DDLS-356b readd the permissions to front container (#1684)

ministryofjustice · Oct 3, 2024 · 4b9162e · 4b9162e
1 parent a8ee78e
commit 4b9162e
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/terraform/environment/region/ecs_iam_front.tf b/terraform/environment/region/ecs_iam_front.tf
@@ -100,3 +100,22 @@ resource "aws_iam_role_policy" "front_ssm" {
   policy = data.aws_iam_policy_document.front_ssm.json
   role   = aws_iam_role.front.id
 }
+
+# ======= INVOKE API GATEWAY PERMISSIONS =====
+resource "aws_iam_role_policy" "front_invoke_api_gateway" {
+  name   = "front-api-gw.${local.environment}"
+  policy = data.aws_iam_policy_document.front_invoke_api_gateway.json
+  role   = aws_iam_role.front.id
+}
+
+data "aws_iam_policy_document" "front_invoke_api_gateway" {
+  statement {
+    sid    = "AllowInvokeOnDeputyReportingGateway"
+    effect = "Allow"
+    actions = [
+      "execute-api:Invoke",
+      "execute-api:ManageConnections"
+    ]
+    resources = ["arn:aws:execute-api:eu-west-1:${var.account.sirius_api_account}:*"]
+  }
+}