CCM-8752 Replace inline policies with attached policies (#334)

Author: aidenvaines-cgi

.github/workflows/cicd-1-pull-request.yaml

@@ -36,9 +36,9 @@ jobs:
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
-          echo "nodejs_version=$(grep "^nodejs " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "python_version=$(grep "^python " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "terraform_version=$(grep "^terraform " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
       - name: "Check if pull request exists for this branch"
         id: pr_exists

infrastructure/terraform/components/app/iam_role_amplify.tf

@@ -26,6 +26,11 @@ resource "aws_iam_role_policy_attachment" "amplify_amplify" {
   policy_arn = aws_iam_policy.amplify.arn
 }
 
+resource "aws_iam_role_policy_attachment" "amplify_execution" {
+  role       = aws_iam_role.amplify.name
+  policy_arn = aws_iam_policy.amplify.arn
+}
+
 resource "aws_iam_policy" "amplify" {
   name        = "${local.csi}-amplify"
   description = "Amplify "

infrastructure/terraform/modules/backend-api/iam_role_api_gateway_execution_role.tf

@@ -7,15 +7,18 @@ resource "aws_iam_role" "api_gateway_execution_role" {
 resource "aws_iam_role_policy_attachment" "cloudwatch_logs" {
   role       = aws_iam_role.api_gateway_execution_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
-
 }
 
-resource "aws_iam_role_policy" "api_gateway_execution_policy" {
-  role   = aws_iam_role.api_gateway_execution_role.name
+resource "aws_iam_policy" "api_gateway_execution_policy" {
   name   = "${local.csi}-apig-execution-policy"
   policy = data.aws_iam_policy_document.api_gateway_execution_policy.json
 }
 
+resource "aws_iam_role_policy_attachment" "api_gateway_execution" {
+  role       = aws_iam_role.api_gateway_execution_role.name
+  policy_arn = aws_iam_policy.api_gateway_execution_policy.arn
+}
+
 data "aws_iam_policy_document" "api_gateway_service_trust_policy" {
   statement {
     sid    = "ApiGatewayAssumeRole"
@@ -35,7 +38,6 @@ data "aws_iam_policy_document" "api_gateway_service_trust_policy" {
   }
 }
 
-
 data "aws_iam_policy_document" "api_gateway_execution_policy" {
   statement {
     sid    = "AllowInvokeLambda"

infrastructure/terraform/modules/lambda-function/iam_role_lambda_execution_role.tf

@@ -1,19 +1,19 @@
-# TODO: CCM-8418
-# tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_role" "lambda_execution_role" {
   name               = var.function_name
   description        = "IAM Role for Lambda function ${var.function_name}"
   assume_role_policy = data.aws_iam_policy_document.lambda_service_trust_policy.json
 }
 
-resource "aws_iam_role_policy" "lambda_execution_policy" {
-  role   = aws_iam_role.lambda_execution_role.name
+resource "aws_iam_policy" "lambda_execution_policy" {
   name   = "${var.function_name}-execution-policy"
   policy = data.aws_iam_policy_document.lambda_execution_policy.json
 }
 
-# TODO: CCM-8418
-# tfsec:ignore:aws-iam-no-policy-wildcards
+resource "aws_iam_role_policy_attachment" "lambda_execution" {
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = aws_iam_policy.lambda_execution_policy.arn
+}
+
 data "aws_iam_policy_document" "lambda_service_trust_policy" {
   statement {
     sid    = "LambdaAssumeRole"