From 5019ff87c635375f0490d9e4098614342baeb2a7 Mon Sep 17 00:00:00 2001
From: Schparky <3172830+Schparky@users.noreply.github.com>
Date: Mon, 14 Mar 2022 13:33:18 -0600
Subject: [PATCH 1/2] new IAM permissions in response to prod deployment errors (temporary?)

---
 terraform/main.tf | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/terraform/main.tf b/terraform/main.tf
index f934fbd..27d05e2 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -9,6 +9,8 @@ module "serverless-user" {
 app_name = "mfa-api"
 aws_region = var.aws_region
 enable_api_gateway = true
+
+ extra_policies = [local.s3_policy]
 }
 
 output "serverless-access-key-id" {
@@ -18,3 +20,33 @@ output "serverless-secret-access-key" {
 value = module.serverless-user.aws_secret_access_key
 sensitive = true
 }
+
+
+locals {
+ s3_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "s3:GetBucketPolicy",
+ ],
+ "Resource" : [
+ "arn:aws:s3:::mfa-api-*-serverlessdeploymentbucket*"
+ ]
+ },
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "apigateway:UpdateRestApiPolicy",
+ ],
+ "Resource" : [
+ // dev-mfa-api
+ "arn:aws:apigateway:${var.aws_region}:*:restapis/7f2jflg37i",
+ // prod-mfa-api
+ "arn:aws:apigateway:${var.aws_region}:*:restapis/7hk96xvik6",
+ ]
+ },
+ ]
+ })
+}

From 3601030a948b4264e542c00554f840843c75a18e Mon Sep 17 00:00:00 2001
From: Schparky <3172830+Schparky@users.noreply.github.com>
Date: Mon, 14 Mar 2022 13:50:04 -0600
Subject: [PATCH 2/2] split policies into two separate local variables

---
 terraform/main.tf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/terraform/main.tf b/terraform/main.tf
index 27d05e2..4786b82 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
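Review bot: The two `Resource` entries of the second statement in the new `locals` block are unlikely to match the API Gateway resources they target, so the `apigateway:UpdateRestApiPolicy` grant would not fix the deployment error it was added for. API Gateway resource ARNs as used in IAM policies carry an empty account field and a path that begins with a slash (`arn:aws:apigateway:REGION::/restapis/API_ID`); the hunk's `:*:restapis/7f2jflg37i` has no leading slash on the path, so the pattern should be confirmed against the exact ARN and, if the documented form applies, written as `"arn:aws:apigateway:${var.aws_region}::/restapis/7f2jflg37i",` and `"arn:aws:apigateway:${var.aws_region}::/restapis/7hk96xvik6",`. Separately, listing the dev and prod API ids in one policy attached to the single deployer user means a credential used for dev deployments can also rewrite the prod API's resource policy; a per-environment scope (a variable holding only the stage's API id) would keep that to the minimum the deployment needs. The commit subject marks these grants as possibly temporary, but nothing in the file says so; a comment above `s3_policy` such as `# Added 2022-03 after prod deployment failures; revisit whether still required` would preserve that context for the next reader.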
@@ -10,7 +10,7 @@ module "serverless-user" {
 aws_region = var.aws_region
 enable_api_gateway = true
 
- extra_policies = [local.s3_policy]
+ extra_policies = [local.s3_policy, local.api_gateway_policy]
 }
 
 output "serverless-access-key-id" {
@@ -32,9 +32,15 @@ locals {
 "s3:GetBucketPolicy",
 ],
 "Resource" : [
- "arn:aws:s3:::mfa-api-*-serverlessdeploymentbucket*"
+ "arn:aws:s3:::mfa-api-*-serverlessdeploymentbucket*",
 ]
 },
+ ]
+ })
+
+ api_gateway_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
 {
 "Effect" : "Allow",
 "Action" : [
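Review bot: The new `api_gateway_policy` local in the second hunk is introduced without any comment on what it is for or whether it is meant to stay, even though the first commit in this series describes these grants as a possible temporary measure. A one-line comment above `api_gateway_policy = jsonencode({` such as `# Lets the serverless deployer update the REST API resource policy; added for the prod deployment failures, review before keeping permanently` would record that for whoever next audits this user's permissions. The statement's `Action` and `Resource` entries continue past the end of this hunk, so their content is not reviewed here.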