From d1da0267cbf6c4bfb3ef8cb4ef6548113488055d Mon Sep 17 00:00:00 2001
From: Your Name <user@example.com>
Date: Wed, 18 Mar 2026 14:14:48 -0400
Subject: [PATCH] fix(codebuild): add secretsmanager:GetResourcePolicy to
 CodeBuild role

---
 codebuild/main.tf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/codebuild/main.tf b/codebuild/main.tf
index 2c40dbc..bc37e87 100644
--- a/codebuild/main.tf
+++ b/codebuild/main.tf
@@ -57,6 +57,9 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
       "secretsmanager:UpdateSecret",
       "secretsmanager:DeleteSecret",
       "secretsmanager:TagResource",
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:PutResourcePolicy",
+      "secretsmanager:DeleteResourcePolicy",
     ]
     # The ghe-runner module stores tokens under this prefix
     resources = [