eli-382 more permissions

eddalmond1 · eddalmond1 · commit b2913f39d72a · 2025-11-14T15:55:29.000Z
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -244,7 +244,12 @@ resource "aws_iam_policy" "api_infrastructure" {
           # CloudWatch Logs resource policies (require wildcard)
           "logs:PutResourcePolicy",
           "logs:DeleteResourcePolicy",
-          "logs:DescribeResourcePolicies"
+          "logs:DescribeResourcePolicies",
+          # CloudWatch Logs delivery for WAF
+          "logs:CreateLogDelivery",
+          "logs:DeleteLogDelivery",
+          # IAM service-linked role for WAF logging
+          "iam:CreateServiceLinkedRole"
 
         ],
         Resource = "*"
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -116,6 +116,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:UntagPolicy",
       "iam:PassRole",
       "iam:TagPolicy",
+      "iam:CreateServiceLinkedRole",
 
       # KMS - encryption key management
       "kms:CreateKey",
