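--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -5,3 +5,12 @@ output "arn" {
 output "table_name" {
   value = aws_dynamodb_table.dynamodb_table.name
 }
+
+output "dynamodb_kms_key_arn" {
+  value = aws_kms_key.dynamodb_cmk.arn
+}
+
+output "dynamodb_kms_key_id" {
+  value = aws_kms_key.dynamodb_cmk.id
+}
+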
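--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -1,3 +1,6 @@
 output "aws_lambda_function_id" {
   value = aws_lambda_function.eligibility_signposting_lambda.id
 }
+output "aws_lambda_function_arn" {
+  value = aws_lambda_function.eligibility_signposting_lambda.arn
+}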
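--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -125,4 +125,40 @@ resource "aws_iam_role_policy" "external_s3_write_policy" {
   policy = data.aws_iam_policy_document.s3_audit_bucket_policy.json
 }
 
+# # KMS
+data "aws_iam_policy_document" "kms_key_policy" {
+  statement {
+    sid    = "EnableIamUserPermissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "Allow lambda role"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        aws_iam_role.eligibility_lambda_role.arn
+      ]
+    }
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      module.eligibility_status_table.dynamodb_kms_key_arn
+    ]
+  }
+}
+
+# attach kms decrypt policy kms key
+resource "aws_kms_key_policy" "kms_key" {
+  key_id = module.eligibility_status_table.dynamodb_kms_key_id
+  policy = data.aws_iam_policy_document.kms_key_policy.json
+}
+
 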
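Review bot: The `Allow lambda role` statement in data.aws_iam_policy_document.kms_key_policy grants the Lambda role kms:Decrypt on the table key with no condition, so the role can decrypt any ciphertext produced under that key by calling KMS directly, not only through DynamoDB; a `kms:ViaService` condition scoped to DynamoDB keeps the grant on the intended path (region value to be filled in). If the Lambda also writes to the table, confirm from the DynamoDB customer-managed-key documentation that Decrypt alone covers that access pattern rather than inferring it from this hunk. The first statement's `kms:*` on `*` for the account root is the usual delegate-to-IAM pattern and prevents lock-out, but it also means any IAM principal in the account with a matching IAM allow can use or administer the key, which deserves a comment stating that is intended. `aws_kms_key_policy` replaces the key's whole policy, so if `aws_kms_key.dynamodb_cmk` inside the module sets its own `policy` argument (the module is outside this diff) the two will fight on every apply. The headings `# # KMS` and `# attach kms decrypt policy kms key` would be clearer as `# KMS key policy for the DynamoDB table CMK: account-level admin via IAM, plus Decrypt for the Lambda role`.
```hcl
  statement {
    sid    = "Allow lambda role"
    # … unchanged: effect, principals, actions, resources …
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["dynamodb.<REGION_PLACEHOLDER>.amazonaws.com"]
    }
  }
```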