feat(etl-ods): FTRS-3181 use newly created CMK with the etl scheduler

mabe13 · mabe13 · commit 92e339bb6596 · 2026-02-20T12:35:53.000Z
diff --git a/infrastructure/stacks/etl_ods/data.tf b/infrastructure/stacks/etl_ods/data.tf
@@ -156,17 +156,6 @@ data "aws_iam_policy_document" "ods_etl_scheduler_invoke_policy" {
       module.extractor_lambda.lambda_function_arn
     ]
   }
-
-  statement {
-    effect = "Allow"
-    actions = [
-      "kms:Decrypt",
-      "kms:DescribeKey",
-      "kms:CreateGrant",
-      "kms:ReEncrypt"
-    ]
-    resources = [data.aws_kms_key.scheduler_kms_key.arn]
-  }
 }
 
 data "aws_kms_key" "sqs_kms_alias" {
diff --git a/infrastructure/stacks/etl_ods/iam.tf b/infrastructure/stacks/etl_ods/iam.tf
@@ -11,6 +11,19 @@ resource "aws_iam_role" "ods_etl_scheduler_invoke_role" {
           Service = "scheduler.amazonaws.com"
         }
         Action = "sts:AssumeRole"
+      },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "s3.amazonaws.com"
+        },
+        Actions = [
+          "kms:Decrypt",
+          "kms:DescribeKey",
+          "kms:CreateGrant",
+          "kms:ReEncrypt"
+        ]
+        resources = [data.aws_kms_key.scheduler_kms_key.arn]
       }
     ]
   })

Original file line number	Diff line number	Diff line change
`@@ -156,17 +156,6 @@ data "aws_iam_policy_document" "ods_etl_scheduler_invoke_policy" {`
`156`	`156`	`module.extractor_lambda.lambda_function_arn`
`157`	`157`	`]`
`158`	`158`	`}`
`159`		`-`
`160`		`- statement {`
`161`		`- effect = "Allow"`
`162`		`- actions = [`
`163`		`- "kms:Decrypt",`
`164`		`- "kms:DescribeKey",`
`165`		`- "kms:CreateGrant",`
`166`		`- "kms:ReEncrypt"`
`167`		`- ]`
`168`		`- resources = [data.aws_kms_key.scheduler_kms_key.arn]`
`169`		`- }`
`170`	`159`	`}`
`171`	`160`
`172`	`161`	`data "aws_kms_key" "sqs_kms_alias" {`