eli-413 setting s3 object tagging to ignore tags_all

eddalmond1 · eddalmond1 · commit 23ad76c98bed · 2025-10-03T10:50:34.000+01:00
diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -54,6 +54,12 @@ resource "aws_s3_object" "pem_file" {
   key     = "truststore.pem"
   content = local.pem_file_content
 
-  acl  = "private"
-  tags = null # Exclude from default_tags due to S3 object 10-tag limit
+  acl = "private"
+
+  # Explicitly set empty tags to override default_tags due to S3 object 10-tag limit
+  tags = {}
+
+  lifecycle {
+    ignore_changes = [tags_all]
+  }
 }
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -104,6 +104,7 @@ resource "aws_iam_policy" "dynamodb_management" {
             "dynamodb:DeleteTable",
             "dynamodb:CreateTable",
             "dynamodb:TagResource",
+            "dynamodb:UntagResource",
             "dynamodb:ListTagsOfResource",
             "dynamodb:UpdateTable",
           ],
@@ -570,6 +571,7 @@ resource "aws_iam_policy" "cloudwatch_management" {
           "logs:ListTagsForResource",
           "logs:DescribeLogGroups",
           "logs:PutRetentionPolicy",
+          "logs:TagResource",
           "logs:UntagResource",
 
           "cloudwatch:PutMetricAlarm",
@@ -596,7 +598,8 @@ resource "aws_iam_policy" "cloudwatch_management" {
         Resource = [
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
           "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
-          "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*"
+          "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/default-eligibility-signposting-api*",
         ]
       }
     ]
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -35,6 +35,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "dynamodb:DeleteTable",
       "dynamodb:CreateTable",
       "dynamodb:TagResource",
+      "dynamodb:UntagResource",
       "dynamodb:ListTagsOfResource",
       "dynamodb:UpdateTable",
 
