Match development policy to deployment policy

jameslinnell · jameslinnell · commit 7466630b115a · 2025-04-01T10:43:18.000+01:00
diff --git a/scripts/infrastructure/policies/development1-policy.json b/scripts/infrastructure/policies/development1-policy.json
@@ -91,20 +91,6 @@
       ],
       "Resource": ["arn:aws:cloudformation:*:${ACCOUNT_ID}:stack/*/*"]
     },
-    {
-      "Sid": "StepFunctionPermissions",
-      "Effect": "Allow",
-      "Action": [
-        "states:DescribeStateMachine",
-        "states:ListStateMachineVersions",
-        "states:ListTagsForResource",
-        "states:CreateStateMachine",
-        "states:UpdateStateMachine",
-        "states:DeleteStateMachine",
-        "states:TagResource"
-      ],
-      "Resource": ["arn:aws:states:*:${ACCOUNT_ID}:stateMachine:*"]
-    },
     {
       "Sid": "Route53Permissions",
       "Effect": "Allow",
@@ -134,22 +120,6 @@
       ],
       "Resource": ["*"]
     },
-    {
-      "Sid": "EventsPermissions",
-      "Effect": "Allow",
-      "Action": [
-        "events:TagResource",
-        "events:PutRule",
-        "events:DescribeRule",
-        "events:ListTagsForResource",
-        "events:DeleteRule",
-        "events:PutTargets",
-        "events:ListTargetsByRule",
-        "events:RemoveTargets",
-        "events:DisableRule"
-      ],
-      "Resource": ["*"]
-    },
     {
       "Sid": "VpcPermissionsPlan",
       "Effect": "Allow",
@@ -188,22 +158,6 @@
       ],
       "Resource": ["arn:aws:ec2:eu-west-2:${ACCOUNT_ID}:vpc/vpc-*"]
     },
-    {
-      "Sid": "VpcEndpointPermissions",
-      "Effect": "Allow",
-      "Action": [
-        "ec2:CreateVpcEndpoint",
-        "ec2:CreateTags",
-        "ec2:DeleteVpcEndpoints"
-      ],
-      "Resource": ["arn:aws:ec2:eu-west-2:${ACCOUNT_ID}:vpc-endpoint/*"]
-    },
-    {
-      "Sid": "VpcEndpointPermissions2",
-      "Effect": "Allow",
-      "Action": ["ec2:ModifyVpcEndpoint"],
-      "Resource": ["arn:aws:ec2:eu-west-2:${ACCOUNT_ID}:vpc-endpoint/vpce-*"]
-    },
     {
       "Sid": "SubnetPermissions",
       "Effect": "Allow",
@@ -232,7 +186,6 @@
       "Action": [
         "ec2:DeleteSecurityGroup",
         "ec2:RevokeSecurityGroupEgress",
-        "ec2:ModifyVpcEndpoint",
         "ec2:AuthorizeSecurityGroupIngress",
         "ec2:AuthorizeSecurityGroupEgress"
       ],
diff --git a/scripts/infrastructure/policies/development2-policy.json b/scripts/infrastructure/policies/development2-policy.json
@@ -152,17 +152,7 @@
       "Resource": ["arn:aws:s3:::*"]
     },
     {
-      "Sid": "S3ObjectPermissions",
-      "Effect": "Allow",
-      "Action": [
-        "s3:DeleteObject",
-        "s3:DeleteObjectVersion",
-        "s3:DeleteBucket"
-      ],
-      "Resource": ["arn:aws:s3:::*--etl/*"]
-    },
-    {
-      "Sid": "ApigeeSecretsIntegrationPermissions",
+      "Sid": "SecretsIntegrationPermissions",
       "Effect": "Allow",
       "Action": ["secretsmanager:GetSecretValue"],
       "Resource": [
@@ -172,21 +162,6 @@
         "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-etl-notify-slack-webhook-url-*"
       ]
     },
-    {
-      "Sid": "SQSPermissions",
-      "Effect": "Allow",
-      "Action": [
-        "sqs:createqueue",
-        "sqs:tagqueue",
-        "sqs:setqueueattributes",
-        "sqs:getqueueattributes",
-        "sqs:listqueuetags",
-        "sqs:deletequeue",
-        "sqs:PurgeQueue",
-        "sqs:GetQueueUrl"
-      ],
-      "Resource": ["arn:aws:sqs:eu-west-2:${ACCOUNT_ID}:*-sqs*"]
-    },
     {
       "Sid": "EventSourceMappingPermissions",
       "Effect": "Allow",
@@ -218,7 +193,6 @@
         "ssm:DescribeParameters",
         "dynamodb:ListTables",
         "firehose:ListDeliveryStreams",
-        "sqs:listqueues",
         "states:ListStateMachines",
         "events:ListRules",
         "acm:ListCertificates",
@@ -232,6 +206,8 @@
         "SNS:ListTagsForResource",
         "budgets:ModifyBudget",
         "budgets:ViewBudget",
+        "budgets:ListTagsForResource",
+        "budgets:TagResource",
         "SNS:DeleteTopic",
         "SNS:CreateTopic",
         "SNS:TagResource",
