From cf7d2c63417514d19b9c426308528b166f9965dc Mon Sep 17 00:00:00 2001
From: Michael Collins <15347726+michaeljcollinsuk@users.noreply.github.com>
Date: Mon, 3 Jun 2024 15:48:01 +0100
Subject: [PATCH] Grant Control Panel role read policy permissions
---
 .../cluster/iam-policies.tf | 9 +++++++++
 .../cluster/iam-policies.tf | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/terraform/aws/analytical-platform-development/cluster/iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/iam-policies.tf
index 0a55ab50a9..b7e3c4e2db 100644
--- a/terraform/aws/analytical-platform-development/cluster/iam-policies.tf
+++ b/terraform/aws/analytical-platform-development/cluster/iam-policies.tf
@@ -347,6 +347,15 @@ data "aws_iam_policy_document" "control_panel_api" {
 actions = ["iam:DeletePolicy"]
 resources = ["arn:aws:iam::${var.account_ids["analytical-platform-development"]}:policy/${var.resource_prefix}-*"]
 }
+ statement {
+ sid = "CanReadIAMPolicies"
+ effect = "Allow"
+ actions = [
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ ]
+ resources = ["arn:aws:iam::${var.account_ids["analytical-platform-development"]}:policy/*"]
+ }
 statement {
 sid = "CanAttachPolicies"
 effect = "Allow"
diff --git a/terraform/aws/analytical-platform-production/cluster/iam-policies.tf b/terraform/aws/analytical-platform-production/cluster/iam-policies.tf
index 8774f4873e..a08655f287 100644
--- a/terraform/aws/analytical-platform-production/cluster/iam-policies.tf
+++ b/terraform/aws/analytical-platform-production/cluster/iam-policies.tf
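Review bot: The new `CanReadIAMPolicies` statement is scoped to `policy/*`, which lets the Control Panel role read the full document of every customer-managed policy in the development account, while the neighbouring `iam:DeletePolicy` statement is limited to `policy/${var.resource_prefix}-*`. Policy documents routinely reveal bucket names, role ARNs and trust relationships, so unless the control panel genuinely needs to inspect policies it did not create, the read grant should use the same prefix: `resources = ["arn:aws:iam::${var.account_ids["analytical-platform-development"]}:policy/${var.resource_prefix}-*"]`. If the wider scope is intentional, a one-line comment above the statement explaining which foreign policies it must read would stop a later reviewer from tightening it by reflex. Note also that this account-scoped ARN does not match AWS-managed policies (`arn:aws:iam::aws:policy/...`), so if those are among the policies being read, the statement as written will not cover them. The enclosing `control_panel_api` policy document begins and ends outside this hunk.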
@@ -74,6 +74,15 @@ data "aws_iam_policy_document" "control_panel_api" {
 actions = ["iam:DeletePolicy"]
 resources = ["arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:policy/${var.resource_prefix}-*"]
 }
+ statement {
+ sid = "CanReadIAMPolicies"
+ effect = "Allow"
+ actions = [
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ ]
+ resources = ["arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:policy/*"]
+ }
 statement {
 sid = "CanAttachPolicies"
 effect = "Allow"
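Review bot: In the production file the `CanReadIAMPolicies` resource is `policy/*` across the whole `analytical-platform-data-production` account, which is a broader disclosure surface than the `${var.resource_prefix}-*` scope the adjacent `iam:DeletePolicy` statement already uses, and in production the policies it can now read presumably include ones governing data access rather than only control-panel-created ones. Unless reading arbitrary policies is a documented requirement, narrow it to the same prefix: `resources = ["arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:policy/${var.resource_prefix}-*"]`. If the broad read is deliberate, say so in a comment on the statement (e.g. `# Control Panel must inspect policies it did not create before attaching them`) so the deviation from the prefix convention is visible. The enclosing `control_panel_api` policy document begins and ends outside this hunk.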