DSOS-2927: add permissions to hmpps to test LetsEncrypt certificate g…

…eneration
ministryofjustice · Aug 22, 2024 · 7ba4316 · 7ba4316
1 parent 3214099
commit 7ba4316
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/terraform/environments/hmpps-domain-services/locals_preproduction.tf b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
@@ -88,6 +88,9 @@ locals {
       pp-rds-1-a = merge(local.ec2_instances.rds, {
         config = merge(local.ec2_instances.rds.config, {
           availability_zone = "eu-west-2a"
+          instance_profile_policies = concat(local.ec2_instances.rds.config.instance_profile_policies, [
+            "Ec2PpRdsPolicy",
+          ])
         })
         tags = merge(local.ec2_instances.rds.tags, {
           description = "Remote Desktop Services for azure.hmpp.root domain"
@@ -96,6 +99,32 @@ locals {
       })
     }
 
+    iam_policies = {
+      Ec2PpRdsPolicy = {
+        description = "Permissions required for POSH-ACME Route53 Plugin"
+        statements = [
+          {
+            effect = "Allow"
+            actions = [
+              "route53:ListHostedZones",
+            ]
+            resources = ["*"]
+          },
+          {
+            effect = "Allow"
+            actions = [
+              "route53:GetHostedZone",
+              "route53:ListResourceRecordSets",
+              "route53:ChangeResourceRecordSets"
+            ]
+            resources = [
+              "arn:aws:route53:::hostedzone/*",
+            ]
+          },
+        ]
+      }
+    }
+
     lbs = {
       public = merge(local.lbs.public, {
         instance_target_groups = {