TDRD 88: Some more permissions required to set up infrastructure for …

…new draft metadata checks
nationalarchives · May 7, 2024 · 3f96210 · 3f96210
1 parent 299684d
commit 3f96210
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/modules/environment-roles/root.tf b/modules/environment-roles/root.tf
@@ -64,7 +64,9 @@ resource "aws_iam_policy" "consignment_api_connection_secret_creation_policy" {
       {
         Effect = "Allow"
         Action = [
-          "secretsmanager:CreateSecret"
+          "secretsmanager:CreateSecret",
+          "secretsmanager:PutSecretValue",
+          "secretsmanager:GetSecretValue"
         ]
         Resource = "arn:aws:secretsmanager:*:*:secret:events!connection/TDRConsignmentAPIConnection${title(var.tdr_environment)}/*"
       }

diff --git a/modules/environment-roles/templates/shared_iam_terraform_policy.json.tpl b/modules/environment-roles/templates/shared_iam_terraform_policy.json.tpl
@@ -25,6 +25,8 @@
         "arn:aws:iam::${account_id}:policy/TDRApiUpdatePolicy",
         "arn:aws:iam::${account_id}:policy/TDRBackendChecks*Policy${title(environment)}",
         "arn:aws:iam::${account_id}:policy/TDRMetadataChecksPolicy${title(environment)}",
+        "arn:aws:iam::${account_id}:policy/TDRMetadataChecksAPIGatewayStepFunctionExecutionPolicy${title(environment)}",
+        "arn:aws:iam::${account_id}:policy/TDRAPIInvokePolicy${title(environment)}",
         "arn:aws:iam::${account_id}:policy/TDRChecksumPolicy",
         "arn:aws:iam::${account_id}:policy/TDRCloudwatch${title(environment)}",
         "arn:aws:iam::${account_id}:policy/TDRConfig${title(environment)}",
@@ -71,6 +73,7 @@
         "arn:aws:iam::${account_id}:role/TDRApiUpdateRole",
         "arn:aws:iam::${account_id}:role/TDRBackendChecks*Role${title(environment)}",
         "arn:aws:iam::${account_id}:role/TDRMetadataChecks${title(environment)}-role",
+        "arn:aws:iam::${account_id}:role/TDRMetadataChecksAPIGatewayExecutionRole${title(environment)}",
         "arn:aws:iam::${account_id}:role/TDRChecksumRole",
         "arn:aws:iam::${account_id}:role/TDRCloudTrail${title(environment)}",
         "arn:aws:iam::${account_id}:role/TDRCognitoAuthorisedRole${title(environment)}",