eli-420 adding github permissions

eddalmond1 · eddalmond1 · commit df2ed9a55d78 · 2025-12-09T14:27:19.000Z
diff --git a/.github/workflows/monthly-capacity-report.yml b/.github/workflows/monthly-capacity-report.yml
@@ -29,7 +29,7 @@ jobs:
       - name: "Configure AWS Credentials"
         uses: aws-actions/configure-aws-credentials@v5
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_PROD_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_DEV_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
 
       - name: Generate dashboard report
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -663,6 +663,8 @@ resource "aws_iam_policy" "cloudwatch_management" {
           "cloudwatch:ListTagsForResource",
           "cloudwatch:TagResource",
           "cloudwatch:UntagResource",
+          "cloudwatch:GetDashboard",
+          "cloudwatch:GetMetricWidgetImage",
 
           "sns:CreateTopic",
           "sns:DeleteTopic",
@@ -683,6 +685,7 @@ resource "aws_iam_policy" "cloudwatch_management" {
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-wafv2-logs-*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*",
           "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
+          "arn:aws:cloudwatch::${data.aws_caller_identity.current.account_id}:dashboard/Demand_And_Capacity_*",
           "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/default-eligibility-signposting-api*",
         ]
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -26,6 +26,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "cloudwatch:ListTagsForResource",
       "cloudwatch:TagResource",
       "cloudwatch:UntagResource",
+      "cloudwatch:GetDashboard",
+      "cloudwatch:GetMetricWidgetImage",
 
       # DynamoDB - table management
       "dynamodb:DescribeTimeToLive",
