diff --git a/terraform/account/kms_key_event_recieved_sqs.tf b/terraform/account/kms_key_event_recieved_sqs.tf
index d4c38063d8..3107591215 100644
--- a/terraform/account/kms_key_event_recieved_sqs.tf
+++ b/terraform/account/kms_key_event_recieved_sqs.tf
@@ -1,11 +1,11 @@
-module "event_recieved_sqs_kms" {
+module "event_received_sqs_kms" {
 source = "./modules/kms_key"
 encrypted_resource = "SQS"
- kms_key_alias_name = "${local.default_tags.application}_event_recieved_sqs_secret_encryption_key"
+ kms_key_alias_name = "${local.default_tags.application}_event_received_sqs_secret_encryption_key"
 enable_key_rotation = true
 enable_multi_region = true
 deletion_window_in_days = 10
- kms_key_policy = local.account.account_name == "development" ? data.aws_iam_policy_document.event_recieved_sqs_kms_merged.json : data.aws_iam_policy_document.event_recieved_sqs_kms.json
+ kms_key_policy = local.account.account_name == "development" ? data.aws_iam_policy_document.event_received_sqs_kms_merged.json : data.aws_iam_policy_document.event_received_sqs_kms.json
 providers = {
 aws.eu_west_1 = aws.eu_west_1
 aws.eu_west_2 = aws.eu_west_2
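Review bot: Renaming the module block from `event_recieved_sqs_kms` to `event_received_sqs_kms` changes its resource addresses, so without a `moved` block Terraform will plan to destroy the existing KMS key (starting its 10-day deletion window) and create a fresh one, which would leave messages already encrypted under the old key unreadable and swap the alias underneath consumers. Unless a `moved` block already exists elsewhere in the configuration, add one next to this module so the typo fix is a state move rather than a replacement. The change to `kms_key_alias_name` likewise replaces the alias resource inside the module; that is recoverable but should be confirmed in the plan output before applying.
```hcl
# Preserve state across the typo fix so the key is moved, not replaced
moved {
  from = module.event_recieved_sqs_kms
  to   = module.event_received_sqs_kms
}
```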
@@ -14,25 +14,39 @@ module "event_recieved_sqs_kms" { # See the following link for further information # https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html -data "aws_iam_policy_document" "event_recieved_sqs_kms_merged" { +data "aws_iam_policy_document" "event_received_sqs_kms_merged" { provider = aws.global source_policy_documents = [ data.aws_iam_policy_document.sqs_kms.json, - data.aws_iam_policy_document.event_recieved_sqs_kms_development_account_operator_admin.json + data.aws_iam_policy_document.event_received_sqs_kms_development_account_operator_admin.json ] } -data "aws_iam_policy_document" "event_recieved_sqs_kms" { +data "aws_iam_policy_document" "event_received_sqs_kms" { provider = aws.global statement { - sid = "Allow Key to be used for Encryption" + sid = "Enable IAM User Permissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.global.account_id}:root"] + } + actions = [ + "kms:*", + ] + resources = [ + "*", + ] + } + + statement { + sid = "Allow Encryption by IAM" effect = "Allow" resources = [ "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*" ] actions = [ "kms:Encrypt", - "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", @@ -45,9 +59,29 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" { ] } } + statement { + sid = "Allow Encryption by Service" + effect = "Allow" + resources = [ + "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*" + ] + actions = [ + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey", + ] + + principals { + type = "Service" + identifiers = [ + "events.amazonaws.com", + ] + } + } statement { - sid = "Allow Key to be used for Decryption" + sid = "Allow Decryption by Service" effect = "Allow" resources = [ "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*" 
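Review bot: The new `Enable IAM User Permissions` statement grants `kms:*` on `*` to the account root principal, which delegates key access to IAM policies across the whole account; the narrower per-principal statements that follow (including the later `Allow Decryption by IAM` statement restricted to the `event-received-*` role) therefore only bound access if no IAM identity policy in the account also grants `kms:Decrypt` on this key. This is the standard AWS default that keeps the key manageable, but the intent deserves stating beside the statement, e.g. `# Delegates key access to IAM; the per-role statements below are additive, not exclusive`. Removing `kms:Decrypt` from the `Allow Encryption by IAM` statement is the right direction for a producer-side grant; that statement's `principals` block is outside the hunk, so I could not confirm which identities it applies to.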
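Review bot: The added `Allow Encryption by Service` statement lets `events.amazonaws.com` call `kms:Encrypt` and `kms:GenerateDataKey*` on every key in the account with no `condition` block, and because EventBridge is a shared service principal, a rule configured in another AWS account that delivers into this account's resources could also exercise the grant (the confused-deputy pattern). Scope it to this account with an `aws:SourceAccount` condition, and narrow further with `aws:SourceArn` where the rule ARNs are known. The same applies to the `Allow Decryption by Service` statement that starts at the end of this hunk; its `principals` block is outside the hunk, so I could not check whether it is already conditioned.
```hcl
    # … unchanged: sid, effect, resources, actions, principals (events.amazonaws.com) …
    # Restrict the shared service principal to requests originating in this account
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.global.account_id]
    }
```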
@@ -68,6 +102,26 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" { } } + statement { + sid = "Allow Decryption by IAM" + effect = "Allow" + resources = [ + "arn:aws:kms:*:${data.aws_caller_identity.global.account_id}:key/*" + ] + actions = [ + "kms:Decrypt", + "kms:GenerateDataKey*", + "kms:DescribeKey", + ] + + principals { + type = "AWS" + identifiers = [ + local.account.account_name == "development" ? "arn:aws:iam::${data.aws_caller_identity.global.account_id}:root" : "arn:aws:iam::${data.aws_caller_identity.global.account_id}:role/event-received-${local.account.account_name}", + ] + } + } + statement { sid = "General View Access" effect = "Allow" @@ -143,7 +197,7 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" { } } -data "aws_iam_policy_document" "event_recieved_sqs_kms_development_account_operator_admin" { +data "aws_iam_policy_document" "event_received_sqs_kms_development_account_operator_admin" { provider = aws.global statement { sid = "Dev Account Key Administrator"
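Review bot: The `Allow Decryption by IAM` statement also grants `kms:GenerateDataKey*`, which returns a plaintext data key and so is an encrypt-side capability rather than decryption; either drop it from this statement or rename the sid so someone auditing the policy is not misled about what the role can do. The role principal is built by string interpolation as `role/event-received-${local.account.account_name}`; if that role is managed in this configuration, referencing its ARN attribute instead would make a naming drift fail at plan time rather than silently grant nothing — I cannot see where the role is defined. In development the principal is the account root, which the `Enable IAM User Permissions` statement earlier in the document already covers with `kms:*`, so that branch is redundant there but harmless.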