[ndr-387] removed count for global permissions

tim-knight-nhs · tim-knight-nhs · commit cb565b3f7a37 · 2026-03-24T16:07:24.000Z
diff --git a/base_iam/iam_github_dev_test_pre-prod_prod.tf b/base_iam/iam_github_dev_test_pre-prod_prod.tf
@@ -1,13 +1,18 @@
+
+resource "aws_iam_role_policy_attachment" "ReadOnlyAccess" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
 # POLICY SPLIT INTO 3 PARTS TO AVOID HITTING THE 6,144 CHARACTER LIMIT FOR AWS IAM POLICIES
 
 resource "aws_iam_role_policy_attachment" "github_actions_dev_test_pre-prod_prod_1" {
-  count      = local.is_dev_test_pre-prod_prod ? 1 : 0
+
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.github_actions_dev_test_pre-prod_prod_1[0].arn
 }
 
 resource "aws_iam_policy" "github_actions_dev_test_pre-prod_prod_1" {
-  count = local.is_dev_test_pre-prod_prod ? 1 : 0
   name  = "${terraform.workspace}-github-actions-policy-dev_test_pre-prod_prod_1"
   path  = "/"
   policy = jsonencode({
@@ -114,13 +119,11 @@ resource "aws_iam_policy" "github_actions_dev_test_pre-prod_prod_1" {
 
 
 resource "aws_iam_role_policy_attachment" "github_actions_dev_test_pre-prod_prod_2" {
-  count      = local.is_dev_test_pre-prod_prod ? 1 : 0
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.github_actions_dev_test_pre-prod_prod_2[0].arn
 }
 
 resource "aws_iam_policy" "github_actions_dev_test_pre-prod_prod_2" {
-  count = local.is_dev_test_pre-prod_prod ? 1 : 0
   name  = "${terraform.workspace}-github-actions-policy-dev_test_pre-prod_prod_2"
   path  = "/"
   policy = jsonencode({
@@ -266,13 +269,11 @@ resource "aws_iam_policy" "github_actions_dev_test_pre-prod_prod_2" {
 
 
 resource "aws_iam_role_policy_attachment" "github_actions_dev_test_pre-prod_prod_3" {
-  count      = local.is_dev_test_pre-prod_prod ? 1 : 0
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.github_actions_dev_test_pre-prod_prod_3[0].arn
 }
 
 resource "aws_iam_policy" "github_actions_dev_test_pre-prod_prod_3" {
-  count = local.is_dev_test_pre-prod_prod ? 1 : 0
   name  = "${terraform.workspace}-github-actions-policy-dev_test_pre-prod_prod_3"
   path  = "/"
   policy = jsonencode({
diff --git a/base_iam/iam_github_role.tf b/base_iam/iam_github_role.tf
@@ -64,8 +64,3 @@ resource "aws_iam_role" "github_actions" {
     }
   )
 }
-
-resource "aws_iam_role_policy_attachment" "ReadOnlyAccess" {
-  role       = aws_iam_role.github_actions.name
-  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
-}
diff --git a/base_iam/variables.tf b/base_iam/variables.tf
@@ -31,7 +31,7 @@ locals {
   shared_terraform_state_bucket = "ndr-${var.environment}-terraform-state-${data.aws_caller_identity.current.account_id}"
 
   is_dev_pre-prod_prod      = !contains(["ndr-test"], terraform.workspace)
-  is_dev_test_pre-prod_prod = true
+  # is_dev_test_pre-prod_prod = true
   is_dev_test               = !contains(["pre-prod", "prod"], terraform.workspace)
   is_dev                    = !contains(["ndr-test", "pre-prod", "prod"], terraform.workspace)
   is_pre-prod_prod          = contains(["pre-prod", "prod"], terraform.workspace)

Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,3 @@ resource "aws_iam_role" "github_actions" {`
`64`	`64`	`}`
`65`	`65`	`)`
`66`	`66`	`}`
`67`		`-`
`68`		`-resource "aws_iam_role_policy_attachment" "ReadOnlyAccess" {`
`69`		`- role = aws_iam_role.github_actions.name`
`70`		`- policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"`
`71`		`-}`