@@ -226,23 +226,33 @@ resource "aws_iam_policy" "github_actions_deploy_policy" {
226226 " dynamodb:CreateTable"
227227 " dynamodb:DeleteTable"
228228 " dynamodb:DescribeTable"
229- " dynamodb:UpdateTable"
229+ " dynamodb:UpdateTable"
230+ " dynamodb:GetItem"
231+ " dynamodb:PutItem"
232+ " dynamodb:DeleteItem"
233+ " dynamodb:DescribeContinuousBackups"
234+ " dynamodb:DescribeTimeToLive"
235+ " dynamodb:ListTagsOfResource"
230236 ],
231237 " Resource" : " arn:aws:dynamodb:*:*:table/*"
232238 },
233239 {
234240 " Sid" : " LambdaPermissions"
235241 " Effect" : " Allow"
236242 " Action" : [
243+ " lambda:GetPolicy"
237244 " lambda:CreateFunction"
238245 " lambda:DeleteFunction"
239246 " lambda:GetFunction"
240247 " lambda:UpdateFunctionConfiguration"
241248 " lambda:AddPermission"
242249 " lambda:RemovePermission"
243- " lambda:UpdateFunctionCode"
250+ " lambda:UpdateFunctionCode"
251+ " lambda:GetLayerVersion"
252+ " lambda:ListVersionsByFunction"
253+ " lambda:GetFunctionCodeSigningConfig"
244254 ],
245- " Resource" : " arn:aws:lambda:*:*:function: *"
255+ " Resource" : " *"
246256 },
247257 {
248258 " Sid" : " IAMPermissions"
@@ -256,9 +266,17 @@ resource "aws_iam_policy" "github_actions_deploy_policy" {
256266 " iam:DeleteRolePolicy"
257267 " iam:DetachRolePolicy"
258268 " iam:PutRolePolicy"
259- " iam:PassRole"
269+ " iam:PassRole"
270+ " iam:ListRolePolicies"
271+ " iam:GetPolicy"
272+ " iam:GetRolePolicy"
273+ " iam:ListAttachedRolePolicies"
274+ " iam:GetPolicyVersion"
260275 ],
261- " Resource" : " arn:aws:iam::*:role/*"
276+ " Resource" : [
277+ " arn:aws:iam::*:role/*"
278+ " arn:aws:iam::*:policy/*"
279+ ]
262280 },
263281 {
264282 " Sid" : " APIGatewayPermissions"
@@ -282,7 +300,9 @@ resource "aws_iam_policy" "github_actions_deploy_policy" {
282300 " events:DeleteRule"
283301 " events:DescribeRule"
284302 " events:PutPermission"
285- " events:RemovePermission"
303+ " events:RemovePermission"
304+ " events:ListTagsForResource"
305+ " events:ListTargetsByRule"
286306 ],
287307 " Resource" : " arn:aws:events:*:*:rule/*"
288308 },
@@ -293,7 +313,9 @@ resource "aws_iam_policy" "github_actions_deploy_policy" {
293313 " sns:CreateTopic"
294314 " sns:DeleteTopic"
295315 " sns:Publish"
296- " sns:SetTopicAttributes"
316+ " sns:SetTopicAttributes"
317+ " sns:GetTopicAttributes"
318+ " sns:ListTagsForResource"
297319 ],
298320 " Resource" : " arn:aws:sns:*:*:*"
299321 },
@@ -302,7 +324,8 @@ resource "aws_iam_policy" "github_actions_deploy_policy" {
302324 " Effect" : " Allow"
303325 " Action" : [
304326 " logs:CreateLogGroup"
305- " logs:DescribeLogGroups"
327+ " logs:DescribeLogGroups"
328+ " logs:ListTagsForResource"
306329 ],
307330 " Resource" : " arn:aws:logs:*:*:log-group:*"
308331 },
@@ -319,9 +342,40 @@ resource "aws_iam_policy" "github_actions_deploy_policy" {
319342 " s3:PutBucketEncryption"
320343 " s3:PutObject"
321344 " s3:GetObject"
322- " s3:DeleteObject"
345+ " s3:DeleteObject"
346+ " s3:GetBucketPolicy"
347+ " s3:GetBucketAcl"
348+ " s3:GetBucketCORS"
349+ " s3:GetBucketWebsite"
350+ " s3:GetBucketVersioning"
351+ " s3:GetAccelerateConfiguration"
352+ " s3:GetBucketRequestPayment"
353+ " s3:GetBucketLogging"
354+ " s3:GetLifecycleConfiguration"
355+ " s3:GetReplicationConfiguration"
356+ " s3:GetEncryptionConfiguration"
357+ " s3:GetBucketObjectLockConfiguration"
358+ " s3:GetBucketTagging"
359+ " s3:GetBucketPublicAccessBlock"
360+ " s3:GetObjectTagging"
361+ " s3:GetObjectVersion"
362+ ],
363+ " Resource" : [
364+ " arn:aws:s3:::*"
365+ " arn:aws:s3:::*/*"
366+ ]
367+ },
368+ {
369+ " Sid" : " CloudTrailPermissions"
370+ " Effect" : " Allow"
371+ " Action" : [
372+ " cloudtrail:GetTrail"
373+ " cloudtrail:DescribeTrails"
374+ " cloudtrail:GetTrailStatus"
375+ " cloudtrail:GetEventSelectors"
376+ " cloudtrail:ListTags"
323377 ],
324- " Resource" : " arn:aws:s3::: *"
378+ " Resource" : " *"
325379 }
326380 ]
327381 })
0 commit comments