cleanup and give some IAM permissions to actions

beggers · Jun 25, 2024 · 41f9def · 41f9def
1 parent 7b0bd68
commit 41f9def
Showing 1 changed file with 2 additions and 29 deletions.
diff --git a/terraform/github_actions.tf b/terraform/github_actions.tf
@@ -31,40 +31,13 @@ resource "aws_iam_role" "github_actions" {
 }
 
 data "aws_iam_policy_document" "github_actions_policy" {
-  statement {
-    actions = [
-      "s3:*",
-    ]
-    effect = "Allow"
-    resources = [
-      "*",
-    ]
-  }
-  statement {
-    actions = [
-      "s3:PutObject",
-      "s3:GetObject",
-      "s3:ListBucket"
-    ]
-    effect = "Allow"
-    resources = [
-      "${aws_s3_bucket.terraform_state.arn}",
-      "${aws_s3_bucket.terraform_state.arn}/*"
-    ]
-  }
   statement {
     actions = [
       "cloudfront:GetCloudFrontOriginAccessIdentity",
       "cloudfront:CreateInvalidation",
-    ]
-    effect = "Allow"
-    resources = [
-      "*",
-    ]
-  }
-  statement {
-    actions = [
+      "iam:GetOpenIDConnectProvider",
       "route53:*",
+      "s3:*",
     ]
     effect = "Allow"
     resources = [