From 938d25e3847a1a74cab9a006c36c36b2931faf97 Mon Sep 17 00:00:00 2001
From: Mitchell Alessio <5306896+malessi@users.noreply.github.com>
Date: Tue, 14 Jan 2025 16:28:43 -0500
Subject: [PATCH] BFD-3819: GitHub Actions IAM Role lacks permissions to manage IAM policies and KMS key policies (#2522)

---
 ops/terraform/env/mgmt/github-actions-iam.tf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ops/terraform/env/mgmt/github-actions-iam.tf b/ops/terraform/env/mgmt/github-actions-iam.tf
index a2faab859f..02aa145ebb 100644
--- a/ops/terraform/env/mgmt/github-actions-iam.tf
+++ b/ops/terraform/env/mgmt/github-actions-iam.tf
@@ -403,6 +403,14 @@ resource "aws_iam_policy" "github_actions_ci_ops" {
         ]
         Resource = "*"
       },
+      {
+        Sid = "AllowPolicyManagementOfAllKeys"
+        Effect = "Allow"
+        Action = [
+          "kms:PutKeyPolicy",
+        ]
+        Resource = "*"
+      },
       {
         Sid = "AllowSNS"
         Effect = "Allow"
@@ -427,7 +435,8 @@ resource "aws_iam_policy" "github_actions_ci_ops" {
         Action = [
           "iam:Get*",
           "iam:List*",
-          "iam:DeletePolicyVersion"
+          "iam:DeletePolicyVersion",
+          "iam:CreatePolicyVersion"
         ]
         Resource = "*"
       },
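Review bot: The new `AllowPolicyManagementOfAllKeys` statement grants `kms:PutKeyPolicy` on `Resource = "*"`, which lets the CI role replace the key policy — the root of KMS authorization — on every key in the account, not only the keys this pipeline creates; the Sid even says so. Since `kms:BypassPolicyLockoutSafetyCheck` is not granted, AWS will only guarantee the *calling* principal keeps access, so a bad or malicious policy document pushed from a compromised workflow can still grant third parties access to, or lock other principals out of, keys the pipeline has no business touching. Scope the statement to the ARNs of the keys Terraform actually manages here (or, if those keys carry a distinguishing tag, add a `Condition` on `aws:ResourceTag/<tag>` — verify which tag the mgmt keys use), and add a comment such as `# BFD-3819: Terraform must rewrite key policies on pipeline-managed keys; keep this scoped, PutKeyPolicy on "*" is account-wide key takeover` above the statement. The enclosing `aws_iam_policy` resource begins and ends outside this hunk.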
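Review bot: Adding `iam:CreatePolicyVersion` to a statement whose `Resource` is `"*"` is a textbook privilege-escalation primitive: together with the existing `iam:DeletePolicyVersion` (which frees the five-version limit), the role can create and set as default a new version of any customer-managed policy in the account — including, presumably, this very `github_actions_ci_ops` policy that is attached to it — with arbitrary statements, i.e. self-grant administrator. A workflow compromised via a malicious PR, a poisoned action, or a leaked OIDC trust misconfiguration would inherit that capability. The read-only `iam:Get*`/`iam:List*` actions can legitimately stay on `"*"`, but the two write actions should move to their own statement scoped to the policy ARNs this pipeline manages (whatever naming prefix BFD policies use — verify against the other `aws_iam_policy` resources in this file) so the role can never modify its own or any admin policy. This hunk sits inside the `aws_iam_policy.github_actions_ci_ops` body, which starts and ends outside the hunk.

```hcl
      # … unchanged: read-only IAM statement keeps iam:Get*/iam:List* on "*" …
      {
        Sid    = "AllowManagedPolicyVersionWrites"
        Effect = "Allow"
        Action = [
          "iam:CreatePolicyVersion",
          "iam:DeletePolicyVersion",
        ]
        # Never "*": with CreatePolicyVersion that would let this role rewrite
        # its own policy (or any admin policy) and escalate to full admin.
        # TODO(review): confirm the policy name prefix used by BFD resources.
        Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/bfd-*"
      },
```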