Merge pull request #1461 from alphagov/samsimpson1/amazonmq

Grant extra permissions to TFC IAM role

terraform/deployments/tfc-aws-config/aws_oidc.tf

@@ -51,10 +51,12 @@ data "aws_iam_policy_document" "tfc_policy" {
       "elasticfilesystem:*",
       "es:*",
       "events:*",
+      "glue:*",
       "iam:*InstanceProfile*",
       "iam:*CloudFrontPublicKey*",
       "iam:*OpenIDConnectProvider*",
       "iam:*Policy",
+      "iam:*Policies",
       "iam:*PolicyVersion*",
       "iam:*RolePolicies",
       "iam:*RoleTags",
@@ -111,6 +113,14 @@ data "aws_iam_policy_document" "tfc_policy" {
     actions   = ["iam:PassRole"]
     resources = ["arn:aws:iam::*:role/rds-monitoring-role"]
   }
+  statement {
+    actions   = ["iam:*Role"]
+    resources = ["arn:aws:iam::*:role/AWSLambdaRole-transition-executor"]
+  }
+  statement {
+    actions   = ["iam:*User"]
+    resources = ["arn:aws:iam::*:user/govuk-*-transition-downloader"]
+  }
   statement {
     effect    = "Deny"
     resources = ["*"]