From 60768548ea65657839511354093fe54af790dad0 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Tue, 10 Mar 2026 01:01:54 +0100
Subject: [PATCH] Fix apply-gate role: add permission boundary and dependency ordering

- Add permissions_boundary to apply-gate Lambda role (required by CI boundary)
- Pass apply_gate_role_arn from lambdas output to iam module input
- Terraform creates the role first, then updates ci_app trust with real ARN
- Fixes: MalformedPolicyDocument (non-existent principal) and AccessDenied (missing boundary)
---
 terraform/platform/iam/main.tf | 2 +-
 terraform/platform/iam/variables.tf | 5 +++++
 terraform/platform/lambdas/main.tf | 3 ++-
 terraform/platform/lambdas/outputs.tf | 5 +++++
 terraform/platform/main.tf | 1 +
 5 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/terraform/platform/iam/main.tf b/terraform/platform/iam/main.tf
index 88f2337..2d31b34 100644
--- a/terraform/platform/iam/main.tf
+++ b/terraform/platform/iam/main.tf
@@ -182,7 +182,7 @@ resource "aws_iam_role" "ci_app" {
 Sid = "AllowApplyViaGateLambda"
 Effect = "Allow"
 Principal = {
- AWS = "arn:aws:iam::${var.aws_account_id}:role/${var.project}-apply-gate"
+ AWS = var.apply_gate_role_arn
 }
 Action = "sts:AssumeRole"
 },
diff --git a/terraform/platform/iam/variables.tf b/terraform/platform/iam/variables.tf
index 3593b43..a34ff76 100644
--- a/terraform/platform/iam/variables.tf
+++ b/terraform/platform/iam/variables.tf
@@ -30,3 +30,8 @@ variable "github_org" {
 type = string
 default = "javaBin"
 }
+
+variable "apply_gate_role_arn" {
+ description = "ARN of the apply-gate Lambda role (for ci_app trust policy)"
+ type = string
+}
diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index 5d4c499..80f80e6 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
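Review bot: The `AllowApplyViaGateLambda` statement now trusts the apply-gate role by ARN with no `Condition`, and IAM stores a role principal as that role's unique ID, so if the apply-gate role is ever destroyed and recreated (a rename, a `-replace`) this trust silently becomes an invalid principal until the next apply rewrites it. A comment above the `Principal` block would save the next on-call the hunt: `# IAM pins this principal to the apply-gate role's unique ID; recreating that role requires re-applying this trust policy.` Because the apply-gate execution role can assume `ci_app`, anyone able to change that function's code (`lambda:UpdateFunctionCode`) or its execution role effectively holds `ci_app`'s permissions — presumably the intended gate, but worth stating in the same comment so the Lambda's own access controls are reviewed as part of this trust. The `ci_app` resource starts and ends outside the hunk.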
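Review bot: `apply_gate_role_arn` is fed straight into a trust-policy `Principal`, so a wrong, empty or null value only surfaces at apply time as `MalformedPolicyDocument` — the very error this commit is fixing. A `validation` block rejects anything that is not an IAM role ARN at plan time, and `nullable = false` stops a null from being jsonencoded into the policy. The description should also say the value must be the real ARN from the lambdas module rather than one constructed by name, since the name-constructed form is what broke the trust policy.
```hcl
variable "apply_gate_role_arn" {
  description = "ARN of the apply-gate Lambda role (for ci_app trust policy); must be the real role ARN from the lambdas module, not one constructed by name"
  type        = string
  nullable    = false

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.apply_gate_role_arn))
    error_message = "apply_gate_role_arn must be an IAM role ARN (arn:aws:iam::<account>:role/...)."
  }
}
```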
@@ -725,7 +725,8 @@ data "archive_file" "apply_gate" {
 }
 
 resource "aws_iam_role" "apply_gate" {
- name = "${var.project}-apply-gate"
+ name = "${var.project}-apply-gate"
+ permissions_boundary = "arn:aws:iam::${var.aws_account_id}:policy/${var.project}-developer-boundary"
 
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
diff --git a/terraform/platform/lambdas/outputs.tf b/terraform/platform/lambdas/outputs.tf
index 486f7ce..a69dddc 100644
--- a/terraform/platform/lambdas/outputs.tf
+++ b/terraform/platform/lambdas/outputs.tf
@@ -27,3 +27,8 @@ output "team_provisioner_function_arn" {
 description = "ARN of the team-provisioner Lambda function"
 value = aws_lambda_function.team_provisioner.arn
 }
+
+output "apply_gate_role_arn" {
+ description = "ARN of the apply-gate Lambda IAM role"
+ value = aws_iam_role.apply_gate.arn
+}
diff --git a/terraform/platform/main.tf b/terraform/platform/main.tf
index db0666e..a9e1718 100644
--- a/terraform/platform/main.tf
+++ b/terraform/platform/main.tf
@@ -36,6 +36,7 @@ module "iam" {
 registered_app_repos = var.registered_app_repos
 override_approvers = var.override_approvers
 github_org = var.github_org
+ apply_gate_role_arn = module.lambdas.apply_gate_role_arn
 }
 
 module "compute" {
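Review bot: `permissions_boundary` is assembled from `var.aws_account_id` and a name, so Terraform has no dependency on the `${var.project}-developer-boundary` policy — a missing or renamed boundary shows up only as an IAM error at apply time, and the partition is pinned to `arn:aws`. Resolving it through a `data "aws_iam_policy"` lookup fails at plan if the policy is absent and yields the real ARN. Separately, a boundary named `developer-boundary` on this execution role only caps what the role's own policies may grant (it must still allow `sts:AssumeRole` on `ci_app` for the gate to work); it does not constrain what the role reaches after assuming `ci_app`, so the gate's effective blast radius is `ci_app`'s policy — confirm that is intended, since the commit message only says the boundary is "required by CI boundary". The resource's `assume_role_policy` continues outside the hunk.
```hcl
data "aws_iam_policy" "developer_boundary" {
  name = "${var.project}-developer-boundary"
}

resource "aws_iam_role" "apply_gate" {
  name                 = "${var.project}-apply-gate"
  permissions_boundary = data.aws_iam_policy.developer_boundary.arn
  # … unchanged: assume_role_policy …
```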
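Review bot: The `apply_gate_role_arn = module.lambdas.apply_gate_role_arn` line is the edge that orders the apply-gate role before the `ci_app` trust-policy update, but nothing in `main.tf` records that this dependency is load-bearing, so a later cleanup could swap it back to a name-constructed ARN and reintroduce `MalformedPolicyDocument`. A one-line comment on the new line covers it: `# real ARN from the lambdas module: the role must exist before ci_app's trust policy references it`. This also makes `module.iam` depend on `module.lambdas`; if `module.lambdas` ever needs an output of `module.iam` (for instance ci_app's ARN for the gate Lambda to assume), Terraform will report a cycle, and the usual way out is to construct the ci_app ARN by name on the Lambda side instead. The `module "iam"` block starts outside the hunk.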