NHSDigital
diff --git a/‎infrastructure/policies.tf‎
Lines changed: 23 additions & 0 deletions b/‎infrastructure/policies.tf‎
Lines changed: 23 additions & 0 deletions
@@ -17,3 +17,26 @@ resource "aws_iam_policy" "ssm_access_policy" {
     ]
   })
 }
+
+resource "aws_iam_policy" "read_only_role_extra_permissions" {
+  count = local.is_sandbox ? 0 : 1
+  name  = "ReadOnlyExtraAccess"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "kms:Decrypt",
+        ],
+        Resource = [
+          "arn:aws:lambda:eu-west-2:${data.aws_caller_identity.current.account_id}:function:*",
+        ]
+      }
+    ]
+  })
+  tags = {
+    Name      = "ReadOnlyExtraAccess"
+    Workspace = "core"
+  }
+}