diff --git a/root_draft_metadata.tf b/root_draft_metadata.tf
index 0bd8ecd..0e9a838 100644
--- a/root_draft_metadata.tf
+++ b/root_draft_metadata.tf
@@ -48,11 +48,22 @@ module "draft_metadata_api_gateway" {
 resource "aws_iam_role" "draft_metadata_api_gateway_execution_role" {
 name = "TDRMetadataChecksAPIGatewayExecutionRole${title(local.environment)}"
 assume_role_policy = templatefile("./templates/iam_policy/assume_role_policy.json.tpl", { service = "apigateway.amazonaws.com" })
+}
 
- inline_policy {
- name = "TDRMetadataChecksAPIGatewayStepFunctionExecutionPolicy${title(local.environment)}"
- policy = templatefile("./templates/iam_policy/api_gateway_state_machine_policy.json.tpl", { account_id = data.aws_caller_identity.current.account_id, state_machine_arn = module.draft_metadata_checks.step_function_arn })
- }
+resource "aws_iam_policy" "api_gateway_execution_policy" {
+ name = "TDRMetadataChecksAPIGatewayStepFunctionExecutionPolicy${title(local.environment)}"
+ policy = templatefile(
+ "./templates/iam_policy/api_gateway_state_machine_policy.json.tpl",
+ {
+ account_id = data.aws_caller_identity.current.account_id,
+ state_machine_arn = module.draft_metadata_checks.step_function_arn
+ }
+ )
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_execution_policy" {
+ role = aws_iam_role.draft_metadata_api_gateway_execution_role.name
+ policy_arn = aws_iam_policy.api_gateway_execution_policy.arn
 }
 
 module "draft_metadata_bucket" {
diff --git a/root_keycloak.tf b/root_keycloak.tf
index 292e70a..3602279 100644
--- a/root_keycloak.tf
+++ b/root_keycloak.tf
@@ -166,7 +166,7 @@ module "keycloak_database_instance" {
 availability_zone = local.database_availability_zone
 common_tags = local.common_tags
 database_name = "keycloak"
- database_version = "14.12"
+ database_version = local.environment == "prod" ? "14.12" : "16.3"
 environment = local.environment
 kms_key_id = module.encryption_key.kms_key_arn
 private_subnets = module.shared_vpc.private_subnets
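Review bot: Removing the `inline_policy` block from `aws_iam_role.draft_metadata_api_gateway_execution_role` does not by itself delete the inline policy already on the role where this was applied before; with no `inline_policy` blocks configured, the AWS provider stops managing inline policies on the role instead of removing them. The old inline copy would then keep granting whatever `api_gateway_state_machine_policy.json.tpl` allowed at the time, alongside the new managed policy, so a later tightening of that template would not fully take effect. After apply, confirm in each environment that the role has no leftover inline policy (for example with `aws iam list-role-policies`), or manage the set explicitly with an `aws_iam_role_policies_exclusive` resource whose `policy_names` is empty, if the provider version in use supports it. As a smaller style point, the resource label `api_gateway_execution_policy` drops the `draft_metadata_` prefix that the role beside it carries.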
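Review bot: The ternary on `database_version` keeps prod on 14.12 and moves every other environment to 16.3, with nothing in the file saying that the split is temporary or when prod follows, so the environments used to test Keycloak no longer match the engine behind the production identity service. A comment above the line would record the intent, e.g. `# prod stays on 14.12 until the 16.3 upgrade is validated in non-prod; remove this conditional once prod is upgraded`. Going from 14 to 16 is a major engine upgrade, and whether the `keycloak_database_instance` module sets `allow_major_version_upgrade` is not visible here, so that is worth confirming before apply. The module block starts and ends outside the hunk.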