From b82d0f545018b97a15f4dd386c924cce7c061eea Mon Sep 17 00:00:00 2001 From: Javier Castiarena Date: Wed, 15 Apr 2026 18:03:40 -0300 Subject: [PATCH] fix(agent-iam): add route53:GetChange for DNS propagation polling The default agent IAM policy already grants ChangeResourceRecordSets and the Get/List HostedZone actions, but omits route53:GetChange on `arn:aws:route53:::change/*`. The AWS Terraform provider polls GetChange while waiting for a record to reach INSYNC after creation; without it, any scope that creates DNS records (static-files, k8s with external-dns, anything with a CNAME/A record) fails with AccessDenied *after* the record is successfully created. The failure mode is confusing because the record is visible in the console but the deploy rolls back. Found while installing the static-files scope at a customer POC. Co-Authored-By: Claude Opus 4.6 (1M context) --- infrastructure/aws/iam/agent/main.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/infrastructure/aws/iam/agent/main.tf b/infrastructure/aws/iam/agent/main.tf index 40b240cd..b3d88c06 100644 --- a/infrastructure/aws/iam/agent/main.tf +++ b/infrastructure/aws/iam/agent/main.tf @@ -56,6 +56,16 @@ resource "aws_iam_policy" "nullplatform_route53_policy" { # ] # } # } + }, + { + "Sid" : "Route53GetChange", + "Effect" : "Allow", + "Action" : [ + "route53:GetChange" + ], + "Resource" : [ + "arn:aws:route53:::change/*" + ] } ] })
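Review bot: the added statement is scoped to `arn:aws:route53:::change/*`, which is the only resource form `route53:GetChange` accepts, so the grant is as narrow as it can be; the one thing missing from this hunk is a comment next to `"Sid" : "Route53GetChange"` saying why the action is there (the provider polling GetChange until INSYNC, as the commit message explains), since a future reviewer trimming the policy will otherwise see a read-only action that nothing in `main.tf` obviously uses and drop it. Brace balance checks out: the `+ },` closes the previous statement after the commented-out `# }` lines and the pre-existing `}` after `+ ]` closes the new one. Consider also noting in the PR body that existing installs need the agent policy re-applied, because the AccessDenied-after-create behaviour described in the message persists until the policy is updated.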