Merge pull request #134 from NHSDigital/bugfix/eja-eli-238-fixing-permissions-and-lambda-cloudwatch-kms

eli-238 - bugfix - fixing github and cloudwatch permissions

Author: eddalmond1

infrastructure/modules/lambda/kms.tf

@@ -18,7 +18,7 @@ resource "aws_kms_key_policy" "lambda_cmk" {
 
 data "aws_iam_policy_document" "lambda_cmk" {
   statement {
-    sid    = "Enable IAM User Permissions for s3 buckets"
+    sid    = "Enable IAM User Permissions for Lambda CMK"
     effect = "Allow"
     principals {
       type        = "AWS"
@@ -27,4 +27,21 @@ data "aws_iam_policy_document" "lambda_cmk" {
     actions   = ["kms:*"]
     resources = [aws_kms_key.lambda_cmk.arn]
   }
+
+  statement {
+    sid    = "AllowCloudWatchLogsUseOfTheKey"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${var.region}.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [aws_kms_key.lambda_cmk.arn]
+  }
 }

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -72,15 +72,23 @@ resource "aws_iam_policy" "api_infrastructure" {
           "kms:UpdateKeyDescription",
           "kms:CreateGrant",
           "kms:CreateAlias",
-
+          "kms:TagResource",
+          "kms:CreateKey",
+          "kms:EnableKeyRotation",
+          "kms:ScheduleKeyDeletion",
+          "kms:PutKeyPolicy",
+          "kms:Encrypt",
 
           # Cloudwatch permissions
           "logs:Describe*",
           "logs:ListTagsForResource",
+          "logs:PutRetentionPolicy",
+          "logs:AssociateKmsKey",
 
           #EC2 permissions
           "ec2:Describe*",
           "ec2:CreateTags",
+          "ec2:CreateNetworkAclEntry",
 
           # IAM permissions (scoped to resources with specific path prefix)
           "iam:Get*",