fix: DBTP-972 Add IAM Permissions for Pipeline Changes (#209)

environment-pipelines/codebuild.tf

@@ -61,9 +61,10 @@ resource "aws_kms_key" "codebuild_kms_key" {
 
 resource "aws_cloudwatch_log_group" "environment_pipeline_codebuild" {
   # checkov:skip=CKV_AWS_338:Retains logs for 3 months instead of 1 year
+  # checkov:skip=CKV_AWS_158: To be reworked
   name              = "codebuild/${var.application}-${var.pipeline_name}-environment-terraform/log-group"
   retention_in_days = 90
-  kms_key_id        = aws_kms_key.codebuild_kms_key.arn
+  # kms_key_id        = aws_kms_key.codebuild_kms_key.arn
 }
 
 resource "aws_cloudwatch_log_stream" "environment_pipeline_codebuild" {

environment-pipelines/iam.tf

@@ -293,6 +293,7 @@ data "aws_iam_policy_document" "security_group" {
       "ec2:CreateSecurityGroup",
       "ec2:CreateTags",
       "ec2:RevokeSecurityGroupEgress",
+      "ec2:RevokeSecurityGroupIngress",
       "ec2:DeleteSecurityGroup",
       "ec2:AuthorizeSecurityGroupIngress",
       "ec2:AuthorizeSecurityGroupEgress"
@@ -413,7 +414,8 @@ data "aws_iam_policy_document" "logs" {
       "logs:PutSubscriptionFilter",
       "logs:DescribeSubscriptionFilters",
       "logs:DeleteSubscriptionFilter",
-      "logs:TagResource"
+      "logs:TagResource",
+      "logs:AssociateKmsKey"
     ]
     resources = [
       "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/opensearch/*",
@@ -543,6 +545,7 @@ data "aws_iam_policy_document" "postgres" {
         "lambda:ListVersionsByFunction",
         "lambda:GetFunctionCodeSigningConfig",
         "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration",
         "lambda:CreateFunction"
       ]
       resources = [