feat(oonidevops-github): add ses read permissions (#41)

This fixes the missing permissions from the `oonidevops_github` user to run `terraform plan` in the gh workflow: https://github.com/ooni/devops/actions/runs/8646489668/job/23705925739?pr=40#step:8:209 --------- Co-authored-by: Arturo Filastò <[email protected]>
ooni · Apr 12, 2024 · 320ec87 · 320ec87
1 parent 3c7eed9
commit 320ec87
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/.github/workflows/check_terraform.yml b/.github/workflows/check_terraform.yml
@@ -17,7 +17,7 @@ jobs:
   terraform:
     strategy:
       matrix:
-        environment: ["dev"]
+        environment: "dev"
 
     runs-on: ubuntu-latest
     if: ${{ !startsWith(github.event.head_commit.message, 'skip-terraform:') }}
@@ -77,7 +77,6 @@ jobs:
           echo "\$ terraform plan" >> "$GITHUB_OUTPUT"
           terraform plan -no-color | tee -a "$GITHUB_OUTPUT"
           echo "EOF" >> "$GITHUB_OUTPUT"
-        continue-on-error: true
 
       # Temporarily disabled, probably should be moved to a deploy action with stricter checks
       #- name: Terraform Apply

diff --git a/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json b/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json
@@ -129,6 +129,28 @@
                 "ssm:List*",
                 "ssm:GetParameter",
                 "secretsmanager:GetSecretValue",
+                "ses:ListConfigurationSets",
+				"ses:ListCustomVerificationEmailTemplates",
+				"ses:ListIdentities",
+				"ses:ListIdentityPolicies",
+				"ses:ListTemplates",
+				"ses:DescribeActiveReceiptRuleSet",
+				"ses:DescribeConfigurationSet",
+				"ses:DescribeReceiptRule",
+				"ses:DescribeReceiptRuleSet",
+				"ses:GetAccountSendingEnabled",
+				"ses:GetCustomVerificationEmailTemplate",
+				"ses:GetIdentityDkimAttributes",
+				"ses:GetIdentityMailFromDomainAttributes",
+				"ses:GetIdentityNotificationAttributes",
+				"ses:GetIdentityPolicies",
+				"ses:GetIdentityVerificationAttributes",
+				"ses:GetSendQuota",
+				"ses:GetSendStatistics",
+				"ses:GetTemplate",
+				"ses:ListReceiptFilters",
+				"ses:ListReceiptRuleSets",
+				"ses:ListVerifiedEmailAddresses",
                 "states:Describe*",
                 "states:GetExecutionHistory",
                 "states:List*",