This PR adds the cloudwatch:TagResource permission to the "ProvisionAssessment" policy.
Motivation and context
Previously, this permission was not necessary, but it is now needed to successfully create CloudWatch alarms.
Without this change, we were seeing errors like this:
Error: creating CloudWatch Metric Alarm (ec2_cpu_utilization_i-1234567890abcdef): AccessDenied:
User: arn:aws:sts::123456789012:assumed-role/ProvisionAccount/admin is not authorized to perform:
cloudwatch:TagResource on resource:
arn:aws:cloudwatch:us-east-1:123456789012:alarm:ec2_cpu_utilization_i-1234567890abcdef
because no identity-based policy allows the cloudwatch:TagResource action
Thanks @adevine31 for bringing this to my attention!
Testing
@adevine31 confirmed that he was able to successfully apply the Terraform in this repository using the changes in this PR.
Pre-approval checklist
[x] This PR has an informative and human-readable title.
[x] Changes are limited to a single goal - eschew scope creep!
[x] All relevant type-of-change labels have been added.
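
Added example, not part of this PR or the repository's code: a small parser for the AccessDenied text quoted above that turns it into an Allow statement limited to the denied action and resource, which is a convenient way to check that a fix like this one grants no more than the error asked for. The `name_prefix` parameter and the `ec2_cpu_utilization_` prefix (taken from the alarm name in the error) are assumptions for illustration.

```python
import json
import re

# Constructed sample: the AccessDenied text quoted in the PR description, joined onto one line.
SAMPLE_ERROR = (
    "Error: creating CloudWatch Metric Alarm (ec2_cpu_utilization_i-1234567890abcdef): "
    "AccessDenied: User: arn:aws:sts::123456789012:assumed-role/ProvisionAccount/admin "
    "is not authorized to perform: cloudwatch:TagResource on resource: "
    "arn:aws:cloudwatch:us-east-1:123456789012:alarm:ec2_cpu_utilization_i-1234567890abcdef "
    "because no identity-based policy allows the cloudwatch:TagResource action"
)

DENIED_RE = re.compile(
    r"User:\s*(?P<principal>arn:\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)\s+on resource:\s*(?P<resource>arn:\S+)"
)


def parse_access_denied(message):
    """Return principal, action and resource from an AccessDenied message, or None."""
    match = DENIED_RE.search(" ".join(message.split()))  # tolerate wrapped lines
    return match.groupdict() if match else None


def scoped_resource(arn, name_prefix=None):
    """Widen a resource ARN only as far as a name prefix, never to a bare "*"."""
    head, sep, name = arn.rpartition(":")
    if not sep or name_prefix is None:
        return arn
    if not name.startswith(name_prefix):
        raise ValueError("name_prefix does not match the denied resource")
    return f"{head}:{name_prefix}*"


def suggest_statement(message, name_prefix=None):
    """Build an Allow statement limited to the denied action and resource."""
    denied = parse_access_denied(message)
    if denied is None:
        raise ValueError("not an IAM AccessDenied message")
    return {
        "Effect": "Allow",
        "Action": [denied["action"]],
        "Resource": [scoped_resource(denied["resource"], name_prefix)],
    }


if __name__ == "__main__":
    print(json.dumps(suggest_statement(SAMPLE_ERROR, "ec2_cpu_utilization_"), indent=2))
```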