VED-726: Apply consistent permissions for the DPS account in all environments.

mfjarvis · mfjarvis · commit 08cc3e732a42 · 2025-08-15T07:56:21.000+01:00
diff --git a/terraform/dps_role_creation.tf b/terraform/dps_role_creation.tf
@@ -22,14 +22,9 @@ resource "aws_iam_role_policy" "dynamo_s3_access_policy" {
     Statement = [
       {
         Effect = "Allow",
-        Action = var.environment == "prod" ? [
-          "dynamodb:GetItem",
-          "dynamodb:Query"
-          ] : [
+        Action = [
           "dynamodb:BatchGetItem",
           "dynamodb:GetItem",
-          "dynamodb:PutItem",
-          "dynamodb:UpdateItem",
           "dynamodb:Query"
         ],
         Resource = [
diff --git a/terraform/id_sync_lambda.tf b/terraform/id_sync_lambda.tf
@@ -10,7 +10,7 @@ locals {
   # Calculate SHA for both directories
   shared_dir_sha         = sha1(join("", [for f in local.shared_files : filesha1("${local.shared_dir}/${f}")]))
   id_sync_lambda_dir_sha = sha1(join("", [for f in local.id_sync_lambda_files : filesha1("${local.id_sync_lambda_dir}/${f}")]))
-  id_sync_lambda_name = "${local.short_prefix}-id_sync_lambda"
+  id_sync_lambda_name    = "${local.short_prefix}-id_sync_lambda"
 }
 
 resource "aws_ecr_repository" "id_sync_lambda_repository" {
@@ -225,14 +225,14 @@ resource "aws_iam_policy" "id_sync_lambda_kms_access_policy" {
           data.aws_kms_key.existing_s3_encryption_key.arn,
         ]
       },
-	  {
-		Effect = "Allow"
-		Action = [
-		  "kms:Decrypt",
-		  "kms:GenerateDataKey*"
-		]
-		Resource = data.aws_kms_key.existing_dynamo_encryption_key.arn
-	  }
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey*"
+        ]
+        Resource = data.aws_kms_key.existing_dynamo_encryption_key.arn
+      }
     ]
   })
 }
diff --git a/terraform/sqs_id_sync.tf b/terraform/sqs_id_sync.tf
@@ -1,7 +1,7 @@
 resource "aws_sqs_queue" "id_sync_queue" {
-  name                        = "${local.short_prefix}-id-sync-queue"
-  kms_master_key_id           = data.aws_kms_key.existing_id_sync_sqs_encryption_key.arn
-  visibility_timeout_seconds  = 360
+  name                       = "${local.short_prefix}-id-sync-queue"
+  kms_master_key_id          = data.aws_kms_key.existing_id_sync_sqs_encryption_key.arn
+  visibility_timeout_seconds = 360
   redrive_policy = jsonencode({
     deadLetterTargetArn = aws_sqs_queue.id_sync_dlq.arn
     maxReceiveCount     = 4
