Skip to content

Commit 5103c61

Browse files
eddalmond1eddalmond1
authored
Merge pull request #658 from NHSDigital/feature/eja-eli-731-finessing-regression-test-role-permissions
eli-731 adding missing permissions that the regression test role needs
2 parents ebf6265 + 204d5dd commit 5103c61

2 files changed

Lines changed: 17 additions & 19 deletions

File tree

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

Lines changed: 15 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -836,6 +836,7 @@ data "aws_iam_policy_document" "regression_test_permissions" {
836836
"dynamodb:Scan",
837837
"dynamodb:UpdateItem",
838838
"dynamodb:DeleteItem",
839+
"dynamodb:BatchWriteItem",
839840
"dynamodb:DescribeTable",
840841
"dynamodb:DeleteTable",
841842
"dynamodb:TagResource",
@@ -851,19 +852,21 @@ data "aws_iam_policy_document" "regression_test_permissions" {
851852
sid = "DynamoGlobal"
852853
effect = "Allow"
853854
actions = [
854-
"dynamodb:ListTables",
855-
"dynamodb:CreateTable"
855+
"dynamodb:ListTables",
856+
"dynamodb:CreateTable"
856857
]
857858
resources = ["*"]
858859
}
859860

860861
statement {
861-
sid = "SecretsManagerAccess"
862+
sid = "SecretsManagerAccess"
862863
effect = "Allow"
863864
actions = [
864865
"secretsmanager:GetSecretValue",
865-
"secretsmanager:DescribeSecret"
866-
]
866+
"secretsmanager:DescribeSecret",
867+
"secretsmanager:UpdateSecretVersionStage",
868+
"secretsmanager:PutSecretValue"
869+
]
867870
resources = ["arn:aws:secretsmanager:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:secret:eligibility-signposting-api-*"]
868871
}
869872

@@ -949,8 +952,8 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
949952
dynamic "statement" {
950953
for_each = var.environment == "dev" ? [1] : []
951954
content {
952-
sid = "AllowDevSSORoleToAssumeIamBootstrap"
953-
effect = "Allow"
955+
sid = "AllowDevSSORoleToAssumeIamBootstrap"
956+
effect = "Allow"
954957
actions = ["sts:AssumeRole"]
955958

956959
principals {
@@ -966,8 +969,8 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
966969
# Assume role policy document for GitHub Actions
967970
data "aws_iam_policy_document" "regression_repo_assume_role" {
968971
statement {
969-
sid = "OidcAssumeRoleWithWebIdentity"
970-
effect = "Allow"
972+
sid = "OidcAssumeRoleWithWebIdentity"
973+
effect = "Allow"
971974
actions = ["sts:AssumeRoleWithWebIdentity"]
972975

973976
principals {
@@ -980,21 +983,16 @@ data "aws_iam_policy_document" "regression_repo_assume_role" {
980983
condition {
981984
test = "StringLike"
982985
variable = "token.actions.githubusercontent.com:sub"
983-
values = ["repo:${var.github_org}/${var.regression_repo}:*"]
984-
}
985-
986-
condition {
987-
test = "StringLike"
988-
variable = "token.actions.githubusercontent.com:job_workflow_ref"
989986
values = [
990-
"${var.github_org}/${var.regression_repo}/.github/workflows/regression_tests.yml@*"
987+
"repo:${var.github_org}/${var.regression_repo}:*",
988+
"repo:${var.github_org}/${var.github_repo}:*",
991989
]
992990
}
993991

994992
condition {
995993
test = "StringEquals"
996994
variable = "token.actions.githubusercontent.com:aud"
997-
values = ["sts.amazonaws.com"]
995+
values = ["sts.amazonaws.com"]
998996
}
999997
}
1000998
}

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -246,9 +246,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
246246
}
247247
# Environment-specific actions
248248
dynamic "statement" {
249-
for_each = var.environment == "preprod" ? [1] : []
249+
for_each = contains(["dev", "test", "preprod"], var.environment) ? [1] : []
250250
content {
251-
sid = "AllowPreprodDynamoDBItemOps"
251+
sid = "AllowDynamoDBItemOps"
252252
effect = "Allow"
253253
actions = [
254254
"dynamodb:GetItem",

0 commit comments

Comments
 (0)