Merge pull request #32 from ministryofjustice/update-combined-policy

split the combined block as it hits the aws limit

README.md

@@ -43,6 +43,7 @@ No modules.
 | [auth0_rule_config.aws_saml_provider_name](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/rule_config) | resource |
 | [aws_iam_policy.api_gateway_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.github_access_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.api_gateway_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -53,6 +54,7 @@ No modules.
 | [aws_iam_policy_document.cloudwatch_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cognito_idp_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.combined_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.elasticache_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.federated_role_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.iam_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

aws.tf

@@ -39,6 +39,7 @@ resource "aws_iam_role" "github_access" {
   max_session_duration = 10 * 3600
 }
 
+#This combined policy hits the AWS IAM PolicySize 6144 limit, please use combined_2 block instead.
 data "aws_iam_policy_document" "combined" {
   source_policy_documents = [
     data.aws_iam_policy_document.cloudwatch_for_github.json,
@@ -53,6 +54,11 @@ data "aws_iam_policy_document" "combined" {
     data.aws_iam_policy_document.sqs_for_github.json,
     data.aws_iam_policy_document.vpc_for_github.json,
     data.aws_iam_policy_document.secretsmanager_for_github.json,
+  ]
+}
+
+data "aws_iam_policy_document" "combined_2" {
+  source_policy_documents = [
     data.aws_iam_policy_document.elasticache_for_github.json,
   ]
 }
@@ -65,6 +71,14 @@ resource "aws_iam_policy" "github_access" {
   }
 }
 
+resource "aws_iam_policy" "github_access_2" {
+  policy = data.aws_iam_policy_document.combined_2.json
+  name   = "access-via-github-02"
+  tags = {
+    GithubTeam = "webops"
+  }
+}
+
 resource "aws_iam_role_policy_attachment" "github_access" {
   role       = aws_iam_role.github_access.name
   policy_arn = aws_iam_policy.github_access.arn