From 89491442af7f697166c14b34187f819bfa133ab7 Mon Sep 17 00:00:00 2001
From: Sukesh
Date: Wed, 20 Nov 2024 16:15:58 +0000
Subject: [PATCH] Add policy to allow OIDC role assumption for modernisation accounts
---
 terraform/environments/sprinkler/iam.tf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/terraform/environments/sprinkler/iam.tf b/terraform/environments/sprinkler/iam.tf
index 9c5f07931..2c6f9a841 100644
--- a/terraform/environments/sprinkler/iam.tf
+++ b/terraform/environments/sprinkler/iam.tf
@@ -10,6 +10,20 @@ module "github-oidc" {
 }
 
 data "aws_iam_policy_document" "oidc_deny_specific_actions" {
+ statement {
+ sid = "AllowOIDCToAssumeRoles"
+ effect = "Allow"
+ resources = [
+ format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access", local.environment_management.modernisation_platform_account_id),
+ format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access", local.environment_management.modernisation_platform_account_id)
+ ]
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalAccount"
+ values = [local.environment_management.account_ids[terraform.workspace]]
+ }
+ actions = ["sts:AssumeRole"]
+ }
 statement {
 effect = "Deny"
 actions = [
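Review bot: The `StringEquals` condition on `aws:PrincipalAccount` in the new `AllowOIDCToAssumeRoles` statement compares the caller's account to `local.environment_management.account_ids[terraform.workspace]`; if this document is attached to the OIDC role as an identity policy (which the `module "github-oidc"` context suggests, though the attachment is outside the hunk), the calling principal is always in that same account, so the condition never narrows the grant and reads as a stronger control than it is. The effective gate on who may assume the two modernisation-platform roles is their trust policies in the target account, which this file cannot influence, so the allow should be documented accordingly, e.g. `# Allow assumption of the MP read/state roles; the PrincipalAccount condition is always true for this role and the target roles' trust policies are the real restriction`. An `Allow` statement inside a document named `oidc_deny_specific_actions` is also easy to overlook during audits; a one-line comment above the statement noting that the deny statements below still take precedence, or moving it to a separately named document, would make the intent clearer. The `data "aws_iam_policy_document"` block opened in this hunk closes outside it, so I cannot see whether the existing Deny statement's action list already covers `sts:AssumeRole`.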