[PRMT-2395] Add missing CIEnvLinker permissions

oktawia-kata-nhs · oktawia-kata-nhs · commit bb8116c755c1 · 2021-10-29T10:39:08.000+01:00
diff --git a/terraform-cross-account/iam-ci/iam_gocd.tf b/terraform-cross-account/iam-ci/iam_gocd.tf
@@ -43,10 +43,21 @@ data "aws_iam_policy_document" "cross_ci_ssm" {
   statement {
     effect = "Allow"
     actions = [
-      "ssm:GetParameter"
+      "ssm:GetParameter*",
+      "ssm:ListTagsForResource",
+      "ssm:PutParameter",
+      "ssm:AddTagsToResource"
     ]
     resources = ["arn:aws:ssm:*:327778747031:parameter/*"]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "ssm:DescribeParameters",
+    ]
+    resources = ["arn:aws:ssm:*:327778747031:*"]
+  }
 }
 
 resource "aws_iam_role_policy_attachment" "ci_to_env_linker_write" {
@@ -77,9 +88,10 @@ data "aws_iam_policy_document" "cross_ci_write" {
     actions = [
       "route53:DisassociateVPCFromHostedZone",
       "route53:AssociateVPCWithHostedZone",
+      "route53:ListTagsForResource",
       "route53:ChangeResourceRecordSets",
       "route53:DeleteVPCAssociationAuthorization",
-      "route53:CreateVPCAssociationAuthorization"
+      "route53:CreateVPCAssociationAuthorization",
     ]
     resources = ["arn:aws:route53:::hostedzone/*"]
   }
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -8,7 +8,7 @@ provider "aws" {
   region  = var.region
   assume_role {
     role_arn     = "arn:aws:iam::${var.common_account_id}:role/${var.common_account_role}"
-    session_name = "common-dev-cross-account"
+    session_name = "common-${var.environment}-cross-account"
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ provider "aws" {`
`8`	`8`	`region = var.region`
`9`	`9`	`assume_role {`
`10`	`10`	`role_arn = "arn:aws:iam::${var.common_account_id}:role/${var.common_account_role}"`
`11`		`- session_name = "common-dev-cross-account"`
	`11`	`+ session_name = "common-${var.environment}-cross-account"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`