Grant Terraform Cloud role access to Access Analyzer

samsimpson1 · samsimpson1 · commit 1325d4054bf7 · 2025-05-21T13:46:27.000+01:00
This is required for TFC to manage Access Analyzer resources
diff --git a/terraform/deployments/tfc-aws-config/aws_oidc.tf b/terraform/deployments/tfc-aws-config/aws_oidc.tf
@@ -38,6 +38,7 @@ data "aws_iam_policy_document" "tfc_policy" {
   statement {
     resources = ["*"]
     actions = [
+      "access-analyzer:*",
       "acm:*",
       "apigateway:*",
       "athena:*",
@@ -130,6 +131,11 @@ data "aws_iam_policy_document" "tfc_policy" {
       "arn:aws:iam::*:user/govuk-*-fastly-logs-athena-monitoring"
     ]
   }
+  statement {
+    effect    = "Allow"
+    actions   = ["iam:CreateServiceLinkedRole"]
+    resources = ["arn:aws:iam::*:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"]
+  }
   statement {
     effect    = "Deny"
     resources = ["*"]
@@ -145,7 +151,6 @@ data "aws_iam_policy_document" "tfc_policy" {
       "iam:*Login*",
       "iam:*Group*",
       "iam:*PermissionsBoundary*",
-      "iam:CreateServiceLinkedRole",
     ]
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ data "aws_iam_policy_document" "tfc_policy" {`
`38`	`38`	`statement {`
`39`	`39`	`resources = ["*"]`
`40`	`40`	`actions = [`
	`41`	`+ "access-analyzer:*",`
`41`	`42`	`"acm:*",`
`42`	`43`	`"apigateway:*",`
`43`	`44`	`"athena:*",`
`@@ -130,6 +131,11 @@ data "aws_iam_policy_document" "tfc_policy" {`
`130`	`131`	`"arn:aws:iam:::user/govuk--fastly-logs-athena-monitoring"`
`131`	`132`	`]`
`132`	`133`	`}`
	`134`	`+ statement {`
	`135`	`+ effect = "Allow"`
	`136`	`+ actions = ["iam:CreateServiceLinkedRole"]`
	`137`	`+ resources = ["arn:aws:iam::*:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"]`
	`138`	`+ }`
`133`	`139`	`statement {`
`134`	`140`	`effect = "Deny"`
`135`	`141`	`resources = ["*"]`
`@@ -145,7 +151,6 @@ data "aws_iam_policy_document" "tfc_policy" {`
`145`	`151`	`"iam:Login",`
`146`	`152`	`"iam:Group",`
`147`	`153`	`"iam:PermissionsBoundary",`
`148`		`- "iam:CreateServiceLinkedRole",`
`149`	`154`	`]`
`150`	`155`	`}`
`151`	`156`	`}`