From 320ec87c5d9128a90b8f06434cf83cc1c403aa2e Mon Sep 17 00:00:00 2001 From: DecFox <33030671+DecFox@users.noreply.github.com> Date: Fri, 12 Apr 2024 16:33:51 +0530 Subject: [PATCH] feat(oonidevops-github): add ses read permissions (#41) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes the missing permissions from the `oonidevops_github` user to run `terraform plan` in the gh workflow: https://github.com/ooni/devops/actions/runs/8646489668/job/23705925739?pr=40#step:8:209 --------- Co-authored-by: Arturo Filastò --- .github/workflows/check_terraform.yml | 3 +-- .../templates/oonidevops_github_policy.json | 22 +++++++++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check_terraform.yml b/.github/workflows/check_terraform.yml index c581d20b..89c65e3e 100644 --- a/.github/workflows/check_terraform.yml +++ b/.github/workflows/check_terraform.yml @@ -17,7 +17,7 @@ jobs: terraform: strategy: matrix: - environment: ["dev"] + environment: "dev" runs-on: ubuntu-latest if: ${{ !startsWith(github.event.head_commit.message, 'skip-terraform:') }} @@ -77,7 +77,6 @@ jobs: echo "\$ terraform plan" >> "$GITHUB_OUTPUT" terraform plan -no-color | tee -a "$GITHUB_OUTPUT" echo "EOF" >> "$GITHUB_OUTPUT" - continue-on-error: true # Temporarily disabled, probably should be moved to a deploy action with stricter checks #- name: Terraform Apply diff --git a/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json b/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json index 634b0e89..db0214ce 100644 --- a/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json +++ b/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json 
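Review bot: `environment: "dev"` turns the matrix key into a scalar, and as far as I can tell the Actions workflow schema requires every `strategy.matrix` key to be a sequence (the runner rejects a scalar with an "expected type: Sequence" validation error), so the `terraform` job would not start at all; keep `environment: ["dev"]`. The change is also unrelated to the SES permissions the description talks about, so if it is intentional it deserves a sentence in the commit message.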
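Review bot: Dropping `continue-on-error: true` only fails the job on a plan error if the shell propagates terraform's exit status, and `terraform plan -no-color | tee -a "$GITHUB_OUTPUT"` returns `tee`'s status under the default `run` shell (`bash -e {0}`, no `pipefail`), so a failing plan would still go green. Either add `set -o pipefail` as the first line of the `run` block or declare `shell: bash` on the step, which the runner expands to `bash --noprofile --norc -eo pipefail {0}`; the step header is above the hunk, so this may already be set. Separately, the closing `echo "EOF" >> "$GITHUB_OUTPUT"` uses a fixed heredoc delimiter, so a plan line equal to `EOF` ends the multiline output early and whatever follows is parsed as further step outputs; GitHub's guidance is a random delimiter such as `delim="$(openssl rand -hex 16)"`, used in both the opener (outside the hunk) and this closer. Whatever the provider does not mark `sensitive` lands in that output in clear text, so it should only be rendered somewhere with the same audience as the plan itself.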
@@ -129,6 +129,28 @@
 "ssm:List*",
 "ssm:GetParameter",
 "secretsmanager:GetSecretValue",
+ "ses:ListConfigurationSets",
+ "ses:ListCustomVerificationEmailTemplates",
+ "ses:ListIdentities",
+ "ses:ListIdentityPolicies",
+ "ses:ListTemplates",
+ "ses:DescribeActiveReceiptRuleSet",
+ "ses:DescribeConfigurationSet",
+ "ses:DescribeReceiptRule",
+ "ses:DescribeReceiptRuleSet",
+ "ses:GetAccountSendingEnabled",
+ "ses:GetCustomVerificationEmailTemplate",
+ "ses:GetIdentityDkimAttributes",
+ "ses:GetIdentityMailFromDomainAttributes",
+ "ses:GetIdentityNotificationAttributes",
+ "ses:GetIdentityPolicies",
+ "ses:GetIdentityVerificationAttributes",
+ "ses:GetSendQuota",
+ "ses:GetSendStatistics",
+ "ses:GetTemplate",
+ "ses:ListReceiptFilters",
+ "ses:ListReceiptRuleSets",
+ "ses:ListVerifiedEmailAddresses",
 "states:Describe*",
 "states:GetExecutionHistory",
 "states:List*",
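Review bot: The added read set covers only the SES v1 API; Terraform's `aws_sesv2_*` resources and data sources (if any are managed by this configuration — not visible here) call v2 operations that carry the same `ses:` prefix but different names (`ses:GetEmailIdentity`, `ses:GetConfigurationSet`, `ses:GetEmailTemplate`, `ses:ListEmailIdentities`), so `terraform plan` would fail again on those. Most of the listed List/Describe/Get actions do not support resource-level scoping and need `"Resource": "*"`; the statement's `Resource` element is outside the hunk, so confirm these landed in the wildcard statement rather than a resource-scoped one. The neighbouring entries use wildcards (`ssm:List*`, `states:Describe*`), and the explicit enumeration here is tighter and worth keeping, but a short note in the module's README or variable description saying this is the read-only subset needed for `plan` would save the next person from collapsing it to `ses:*`.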