eli-420 adding back prod AWS to job (we can extend to other tiers)

Author: eddalmond1

.github/workflows/monthly-capacity-report.yml

@@ -29,7 +29,7 @@ jobs:
       - name: "Configure AWS Credentials"
         uses: aws-actions/configure-aws-credentials@v5
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_DEV_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_PROD_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
 
       - name: Generate dashboard report

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -639,13 +639,23 @@ resource "aws_iam_policy" "firehose_readonly" {
 }
 
 resource "aws_iam_policy" "cloudwatch_management" {
+  #checkov:skip=CKV_AWS_355: GetMetricWidgetImage requires wildcard resource
+  #checkov:skip=CKV_AWS_290: GetMetricWidgetImage requires wildcard resource
   name        = "cloudwatch-management"
   description = "Allow GitHub Actions to manage CloudWatch logs, alarms, and SNS topics"
   path        = "/service-policies/"
 
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          # GetMetricWidgetImage does not support resource-level permissions
+          "cloudwatch:GetMetricWidgetImage"
+        ],
+        Resource = "*"
+      },
       {
         Effect = "Allow",
         Action = [
@@ -664,7 +674,6 @@ resource "aws_iam_policy" "cloudwatch_management" {
           "cloudwatch:TagResource",
           "cloudwatch:UntagResource",
           "cloudwatch:GetDashboard",
-          "cloudwatch:GetMetricWidgetImage",
 
           "sns:CreateTopic",
           "sns:DeleteTopic",