From 91bf5ac109e253d5f2278f76e42d28894b024107 Mon Sep 17 00:00:00 2001
From: matt-heery <116661071+matt-heery@users.noreply.github.com>
Date: Thu, 17 Oct 2024 16:30:56 +0100
Subject: [PATCH] update permissions statement
---
 .../modules/ap_airflow_load_data_iam_role/main.tf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf
index 648c0926e38..7b11cb88c7f 100644
--- a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf
+++ b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf
@@ -7,6 +7,8 @@ data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 data "aws_iam_policy_document" "load_data" {
+ #checkov:skip=CKV_AWS_356
+ #checkov:skip=CKV_AWS_111
 statement {
 sid = "GetFiles${local.camel-sid}"
 effect = "Allow"
@@ -54,6 +56,18 @@ data "aws_iam_policy_document" "load_data" {
 "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.database_name}/*"
 ]
 }
+ statement {
+ sid = "ListAccountAlias${local.camel-sid}"
+ effect = "Allow"
+ actions = ["iam:ListAccountAliases"]
+ resources = ["*"]
+ }
+ statement {
+ sid = "ListAllBucket${local.camel-sid}"
+ effect = "Allow"
+ actions = ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]
+ resources = ["*"]
+ }
 }
 module "load_unstructured_atrium_database" {
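Review bot: The two `#checkov:skip` lines added at the top of `data "aws_iam_policy_document" "load_data"` carry no justification, so the next reader cannot tell which statement each suppression is for or whether it is still needed. Checkov's skip syntax accepts a reason after a second colon; something like `#checkov:skip=CKV_AWS_356:ListAllMyBuckets and ListAccountAliases do not support resource-level permissions` records why the wildcard resource is unavoidable. The CKV_AWS_111 skip (write access without constraints) is not explained by the read-only list actions this patch adds, so it presumably covers a statement outside this hunk; the reason text should say which one. Note also that a skip placed on the data source silences those checks for the whole document, including any statement added to it later, rather than only for the new statements; the document body continues beyond this hunk.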
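Review bot: In the new `ListAllBucket` statement, `s3:GetBucketLocation` is grouped with `s3:ListAllMyBuckets` under `resources = ["*"]`, but only the latter (and `iam:ListAccountAliases` in the statement above it) genuinely requires a wildcard; `s3:GetBucketLocation` accepts bucket ARNs as its resource. Moving it into its own statement whose `resources` lists the bucket ARNs this role already reads elsewhere in the document would confine the wildcard to the actions that cannot be scoped, and would narrow what the CKV_AWS_356 suppression has to cover. If the intent is that the role may locate any bucket in the account, a one-line comment on the statement saying so would make the wildcard deliberate rather than incidental.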