
Commit 49591da

committed
eli-384 adding Github OIDC permissions for WAF deployment
1 parent 635e458 commit 49591da


1 file changed

+20
-2
lines changed


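--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -237,7 +237,10 @@ resource "aws_iam_policy" "api_infrastructure" {
 # ACM for certs
 "acm:DescribeCertificate",
 "acm:GetCertificate",
-"acm:ListCertificates"
+"acm:ListCertificates",
+# WAF v2 list operations
+"wafv2:ListWebACLs",
+"wafv2:ListTagsForResource"
 
 ],
 Resource = "*"
@@ -367,7 +370,20 @@ resource "aws_iam_policy" "api_infrastructure" {
 "events:ListTagsForResource",
 "events:DeleteRule",
 "events:ListTargetsByRule",
-"events:RemoveTargets"
+"events:RemoveTargets",
+
+# WAF v2
+"wafv2:CreateWebACL",
+"wafv2:DeleteWebACL",
+"wafv2:GetWebACL",
+"wafv2:UpdateWebACL",
+"wafv2:TagResource",
+"wafv2:UntagResource",
+"wafv2:AssociateWebACL",
+"wafv2:DisassociateWebACL",
+"wafv2:PutLoggingConfiguration",
+"wafv2:GetLoggingConfiguration",
+"wafv2:DeleteLoggingConfiguration"
 ],
 
 
@@ -388,6 +404,7 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",
 "arn:aws:acm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:certificate/*",
 "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
+"arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
 ]
 },
 ]
@@ -625,6 +642,7 @@ resource "aws_iam_policy" "cloudwatch_management" {
 ],
 Resource = [
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
+"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*",
 "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
 "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*",
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/default-eligibility-signposting-api*",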
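Review bot: `wafv2:AssociateWebACL` and `wafv2:DisassociateWebACL` in the second hunk are authorized against both the web ACL and the protected resource, but the only new Resource entry in the third hunk (assuming it belongs to the same statement, which the hunks do not show) is `regional/webacl/*`, so associating the ACL with an API Gateway stage will be denied at apply time; that also needs `apigateway:SetWebACL` on the stage, e.g. `"arn:aws:apigateway:${var.default_aws_region}::/restapis/*/stages/*"`, and reading the association back from state typically needs `wafv2:GetWebACLForResource`, which is not granted. In the fourth hunk the new `log-group:/aws/wafv2/*` ARN will not match a WAF logging destination, because WAF only accepts CloudWatch log groups whose name starts with `aws-waf-logs-`; if this is meant to be the `PutLoggingConfiguration` target, the ARN should be `log-group:aws-waf-logs-*` and the `logs:CreateLogDelivery`/`logs:PutResourcePolicy` side of that flow should be confirmed in the statement's Action list, which lies outside the hunk. A one-line comment above the new wafv2 ARN naming which resource it authorizes (`# WAF v2 web ACLs created by the WAF stack`) would make the least-privilege intent reviewable. Both `aws_iam_policy` resource blocks start and end outside the hunks.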
