Merge pull request #72 from manics/deployment-instance-iam

Add permissions to deployment instance role for CDK
HicResearch · Jun 8, 2022 · 4fb3ab0 · 4fb3ab0
2 parents 6a24240 + 6eb4d89
commit 4fb3ab0
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/src/deployment/DeploymentInstance-Cfn.yaml b/src/deployment/DeploymentInstance-Cfn.yaml
@@ -276,6 +276,19 @@ Resources:
                   - cloudformation:DescribeStackEvents
                 Effect: Allow
                 Resource: "*"
+        - PolicyName: CdkDeploy
+          PolicyDocument:
+            Statement:
+              # In addition to CloudFormationAccess
+              - Action:
+                  - cloudformation:CreateChangeSet
+                  - cloudformation:DescribeChangeSet
+                  - cloudformation:ExecuteChangeSet
+                  - ecr:CreateRepository
+                  - ecr:SetRepositoryPolicy
+                  - ecr:DescribeRepositories
+                Effect: Allow
+                Resource: "*"
         - PolicyName: LogsAccess
           PolicyDocument:
             Statement:
@@ -405,6 +418,9 @@ Resources:
                   - lambda:RemovePermission
                   - lambda:DeleteFunction
                   - lambda:UpdateFunctionCode
+                  # Needed for subsequent updates to deployment
+                  - lambda:UpdateFunctionConfiguration
+                  - lambda:ListTags
                 Resource: "*"
         - PolicyName: SMWorkflowPolicy
           PolicyDocument: