Merge pull request #1660 from ministryofjustice/MLPAB-2613-fix-er-sqs…

…-cmk MLPAB-2613 - Fix event received SQS KMC CMK permissions
ministryofjustice · Dec 3, 2024 · 9eddc9d · 9eddc9d
2 parents b1fe391 + 7fcba0e
commit 9eddc9d
Showing 1 changed file with 64 additions and 10 deletions.
diff --git a/terraform/account/kms_key_event_recieved_sqs.tf b/terraform/account/kms_key_event_recieved_sqs.tf
@@ -1,11 +1,11 @@
-module "event_recieved_sqs_kms" {
+module "event_received_sqs_kms" {
   source                  = "./modules/kms_key"
   encrypted_resource      = "SQS"
-  kms_key_alias_name      = "${local.default_tags.application}_event_recieved_sqs_secret_encryption_key"
+  kms_key_alias_name      = "${local.default_tags.application}_event_received_sqs_secret_encryption_key"
   enable_key_rotation     = true
   enable_multi_region     = true
   deletion_window_in_days = 10
-  kms_key_policy          = local.account.account_name == "development" ? data.aws_iam_policy_document.event_recieved_sqs_kms_merged.json : data.aws_iam_policy_document.event_recieved_sqs_kms.json
+  kms_key_policy          = local.account.account_name == "development" ? data.aws_iam_policy_document.event_received_sqs_kms_merged.json : data.aws_iam_policy_document.event_received_sqs_kms.json
   providers = {
     aws.eu_west_1 = aws.eu_west_1
     aws.eu_west_2 = aws.eu_west_2
@@ -14,25 +14,39 @@ module "event_recieved_sqs_kms" {
 
 # See the following link for further information
 # https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
-data "aws_iam_policy_document" "event_recieved_sqs_kms_merged" {
+data "aws_iam_policy_document" "event_received_sqs_kms_merged" {
   provider = aws.global
   source_policy_documents = [
     data.aws_iam_policy_document.sqs_kms.json,
-    data.aws_iam_policy_document.event_recieved_sqs_kms_development_account_operator_admin.json
+    data.aws_iam_policy_document.event_received_sqs_kms_development_account_operator_admin.json
   ]
 }
 
-data "aws_iam_policy_document" "event_recieved_sqs_kms" {
+data "aws_iam_policy_document" "event_received_sqs_kms" {
   provider = aws.global
   statement {
-    sid    = "Allow Key to be used for Encryption"
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.global.account_id}:root"]
+    }
+    actions = [
+      "kms:*",
+    ]
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    sid    = "Allow Encryption by IAM"
     effect = "Allow"
     resources = [
       "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*"
     ]
     actions = [
       "kms:Encrypt",
-      "kms:Decrypt",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey*",
       "kms:DescribeKey",
@@ -45,9 +59,29 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
       ]
     }
   }
+  statement {
+    sid    = "Allow Encryption by Service"
+    effect = "Allow"
+    resources = [
+      "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*"
+    ]
+    actions = [
+      "kms:Encrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "events.amazonaws.com",
+      ]
+    }
+  }
 
   statement {
-    sid    = "Allow Key to be used for Decryption"
+    sid    = "Allow Decryption by Service"
     effect = "Allow"
     resources = [
       "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*"
@@ -68,6 +102,26 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
     }
   }
 
+  statement {
+    sid    = "Allow Decryption by IAM"
+    effect = "Allow"
+    resources = [
+      "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*"
+    ]
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        local.account.account_name == "development" ? "arn:aws:iam::${data.aws_caller_identity.global.account_id}:root" : "arn:aws:iam::${data.aws_caller_identity.global.account_id}:role/event-received-${local.account.account_name}",
+      ]
+    }
+  }
+
   statement {
     sid    = "General View Access"
     effect = "Allow"
@@ -143,7 +197,7 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
   }
 }
 
-data "aws_iam_policy_document" "event_recieved_sqs_kms_development_account_operator_admin" {
+data "aws_iam_policy_document" "event_received_sqs_kms_development_account_operator_admin" {
   provider = aws.global
   statement {
     sid    = "Dev Account Key Administrator"