From ae5f8fadce252e8fa00609f88c2dc5c76a684bf5 Mon Sep 17 00:00:00 2001
From: DecFox <33030671+DecFox@users.noreply.github.com>
Date: Fri, 15 Mar 2024 02:38:18 +0530
Subject: [PATCH] feat: reduce dynamodb permission scope to state table (#23)

This diff reduces the `dynamodb:*` permissions to the terraform state table: `arn:aws:dynamodb:eu-central-1:905418398257:table/oonidevops-dev-terraform-state-lock`

Related to: #21
---
 .../templates/oonidevops_github_policy.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json b/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json
index d5c45a7b..634b0e89 100644
--- a/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json
+++ b/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json
@@ -51,7 +51,6 @@
 "codestar-notifications:listNotificationRules",
 "codestar-notifications:listTagsForResource",
 "codestar-notifications:ListTargets",
- "dynamodb:*",
 "ec2:Describe*",
 "ec2:Get*",
 "ec2:ListImagesInRecycleBin",
@@ -156,6 +155,13 @@
 ],
 "Effect": "Allow",
 "Resource": "*"
+ },
+ {
+ "Action": [
+ "dynamodb:*"
+ ],
+ "Effect": "Allow",
+ "Resource": "arn:aws:dynamodb:eu-central-1:905418398257:table/oonidevops-dev-terraform-state-lock"
 }
 ],
 "Version": "2012-10-17"
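Review bot: The new statement at the end of the second hunk still grants `dynamodb:*` on the state-lock table, which includes table-management actions such as `dynamodb:DeleteTable` and `dynamodb:UpdateTable` that a CI identity taking a Terraform lock never needs; the S3 backend's locking only requires item-level access. Narrowing it to `"Action": ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]` keeps plan/apply working and turns the resource scoping into a real least-privilege boundary instead of a resource filter on a wildcard. The account id, region and `-dev-` table name are hard-coded in what the path suggests is a template file; if the same template is rendered for other environments, those values should presumably come from template variables so the policy does not silently point at the dev table. The policy document's enclosing object begins and ends outside the hunk.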