fix: Add additional permissions required to deploy. (#43)

jamesiarmes · web-flow · commit c9bf7e03d4c4 · 2025-10-22T11:47:51.000-04:00
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
@@ -24,20 +24,28 @@ jobs:
         with:
           path: ~/.tflint.d/plugins
           key: tflint-${{ hashFiles('.tflint.hcl') }}
-      - uses: terraform-linters/setup-tflint@v5
+      - uses: terraform-linters/setup-tflint@v6
         name: Setup TFLint
       - name: Show version
         run: tflint --version
       - name: Init TFLint
         run: tflint --init
       - name: Run TFLint
-        run: tflint --format sarif --recursive --config "$GITHUB_WORKSPACE/.tflint.hcl" > tflint-results.sarif
+        # Run TFLint, outputting the results to a SARIF file. We use `tee` so
+        # that we can still see the output in the logs, and capture the exit
+        # code properly with `pipefail`.
+        run: |
+          set -o pipefail
+          tflint --format sarif --recursive \
+            --config "$GITHUB_WORKSPACE/.tflint.hcl" \
+            | tee tflint-results.sarif
+          exit "${PIPESTATUS[0]}"
       - name: Parse SARIF file for annotations
         if: always()
-        uses: Miragon/sarif-report-parse@v1.0.4
+        uses: jontyms/sarif-annotations@v0.0.3
         with:
-          severity-level: low
           sarif-file: tflint-results.sarif
+          annotation-level: notice
       # When run on main, if SARIF uploads are available, we want to upload the
       # SARIF file to GitHub.
       - name: Upload SARIF result
diff --git a/tofu/modules/deployment/main.tf b/tofu/modules/deployment/main.tf
@@ -21,3 +21,25 @@ resource "aws_iam_role_policy" "deployment" {
     system_environment : local.system_environment
   })))
 }
+
+# Create a separate policy for state access to avoid size limits on the main
+# policy.
+resource "aws_iam_policy" "state" {
+  name        = "${var.project}-${local.system_environment}-state-policy"
+  description = "Allow access to S3 bucket and DynamoDB table for Terraform state."
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/state-policy.yaml.tftpl", {
+    account_id : data.aws_caller_identity.identity.account_id
+    environment : var.environment
+    region : data.aws_region.current.region
+    partition : data.aws_partition.current.partition
+    project : var.project
+  })))
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "attach" {
+  role_name = aws_iam_role.deployment.name
+  policy_arns = [aws_iam_policy.state.arn]
+}
diff --git a/tofu/modules/deployment/templates/iam-policy.yaml.tftpl b/tofu/modules/deployment/templates/iam-policy.yaml.tftpl
@@ -1,30 +1,5 @@
 Version: "2012-10-17"
 Statement:
-  - Sid: InfraStateAccess
-    Effect: Allow
-    Action:
-      - s3:CreateBucket
-      - s3:ListBucket
-      - s3:GetBucketLocation
-      - s3:GetObject
-      - s3:PutObject
-      - s3:DeleteObject
-    Resource:
-      - arn:${partition}:s3:::${project}-${environment}-tfstate
-      - arn:${partition}:s3:::${project}-${environment}-tfstate/*
-  - Sid: InfraLockAccess
-    Effect: Allow
-    Action:
-      - dynamodb:CreateTable
-      - dynamodb:DescribeTable
-      - dynamodb:DeleteTable
-      - dynamodb:UpdateTable
-      - dynamodb:GetItem
-      - dynamodb:PutItem
-      - dynamodb:DeleteItem
-    Resource:
-      - arn:${partition}:dynamodb:${region}:${account_id}:table/${environment}.tfstate
-
   - Sid: GlobalActions
     Effect: Allow
     Action:
@@ -171,6 +146,21 @@ Statement:
       - arn:${partition}:ecs:${region}:${account_id}:task/${project}-${system_environment}-*
       - arn:${partition}:ecs:${region}:${account_id}:task-definition/${project}-${system_environment}-*
 
+  - Sid: EventBridgeAccess
+    Effect: Allow
+    Action:
+      - events:DeleteRule
+      - events:DescribeRule
+      - events:ListTagsForResource
+      - events:ListTargetsByRule
+      - events:PutRule
+      - events:PutTargets
+      - events:RemoveTargets
+      - events:TagResource
+      - events:UntagResource
+    Resource:
+      - arn:${partition}:events:${region}:${account_id}:rule/${project}-${system_environment}-*
+
   - Sid: IAMAccess
     Effect: Allow
     Action:
diff --git a/tofu/modules/deployment/templates/state-policy.yaml.tftpl b/tofu/modules/deployment/templates/state-policy.yaml.tftpl
@@ -0,0 +1,26 @@
+Version: "2012-10-17"
+Statement:
+  - Sid: InfraStateAccess
+    Effect: Allow
+    Action:
+      - s3:CreateBucket
+      - s3:ListBucket
+      - s3:GetBucketLocation
+      - s3:GetObject
+      - s3:PutObject
+      - s3:DeleteObject
+    Resource:
+      - arn:${partition}:s3:::${project}-${environment}-tfstate
+      - arn:${partition}:s3:::${project}-${environment}-tfstate/*
+  - Sid: InfraLockAccess
+    Effect: Allow
+    Action:
+      - dynamodb:CreateTable
+      - dynamodb:DescribeTable
+      - dynamodb:DeleteTable
+      - dynamodb:UpdateTable
+      - dynamodb:GetItem
+      - dynamodb:PutItem
+      - dynamodb:DeleteItem
+    Resource:
+      - arn:${partition}:dynamodb:${region}:${account_id}:table/${environment}.tfstate
