Added new kms policy for external write role (#388)

robbailiff2 · web-flow · commit 8cb7cb612fb5 · 2025-09-26T10:48:34.000+01:00
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -504,3 +504,27 @@ resource "aws_iam_role_policy" "external_s3_read_move_policy" {
   role   = aws_iam_role.write_access_role[count.index].id
   policy = data.aws_iam_policy_document.external_s3_read_move_policy_doc.json
 }
+
+# KMS access policy for S3 audit bucket from external write role
+data "aws_iam_policy_document" "external_role_s3_audit_kms_access_policy" {
+  statement {
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [
+      module.s3_audit_bucket.storage_bucket_kms_key_arn
+    ]
+  }
+}
+
+# Attach KMS policy to external write role
+resource "aws_iam_role_policy" "external_audit_kms_access_policy" {
+  count = length(aws_iam_role.write_access_role)
+  name   = "KMSAccessForS3Audit"
+  role   = aws_iam_role.write_access_role[count.index].id
+  policy = data.aws_iam_policy_document.external_role_s3_audit_kms_access_policy.json
+}
