fix: Environment pipeline permissions (#299)

uktrade · Dec 4, 2024 · 7eb1a63 · 7eb1a63
1 parent 759a5c2
commit 7eb1a63
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/environment-pipelines/iam.tf b/environment-pipelines/iam.tf
@@ -501,7 +501,7 @@ data "aws_iam_policy_document" "kms_key" {
         "kms:DeleteAlias"
       ]
       resources = [
-        "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/${var.application}-${statement.value.name}-*-key"
+        "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/${var.application}-${statement.value.name}-*",
       ]
     }
   }
@@ -744,16 +744,25 @@ data "aws_iam_policy_document" "ecs" {
   }
 
   statement {
-    sid = "AllowRegisterAndDeregister"
+    sid = "AllowRegister"
     actions = [
-      "ecs:DeregisterTaskDefinition",
       "ecs:RegisterTaskDefinition",
     ]
     resources = [
       "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:task-definition/*",
       "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:task-definition/"
     ]
   }
+
+  statement {
+    sid = "AllowDeregister"
+    actions = [
+      "ecs:DeregisterTaskDefinition"
+    ]
+    resources = [
+      "*"
+    ]
+  }
 }
 
 resource "aws_iam_policy" "ecs" {