[PRM-134-v2] add permission to get alarms from tags for alerting lambda

steph-torres-nhs · steph-torres-nhs · commit ee45543023ce · 2025-05-29T15:50:04.000+01:00
diff --git a/infrastructure/lambda-im-alerting.tf b/infrastructure/lambda-im-alerting.tf
@@ -53,7 +53,8 @@ resource "aws_iam_policy" "alerting_lambda_alarms" {
       {
         Action = [
           "cloudwatch:DescribeAlarms",
-          "cloudwatch:ListTagsForResource"
+          "cloudwatch:ListTagsForResource",
+          "tag:GetResources"
         ]
         Effect   = "Allow"
         Resource = "arn:aws:cloudwatch:${var.region}:${data.aws_caller_identity.current.account_id}:alarm:*"

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,8 @@ resource "aws_iam_policy" "alerting_lambda_alarms" {`
`53`	`53`	`{`
`54`	`54`	`Action = [`
`55`	`55`	`"cloudwatch:DescribeAlarms",`
`56`		`- "cloudwatch:ListTagsForResource"`
	`56`	`+ "cloudwatch:ListTagsForResource",`
	`57`	`+ "tag:GetResources"`
`57`	`58`	`]`
`58`	`59`	`Effect = "Allow"`
`59`	`60`	`Resource = "arn:aws:cloudwatch:${var.region}:${data.aws_caller_identity.current.account_id}:alarm:*"`