From 42f2279b428c5f8ba90f04375ee1aeb943d07c48 Mon Sep 17 00:00:00 2001
From: Poornima Krishnasamy
Date: Wed, 3 May 2023 17:32:21 +0100
Subject: [PATCH] Add cloudwatch logs permissions to read-only access via github

---
 cloudwatch.tf | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/cloudwatch.tf b/cloudwatch.tf
index d948a7a..b056789 100644
--- a/cloudwatch.tf
+++ b/cloudwatch.tf
@@ -5,7 +5,8 @@ data "aws_iam_policy_document" "cloudwatch_for_github" {
 actions = [
 "cloudwatch:ListMetric*",
 "cloudwatch:GetMetric*",
-"cloudwatch:ListDashboards"
+"cloudwatch:ListDashboards",
+"logs:DescribeLogGroups",
 ]
 resources = ["*"]
 }
@@ -14,7 +15,28 @@ data "aws_iam_policy_document" "cloudwatch_for_github" {
 sid = "AllowCloudwatchViewOwn"
 effect = "Allow"
 actions = [
-"cloudwatch:GetDashboard"
+"cloudwatch:GetDashboard",
+"logs:ListTagsLogGroup",
+"logs:DescribeQueries",
+"logs:GetLogRecord",
+"logs:DescribeLogGroups",
+"logs:DescribeLogStreams",
+"logs:DescribeSubscriptionFilters",
+"logs:StartQuery",
+"logs:DescribeMetricFilters",
+"logs:StopQuery",
+"logs:TestMetricFilter",
+"logs:GetLogDelivery",
+"logs:ListTagsForResource",
+"logs:ListLogDeliveries",
+"logs:DescribeExportTasks",
+"logs:GetQueryResults",
+"logs:GetLogEvents",
+"logs:FilterLogEvents",
+"logs:DescribeQueryDefinitions",
+"logs:GetLogGroupFields",
+"logs:DescribeResourcePolicies",
+"logs:DescribeDestinations"
 ]
 resources = ["*"]
 condition {
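Review bot: `"logs:DescribeLogGroups"` is added here to the first, unconditioned statement and again in the second hunk to the `AllowCloudwatchViewOwn` statement, so the same action is granted twice in one policy document. Since the first statement already covers it on `resources = ["*"]`, the copy in the second statement is redundant and only adds noise when someone later audits what the condition there actually constrains; drop `"logs:DescribeLogGroups",` from the second hunk's list. A one-line comment above this statement, such as `# Describe/List actions that only support the "*" resource; scoped reads live in the statement below`, would make the split between the two statements deliberate rather than accidental.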
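Review bot: The data-plane reads added to `AllowCloudwatchViewOwn` — `logs:GetLogEvents`, `logs:FilterLogEvents`, `logs:GetLogRecord`, `logs:StartQuery` and `logs:GetQueryResults` — are granted on `resources = ["*"]`, so nothing in the hunk itself keeps this to "own" resources; that depends entirely on the `condition {` block, whose body is outside the hunk. If that condition uses a dashboard-specific key, the logs actions will not carry it in their request context and will be denied by a non-`IfExists` operator, and if it uses a principal-level key the statement effectively grants account-wide read of log contents, which can include sensitive payloads well beyond the metric metadata the rest of the policy exposes. I would move the logs actions into their own statement, `sid = "AllowCloudwatchLogsRead"`, with `resources = ["arn:aws:logs:<region>:<account-id>:log-group:<allowed-log-group-prefix>*"]` (placeholders to be filled from the role's intended scope), and keep `AllowCloudwatchViewOwn` for `cloudwatch:GetDashboard` alone so its sid still describes what it allows. The rest of the condition block and the surrounding statement continue past the end of the hunk.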