fix: gh role permissions (#10)

Author: rehanvdm

.projenrc.ts

@@ -34,6 +34,9 @@ const project = new awscdk.AwsCdkConstructLibrary({
     },
   },
   workflowNodeVersion: '20',
+  // Need to specify for the `package:python` command to be available to be used locally. The `release.yml` GH Workflow
+  // will fail to publish as these secrets have not been set.
+  // TODO: Change the workflow to not publish to PyPi
   publishToPypi: {
     distName: 'recipes_dlz',
     module: 'recipes_dlz',

src/stacks/organization/management-stack.ts

@@ -254,7 +254,7 @@ export class ManagementStack extends DlzStack {
     const role = new iam.Role(this, this.resourceName('git-hub-deploy-role'), {
       roleName: this.resourceName('git-hub-deploy-role'),
       assumedBy: new iam.WebIdentityPrincipal(githubProvider.openIdConnectProviderArn, conditions),
-      // managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess')],
+      managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess')],
       inlinePolicies: {
         'cdk-assume': new iam.PolicyDocument({
           statements: [