From 2c1dd425c910ebe69e6e2d237cc8e82f4d937ce1 Mon Sep 17 00:00:00 2001
From: Jeremy Michael Cerda
Date: Fri, 6 Oct 2023 13:09:53 -0400
Subject: [PATCH] Added new block to define Cloudfront permissions.
---
 terraform/infrastructure/drupal_iam_task.tf | 28 +++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/terraform/infrastructure/drupal_iam_task.tf b/terraform/infrastructure/drupal_iam_task.tf
index d3f7309d8b..08a7ac0dec 100644
--- a/terraform/infrastructure/drupal_iam_task.tf
+++ b/terraform/infrastructure/drupal_iam_task.tf
@@ -117,6 +117,34 @@ resource "aws_iam_role_policy_attachment" "drupal_publish_metrics" {
 policy_arn = aws_iam_policy.drupal_publish_metrics.arn
 }
+# EPA-2906_Terraform-changes-for-CloudFront-Invalidation-privilege-en-es
+data "aws_iam_policy_document" "cloudfront_permissions" {
+ version = "2012-10-17"
+
+ statement {
+ sid = "cloudfrontPermissions"
+ effect = "Allow"
+ actions = ["cloudfront:CreateInvalidation"]
+ resources = ["arn:aws:cloudfront::687001500421:distribution/*"]
+ }
+}
+
+resource "aws_iam_policy" "cloudfront_permissions" {
+ name = "${var.iam_prefix}-${var.aws_region}-${var.environment}-cloudfrontPermissions"
+ description = "Contains Cloudfront permissions"
+
+ policy = data.aws_iam_policy_document.cloudfront_permissions.json
+}
+
+resource "aws_iam_role_policy_attachment" "cloudfront_permissions" {
+ for_each = local.sites
+
+ role = aws_iam_role.drupal_task[each.key].name
+ policy_arn = aws_iam_policy.cloudfront_permissions.arn
+}
+# end EPA-2906_Terraform-changes-for-CloudFront-Invalidation-privilege-en-esw
+
+
 # Grant the Drupal container permissions to Cloudwatch to create a log stream
 # and publish log events.
 data "aws_iam_policy_document" "drupal_put_logs" {
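Review bot: The `resources` entry in the new `cloudfront_permissions` policy document grants `cloudfront:CreateInvalidation` on every distribution in the account (`distribution/*`) and hard-codes the account ID `687001500421`, which is broader than the task roles need for cache invalidation and ties the policy to a single account even though its name is built from `var.environment`. Scope the statement to the distribution(s) the Drupal sites actually front and derive the account from the provider, e.g. `data "aws_caller_identity" "current" {}` and `resources = ["arn:aws:cloudfront::${data.aws_caller_identity.current.account_id}:distribution/<DISTRIBUTION_ID>"]` (placeholder for the real ID). Because the attachment iterates `local.sites` (defined outside this hunk), a per-site distribution ID would let each `drupal_task` role be limited to its own distribution, if sites map one-to-one to distributions. The closing marker comment also reads `...-en-esw` while the opening one reads `...-en-es`, so the two should be made to match.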