Update permissions

- Handle production trust policy for multiple repositories
- Include lambda functions into deploy

Author: TheOneFromNorway

terraform/account/deployment_permissions.tf

@@ -52,7 +52,8 @@ resource "aws_iam_role" "data_replication_snapshot" {
   name        = "DatabaseSnapshotRole"
   description = "Role to be assumed by the data replication workflow for taking on-demand DB snapshots"
   assume_role_policy = templatefile("resources/iam_role_github_trust_policy_${var.environment}.json.tftpl", {
-    account_id = var.account_id
+    account_id      = var.account_id
+    repository_list = ["repo:nhsuk/manage-vaccinations-in-schools:*"]
   })
 }
 

terraform/account/resources/iam_policy_DeployMavisResources.json

@@ -142,6 +142,12 @@
         "ssm:DeleteParameter",
         "ssm:DeleteParameters",
         "ssm:PutParameter",
+        "lambda:InvokeFunction",
+        "lambda:DeleteFunction",
+        "lambda:CreateFunction",
+        "lambda:CreateAlias",
+        "lambda:DeleteAlias",
+        "lambda:UpdateAlias",
         "elasticache:CreateCacheParameterGroup",
         "elasticache:AuthorizeCacheSecurityGroupIngress",
         "elasticache:CreateReplicationGroup",

terraform/account/resources/iam_role_github_trust_policy_production.json.tftpl

@@ -10,8 +10,8 @@
       "Condition": {
         "StringEquals": {
           "token.actions.githubusercontent.com:sub": [
-            "repo:nhsuk/manage-vaccinations-in-schools:ref:refs/heads/main",
-            "repo:nhsuk/manage-vaccinations-in-schools:environment:production"
+            "repo:${repository}:ref:refs/heads/main",
+            "repo:${repository}:environment:production"
           ],
           "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
         }