fix: allow iams for code deploy

chrispsheehan · chrispsheehan · commit 5a31d62b6130 · 2025-09-08T15:59:57.000+01:00
diff --git a/infra/modules/aws/lambda/data.tf b/infra/modules/aws/lambda/data.tf
@@ -44,6 +44,29 @@ data "aws_iam_policy_document" "codedeploy_lambda" {
     ]
   }
 
+  statement {
+    sid     = "ReadArtifactObject"
+    effect  = "Allow"
+    actions = ["s3:GetObject", "s3:GetObjectVersion"]
+    resources = [
+      "arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}/${local.lambda_code_zip_key}",
+      "arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}/${var.lambda_version}/*"
+    ]
+  }
+
+  # Allow listing the bucket for that prefix (some SDKs call this)
+  statement {
+    sid       = "ListArtifactPrefix"
+    effect    = "Allow"
+    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
+    resources = ["arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}"]
+    condition {
+      test     = "StringLike"
+      variable = "s3:prefix"
+      values   = ["${var.lambda_version}/*"]
+    }
+  }
+
   statement {
     sid       = "DescribeAlarms"
     effect    = "Allow"
diff --git a/infra/modules/aws/lambda/main.tf b/infra/modules/aws/lambda/main.tf
@@ -58,9 +58,9 @@ resource "aws_iam_role_policy" "cd_lambda" {
 }
 
 resource "aws_codedeploy_deployment_group" "dg" {
-  app_name               = aws_codedeploy_app.app.name
-  deployment_group_name  = "${local.lambda_name}-dg"
-  service_role_arn       = aws_iam_role.code_deploy_role.arn
+  app_name              = aws_codedeploy_app.app.name
+  deployment_group_name = "${local.lambda_name}-dg"
+  service_role_arn      = aws_iam_role.code_deploy_role.arn
 
   deployment_style {
     deployment_type   = "BLUE_GREEN"
