@bhagyashreewagh

Summary

Adds a single, additive IAM statement to allow iam:PassRole for the App Runner service-linked role.
This unblocks App Runner VPC connector creation (previously failing with AccessDenied).

List of Changes

  • Added infra/iam_app_runner_policy_addition.json (policy delta)
  • Added infra/README.md

Related Issues

Internal deployment blocker: App Runner VPC connector creation failed due to missing PassRole.

Detailed Description

App Runner needs permission for the deploy principal to iam:PassRole the App Runner service-linked role
during VPC connector creation/attachment. We scope this safely:
Resource: "*", with Condition: iam:AWSServiceName = apprunner.amazonaws.com.

No existing statements are replaced.

How to Test the Changes

  1. Admin merges this statement into the deploy user/group/role policy in IAM.

  2. Re-attempt creating the VPC connector in us-west-2

  3. Expect success (no AccessDenied on service-linked role).

Screenshots

N/A (infra policy change)

Deployment Notes

No code changes. Admin only needs to merge this statement into the existing deploy policy.
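As an added example (Python written for this thread, not the repository's infra/iam_app_runner_policy_addition.json), the constructed statement below has the shape the description gives, merge_statement appends it to an existing policy document without replacing any existing statement, and find_unscoped_passrole flags any Allow statement that grants iam:PassRole on Resource "*" with no service-scoping condition, the check an admin would want before merging. The constructed statement uses iam:PassedToService, the condition key AWS documents for scoping iam:PassRole to a service; the checker also accepts iam:AWSServiceName, the key the description names.

```python
import json

# Constructed statement in the shape the PR describes (not the repository's
# own infra/iam_app_runner_policy_addition.json).
APP_RUNNER_PASSROLE_STATEMENT = {
    "Sid": "AllowPassRoleToAppRunner",
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "*",
    "Condition": {"StringEquals": {"iam:PassedToService": "apprunner.amazonaws.com"}},
}

# Condition keys that bind a PassRole grant to one consuming service: AWS documents
# iam:PassedToService for iam:PassRole; iam:AWSServiceName is the key the PR names.
SERVICE_SCOPING_KEYS = {"iam:PassedToService", "iam:AWSServiceName"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _scoped_services(statement):
    """Services named by a StringEquals service-scoping condition, if any."""
    services = set()
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ("StringEquals", "StringEqualsIfExists"):
            for key, value in keys.items():
                if key in SERVICE_SCOPING_KEYS:
                    services.update(_as_list(value))
    return services


def find_unscoped_passrole(policy):
    """Sids (or positions) of Allow statements granting iam:PassRole on a
    wildcard resource with no service-scoping condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        grants_passrole = actions & {"iam:passrole", "iam:*", "*"}
        wildcard = "*" in _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == "Allow" and grants_passrole and wildcard:
            if not _scoped_services(stmt):
                findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def merge_statement(policy_json, statement):
    """Append the statement, leaving every existing statement in place."""
    policy = json.loads(policy_json)
    policy["Statement"] = _as_list(policy.get("Statement", [])) + [statement]
    return policy
```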


coderabbitai bot commented Oct 29, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.



netlify bot commented Oct 29, 2025

Deploy Preview for antenna-preview ready!

🔨 Latest commit 63e5f80
🔍 Latest deploy log https://app.netlify.com/projects/antenna-preview/deploys/690294f7b8a68d00084c468a
😎 Deploy Preview https://deploy-preview-1021--antenna-preview.netlify.app
Lighthouse
1 paths audited
Performance: 62 (🟢 up 31 from production)
Accessibility: 80 (no change from production)
Best Practices: 100 (no change from production)
SEO: 92 (no change from production)
PWA: 80 (no change from production)
View the detailed breakdown and full score reports


@mihow mihow left a comment


@bhagyashreewagh this seems safe and helpful! Just one request: can we make the new infra/ folder more generic? Move the policy to infra/aws/iam_app_runner_policy.json (unless it must go at the root), and update the README with a brief description of what will go in the infra/ directory, e.g. "Config files and documentation to assist with deployments of Antenna. All files must not contain sensitive information and should be generalizable for multiple organizations. Use environment variables or other means for configuration that is specific to a single deployment."

thank you!

@bhagyashreewagh bhagyashreewagh deleted the feat/apprunner-iam-passrole branch November 13, 2025 09:46