ELI-545 - corrected the permission boundary location

Karthikeyannhs · Karthikeyannhs · commit 690ea6dde4f5 · 2026-03-16T16:25:09.000Z
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -297,6 +297,27 @@ data "aws_iam_policy_document" "permissions_boundary" {
     actions   = ["iam:*"]
     resources = ["arn:aws:iam::*:role/${upper(var.project_name)}-*"]
   }
+
+  # Specific management for Tableau Athena Service Account
+  statement {
+    sid    = "AllowTableauServiceAccountManagement"
+    effect = "Allow"
+    actions = [
+      "iam:CreateAccessKey",
+      "iam:DeleteAccessKey",
+      "iam:UpdateAccessKey",
+      "iam:PutUserPolicy",
+      "iam:DeleteUserPolicy",
+      "iam:GetUserPolicy",
+      "iam:TagUser",
+      "iam:UntagUser",
+      "iam:GetUser"
+    ]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/tableau-athena-service-account"
+    ]
+  }
+
 }
 
 # Permissions Boundary policy
@@ -366,26 +387,6 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {
     ]
   }
 
-  # Specific management for Tableau Athena Service Account
-  statement {
-    sid    = "AllowTableauServiceAccountManagement"
-    effect = "Allow"
-    actions = [
-      "iam:CreateAccessKey",
-      "iam:DeleteAccessKey",
-      "iam:UpdateAccessKey",
-      "iam:PutUserPolicy",
-      "iam:DeleteUserPolicy",
-      "iam:GetUserPolicy",
-      "iam:TagUser",
-      "iam:UntagUser",
-      "iam:GetUser"
-    ]
-    resources = [
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/tableau-athena-service-account"
-    ]
-  }
-
   # Allow read-only IAM access for Terraform plan/state discovery
   statement {
     sid    = "AllowIamReadAccess"
