allow eventbridge to encrypt when putting message on dlq
andrewpearce-digital committed Nov 27, 2024
1 parent b0bac6f commit 863282d
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions terraform/account/kms_key_event_received_sqs.tf
Expand Up @@ -41,7 +41,7 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
principals {
type = "AWS"
identifiers = [
local.account.account_name == "development" ? "arn:aws:iam::${data.aws_caller_identity.global.account_id}:root" : "arn:aws:iam::${data.aws_caller_identity.global.account_id}:role/event-received-${local.account.account_name}",
"events.amazonaws.com",
]
}
}
Expand Down Expand Up @@ -123,13 +123,14 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
}

statement {
sid = "Allow Breakglass to Decrypt"
sid = "Allow Breakglass to use key"
effect = "Allow"
resources = [
"arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*"
]
actions = [
"kms:Decrypt",
"kms:Encrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
]
Expand All @@ -155,6 +156,8 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms_development_account_opera
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:List*",
"kms:Put*",
"kms:Update*",
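Review bot: The new `"events.amazonaws.com"` identifier in the first hunk sits inside a `principals` block whose `type` is `"AWS"`, and IAM does not accept a service name under the `AWS` principal type, so I would expect the key policy update to be rejected as a malformed principal; the service needs its own `principals { type = "Service" ... }` block. The enclosing statement starts above the hunk, so its sid, actions and any existing `condition` are not visible here. Granting a service principal on the key with no condition also lets EventBridge activity outside this account use the key on the DLQ path (the confused-deputy case), so the statement should be scoped with `aws:SourceAccount` and, where the rule ARN is known, `aws:SourceArn`. The breakglass statement in the second hunk additionally gains `kms:Encrypt*` and `kms:GenerateDataKey*` against `key/*`, which is broader than the commit title suggests and is worth confirming as intended.
```hcl
  # … unchanged: existing type = "AWS" principals block for the account/role …
  principals {
    type        = "Service"
    identifiers = ["events.amazonaws.com"]
  }
  condition {
    test     = "StringEquals"
    variable = "aws:SourceAccount"
    values   = [data.aws_caller_identity.global.account_id]
  }
```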
