From 9da78633b3490846b6c5281e1f6fdf8c46b6925f Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Tue, 13 Jan 2026 15:20:39 +0000
Subject: [PATCH] [BUG] added to permissions boundry
---
 .../github_actions_policies.tf | 16 ++++++++++++++--
 .../iams_permissions_boundary.tf | 8 +++++++-
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 7ede27455..1619a8bc0 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -75,6 +75,8 @@ resource "aws_iam_policy" "lambda_management" {
 Resource = [
 "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api",
 "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*",
+ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:default-CreatePendingSecretFunction",
+ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:default-PromoteToCurrentFunction",
 "arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension:*"
 ]
 }
@@ -420,7 +422,12 @@ resource "aws_iam_policy" "api_infrastructure" {
 "wafv2:DisassociateWebACL",
 "wafv2:PutLoggingConfiguration",
 "wafv2:GetLoggingConfiguration",
- "wafv2:DeleteLoggingConfiguration"
+ "wafv2:DeleteLoggingConfiguration",
+
+ # State Machine
+ "states:DescribeStateMachine",
+ "states:ListStateMachineVersions",
+ "states:ListTagsForResource"
 ],
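Review bot: The two rotation-function ARNs added to lambda_management's Resource list lack the qualified-ARN (`:*`) companion entry that the neighbouring eligibility_signposting_api function has, and their names suggest they are the Secrets Manager rotation Lambdas; the statement's Action list sits above the hunk, so it is not visible here whether it includes code- or configuration-changing actions such as `lambda:UpdateFunctionCode`. If it does, a holder of this developer role can alter code that runs with the rotation role's access to secret values, which is a far broader grant than the read-only `states:` actions added elsewhere in this commit. Either keep the rotation functions in a separate statement limited to read/invoke-style actions, or record the intent above the entries, e.g. `# Secrets Manager rotation Lambdas (used by SecretRotationWorkflow) — mutating actions here imply access to the rotated secrets`. If version- or alias-qualified operations are expected on these functions, the `:*` entries are also needed; the enclosing resource block starts before the hunk.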
@@ -443,6 +450,7 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
 "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
 "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*",
+ "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:SecretRotationWorkflow",
 ]
 },
 ]
@@ -562,6 +570,9 @@ resource "aws_iam_policy" "iam_management" {
 "arn:aws:iam::*:policy/*PermissionsBoundary",
 "arn:aws:iam::*:policy/*PutSubscriptionFilterPolicy",
 "arn:aws:iam::*:policy/*CWLogsToCSOCDestinationPolicy",
+ "arn:aws:iam::*:policy/rotation_secrets_policy",
+ "arn:aws:iam::*:policy/rotation_sfn_policy",
+ "arn:aws:iam::*:policy/eventbridge_sfn_start_policy",
 # VPC flow logs role
 "arn:aws:iam::*:role/vpc-flow-logs-role",
 # API role
@@ -692,7 +703,8 @@ resource "aws_iam_policy" "cloudwatch_management" {
 "sns:Subscribe",
 "sns:Unsubscribe",
 "sns:ListSubscriptions",
- "sns:ListSubscriptionsByTopic"
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetSubscriptionAttributes"
 ],
 Resource = [
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index ecda1d674..359c90445 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -223,6 +223,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
 "sns:Unsubscribe",
 "sns:ListSubscriptions",
 "sns:ListSubscriptionsByTopic",
+ "sns:GetSubscriptionAttributes",
 # SSM - parameter management
 "ssm:DescribeParameters",
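Review bot: The three rotation policy ARNs inserted into iam_management's Resource list break the list's convention of a `#` heading per group (the adjacent entries are introduced by `# VPC flow logs role` and `# API role`), and their exact names pin this stack to policies created elsewhere, so a rename on that side would silently drop them from the developer role's scope rather than fail. A one-line heading such as `# Secret rotation policies (Lambda, Step Functions, EventBridge start)` above the three entries would keep the list readable and make the coupling visible. The statement's Action list sits above the hunk; if it includes policy-version operations such as `iam:CreatePolicyVersion`, listing policies attached to the rotation roles widens what a developer can grant to those roles, which deserves a sentence in the heading or the commit description. The enclosing resource block starts before and ends after the hunk.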
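Review bot: `sns:GetSubscriptionAttributes` is added to a cloudwatch_management Action list whose Resource list, as far as the hunk shows, begins with a CloudWatch Logs log-group ARN and continues past the hunk, so it is not visible here whether an SNS ARN or `*` is present for the new action. If, like some subscription-level SNS actions, it is not resource-scoped in IAM, it only takes effect against `*`; the same action is added to the permissions boundary in this commit with `resources = ["*"]`, so the boundary will allow it, but whether this identity policy actually grants it depends on the rest of the Resource list. Worth confirming alongside the existing `sns:Unsubscribe` and `sns:ListSubscriptions` entries, which raise the same scoping question, and noting the outcome with a comment such as `# subscription-level SNS actions: confirm the Resource list covers them` where the list is resolved. The enclosing resource block starts before and ends after the hunk.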
@@ -249,7 +250,12 @@ data "aws_iam_policy_document" "permissions_boundary" {
 "wafv2:DeleteLoggingConfiguration",
 # Secret Manager
- "secretsmanager:*"
+ "secretsmanager:*",
+
+ # State Machine management
+ "states:DescribeStateMachine",
+ "states:ListStateMachineVersions",
+ "states:ListTagsForResource"
 ]
 resources = ["*"]