NHSDigital · eddalmond1 · Apr 27, 2026 · Apr 27, 2026 · eddalmond1 · Apr 27, 2026
@@ -836,6 +836,7 @@ data "aws_iam_policy_document" "regression_test_permissions" {
       "dynamodb:Scan",
       "dynamodb:UpdateItem",
       "dynamodb:DeleteItem",
+      "dynamodb:BatchWriteItem",
       "dynamodb:DescribeTable",
       "dynamodb:DeleteTable",
       "dynamodb:TagResource",
@@ -851,19 +852,21 @@ data "aws_iam_policy_document" "regression_test_permissions" {
     sid    = "DynamoGlobal"
     effect = "Allow"
     actions = [
-    "dynamodb:ListTables",
-    "dynamodb:CreateTable"
+      "dynamodb:ListTables",
+      "dynamodb:CreateTable"
     ]
     resources = ["*"]
   }
 
   statement {
-    sid = "SecretsManagerAccess"
+    sid    = "SecretsManagerAccess"
     effect = "Allow"
     actions = [
       "secretsmanager:GetSecretValue",
-      "secretsmanager:DescribeSecret"
-      ]
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:UpdateSecretVersionStage",
+      "secretsmanager:PutSecretValue"
+    ]
     resources = ["arn:aws:secretsmanager:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:secret:eligibility-signposting-api-*"]
   }
 
@@ -949,8 +952,8 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
   dynamic "statement" {
     for_each = var.environment == "dev" ? [1] : []
     content {
-      sid    = "AllowDevSSORoleToAssumeIamBootstrap"
-      effect = "Allow"
+      sid     = "AllowDevSSORoleToAssumeIamBootstrap"
+      effect  = "Allow"
       actions = ["sts:AssumeRole"]
 
       principals {
@@ -966,8 +969,8 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
 # Assume role policy document for GitHub Actions
 data "aws_iam_policy_document" "regression_repo_assume_role" {
   statement {
-    sid    = "OidcAssumeRoleWithWebIdentity"
-    effect = "Allow"
+    sid     = "OidcAssumeRoleWithWebIdentity"
+    effect  = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
@@ -980,21 +983,16 @@ data "aws_iam_policy_document" "regression_repo_assume_role" {
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values = ["repo:${var.github_org}/${var.regression_repo}:*"]
-    }
-
-    condition {
-      test     = "StringLike"
-      variable = "token.actions.githubusercontent.com:job_workflow_ref"
       values = [
-        "${var.github_org}/${var.regression_repo}/.github/workflows/regression_tests.yml@*"
+        "repo:${var.github_org}/${var.regression_repo}:*",
+        "repo:${var.github_org}/${var.github_repo}:*",
       ]
     }
 
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:aud"
-      values = ["sts.amazonaws.com"]
+      values   = ["sts.amazonaws.com"]
     }
   }
 }

@@ -246,9 +246,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
   }
   # Environment-specific actions
   dynamic "statement" {
-    for_each = var.environment == "preprod" ? [1] : []
+    for_each = contains(["dev", "test", "preprod"], var.environment) ? [1] : []
     content {
-      sid    = "AllowPreprodDynamoDBItemOps"
+      sid    = "AllowDynamoDBItemOps"
       effect = "Allow"
       actions = [
         "dynamodb:GetItem",