github roles

Author: Karthikeyannhs

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -65,11 +65,14 @@ resource "aws_iam_policy" "lambda_management" {
           "lambda:GetPolicy",
           "lambda:GetAlias",
           "lambda:GetFunction",
-          "lambda:GetProvisionedConcurrencyConfig"
+          "lambda:GetProvisionedConcurrencyConfig",
+          "lambda:GetLayerVersion",
+          "lambda:PutProvisionedConcurrencyConfig"
         ],
         Resource = [
           "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api",
-          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*"
+          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*",
+          "arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension:*"
         ]
       }
     ]

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -152,6 +152,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "lambda:GetPolicy",
       "lambda:GetAlias",
       "lambda:GetProvisionedConcurrencyConfig",
+      "lambda:GetLayerVersion",
+      "lambda:PutProvisionedConcurrencyConfig",
 
       # CloudWatch Logs - log management
       "logs:CreateLogGroup",