From 6e6a0c7e897f89689f64e526b9fb1d37082a3617 Mon Sep 17 00:00:00 2001
From: Shweta <216860557+shweta-nhs@users.noreply.github.com>
Date: Thu, 15 Jan 2026 15:15:31 +0000
Subject: [PATCH 1/3] ELI-577: Fixes permissions for test

---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 4 +++-
 .../stacks/iams-developer-roles/iams_permissions_boundary.tf | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 1619a8bc0..7bbfbbe3e 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -70,6 +70,7 @@ resource "aws_iam_policy" "lambda_management" {
 "lambda:PutProvisionedConcurrencyConfig",
 "lambda:DeleteProvisionedConcurrencyConfig",
 "lambda:ListProvisionedConcurrencyConfigs",
+ "lambda:PutFunctionConcurrency",
 ],
 Resource = [
@@ -304,7 +305,8 @@ resource "aws_iam_policy" "api_infrastructure" {
 # WAF v2 logs (both naming conventions)
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*",
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-wafv2-logs-*",
- "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*"
+ "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*",
+ "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/stepfunctions/*"
 ]
 },
 {
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 359c90445..9ae6ccc5f 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
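Review bot: `lambda:PutFunctionConcurrency` is added to `lambda_management` without a comment recording its scope, and this action sets a function's reserved concurrency — a value of 0 stops the function being invoked at all — so its blast radius is exactly the function ARNs in the `Resource = [` list that continues outside this hunk. If that list is already limited to this project's functions the grant is reasonable; a line such as `# PutFunctionConcurrency can throttle a function to zero; Resource below must stay limited to project functions` would record the intent for the next reviewer. The mirror addition in `iams_permissions_boundary.tf` (hunk `@@ -171`) is consistent with this one and needs no separate change.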
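Review bot: The new `/aws/stepfunctions/*` log-group ARN is placed directly under the `# WAF v2 logs (both naming conventions)` comment, so that comment no longer describes the entries that follow it; add `# Step Functions execution logs` above the new line. The pattern also matches every Step Functions log group in the account rather than only those belonging to this project's state machines; if the log groups follow a project naming convention, `log-group:/aws/stepfunctions/<project-prefix>-*` (placeholder prefix) keeps the grant to the workflows this role deploys. The enclosing `Resource` list and its statement start outside the hunk.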
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -171,6 +171,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
 "lambda:PutProvisionedConcurrencyConfig",
 "lambda:DeleteProvisionedConcurrencyConfig",
 "lambda:ListProvisionedConcurrencyConfigs",
+ "lambda:PutFunctionConcurrency",
 # CloudWatch Logs - log management
 "logs:*",

From 6e49c9f7fc48a61df7fc948c7657a74e1dd8a413 Mon Sep 17 00:00:00 2001
From: Shweta <216860557+shweta-nhs@users.noreply.github.com>
Date: Thu, 15 Jan 2026 16:01:26 +0000
Subject: [PATCH 2/3] ELI-577: Fixes permissions for test

---
 .../iams-developer-roles/github_actions_policies.tf | 9 ++++++---
 .../iams-developer-roles/iams_permissions_boundary.tf | 4 +++-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 7bbfbbe3e..9c92546fd 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -291,7 +291,8 @@ resource "aws_iam_policy" "api_infrastructure" {
 # CloudWatch Logs subscription filters for CSOC forwarding
 "logs:PutSubscriptionFilter",
 "logs:DeleteSubscriptionFilter",
- "logs:DescribeSubscriptionFilters"
+ "logs:DescribeSubscriptionFilters",
+ "logs:PutRetentionPolicy"
 ],
 Resource = [
 # VPC Flow Logs
@@ -429,7 +430,9 @@ resource "aws_iam_policy" "api_infrastructure" {
 # State Machine
 "states:DescribeStateMachine",
 "states:ListStateMachineVersions",
- "states:ListTagsForResource"
+ "states:ListTagsForResource",
+ "states:ValidateStateMachineDefinition",
+ "states:CreateStateMachine"
 ],
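Review bot: `logs:PutRetentionPolicy` is granted over the same `Resource` list that holds the security log groups (the `# VPC Flow Logs` entry that follows and the WAF log groups named elsewhere in this statement), so the deployment role can shorten retention on logs forwarded to CSOC, not only on the application log groups it manages. If that is not intended, move `logs:PutRetentionPolicy` into a separate statement whose `Resource` names only the application log groups, or add a comment recording that retention on the security log groups is governed elsewhere. The permissions boundary does not narrow this, since it allows `logs:*` (visible in the `@@ -171` hunk of `iams_permissions_boundary.tf`). The statement's `Resource` list continues outside the hunk.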
@@ -452,7 +455,7 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
 "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
 "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*",
- "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:SecretRotationWorkflow",
+ "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:*",
 ]
 },
 ]
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 9ae6ccc5f..767cb82ce 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -256,7 +256,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
 # State Machine management
 "states:DescribeStateMachine",
 "states:ListStateMachineVersions",
- "states:ListTagsForResource"
+ "states:ListTagsForResource",
+ "states:ValidateStateMachineDefinition",
+ "states:CreateStateMachine"
 ]
 resources = ["*"]

From 47a0901a3199182fa9f7f086969998b89bc1a6be Mon Sep 17 00:00:00 2001
From: Shweta <216860557+shweta-nhs@users.noreply.github.com>
Date: Thu, 15 Jan 2026 16:08:24 +0000
Subject: [PATCH 3/3] ELI-577: Fixes permissions for test

---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 3 ++-
 .../stacks/iams-developer-roles/iams_permissions_boundary.tf | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 9c92546fd..ea0105a33 100644
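Review bot: Replacing `stateMachine:SecretRotationWorkflow` with `stateMachine:*` widens this statement from one named workflow to every state machine in the account, and the same policy now carries `states:CreateStateMachine` (hunk `@@ -429` above), so the role can create and describe state machines belonging to other stacks, plus whatever other `states:` actions the Action list holds outside this hunk. If the new workflows follow the project's naming convention, `stateMachine:<project-prefix>-*` (placeholder) keeps the least-privilege shape the removed line had while still covering more than one workflow. It is worth a comment next to `states:CreateStateMachine` noting that the execution roles a new state machine may assume are bounded by the role's `iam:PassRole` grant, which is not visible here, rather than by this ARN. The permissions-boundary hunk (`@@ -256`) keeps `resources = ["*"]`, so the scoping must live in this policy.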
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -432,7 +432,8 @@ resource "aws_iam_policy" "api_infrastructure" {
 "states:ListStateMachineVersions",
 "states:ListTagsForResource",
 "states:ValidateStateMachineDefinition",
- "states:CreateStateMachine"
+ "states:CreateStateMachine",
+ "states:TagResource"
 ],
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 767cb82ce..615072e80 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -258,7 +258,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
 "states:ListStateMachineVersions",
 "states:ListTagsForResource",
 "states:ValidateStateMachineDefinition",
- "states:CreateStateMachine"
+ "states:CreateStateMachine",
+ "states:TagResource"
 ]
 resources = ["*"]
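Review bot: `states:TagResource` is added to the boundary with `resources = ["*"]` and, in the matching `github_actions_policies.tf` hunk (`@@ -432`), to a statement whose state-machine ARN was changed to `stateMachine:*` in the previous patch, so the role can retag any state machine in the account. If tags drive cost allocation or `aws:ResourceTag`-based access decisions, that lets the deployment role alter who else can reach those resources; a project-prefixed ARN in the policy (placeholder `stateMachine:<project-prefix>-*`) or an `aws:TagKeys` condition on this action limits it. A short comment above `states:TagResource`, such as `# tags applied at CreateStateMachine time; scoped by the state machine ARN in the policy`, would record why it is needed. The closing of both statements lies outside the hunks.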