From 9a43c7d082b31722137338be5a1e9e4f6e05e19c Mon Sep 17 00:00:00 2001
From: Mark Boyd
Date: Fri, 20 Dec 2024 15:13:27 -0500
Subject: [PATCH] Add aws broker tag log groups perm (#1813)

* add permission for tagging cloudwatch log groups for aws-broker resources
* allow tagging log groups for opensearch and RDS
---
 .../modules/iam_role_policy/aws_broker/policy.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/terraform/modules/iam_role_policy/aws_broker/policy.json b/terraform/modules/iam_role_policy/aws_broker/policy.json
index f5bbb88d..bf691619 100644
--- a/terraform/modules/iam_role_policy/aws_broker/policy.json
+++ b/terraform/modules/iam_role_policy/aws_broker/policy.json
@@ -199,6 +199,16 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "logs:TagResource"
+ ],
+ "Resource": [
+ "arn:${aws_partition}:logs:${aws_default_region}:${account_id}:log-group:/aws/rds/instance/cg-aws-broker*/*",
+ "arn:${aws_partition}:logs:${aws_default_region}:${account_id}:log-group:/aws/OpenSearchService/domains/cg-broker*/*"
+ ]
 }
 ]
 }
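Review bot: The new `logs:TagResource` statement carries no `Condition`, so the broker role may write any tag key and value on the matching log groups; if tags on these resources drive ABAC decisions or cost allocation elsewhere in the account, that is a quiet way to influence them, and the statement should pin the allowed keys, e.g. `"Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "<ALLOWED_TAG_KEY_PLACEHOLDER>" ] } }`. The two `Resource` entries also use different name prefixes, `cg-aws-broker*` for RDS and `cg-broker*` for OpenSearch; this may mirror the broker's actual naming, but the shorter OpenSearch prefix matches a wider set of domains, so it is worth confirming against the resource names the broker creates. A one-line comment in the Terraform module or PR description recording why the prefixes differ would save the next reader the same question. The enclosing `Statement` array begins outside the hunk.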