feat: add account assignement permission for Bot (#377)

gcharest · web-flow · commit 8f03bee61e43 · 2025-09-18T19:56:52.000-04:00
diff --git a/terragrunt/org_account/roles/sre_bot.tf b/terragrunt/org_account/roles/sre_bot.tf
@@ -65,6 +65,16 @@ data "aws_iam_policy_document" "sre_bot_policy" {
     ]
     resources = ["*"]
   }
+
+  statement {
+    sid    = "ManageSSOAssignments"
+    effect = "Allow"
+    actions = [
+      "sso:ListAccountAssignmentsForPrincipal",
+      "sso:CreateAccountAssignment"
+    ]
+    resources = ["*"]
+  }
 }
 
 resource "aws_iam_policy" "sre_bot_policy" {

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,16 @@ data "aws_iam_policy_document" "sre_bot_policy" {`
`65`	`65`	`]`
`66`	`66`	`resources = ["*"]`
`67`	`67`	`}`
	`68`	`+`
	`69`	`+ statement {`
	`70`	`+ sid = "ManageSSOAssignments"`
	`71`	`+ effect = "Allow"`
	`72`	`+ actions = [`
	`73`	`+ "sso:ListAccountAssignmentsForPrincipal",`
	`74`	`+ "sso:CreateAccountAssignment"`
	`75`	`+ ]`
	`76`	`+ resources = ["*"]`
	`77`	`+ }`
`68`	`78`	`}`
`69`	`79`
`70`	`80`	`resource "aws_iam_policy" "sre_bot_policy" {`