fix: Add additional permissions required to deploy.

jamesiarmes · jamesiarmes · commit f5dc98c998aa · 2025-10-22T11:09:33.000-04:00
diff --git a/tofu/modules/deployment/main.tf b/tofu/modules/deployment/main.tf
@@ -21,3 +21,25 @@ resource "aws_iam_role_policy" "deployment" {
     system_environment : local.system_environment
   })))
 }
+
+# Create a separate policy for state access to avoid size limits on the main
+# policy.
+resource "aws_iam_policy" "state" {
+  name        = "${var.project}-${local.system_environment}-state-policy"
+  description = "Allow access to S3 bucket and DynamoDB table for Terraform state."
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/state-policy.yaml.tftpl", {
+    account_id : data.aws_caller_identity.identity.account_id
+    environment : var.environment
+    region : data.aws_region.current.region
+    partition : data.aws_partition.current.partition
+    project : var.project
+  })))
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "attach" {
+  role_name = aws_iam_role.deployment.name
+  policy_arns = [aws_iam_policy.state.arn]
+}
diff --git a/tofu/modules/deployment/templates/iam-policy.yaml.tftpl b/tofu/modules/deployment/templates/iam-policy.yaml.tftpl
@@ -1,30 +1,5 @@
 Version: "2012-10-17"
 Statement:
-  - Sid: InfraStateAccess
-    Effect: Allow
-    Action:
-      - s3:CreateBucket
-      - s3:ListBucket
-      - s3:GetBucketLocation
-      - s3:GetObject
-      - s3:PutObject
-      - s3:DeleteObject
-    Resource:
-      - arn:${partition}:s3:::${project}-${environment}-tfstate
-      - arn:${partition}:s3:::${project}-${environment}-tfstate/*
-  - Sid: InfraLockAccess
-    Effect: Allow
-    Action:
-      - dynamodb:CreateTable
-      - dynamodb:DescribeTable
-      - dynamodb:DeleteTable
-      - dynamodb:UpdateTable
-      - dynamodb:GetItem
-      - dynamodb:PutItem
-      - dynamodb:DeleteItem
-    Resource:
-      - arn:${partition}:dynamodb:${region}:${account_id}:table/${environment}.tfstate
-
   - Sid: GlobalActions
     Effect: Allow
     Action:
@@ -171,6 +146,21 @@ Statement:
       - arn:${partition}:ecs:${region}:${account_id}:task/${project}-${system_environment}-*
       - arn:${partition}:ecs:${region}:${account_id}:task-definition/${project}-${system_environment}-*
 
+  - Sid: EventBridgeAccess
+    Effect: Allow
+    Action:
+      - events:DeleteRule
+      - events:DescribeRule
+      - events:ListTagsForResource
+      - events:ListTargetsByRule
+      - events:PutRule
+      - events:PutTargets
+      - events:RemoveTargets
+      - events:TagResource
+      - events:UntagResource
+    Resource:
+      - arn:${partition}:events:${region}:${account_id}:rule/${project}-${system_environment}-*
+
   - Sid: IAMAccess
     Effect: Allow
     Action:
