From 7ba43168d06d875048594dc8b8b2dd9af4384aa9 Mon Sep 17 00:00:00 2001
From: Dominic Robinson
Date: Thu, 22 Aug 2024 15:38:39 +0100
Subject: [PATCH] DSOS-2927: add permissions to hmpps to test LetsEncrypt certificate generation
---
 .../locals_preproduction.tf | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/terraform/environments/hmpps-domain-services/locals_preproduction.tf b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
index 0c403b869e7..0d0e495fd67 100644
--- a/terraform/environments/hmpps-domain-services/locals_preproduction.tf
+++ b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
@@ -88,6 +88,9 @@ locals {
 pp-rds-1-a = merge(local.ec2_instances.rds, { config = merge(local.ec2_instances.rds.config, { availability_zone = "eu-west-2a"
+ instance_profile_policies = concat(local.ec2_instances.rds.config.instance_profile_policies, [ "Ec2PpRdsPolicy", ]) }) tags = merge(local.ec2_instances.rds.tags, { description = "Remote Desktop Services for azure.hmpp.root domain"
@@ -96,6 +99,32 @@ locals {
 }) }
+ iam_policies = { Ec2PpRdsPolicy = { description = "Permissions required for POSH-ACME Route53 Plugin" statements = [ { effect = "Allow" actions = [ "route53:ListHostedZones", ] resources = ["*"] }, { effect = "Allow" actions = [ "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ] resources = [ "arn:aws:route53:::hostedzone/*", ] }, ] } }
+
 lbs = { public = merge(local.lbs.public, { instance_target_groups = {
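Review bot: The second statement of `Ec2PpRdsPolicy` grants `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, so the pp-rds-1-a instance profile can rewrite any record in every hosted zone the account owns, not just the `_acme-challenge` TXT records a DNS-01 validation needs; anyone who lands on that pre-production host inherits that reach. Narrow the resource to the hosted zone id(s) that serve the certificate names and put `ChangeResourceRecordSets` in its own statement with the Route 53 condition keys that restrict the call to `TXT` records named `_acme-challenge.*`; `GetHostedZone` and `ListResourceRecordSets` can keep the zone-scoped resource, and `ListHostedZones` has to stay on `*` because it is not resource-scoped. Whether the module's `statements` schema accepts a `conditions` list is not visible in this hunk, so that part is presumed from the shape of the surrounding config and should be confirmed. Since the commit title frames this as a test, a one-line comment above `Ec2PpRdsPolicy` saying whether it is temporary and which zone(s) it is meant for, e.g. `# DSOS-2927: DNS-01 challenge permissions for Posh-ACME; remove or scope to the final zone once testing is done`, would help the next reviewer.

```hcl
      statements = [
        # … unchanged: ListHostedZones statement on "*" …
        {
          effect = "Allow"
          actions = [
            "route53:GetHostedZone",
            "route53:ListResourceRecordSets",
          ]
          resources = [
            "arn:aws:route53:::hostedzone/*", # TODO: replace with the specific zone id(s) used for validation
          ]
        },
        {
          effect = "Allow"
          actions = [
            "route53:ChangeResourceRecordSets",
          ]
          resources = [
            "arn:aws:route53:::hostedzone/*", # TODO: same zone id(s) as above
          ]
          # Only TXT records under _acme-challenge.* may be changed; assumes the
          # module accepts a conditions list on a statement — confirm before merging.
          conditions = [
            {
              test     = "ForAllValues:StringEquals"
              variable = "route53:ChangeResourceRecordSetsRecordTypes"
              values   = ["TXT"]
            },
            {
              test     = "ForAllValues:StringLike"
              variable = "route53:ChangeResourceRecordSetsNormalizedRecordNames"
              values   = ["_acme-challenge.*"]
            },
          ]
        },
      ]
```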