From ed724936bd9ad00f842cda278531b0d98c93ebee Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Thu, 27 Jun 2024 15:53:18 +0930
Subject: [PATCH] add iam:CreateServiceLinkedRole to allow API GW custom domain creation
---
 packages/serverless-deploy-iam/bin/app.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 3ed7edc..d6a2ab9 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -481,7 +481,17 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: "IAM",
 resources: [(serviceRole.type as Role).roleArn],
- actions: ["iam:PassRole"],
+ actions: [
+ "iam:PassRole",
+ ],
+ },
+ {
+ name: "IAM",
+ prefix: `arn:aws:iam::${accountId}:role`,
+ qualifiers: ["*"],
+ actions: [
+ "iam:CreateServiceLinkedRole"
+ ],
 },
 {
 name: "S3",
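Review bot: The new `iam:CreateServiceLinkedRole` statement is scoped with `qualifiers: ["*"]` under `arn:aws:iam::${accountId}:role`, which (assuming the helper joins prefix and qualifier into a role ARN pattern) lets the deploy role create a service-linked role for any AWS service, not only API Gateway. Narrow the resource to the API Gateway role, e.g. `qualifiers: ["aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway"]`, and if the statement builder accepts conditions, add one on `iam:AWSServiceName` equal to `ops.apigateway.amazonaws.com`. A short comment such as `// lets API Gateway create its service-linked role when a custom domain is first set up` would record why a deploy role holds an IAM write permission. The enclosing statement array starts and ends outside the hunk, so how `prefix` and `qualifiers` are rendered into the policy is not visible here and should be confirmed against the synthesized template.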