eli-510 adding additional permissions to allow assume role

Author: eddalmond1

infrastructure/stacks/api-layer/csoc_log_forwarding.tf

@@ -14,13 +14,7 @@ data "aws_iam_policy_document" "cwl_subscription_assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["logs.${var.default_aws_region}.amazonaws.com"]
-    }
-
-    condition {
-      test     = "StringLike"
-      variable = "aws:SourceArn"
-      values   = ["${module.eligibility_signposting_api_gateway.cloudwatch_destination_arn}:*"]
+      identifiers = ["logs.amazonaws.com"]
     }
 
     condition {

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -266,6 +266,17 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
         ]
       },
+      {
+        Effect = "Allow",
+        Action = [
+          # CloudWatch Logs subscription to CSOC cross-account destination
+          "logs:PutSubscriptionFilter"
+        ],
+        Resource = [
+          # CSOC cross-account destination for API Gateway logs
+          "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
+        ]
+      },
       {
         Effect = "Allow",
         Action = [
@@ -464,6 +475,7 @@ resource "aws_iam_policy" "iam_management" {
           "iam:CreateRole",
           "iam:DeleteRole",
           "iam:UpdateRole",
+          "iam:UpdateAssumeRolePolicy",
           "iam:PutRolePolicy",
           "iam:PutRolePermissionsBoundary",
           "iam:AttachRolePolicy",

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -101,6 +101,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:CreateRole",
       "iam:DeleteRole",
       "iam:UpdateRole",
+      "iam:UpdateAssumeRolePolicy",
       "iam:PutRolePolicy",
       "iam:PutRolePermissionsBoundary",
       "iam:AttachRolePolicy",