github actions roles updated

Karthikeyannhs · Karthikeyannhs · commit f881b2be001c · 2025-08-20T17:27:57.000+01:00
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -62,10 +62,13 @@ resource "aws_iam_policy" "lambda_management" {
           "lambda:ListAliases",
           "lambda:AddPermission",
           "lambda:RemovePermission",
-          "lambda:GetPolicy"
+          "lambda:GetPolicy",
+          "lambda:GetAlias",
+          "lambda:GetFunction"
         ],
         Resource = [
-          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api"
+          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api",
+          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*"
         ]
       }
     ]
@@ -440,8 +443,8 @@ resource "aws_iam_policy" "iam_management" {
 # Assume role policy document for GitHub Actions
 data "aws_iam_policy_document" "github_actions_assume_role" {
   statement {
-    sid     = "OidcAssumeRoleWithWebIdentity"
-    effect  = "Allow"
+    sid    = "OidcAssumeRoleWithWebIdentity"
+    effect = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
@@ -454,40 +457,17 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values   = ["repo:${var.github_org}/${var.github_repo}:*"]
+      values = ["repo:${var.github_org}/${var.github_repo}:*"]
     }
 
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:aud"
-      values   = ["sts.amazonaws.com"]
+      values = ["sts.amazonaws.com"]
     }
   }
 }
 
-resource "aws_iam_policy" "cloudwatch_logging" {
-  name        = "cloudwatch-logging-management"
-  description = "Allow access to logging resources"
-  path        = "/service-policies/"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "logs:ListTagsForResource",
-          "logs:DescribeLogGroups",
-          "logs:PutRetentionPolicy"
-        ],
-        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
-      }
-    ]
-  })
-
-  tags = merge(local.tags, { Name = "cloudwatch-logging-management" })
-}
-
 resource "aws_iam_policy" "firehose_readonly" {
   name        = "firehose-describe-access"
   description = "Allow GitHub Actions to describe Firehose delivery stream"
@@ -518,9 +498,9 @@ resource "aws_iam_policy" "firehose_readonly" {
   tags = merge(local.tags, { Name = "firehose-describe-access" })
 }
 
-resource "aws_iam_policy" "cloudwatch_alarms" {
-  name        = "cloudwatch-alarms-management"
-  description = "Allow GitHub Actions to manage CloudWatch alarms and SNS topics"
+resource "aws_iam_policy" "cloudwatch_management" {
+  name        = "cloudwatch-management"
+  description = "Allow GitHub Actions to manage CloudWatch logs, alarms, and SNS topics"
   path        = "/service-policies/"
 
   policy = jsonencode({
@@ -529,15 +509,18 @@ resource "aws_iam_policy" "cloudwatch_alarms" {
       {
         Effect = "Allow",
         Action = [
-          # CloudWatch Alarms management
+          "logs:ListTagsForResource",
+          "logs:DescribeLogGroups",
+          "logs:PutRetentionPolicy",
+
           "cloudwatch:PutMetricAlarm",
           "cloudwatch:DeleteAlarms",
           "cloudwatch:DescribeAlarms",
           "cloudwatch:DescribeAlarmsForMetric",
           "cloudwatch:ListTagsForResource",
           "cloudwatch:TagResource",
           "cloudwatch:UntagResource",
-          # SNS Topic management for alarm notifications
+
           "sns:CreateTopic",
           "sns:DeleteTopic",
           "sns:GetTopicAttributes",
@@ -552,14 +535,40 @@ resource "aws_iam_policy" "cloudwatch_alarms" {
           "sns:ListSubscriptionsByTopic"
         ],
         Resource = [
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
           "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
           "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*"
         ]
       }
     ]
   })
 
-  tags = merge(local.tags, { Name = "cloudwatch-alarms-management" })
+  tags = merge(local.tags, { Name = "cloudwatch-management" })
+}
+
+# SQS Management Policy for GetQueueAttributes
+resource "aws_iam_policy" "sqs_management" {
+  name        = "sqs-management"
+  description = "Policy granting permissions to get SQS queue attributes"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "sqs:GetQueueAttributes",
+          "sqs:listqueuetags"
+        ],
+        Resource = [
+          "arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*"
+        ]
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "sqs-management" })
 }
 
 # Attach the policies to the role
@@ -598,17 +607,18 @@ resource "aws_iam_role_policy_attachment" "iam_management" {
   policy_arn = aws_iam_policy.iam_management.arn
 }
 
-resource "aws_iam_role_policy_attachment" "cloudwatch_logging" {
+resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" {
   role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.cloudwatch_logging.arn
+  policy_arn = aws_iam_policy.firehose_readonly.arn
 }
 
-resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" {
+resource "aws_iam_role_policy_attachment" "cloudwatch_management" {
   role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.firehose_readonly.arn
+  policy_arn = aws_iam_policy.cloudwatch_management.arn
 }
 
-resource "aws_iam_role_policy_attachment" "cloudwatch_alarms" {
+resource "aws_iam_role_policy_attachment" "sqs_management" {
   role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.cloudwatch_alarms.arn
+  policy_arn = aws_iam_policy.sqs_management.arn
 }
+
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -150,6 +150,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "lambda:AddPermission",
       "lambda:RemovePermission",
       "lambda:GetPolicy",
+      "lambda:GetAlias",
 
       # CloudWatch Logs - log management
       "logs:CreateLogGroup",
@@ -220,7 +221,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ssm:AddTagsToResource",
 
       #SQS - message management
-      "sqs:SendMessage"
+      "sqs:SendMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:listqueuetags"
     ]
 
     resources = ["*"]
