permissions for cloudformation

anthony-nhs · anthony-nhs · commit 00ab481fbe0f · 2025-09-18T09:33:25.000Z
diff --git a/packages/cdk/resources/RuntimePolicies.ts b/packages/cdk/resources/RuntimePolicies.ts
@@ -132,6 +132,15 @@ export class RuntimePolicies extends Construct {
         "kms:GenerateDataKey*",
         "kms:DescribeKey"
       ],
+      resources: [
+        `arn:aws:cloudformation:eu-west-2:${props.account}:stack/epsam-pr-*`
+      ]
+    })
+
+    const slackBotDescribeCfStacks = new PolicyStatement({
+      actions: [
+        "cloudformation:DescribeStacks"
+      ],
       resources: [props.slackBotStateTableKmsKeyArn]
     })
 
@@ -145,7 +154,8 @@ export class RuntimePolicies extends Construct {
         slackBotLambdaPolicy,
         slackBotGuardrailPolicy,
         slackBotDynamoDbPolicy,
-        slackBotKmsPolicy
+        slackBotKmsPolicy,
+        slackBotDescribeCfStacks
       ]
     })
 
