[PRM-752] Allow ReadOnly users to save/delete CloudWatch saved queries (#636)

chrisbloe · web-flow · commit 2c10aa64e547 · 2026-03-13T15:05:20.000Z
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
@@ -32,6 +32,16 @@ resource "aws_iam_policy" "read_only_role_extra_permissions" {
         Resource = [
           "arn:aws:kms:eu-west-2:${data.aws_caller_identity.current.account_id}:key/*",
         ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:PutQueryDefinition",
+          "logs:DeleteQueryDefinition",
+        ],
+        Resource = [
+          "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group::log-stream:",
+        ]
       }
     ]
   })

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,16 @@ resource "aws_iam_policy" "read_only_role_extra_permissions" {`
`32`	`32`	`Resource = [`
`33`	`33`	`"arn:aws:kms:eu-west-2:${data.aws_caller_identity.current.account_id}:key/*",`
`34`	`34`	`]`
	`35`	`+ },`
	`36`	`+ {`
	`37`	`+ Effect = "Allow",`
	`38`	`+ Action = [`
	`39`	`+ "logs:PutQueryDefinition",`
	`40`	`+ "logs:DeleteQueryDefinition",`
	`41`	`+ ],`
	`42`	`+ Resource = [`
	`43`	`+ "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group::log-stream:",`
	`44`	`+ ]`
`35`	`45`	`}`
`36`	`46`	`]`
`37`	`47`	`})`