From 33a630fd0711251df4d223919011c3569a8feaad Mon Sep 17 00:00:00 2001
From: Edd Almond
Date: Wed, 23 Jul 2025 10:16:22 +0100
Subject: [PATCH 1/2] bugfix - Github action needs permission to modify public access block

---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 78e909d86..f364c77f4 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -238,6 +238,7 @@ resource "aws_iam_policy" "api_infrastructure" {
  "ec2:ReplaceNetworkAclAssociation",
  "ec2:DeleteSecurityGroup",
  "ec2:DeleteNetworkAcl",
+ "ec2:ModifyVpcBlockPublicAccessOptions",
  # ssm
  "ssm:GetParameter",

From 9b16ba0270d093cbc50d3dc5c1dbcf2b80789ada Mon Sep 17 00:00:00 2001
From: Edd Almond
Date: Wed, 23 Jul 2025 11:14:17 +0100
Subject: [PATCH 2/2] bugfix - changing permission to be wildcard resource, as it's an account level permission

---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index f364c77f4..1227415e7 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -190,6 +190,7 @@ resource "aws_iam_policy" "api_infrastructure" {
  "ssm:DescribeParameters",
  "ec2:Describe*",
  "ec2:DescribeVpcs",
+ "ec2:ModifyVpcBlockPublicAccessOptions",
  # API Gateway domain and deployment
  "apigateway:*",
  # ACM for certs
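Review bot: `ec2:ModifyVpcBlockPublicAccessOptions` is added (patch 2/2, hunk at line 190) to the statement whose `Resource = "*"` and `#checkov:skip=CKV_AWS_289` appear in the following hunk, so the GitHub Actions role can now change the account-wide VPC Block Public Access mode — a network guardrail rather than a per-deployment resource — and nothing in the hunk records which mode the pipeline sets or why it must. A comment beside the action, e.g. `# account-level VPC BPA setting; pipeline sets it for <STACK> (see <TICKET>)` with the placeholders filled in, would keep that justification next to the grant and next to the checkov skip that already exists for the wildcard resource. If the workflow only needs to read the current mode, the Get-prefixed read action (`ec2:GetVpcBlockPublicAccessOptions`, which the `ec2:Describe*` entry in this hunk does not match) would be sufficient and avoids giving CI the ability to relax the control. Because a compromised workflow run could switch the setting off, consider pinning the allowed mode with an SCP (or a `Condition` on this statement, if the action supports a suitable condition key) and alerting on `ModifyVpcBlockPublicAccessOptions` CloudTrail events issued by this role. The enclosing `aws_iam_policy.api_infrastructure` resource starts and ends outside the hunk.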
@@ -204,6 +205,7 @@ resource "aws_iam_policy" "api_infrastructure" {
  "logs:PutLogEvents",
  # IAM PassRole for logging role association (if needed)
  "iam:PassRole"
+
  ],
  Resource = "*"
  #checkov:skip=CKV_AWS_289: Actions require wildcard resource
@@ -238,7 +240,6 @@ resource "aws_iam_policy" "api_infrastructure" {
  "ec2:ReplaceNetworkAclAssociation",
  "ec2:DeleteSecurityGroup",
  "ec2:DeleteNetworkAcl",
- "ec2:ModifyVpcBlockPublicAccessOptions",
  # ssm
  "ssm:GetParameter",