From 73b5fd0c9b65548f967d421ba888d33d2568eec2 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Wed, 18 Mar 2026 00:31:51 +0100
Subject: [PATCH] Allow team roles to read platform data sources

App repos use data sources to reference shared platform infrastructure (VPC, ALB, ECS cluster, execution role, SNS topics, Route53 zones). These are read-only operations but ABAC blocks them because platform resources have team=platform. Add explicit read-only statement without tag conditions for describe/get/list operations.
---
 terraform/platform/iam/main.tf | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/terraform/platform/iam/main.tf b/terraform/platform/iam/main.tf
index 6ed47b9..4ef4e46 100644
--- a/terraform/platform/iam/main.tf
+++ b/terraform/platform/iam/main.tf
@@ -401,6 +401,36 @@ resource "aws_iam_role_policy" "ci_team_allow" {
 }
 }
 },
+ {
+ # App repos reference shared platform infra via data sources (VPC, ALB,
+ # ECS cluster, IAM execution role, SNS topics, Route53 zones, etc.).
+ # These are read-only operations that don't modify resources, but the
+ # ABAC tag condition blocks them because platform resources have
+ # team=platform. Allow describe/get/list without tag conditions.
+ Sid = "AllowPlatformDataSourceReads"
+ Effect = "Allow"
+ Action = [
+ "ec2:Describe*",
+ "elasticloadbalancing:Describe*",
+ "ecs:DescribeClusters",
+ "ecs:ListServices",
+ "iam:GetRole",
+ "iam:GetPolicy",
+ "iam:ListAttachedRolePolicies",
+ "sns:GetTopicAttributes",
+ "sns:ListTagsForResource",
+ "route53:ListHostedZones",
+ "route53:GetHostedZone",
+ "route53:ListResourceRecordSets",
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "logs:DescribeLogGroups",
+ "logs:CreateLogGroup",
+ "logs:PutRetentionPolicy",
+ "ecr:GetAuthorizationToken",
+ ]
+ Resource = "*"
+ },
 ]
 })
 }
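Review bot: The statement `AllowPlatformDataSourceReads` is described in its comment, its Sid and the commit message as read-only, but `"logs:CreateLogGroup",` and `"logs:PutRetentionPolicy",` are mutating actions, and because the statement has `Resource = "*"` and deliberately no tag condition, every team role this policy is attached to can now create log groups under any name and change retention on any existing log group in the account, including platform and other teams' groups — exactly the write path the ABAC statement elsewhere in this resource is meant to gate. Remove those two lines from this statement and put them in their own tag-conditioned statement (for `CreateLogGroup` the resource does not exist yet, so it would key on the request tag rather than the resource tag, or on a team-prefixed `arn:aws:logs:...:log-group:/<team>/*` resource) that matches however the existing ABAC statement in this policy is written. Separately, note for the record that `ec2:Describe*`, `elasticloadbalancing:Describe*`, `iam:GetRole`/`iam:GetPolicy` and `route53:ListResourceRecordSets` on `*` expose VPC/security-group layout, every role's trust policy and all DNS records in the account to every team role; that may be acceptable for a CI role, but it is broader than "the shared platform resources the data sources need", so the comment should say so explicitly. The enclosing `resource "aws_iam_role_policy" "ci_team_allow"` starts before this hunk, so the ABAC statement being referenced is not visible here.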