fix: Added additional permissions to the deployment role.

Author: jamesiarmes

tofu/modules/deployment/templates/iam-policy.yaml.tftpl

@@ -25,6 +25,55 @@ Statement:
   Resource:
     - arn:${partition}:dynamodb:${region}:${account_id}:table/${environment}.tfstate
 
+- Sid: ServiceCatalogAccess
+  Effect: Allow
+  Action:
+  - servicecatalog:CreateApplication
+  - servicecatalog:GetApplication
+  - servicecatalog:DeleteApplication
+  - servicecatalog:ListTagsForResource
+  - servicecatalog:TagResource
+  - servicecatalog:UntagResource
+  - servicecatalog:UpdateApplication
+  Resource: "*"
+  Condition:
+    ForAnyValue:StringEquals:
+      aws:ResourceTag/project: sqs-senzing
+
+- Sid: SQSAccess
+  Effect: Allow
+  Action:
+  - sqs:CreateQueue
+  - sqs:DeleteQueue
+  - sqs:GetQueueAttributes
+  - sqs:GetQueueUrl
+  - sqs:ListQueues
+  - sqs:ListQueueTags
+  - sqs:SetQueueAttributes
+  - sqs:TagQueue
+  - sqs:UntagQueue
+  Resource: arn:${partition}:sqs:${region}:${account_id}:${project}-${system_environment}-*
+
+- Sid: S3Access
+  Effect: Allow
+  Action:
+  - s3:CreateBucket
+  - s3:DeleteBucket
+  - s3:DeleteObject
+  - s3:GetBucketAcl
+  - s3:GetBucketLocation
+  - s3:GetBucketPolicy
+  - s3:GetBucketTagging
+  - s3:GetObject
+  - s3:ListBucket
+  - s3:PutBucketAcl
+  - s3:PutBucketPolicy
+  - s3:PutBucketTagging
+  - s3:PutObject
+  Resource:
+  - arn:${partition}:s3:::${project}-${system_environment}-*
+  - arn:${partition}:s3:::${project}-${system_environment}-*/*
+
 - Effect: Allow
   Action:
   - ec2:DescribeAddresses
@@ -125,9 +174,7 @@ Statement:
   - s3:PutEncryptionConfiguration
   - s3:PutLifecycleConfiguration
   Resource: arn:${partition}:s3:::*
-- Effect: Allow
-  Action: sqs:CreateQueue
-  Resource: arn:${partition}:sqs:${region}:${account_id}:*
 - Effect: Allow
   Action: ssm:GetParameter
-  Resource: arn:${partition}:ssm:${region}:${account_id}:parameter/${project}/${environment}/*
+  Resource:
+    - arn:${partition}:ssm:${region}:${account_id}:parameter/${project}/${system_environment}/*