[ndr-387] adding ReadOnlyAccess policy to all

Author: tim-knight-nhs

base_iam/iam_github_role.tf

@@ -65,8 +65,7 @@ resource "aws_iam_role" "github_actions" {
   )
 }
 
-resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_dev" {
-  count      = local.is_sandbox_or_dev ? 1 : 0
+resource "aws_iam_role_policy_attachment" "ReadOnlyAccess" {
   role       = aws_iam_role.github_actions.name
   policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }

base_iam/iam_github_test.tf

@@ -53,118 +53,6 @@ resource "aws_iam_policy" "github_actions_test" {
         Effect   = "Allow"
         Resource = "*"
       },
-      {
-        Action = [
-          "backup:TagResource",
-          "backup:UntagResource",
-          "cognito-identity:TagResource",
-          "cognito-identity:UntagResource",
-          "elasticloadbalancing:AddTags",
-          "elasticloadbalancing:RemoveTags",
-          "events:TagResource",
-          "events:UntagResource",
-          "iam:TagInstanceProfile",
-          "iam:TagPolicy",
-          "iam:TagRole",
-          "iam:UntagInstanceProfile",
-          "iam:UntagPolicy",
-          "iam:UntagRole",
-          "lambda:TagResource",
-          "lambda:UntagResource",
-          "logs:TagResource",
-          "logs:UntagResource",
-          "resource-groups:DeleteGroup",
-          "resource-groups:GetGroup",
-          "resource-groups:GetGroupConfiguration",
-          "resource-groups:GetGroupQuery",
-          "resource-groups:GetTags",
-          "resource-groups:ListGroupResources",
-          "resource-groups:Tag",
-          "resource-groups:Untag",
-          "resource-groups:UpdateGroup",
-          "resource-groups:UpdateGroupQuery",
-          "sns:TagResource",
-          "sns:UntagResource"
-        ]
-        Effect = "Allow"
-        Resource = [
-          "*",
-          "arn:aws:backup:*:694282683086:backup-plan:*",
-          "arn:aws:backup:*:694282683086:backup-vault:*",
-          "arn:aws:backup:*:694282683086:framework:*-*",
-          "arn:aws:backup:*:694282683086:legal-hold:*",
-          "arn:aws:backup:*:694282683086:report-plan:*-*",
-          "arn:aws:backup:*:694282683086:restore-testing-plan:*-*",
-          "arn:aws:cognito-identity:*:694282683086:identitypool/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*",
-          "arn:aws:events:*:694282683086:event-bus/*",
-          "arn:aws:events:*:694282683086:rule/*/*",
-          "arn:aws:iam::694282683086:instance-profile/*",
-          "arn:aws:iam::694282683086:policy/*",
-          "arn:aws:iam::694282683086:role/*",
-          "arn:aws:lambda:*:694282683086:code-signing-config:*",
-          "arn:aws:lambda:*:694282683086:event-source-mapping:*",
-          "arn:aws:lambda:*:694282683086:function:*",
-          "arn:aws:logs:*:694282683086:anomaly-detector:*",
-          "arn:aws:logs:*:694282683086:delivery-destination:*",
-          "arn:aws:logs:*:694282683086:delivery-source:*",
-          "arn:aws:logs:*:694282683086:delivery:*",
-          "arn:aws:logs:*:694282683086:destination:*",
-          "arn:aws:logs:*:694282683086:log-group:*",
-          "arn:aws:resource-groups:*:694282683086:group/*",
-          "arn:aws:sns:*:694282683086:*"
-        ]
-      },
-      {
-        Action = [
-          "elasticloadbalancing:AddTags",
-          "elasticloadbalancing:RemoveTags"
-        ]
-        Effect = "Allow"
-        Resource = [
-          "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*"
-        ]
-      },
-      {
-        Action = [
-          "elasticloadbalancing:AddTags",
-          "elasticloadbalancing:RemoveTags",
-          "events:TagResource",
-          "events:UntagResource"
-        ]
-        Effect = "Allow"
-        Resource = [
-          "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*",
-          "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*",
-          "arn:aws:events:*:694282683086:rule/*"
-        ]
-      },
     ]
   })
 }