From 33cd5360afd4204b5ea43333834c13bf33a01708 Mon Sep 17 00:00:00 2001
From: John Stainsby
Date: Mon, 1 Jul 2024 13:08:37 +0100
Subject: [PATCH] fix: Missing IAM permissions for pipeline to modify database (#176)
---
 environment-pipelines/iam.tf | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/environment-pipelines/iam.tf b/environment-pipelines/iam.tf
index 1af6b2ebd..7fd9fdea9 100644
--- a/environment-pipelines/iam.tf
+++ b/environment-pipelines/iam.tf
@@ -538,7 +538,9 @@ data "aws_iam_policy_document" "postgres" {
 "lambda:GetFunction",
 "lambda:InvokeFunction",
 "lambda:ListVersionsByFunction",
- "lambda:GetFunctionCodeSigningConfig"
+ "lambda:GetFunctionCodeSigningConfig",
+ "lambda:UpdateFunctionCode",
+ "lambda:CreateFunction"
 ]
 resources = [
 "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.application}-${statement.value.name}-*"
@@ -546,6 +548,18 @@ data "aws_iam_policy_document" "postgres" {
 }
 }
 
+ dynamic "statement" {
+ for_each = local.environment_config
+ content {
+ actions = [
+ "lambda:GetLayerVersion"
+ ]
+ resources = [
+ "arn:aws:lambda:eu-west-2:763451185160:layer:python-postgres:1"
+ ]
+ }
+ }
+
 dynamic "statement" {
 for_each = local.environment_config
 content {
@@ -556,7 +570,9 @@ data "aws_iam_policy_document" "postgres" {
 "rds:DescribeDBParameterGroups",
 "rds:DescribeDBParameters",
 "rds:ListTagsForResource",
- "rds:CreateDBInstance"
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:DeleteDBParameterGroup"
 ]
 resources = [
 "arn:aws:rds:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:pg:${var.application}-${statement.value.name}-*"
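Review bot: `lambda:CreateFunction` on the `${var.application}-${statement.value.name}-*` function ARN is only part of what creating a function needs — the API call also requires `iam:PassRole` on the function's execution role, which this statement does not grant and the hunk does not show. If PassRole is granted elsewhere in this policy document (the rest of `postgres` is outside the hunk), it is worth confirming that it carries an `iam:PassedToService` condition restricted to `lambda.amazonaws.com`, so the pipeline role can only hand that role to Lambda. A one-line comment above the actions list would also record the intent for the next reader: `# CreateFunction/UpdateFunctionCode let the pipeline deploy the per-environment lambda; CreateFunction additionally needs iam:PassRole on the function's execution role.` The enclosing `dynamic "statement"` block starts before this hunk.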
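Review bot: The layer ARN `arn:aws:lambda:eu-west-2:763451185160:layer:python-postgres:1` hard-codes region, account and layer version, whereas every other resource in this document is built from `data.aws_region.current.name` and `data.aws_caller_identity.current.account_id`. The account is not the caller's, so this is presumably a layer shared from another account; that should be stated, because a reader cannot otherwise tell whether the account is a trusted publisher or a typo, and the pinned `:1` means a republished layer will be denied on `GetLayerVersion` until this file is edited. Suggested comment above `resources`: `# python-postgres layer is published from account 763451185160 in eu-west-2; bump the version suffix when the layer is republished.` If this module is ever applied outside eu-west-2, the function statement in the previous hunk would follow the deployment region while this one would not.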
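Review bot: `rds:ModifyDBInstance` is added to a statement whose only visible resource is a parameter-group ARN (`…:pg:${var.application}-${statement.value.name}-*`); as far as I recall from the RDS service authorization reference, the required resource type for ModifyDBInstance is the DB instance (`db:`), with `pg:` only an optional secondary resource, so unless the `resources` list — which continues outside the hunk — also carries the matching `db:` ARN the new action will be denied at runtime. That is worth verifying against the rest of the list, and the same question applies to the pre-existing `rds:CreateDBInstance`. `rds:DeleteDBParameterGroup` does match the `pg:` ARN; a short comment such as `# ModifyDBInstance/CreateDBInstance also need the db: instance ARN, not only the pg: ARN` would record which ARN each action relies on.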