From 34927dc5f297a4f59c47b66abdfc5ddf64f2518c Mon Sep 17 00:00:00 2001
From: Dominic Robinson
Date: Mon, 17 Jun 2024 10:23:55 +0100
Subject: [PATCH] DSOS: grant athena access to instance-access and instance-management roles
---
 terraform/environments/bootstrap/single-sign-on/policies.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/terraform/environments/bootstrap/single-sign-on/policies.tf b/terraform/environments/bootstrap/single-sign-on/policies.tf
index 706f827cb..4a4867a6e 100644
--- a/terraform/environments/bootstrap/single-sign-on/policies.tf
+++ b/terraform/environments/bootstrap/single-sign-on/policies.tf
@@ -655,6 +655,8 @@ data "aws_iam_policy_document" "instance-access-document" {
 sid = "InstanceAccess"
 effect = "Allow"
 actions = [
+ "athena:StartQueryExecution",
+ "athena:StopQueryExecution",
 "ec2:GetPasswordData",
 "kms:Decrypt*",
 "kms:Encrypt",
@@ -801,6 +803,8 @@ data "aws_iam_policy_document" "instance-management-document" {
 effect = "Allow"
 actions = [
 "application-autoscaling:ListTagsForResource",
+ "athena:StartQueryExecution",
+ "athena:StopQueryExecution",
 "autoscaling:StartInstanceRefresh",
 "autoscaling:UpdateAutoScalingGroup",
 "autoscaling:SetDesiredCapacity",
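Review bot: The two Athena actions have no visible resource scoping: they are appended to the existing `InstanceAccess` action list (and, in the second hunk, to the action list in `instance-management-document`), so they inherit whatever `resources` those statements declare, which lies outside both hunks. If that is `"*"`, holders of these SSO roles may start queries in any Athena workgroup in the accounts the permission set is assigned to. Both actions support workgroup-level resources, so a dedicated statement scoped to the intended workgroup keeps the grant least-privilege, as sketched below with a placeholder workgroup name. It is also worth confirming that `athena:GetQueryExecution`, `athena:GetQueryResults` and the Glue catalog and S3 results-bucket permissions exist elsewhere in these policies, since the data a query can actually reach is decided by those grants rather than by the Athena actions themselves. A short comment naming the use case behind the grant would help later access reviews.

```hcl
# inside data "aws_iam_policy_document" "instance-access-document"
# (same shape for "instance-management-document")
# … unchanged: existing InstanceAccess statement, without the athena actions …
statement {
  sid     = "AthenaQueryExecution"
  effect  = "Allow"
  actions = [
    "athena:StartQueryExecution",
    "athena:StopQueryExecution",
  ]
  # placeholder: replace with the workgroup these roles are meant to use
  resources = ["arn:aws:athena:*:*:workgroup/<WORKGROUP_NAME>"]
}
```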