From e6734324d70cac3abcd70d599f480d2d6c0e5278 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Wed, 27 Nov 2024 14:10:07 +0000
Subject: [PATCH] allow role to decrypt

---
 terraform/account/kms_key_event_recieved_sqs.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/terraform/account/kms_key_event_recieved_sqs.tf b/terraform/account/kms_key_event_recieved_sqs.tf
index 28d3da715e..d4c38063d8 100644
--- a/terraform/account/kms_key_event_recieved_sqs.tf
+++ b/terraform/account/kms_key_event_recieved_sqs.tf
@@ -32,6 +32,7 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
 ]
 actions = [
 "kms:Encrypt",
+"kms:Decrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
 "kms:DescribeKey",
@@ -40,7 +41,7 @@ data "aws_iam_policy_document" "event_recieved_sqs_kms" {
 principals {
 type = "AWS"
 identifiers = [
-local.account.account_name == "development" ? "arn:aws:iam::${data.aws_caller_identity.global.account_id}:root" : "arn:aws:iam::${data.aws_caller_identity.global.account_id}:role/${local.account.account_name}-app-task-role",
+local.account.account_name == "development" ? "arn:aws:iam::${data.aws_caller_identity.global.account_id}:root" : "arn:aws:iam::${data.aws_caller_identity.global.account_id}:role/event-received-${local.account.account_name}",
 ]
 }
 }
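Review bot: The new principal ARN in the second hunk is a hand-built string, `role/event-received-${local.account.account_name}`, so nothing in this state ties the key policy to the role it grants, and a role that does not exist yet or is named differently in one account surfaces only at apply time as a KMS invalid-principal error rather than at plan. If the role is managed in the same state, referencing it (`aws_iam_role.<role>.arn`, resource name not visible here) would give Terraform the dependency; if it is defined elsewhere, a comment on the `+` line such as `# must match the event-received role created in <where-it-lives>` would spare the next reader the search. In the first hunk, adding `kms:Decrypt` means this statement now grants the full encrypt/decrypt set to the role (and to the whole account via `:root` in development); since this key only exists for an SQS queue, a `condition` on `kms:ViaService` restricted to the SQS endpoint would confine the grant to use through SQS and is the usual hardening for this pattern. The `data "aws_iam_policy_document"` block begins before the first hunk and continues past the second, so I cannot see whether such a condition already exists.

```terraform
    # … unchanged: resources, actions list (now including "kms:Decrypt"), principals …

    # Restrict this grant to calls made through SQS on behalf of the principal.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["sqs.<REGION>.amazonaws.com"] # <REGION>: placeholder, use the region data source this module already has
    }
```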