From 764176d29558edaa53c6c57b2b043319180b9e7c Mon Sep 17 00:00:00 2001
From: Sukesh
Date: Tue, 26 Nov 2024 08:53:17 +0000
Subject: [PATCH] Test

---
 terraform/environments/sprinkler/iam.tf | 26 +++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/terraform/environments/sprinkler/iam.tf b/terraform/environments/sprinkler/iam.tf
index 2c6f9a841..468f4042b 100644
--- a/terraform/environments/sprinkler/iam.tf
+++ b/terraform/environments/sprinkler/iam.tf
@@ -24,6 +24,32 @@ data "aws_iam_policy_document" "oidc_deny_specific_actions" {
 }
 actions = ["sts:AssumeRole"]
 }
+
+ # checkov:skip=CKV_AWS_111: "Cannot restrict by KMS alias so leaving open"
+ # checkov:skip=CKV_AWS_356: "Cannot restrict by KMS alias so leaving open"
+ statement {
+ sid = "AllowOIDCToDecryptKMS"
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["kms:Decrypt"]
+ }
+
+ statement {
+ sid = "AllowOIDCReadState"
+ effect = "Allow"
+ resources = ["arn:aws:s3:::modernisation-platform-terraform-state/*", "arn:aws:s3:::modernisation-platform-terraform-state/"]
+ actions = ["s3:Get*",
+ "s3:List*"]
+ }
+
+ statement {
+ sid = "AllowOIDCWriteState"
+ effect = "Allow"
+ resources = ["arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*"]
+ actions = ["s3:PutObject",
+ "s3:PutObjectAcl"]
+ }
+
 statement {
 effect = "Deny"
 actions = [
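Review bot: The `AllowOIDCToDecryptKMS` statement grants `kms:Decrypt` on `resources = ["*"]`, and the checkov skip justification ("Cannot restrict by KMS alias") does not hold: KMS exposes the `kms:ResourceAliases` condition key precisely for alias-based scoping, and since this key appears to be needed only to read the S3 state bucket, a `kms:ViaService` condition would bound the wildcard to decrypts made through S3 even without the key ARN. Separately, `arn:aws:s3:::modernisation-platform-terraform-state/` in `AllowOIDCReadState` carries a trailing slash, which makes it an object ARN with an empty key rather than the bucket ARN, so bucket-level actions such as `s3:ListBucket` are likely not allowed by this statement; it should read `"arn:aws:s3:::modernisation-platform-terraform-state"`. `s3:Get*` on the whole bucket also lets this OIDC principal read every environment's state (which routinely contains secrets), not just `environments/bootstrap/`, and `s3:PutObjectAcl` in `AllowOIDCWriteState` looks unnecessary for writing state — confirm both are intended rather than copied from a broader template. The `data "aws_iam_policy_document"` block begins before the hunk, and its name `oidc_deny_specific_actions` no longer describes a document that now carries Allow statements.
```hcl
  statement {
    sid       = "AllowOIDCToDecryptKMS"
    effect    = "Allow"
    resources = ["*"]
    actions   = ["kms:Decrypt"]
    # Bound the wildcard to keys used on behalf of S3 (the state bucket). Set the
    # region to the bucket's region, or switch to kms:ResourceAliases once the
    # key alias is known, and drop the checkov skips.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.<bucket-region>.amazonaws.com"]
    }
  }
  # … unchanged: AllowOIDCReadState / AllowOIDCWriteState statements …
```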