Pulling out the getter iam actions and correcting service role arn

ministryofjustice · Jul 19, 2024 · 61685e0 · 61685e0
1 parent 38c3189
commit 61685e0
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/terraform/environments/digital-prison-reporting/policy.tf b/terraform/environments/digital-prison-reporting/policy.tf
@@ -760,13 +760,22 @@ data "aws_iam_policy_document" "analytical_platform_share_policy" {
     effect = "Allow"
     actions = [
       "iam:PutRolePolicy",
+    ]
+    resources = [
+      "arn:aws:iam::${local.current_account_id}:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess"
+    ]
+  }
+  # Needed for LakeFormationAdmin to check the presense of the Lake Formation Service Role
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:GetRolePolicy",
       "iam:GetRole"
     ]
     resources = [
-      "arn:aws:iam::${local.current_account_id}:role/*/AWSServiceRoleForLakeFormationDataAccess"
+      "*"
     ]
   }
-
   statement {
     effect = "Allow"
     actions = [