From 2ce4fa8f40697e8f255de1f4d8044b9e52fa7bb3 Mon Sep 17 00:00:00 2001
From: ScriptSmith <ScriptSmith@users.noreply.github.com>
Date: Wed, 4 Oct 2023 12:41:14 +1000
Subject: [PATCH] Allow reading from parameter store in any region

---
 deployment/lib/github-stack.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deployment/lib/github-stack.ts b/deployment/lib/github-stack.ts
index 6dbe14f..9ea361a 100644
--- a/deployment/lib/github-stack.ts
+++ b/deployment/lib/github-stack.ts
@@ -104,7 +104,7 @@ export class GitHubStack extends cdk.Stack {
     const ssmPolicy = new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ["ssm:GetParameter"],
-      resources: [`arn:aws:ssm:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:parameter/app/${props.envName}/${props.repo}/env`]
+      resources: [`arn:aws:ssm:*:${cdk.Aws.ACCOUNT_ID}:parameter/app/${props.envName}/${props.repo}/env`]
     });
 
     const deployRole = new iam.Role(this, "deploy-role", {