From 863282d845421b776119ff38c14f72adab07226d Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Fri, 22 Nov 2024 20:56:36 +0000
Subject: [PATCH] allow eventbridge to encrypt when putting message on dlq

---
 terraform/account/kms_key_event_received_sqs.tf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/terraform/account/kms_key_event_received_sqs.tf b/terraform/account/kms_key_event_received_sqs.tf
index d4c38063d8..a84a492b3b 100644
--- a/terraform/account/kms_key_event_received_sqs.tf
+++ b/terraform/account/kms_key_event_received_sqs.tf
@@ -41,7 +41,7 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
 principals {
 type = "AWS"
 identifiers = [
- local.account.account_name == "development" ? "arn:aws:iam::${data.aws_caller_identity.global.account_id}:root" : "arn:aws:iam::${data.aws_caller_identity.global.account_id}:role/event-received-${local.account.account_name}",
+ "events.amazonaws.com",
 ]
 }
 }
@@ -123,13 +123,14 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
 }
 
 statement {
- sid = "Allow Breakglass to Decrypt"
+ sid = "Allow Breakglass to use key"
 effect = "Allow"
 resources = [
 "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*"
 ]
 actions = [
 "kms:Decrypt",
+ "kms:Encrypt*",
 "kms:GenerateDataKey*",
 "kms:DescribeKey",
 ]
@@ -155,6 +156,8 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms_development_account_opera
 "kms:Create*",
 "kms:Describe*",
 "kms:Enable*",
+ "kms:Encrypt",
+ "kms:ReEncrypt*",
 "kms:List*",
 "kms:Put*",
 "kms:Update*",
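Review bot: The new identifier `"events.amazonaws.com"` is a service principal, but the `type = "AWS"` line directly above it is unchanged, so the statement now declares an IAM-type principal with a non-ARN identifier; that is not a valid principal and the key policy should be expected to fail validation when applied. The principals block should read `type = "Service"` with `identifiers = ["events.amazonaws.com"]`. A bare service principal on a key policy also lets EventBridge acting on behalf of any account that can reference this key use it; adding a `condition` on `aws:SourceAccount` (and, if the DLQ rule ARN is known, `aws:SourceArn`) to this statement keeps the grant scoped to this account. The statement's opening and its actions are outside the hunk, and the removed line also withdrew the event-received role's access under this statement, which is worth confirming as intended.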
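Review bot: `"kms:Encrypt*"` widens the break-glass statement beyond what the commit message describes (EventBridge encrypting onto the DLQ), and nothing in the hunk shows why a break-glass principal needs to write with this key; if the grant is intentional, a one-line comment above `sid`, e.g. `# Encrypt: <reason break-glass must write with this key>`, keeps the least-privilege rationale auditable. The action spelling is inconsistent with the third hunk, which adds `"kms:Encrypt"` and `"kms:ReEncrypt*"` to the development-account operator statement; `"kms:Encrypt*"` appears to match only `kms:Encrypt`, so using the explicit `"kms:Encrypt"` (plus `"kms:ReEncrypt*"` if re-encryption is required) in both places would make the two statements read the same. The principals for this statement are outside the hunk.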