
@maxsonferovante
Contributor

…IAM policy

  • Adds explicit permissions for the Role to manage its own policy
  • Allows github-actions-policy to be updated by the Role itself
  • NOTE: The first apply must be done manually with admin credentials

@maxsonferovante maxsonferovante self-assigned this Nov 30, 2025
@github-actions

Terraform Plan (shared)

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_policy.github_actions_policy will be updated in-place
  ~ resource "aws_iam_policy" "github_actions_policy" {
        id               = "arn:aws:iam::334318883918:policy/github-actions-policy"
        name             = "github-actions-policy"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action   = [
                            # (1 unchanged element hidden)
                            "iam:TagRole",
                          + "iam:SetDefaultPolicyVersion",
                            "iam:PutRolePolicy",
                            "iam:ListRolePolicies",
                          + "iam:ListPolicyVersions",
                            "iam:ListAttachedRolePolicies",
                            # (6 unchanged elements hidden)
                            "iam:DeleteRole",
                          + "iam:DeletePolicyVersion",
                            "iam:CreateRole",
                          + "iam:CreatePolicyVersion",
                            "iam:AttachRolePolicy",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                  ~ {
                      ~ Resource = [
                            # (1 unchanged element hidden)
                            "arn:aws:s3:::tech-floripa-plan-artifacts",
                          ~ "arn:aws:s3:::tech-floripa-certificates-dev-tf-state/*" -> "arn:aws:s3:::tech-floripa-certificates-dev-state/*",
                          ~ "arn:aws:s3:::tech-floripa-certificates-dev-tf-state" -> "arn:aws:s3:::tech-floripa-certificates-dev-state",
                            "arn:aws:s3:::tech-floripa-certificates-dev-bucket/*",
                            # (1 unchanged element hidden)
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = [
                            "ecr:UntagResource",
                            "ecr:TagResource",
                            "ecr:PutLifecyclePolicy",
                            "ecr:PutImageTagMutability",
                            "ecr:PutImageScanningConfiguration",
                            "ecr:ListTagsForResource",
                            "ecr:GetLifecyclePolicy",
                            "ecr:DeleteRepository",
                            "ecr:DeleteLifecyclePolicy",
                            "ecr:CreateRepository",
                        ]
                        Effect   = "Allow"
                        Resource = [
                            "arn:aws:ecr:us-east-1:334318883918:repository/tech-floripa-certificates-notification-dev",
                            "arn:aws:ecr:us-east-1:334318883918:repository/tech-floripa-certificates-builder-dev",
                            "arn:aws:ecr:us-east-1:334318883918:repository/tech-floripa-certificates-api-dev",
                        ]
                    },
                    # (9 unchanged elements hidden)
                    {
                        Action   = "logs:DescribeLogGroups"
                        Effect   = "Allow"
                        Resource = "*"
                    },
                  + {
                      + Action   = [
                          + "iam:SetDefaultPolicyVersion",
                          + "iam:ListPolicyVersions",
                          + "iam:GetPolicyVersion",
                          + "iam:GetPolicy",
                          + "iam:DeletePolicyVersion",
                          + "iam:CreatePolicyVersion",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:iam::334318883918:policy/github-actions-policy"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {}
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
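Review bot: the added statement (the `+ {` block whose Resource is `arn:aws:iam::334318883918:policy/github-actions-policy`) grants the role `iam:CreatePolicyVersion` and `iam:SetDefaultPolicyVersion` on the very policy that defines its permissions, so any workflow that can assume this role can publish a new default version and grant itself anything the account allows; the policy stops being a boundary on the role and becomes something the role controls. The commit note that the first apply needs admin credentials points at the same issue: after this merge, admin involvement is no longer required for later permission changes. If the role really must version its own policy, attach a permissions boundary to the role so self-granted permissions cannot exceed it, and alert on `CreatePolicyVersion` / `SetDefaultPolicyVersion` CloudTrail events from this role; otherwise keep policy-version changes in an admin-run apply. Separately, the same four actions (`iam:SetDefaultPolicyVersion`, `iam:ListPolicyVersions`, `iam:DeletePolicyVersion`, `iam:CreatePolicyVersion`) are also added to the first statement's Action list, whose Resource is hidden in this plan; if that statement's Resource is broader than the policy's own ARN, the role can version every policy it matches, so confirm that scope and drop the duplicate from whichever statement is not meant to carry it.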

@github-actions

Terraform Plan (dev)

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.s3.aws_s3_bucket.certificates_bucket will be created
  + resource "aws_s3_bucket" "certificates_bucket" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "tech-floripa-certificates-dev-bucket"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_region               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = true
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = "us-east-1"
      + request_payer               = (known after apply)
      + tags                        = {
          + "Environment" = "dev"
          + "Name"        = "tech-floripa-certificates-dev-bucket"
          + "Project"     = "tech-floripa-certificates"
          + "Region"      = "us-east-1"
        }
      + tags_all                    = {
          + "Environment" = "dev"
          + "ManagedBy"   = "terraform"
          + "Name"        = "tech-floripa-certificates-dev-bucket"
          + "Project"     = "tech-floripa-certificates"
          + "Region"      = "us-east-1"
        }
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # module.s3.aws_s3_bucket_lifecycle_configuration.certificates_bucket_lifecycle_config[0] will be created
  + resource "aws_s3_bucket_lifecycle_configuration" "certificates_bucket_lifecycle_config" {
      + bucket                                 = (known after apply)
      + expected_bucket_owner                  = (known after apply)
      + id                                     = (known after apply)
      + region                                 = "us-east-1"
      + transition_default_minimum_object_size = "all_storage_classes_128K"

      + rule {
          + id     = "lifecycle-rule"
          + status = "Enabled"
            # (1 unchanged attribute hidden)

          + expiration {
              + days                         = 90
              + expired_object_delete_marker = false
            }

          + filter {
              + prefix = "certificates/"
            }
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + s3_bucket_arn  = (known after apply)
  + s3_bucket_name = (known after apply)
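Review bot: `force_destroy = true` on `aws_s3_bucket.certificates_bucket` lets a `terraform destroy` or a forced replacement delete every object in the bucket with no further confirmation, which for a bucket that holds issued certificates should be a deliberate choice rather than a dev-environment default; consider leaving it `false` or documenting why it is needed. This plan creates only the bucket and its lifecycle configuration, and `versioning`, `server_side_encryption_configuration`, `policy` and `object_lock_enabled` all appear as `(known after apply)`, so the plan does not show whether versioning, encryption or a public-access block are configured in sibling resources; confirm they exist, because the lifecycle rule expires objects under `certificates/` after 90 days and without versioning that expiration is final.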

@maxsonferovante maxsonferovante merged commit 02c3934 into main Nov 30, 2025
2 checks passed
@maxsonferovante maxsonferovante deleted the fix/iam-s3-state-bucket-permissions branch November 30, 2025 23:34