From 8bf54ef012a4b0c92366e3b351ee9f6bdbfb579f Mon Sep 17 00:00:00 2001
From: Catalina Garcia
Date: Wed, 8 Apr 2026 11:48:58 +0100
Subject: [PATCH] Allow support/readonly roles to access AWS Sustainability

Forgot to include `integration` in https://github.com/alphagov/forms-deploy/pull/2075
---
 .../integration/account/engineer-access.tf | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/infra/deployments/integration/account/engineer-access.tf b/infra/deployments/integration/account/engineer-access.tf
index ad3cf1e03..0a9b1f0c2 100644
--- a/infra/deployments/integration/account/engineer-access.tf
+++ b/infra/deployments/integration/account/engineer-access.tf
@@ -57,6 +57,29 @@ resource "aws_iam_policy" "lock_state_files" {
   })
 }
 
+resource "aws_iam_policy" "get_sustainability_data" {
+  name = "allow-get-sustainability_data"
+  path = "/"
+
+  description = "Allow access to AWS Sustainability"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "sustainability:GetCarbonFootprintSummary",
+          "sustainability:GetEstimatedCarbonEmissions",
+          "sustainability:GetEstimatedCarbonEmissionsDimensionValues",
+        ]
+        Effect = "Allow"
+        Resource = [
+          "*"
+        ]
+      }
+    ]
+  })
+}
 
 module "admin_role" {
@@ -76,7 +99,8 @@ module "support_role" {
   email = "${each.value}@digital.cabinet-office.gov.uk"
   role_suffix = "support"
   iam_policy_arns = [
-    aws_iam_policy.lock_state_files.arn
+    aws_iam_policy.lock_state_files.arn,
+    aws_iam_policy.get_sustainability_data.arn
   ]
   ip_restrictions = local.ip_restrictions
 }
@@ -89,7 +113,8 @@ module "readonly_role" {
   role_suffix = "readonly"
   iam_policy_arns = [
     "arn:aws:iam::aws:policy/ReadOnlyAccess",
-    aws_iam_policy.lock_state_files.arn
+    aws_iam_policy.lock_state_files.arn,
+    aws_iam_policy.get_sustainability_data.arn
   ]
   ip_restrictions = local.ip_restrictions
 }
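Review bot: The new policy's `name = "allow-get-sustainability_data"` mixes a hyphen and an underscore, which reads as a typo next to the Terraform resource name `get_sustainability_data`; settling on `name = "allow-get-sustainability-data"` now is cheaper than later, because changing an aws_iam_policy name after it is applied forces a replace and a detach/re-attach on every role it is bound to. The statement itself is tightly scoped to three read-only Get actions, which is the right shape for the support and readonly roles. `Resource = ["*"]` is presumably unavoidable here because the Sustainability Get calls are account-level and do not take resource ARNs, but nothing in the hunk says so, so a one-line comment above the `Resource` block such as `# Sustainability Get* calls are account-scoped; the API exposes no resource ARNs to narrow this to` would stop a future reviewer from trying to tighten it. The same ARN is attached in the support_role and readonly_role hunks below, so this policy is the single place where the access is defined and should be reviewed.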