:ReEncrypt*",
 ],
 Resource = "*"
 },
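Review bot: The added `"s3:GetObject"` in the terraform_state hunk is a duplicate — the same action is already listed two lines above `"s3:PutObject"` in the same Action array, so the line grants nothing new and just adds noise to the policy document. Drop the added line and keep only the trailing-comma change, i.e. the hunk should reduce to `"s3:DeleteObject",`. Note also that the commit subject says permissions were "reduced", yet every hunk in this patch only adds actions; the subject should describe the actual change so the IAM history is not misleading. The terraform_state statement and its Resource list continue outside the hunk.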
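Review bot: `"s3:GetObjectVersion"` is an object-level action, and the only Resource entry visible in the s3_management hunk is a bucket ARN (`arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules`); unless the Resource list, which continues outside the hunk, also carries the matching `.../eli-rules/*` object ARN, the new action will never match and the grant is dead. Please confirm the object ARN is present, and add it alongside the bucket ARN if it is not. As a point of style, the new element is the only one in this list without a trailing comma while the kms_creation hunk adds its elements with one, so `"s3:GetObjectVersion",` would keep the two lists consistent.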
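Review bot: Adding `kms:Decrypt`, `kms:Encrypt` and `kms:ReEncrypt*` to a statement whose Resource is `"*"` lets the GitHub Actions role use every KMS key in the account, not just the ones this stack creates — that is a data-plane grant on arbitrary keys inside a policy named kms_creation, and it is the opposite of the "reduced" permissions the commit title announces. Move the three crypto actions into a separate statement whose Resource is the ARN(s) of the keys the workflow actually needs, or, if the key ARNs are not known at plan time, constrain it with a condition on the key alias such as `Condition = { "ForAnyValue:StringLike" = { "kms:ResourceAliases" = ["alias/<this-stack's-alias-prefix>*"] } }` (the alias pattern is a placeholder to confirm against the aliases this stack creates). Separately, `kms:ListAliases` is already covered by the `kms:List*` entry immediately above it and can be removed. The enclosing statement and the aws_iam_policy resource open before the hunk.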