From 4e130012a1fc1a15476c6530c8c9db230f2dd38f Mon Sep 17 00:00:00 2001
From: soji-kainos-nhs-temp
Date: Tue, 10 Mar 2026 17:15:28 +0000
Subject: [PATCH] NPT-1140 Include missing Github runner policy actions

---
 .../account_github_runner_compute.policy.json.tpl | 6 +++++-
 .../account_github_runner_data.policy.json.tpl | 2 ++
 .../account_github_runner_security.policy.json.tpl | 4 ++++
 .../app_github_runner_compute.policy.json.tpl | 6 +++++-
 .../app_github_runner_data.policy.json.tpl | 1 +
 .../app_github_runner_security.policy.json.tpl | 10 +++++++---
 .../github_runner_role_permissions_boundary.tf | 11 +++++++++--
 7 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/infrastructure/stacks/github_runner/account_github_runner_compute.policy.json.tpl b/infrastructure/stacks/github_runner/account_github_runner_compute.policy.json.tpl
index 72cf59fb..bf9dd08a 100644
--- a/infrastructure/stacks/github_runner/account_github_runner_compute.policy.json.tpl
+++ b/infrastructure/stacks/github_runner/account_github_runner_compute.policy.json.tpl
@@ -45,9 +45,11 @@
  "ec2:AssociateRouteTable",
  "ec2:AuthorizeSecurityGroupEgress",
  "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AttachInternetGateway",
  "ec2:CreateFlowLogs",
  "ec2:CreateNetworkAcl",
  "ec2:CreateNetworkAclEntry",
+ "ec2:CreateInternetGateway",
  "ec2:CreateRouteTable",
  "ec2:CreateSecurityGroup",
  "ec2:CreateSubnet",
@@ -60,6 +62,7 @@
  "ec2:DeleteTags",
  "ec2:DeleteVpc",
  "ec2:DeleteVpcEndpoints",
+ "ec2:DeleteInternetGateway",
  "ec2:ModifyVpcAttribute",
  "ec2:ReplaceNetworkAclAssociation",
  "ec2:RevokeSecurityGroupEgress",
@@ -74,7 +77,8 @@
  "arn:aws:ec2:${aws_region}:${account_id}:route-table/*",
  "arn:aws:ec2:${aws_region}:${account_id}:network-acl/*",
  "arn:aws:ec2:${aws_region}:${account_id}:security-group/*",
- "arn:aws:ec2:${aws_region}:${account_id}:security-group-rule/*"
+ "arn:aws:ec2:${aws_region}:${account_id}:security-group-rule/*",
+ "arn:aws:ec2:${aws_region}:${account_id}:internet-gateway/*"
  ]
  },
  {
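Review bot: The new `internet-gateway/*` ARN at the end of this file's last hunk is unscoped, so the `ec2:AttachInternetGateway` and `ec2:DeleteInternetGateway` added in the earlier hunks apply to every gateway in the account, and attaching a gateway is the step that makes a VPC reachable from the internet. Unless the statement already carries a Condition (its head is outside the hunk), consider restricting the three gateway actions in their own statement to project-tagged resources with a tag condition (`aws:ResourceTag/<tag-key-placeholder>` for attach/delete, `aws:RequestTag/<tag-key-placeholder>` for create), in the spirit of how the log-group ARNs elsewhere in this commit are narrowed by `${resource_prefix}`. The same three actions are added to `app_github_runner_compute.policy.json.tpl` below at a different position in the list (`ec2:CreateInternetGateway` after `ec2:CreateSecurityGroup` there, after `ec2:CreateNetworkAclEntry` here); keeping both files alphabetical would make the two policies easier to diff against each other.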
diff --git a/infrastructure/stacks/github_runner/account_github_runner_data.policy.json.tpl b/infrastructure/stacks/github_runner/account_github_runner_data.policy.json.tpl
index 9ebb1a10..e50dc05c 100644
--- a/infrastructure/stacks/github_runner/account_github_runner_data.policy.json.tpl
+++ b/infrastructure/stacks/github_runner/account_github_runner_data.policy.json.tpl
@@ -126,6 +126,7 @@
  "Effect": "Allow",
  "Action": [
  "cloudwatch:GetMetricWidgetImage",
+ "logs:CreateLogGroup",
  "logs:CreateLogDelivery",
  "logs:DeleteLogDelivery",
  "logs:DeleteResourcePolicy",
@@ -224,6 +225,7 @@
  "arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/lambda/${resource_prefix}-*${workspace_suffix}",
  "arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/apigateway/${resource_prefix}-*${workspace_suffix}",
  "arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/stepfunctions/${resource_prefix}-*${workspace_suffix}",
+ "arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/accessanalyzer/*",
  "arn:aws:cloudwatch:${aws_region}:${account_id}:alarm:*",
  "arn:aws:cloudwatch::${account_id}:dashboard/*",
  "arn:aws:sns:${aws_region}:${account_id}:cloudwatch*",
diff --git a/infrastructure/stacks/github_runner/account_github_runner_security.policy.json.tpl b/infrastructure/stacks/github_runner/account_github_runner_security.policy.json.tpl
index 43b45a54..ff962755 100644
--- a/infrastructure/stacks/github_runner/account_github_runner_security.policy.json.tpl
+++ b/infrastructure/stacks/github_runner/account_github_runner_security.policy.json.tpl
@@ -32,6 +32,7 @@
  "Sid": "ManagementAccess",
  "Effect": "Allow",
  "Action": [
+ "access-analyzer:CreateAnalyzer",
  "access-analyzer:GetAnalyzer",
  "access-analyzer:GetArchiveRule",
  "access-analyzer:GetFinding",
@@ -47,6 +48,7 @@
  "iam:List*",
  "inspector2:BatchGetAccountStatus",
  "inspector2:GetConfiguration",
+ "inspector2:Enable*",
  "kms:CreateAlias",
  "kms:CreateKey",
  "kms:List*",
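Review bot: The added `/aws/accessanalyzer/*` log-group ARN in the second hunk of `account_github_runner_data.policy.json.tpl` breaks the scoping convention of its neighbours, which are all narrowed with `${resource_prefix}-*${workspace_suffix}`; together with the new `logs:CreateLogGroup` in the first hunk, the actions in that statement now reach every access-analyzer log group in the account rather than this project's. If the analyzer's log group name is deterministic, narrow the ARN to it, e.g. `"arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/accessanalyzer/${resource_prefix}-*${workspace_suffix}"`, or add a comment in the template explaining why the whole prefix is required. The identical unscoped line is added to `app_github_runner_data.policy.json.tpl` further down.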
@@ -57,8 +59,10 @@
  "securityhub:DescribeHub",
  "securityhub:GetFindings",
  "securityhub:GetInsights",
+ "securityhub:BatchEnable*",
  "shield:Describe*",
  "shield:List*",
+ "shield:CreateSubscription",
  "sts:GetCallerIdentity",
  "wafv2:List*"
  ],
diff --git a/infrastructure/stacks/github_runner/app_github_runner_compute.policy.json.tpl b/infrastructure/stacks/github_runner/app_github_runner_compute.policy.json.tpl
index 8f6a97b4..da9398fd 100644
--- a/infrastructure/stacks/github_runner/app_github_runner_compute.policy.json.tpl
+++ b/infrastructure/stacks/github_runner/app_github_runner_compute.policy.json.tpl
@@ -45,11 +45,13 @@
  "ec2:AssociateRouteTable",
  "ec2:AuthorizeSecurityGroupEgress",
  "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AttachInternetGateway",
  "ec2:CreateFlowLogs",
  "ec2:CreateNetworkAcl",
  "ec2:CreateNetworkAclEntry",
  "ec2:CreateRouteTable",
  "ec2:CreateSecurityGroup",
+ "ec2:CreateInternetGateway",
  "ec2:CreateSubnet",
  "ec2:CreateTags",
  "ec2:CreateVpc",
@@ -57,6 +59,7 @@
  "ec2:DeleteNetworkAcl",
  "ec2:DeleteNetworkAclEntry",
  "ec2:DeleteSecurityGroup",
+ "ec2:DeleteInternetGateway",
  "ec2:DeleteTags",
  "ec2:DeleteVpc",
  "ec2:DeleteVpcEndpoints",
@@ -74,7 +77,8 @@
  "arn:aws:ec2:${aws_region}:${account_id}:route-table/*",
  "arn:aws:ec2:${aws_region}:${account_id}:network-acl/*",
  "arn:aws:ec2:${aws_region}:${account_id}:security-group/*",
- "arn:aws:ec2:${aws_region}:${account_id}:security-group-rule/*"
+ "arn:aws:ec2:${aws_region}:${account_id}:security-group-rule/*",
+ "arn:aws:ec2:${aws_region}:${account_id}:internet-gateway/*"
  ]
  },
  {
diff --git a/infrastructure/stacks/github_runner/app_github_runner_data.policy.json.tpl b/infrastructure/stacks/github_runner/app_github_runner_data.policy.json.tpl
index 7a33ec40..95e39bba 100644
--- a/infrastructure/stacks/github_runner/app_github_runner_data.policy.json.tpl
+++ b/infrastructure/stacks/github_runner/app_github_runner_data.policy.json.tpl
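Review bot: `shield:CreateSubscription` is added to the same statement as the read-only `shield:Describe*`/`shield:List*`, but it enables AWS Shield Advanced, a paid subscription with a one-year commitment, so a CI runner that can call it can commit the account to cost that nothing else in this statement can reverse. `securityhub:BatchEnable*` here and `inspector2:Enable*` in the previous hunk are likewise service-enablement actions rather than management reads. Consider grouping the three under a dedicated Sid, e.g. `"Sid": "SecurityServiceEnablement"`, so the grant is visible in audit and can be removed once the services are enabled, and spell out `inspector2:Enable` rather than using a wildcard, matching the exact action names used throughout these policy templates.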
@@ -198,6 +198,7 @@
  "arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/lambda/${resource_prefix}-*${workspace_suffix}",
  "arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/apigateway/${resource_prefix}-*${workspace_suffix}",
  "arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/stepfunctions/${resource_prefix}-*${workspace_suffix}",
+ "arn:aws:logs:${aws_region}:${account_id}:log-group:/aws/accessanalyzer/*",
  "arn:aws:cloudwatch:${aws_region}:${account_id}:alarm:*",
  "arn:aws:cloudwatch::${account_id}:dashboard/*",
  "arn:aws:sns:${aws_region}:${account_id}:cloudwatch*",
diff --git a/infrastructure/stacks/github_runner/app_github_runner_security.policy.json.tpl b/infrastructure/stacks/github_runner/app_github_runner_security.policy.json.tpl
index 52e8ec61..6fb107e2 100644
--- a/infrastructure/stacks/github_runner/app_github_runner_security.policy.json.tpl
+++ b/infrastructure/stacks/github_runner/app_github_runner_security.policy.json.tpl
@@ -133,6 +133,7 @@
  "Sid": "IAMAccessAnalyzerReadOnly",
  "Effect": "Allow",
  "Action": [
+ "access-analyzer:CreateAnalyzer",
  "access-analyzer:GetAnalyzer",
  "access-analyzer:GetArchiveRule",
  "access-analyzer:GetFinding",
@@ -234,7 +235,8 @@
  "Effect": "Allow",
  "Action": [
  "shield:Describe*",
- "shield:List*"
+ "shield:List*",
+ "shield:CreateSubscription"
  ],
  "Resource": "*"
  },
@@ -245,7 +247,8 @@
  "securityhub:GetEnabledStandards",
  "securityhub:DescribeHub",
  "securityhub:GetFindings",
- "securityhub:GetInsights"
+ "securityhub:GetInsights",
+ "securityhub:BatchEnable*"
  ],
  "Resource": "*"
  },
@@ -254,7 +257,8 @@
  "Effect": "Allow",
  "Action": [
  "inspector2:BatchGetAccountStatus",
- "inspector2:GetConfiguration"
+ "inspector2:GetConfiguration",
+ "inspector2:Enable*"
  ],
  "Resource": "*"
  }
diff --git a/infrastructure/stacks/github_runner/github_runner_role_permissions_boundary.tf b/infrastructure/stacks/github_runner/github_runner_role_permissions_boundary.tf
index bbd7b6bc..dddf8716 100644
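Review bot: In the first hunk of `app_github_runner_security.policy.json.tpl`, `access-analyzer:CreateAnalyzer` is inserted into the statement whose Sid is `IAMAccessAnalyzerReadOnly`, so the Sid now misdescribes the grant and an audit that filters by Sid will miss a create permission. Either rename it, `"Sid": "IAMAccessAnalyzerManage"`, or place the create action in its own statement; the account-level counterpart adds it under `ManagementAccess`, which is accurate. The three later hunks in this file add `shield:CreateSubscription`, `securityhub:BatchEnable*` and `inspector2:Enable*` with `"Resource": "*"`; these are enablement actions (Shield Advanced is a paid subscription) and would also be clearer in a dedicated Sid than mixed into read-only statements.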
--- a/infrastructure/stacks/github_runner/github_runner_role_permissions_boundary.tf
+++ b/infrastructure/stacks/github_runner/github_runner_role_permissions_boundary.tf
@@ -8,6 +8,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
  "access-analyzer:Get*",
  "access-analyzer:List*",
  "access-analyzer:Tag*",
+ "access-analyzer:Create*",
  "apigateway:CreateRestApi",
  "apigateway:Delete*",
  "apigateway:Get*",
@@ -53,14 +54,17 @@ data "aws_iam_policy_document" "permissions_boundary" {
  "ec2:DeleteVpc",
  "ec2:DeleteVpcEndpoints",
  "ec2:CreateRouteTable",
+ "ec2:CreateInternetGateway",
  "ec2:CreateSubnet",
  "ec2:RevokeSecurityGroupIngress",
  "ec2:CreateSecurityGroup",
  "ec2:RevokeSecurityGroupEgress",
+ "ec2:AttachInternetGateway",
  "ec2:AuthorizeSecurityGroup*",
  "ec2:CreateFlowLogs",
  "ec2:ReplaceNetworkAclAssociation",
  "ec2:DeleteSecurityGroup",
+ "ec2:DeleteInternetGateway",
  "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
  "events:PutRule",
  "events:PutTargets",
@@ -84,6 +88,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
  "inspector2:List*",
  "inspector2:Get*",
  "inspector2:BatchGetAccountStatus",
+ "inspector2:Enable*",
  "kms:CreateKey",
  "kms:Describe*",
  "kms:CreateAlias",
@@ -121,12 +126,12 @@ data "aws_iam_policy_document" "permissions_boundary" {
  "logs:DeleteLogGroup",
  "logs:Describe*",
  "logs:List*",
+ "logs:Put*",
  "logs:Tag*",
  "logs:Untag*",
- "logs:CreateLogStream",
+ "logs:Create*",
  "logs:DeleteLogStream",
  "logs:PutRetentionPolicy",
- "logs:CreateExportTask",
  "s3:PutLifecycleConfiguration",
  "s3:PutEncryptionConfiguration",
  "s3:List*",
@@ -139,6 +144,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
  "securityhub:Get*",
  "securityhub:BatchImportFindings",
  "securityhub:BatchUpdateFindings",
+ "securityhub:BatchEnable*",
  "securityhub:Describe*",
  "secretsmanager:CreateSecret",
  "secretsmanager:DeleteSecret",
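Review bot: The `@@ -121,12 +126,12 @@` hunk replaces the explicit `logs:CreateLogStream` and `logs:CreateExportTask` with `logs:Create*` and adds `logs:Put*`, which widens the boundary far past the single logs action the policy templates in this commit add (`logs:CreateLogGroup`); `logs:Put*` also covers `logs:PutResourcePolicy` and `logs:PutSubscriptionFilter`, which can expose log data outside the account, and no policy hunk here grants them. Because the boundary is the ceiling on everything this runner role can ever be granted, it should stay explicit: replace `"logs:Create*",` with `"logs:CreateLogGroup",` plus the restored `"logs:CreateLogStream",` and `"logs:CreateExportTask",`, and drop `"logs:Put*",` (the existing `logs:PutRetentionPolicy` line already covers the retention case). The same widening appears in this file's first hunk (`access-analyzer:Create*` where the policies grant only `CreateAnalyzer`) and its last hunk (`shield:Create*` where they grant only `CreateSubscription`); the `data "aws_iam_policy_document"` block itself starts and ends outside these hunks.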
@@ -245,6 +251,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
  "route53domains:ListDomains",
  "shield:List*",
  "shield:Describe*",
+ "shield:Create*",
  "sts:AssumeRole",
  "sts:AssumeRoleWithWebIdentity",
  "sts:GetCallerIdentity",