fix(ci-lease): add s3vectors:* to CIDeployRole + capture CFN events on failure

chrisns · chrisns · commit 02be78ca9044 · 2026-05-22T10:18:29.000+01:00
Council-chatbot CFN deploy failed silently because:
1. CIDeployRole missing s3vectors:* permission. Council-chatbot uses
   AWS::S3Vectors::VectorBucket + AWS::S3Vectors::Index (newer service,
   separate IAM namespace from s3:*). Without this permission, those
   resources fail to create, the stack rolls back, and CFN deploy
   returns a generic 'Failed to create/update the stack'.
2. The Capture CFN events step was skipped because the deploy step set
   stack_name to GITHUB_OUTPUT AFTER the deploy command — but the
   command errored before reaching the echo, so the output stayed empty
   and the gated Capture step never ran. Moved the echo to BEFORE the
   deploy command so events get captured even on failure.

Add s3vectors:* to ScenarioResourceManagement. Future scenarios that
use other newer/specialised services will need similar additions.
diff --git a/.github/workflows/scenario-ci.yml b/.github/workflows/scenario-ci.yml
@@ -121,6 +121,10 @@ jobs:
         run: |
           set -euo pipefail
           STACK_NAME="ndx-try-${SCENARIO}"
+          # Emit the stack name to GITHUB_OUTPUT FIRST so the Capture
+          # CFN events step (gated on stack_name) runs even if deploy
+          # fails — without the events we can't debug the failure.
+          echo "stack_name=$STACK_NAME" >> "$GITHUB_OUTPUT"
           # CFN requires templates >51KB to be staged in S3. Several
           # scenarios (council-chatbot, simply-readable, ai-contact-centre)
           # exceed this. Create a per-account staging bucket on demand —
@@ -143,7 +147,6 @@ jobs:
             --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
             --no-fail-on-empty-changeset \
             --tags Project=ndx-try Scenario="$SCENARIO" RunId="${{ github.run_id }}"
-          echo "stack_name=$STACK_NAME" >> "$GITHUB_OUTPUT"
 
       - name: Run scenario smoke spec
         env:
diff --git a/cloudformation/isb-hub-orgmgmt/ci-deploy-role-stackset/template.yaml b/cloudformation/isb-hub-orgmgmt/ci-deploy-role-stackset/template.yaml
@@ -188,6 +188,7 @@ Resources:
                       - Effect: Allow
                         Action:
                           - 's3:*'
+                          - 's3vectors:*'
                           - 'lambda:*'
                           - 'apigateway:*'
                           - 'dynamodb:*'
