kms:decrypt

nhsdevws · nhsdevws · commit 5dbd01c07c46 · 2025-07-31T23:12:44.000+01:00
diff --git a/terraform/id_sync_lambda.tf b/terraform/id_sync_lambda.tf
@@ -224,7 +224,15 @@ resource "aws_iam_policy" "id_sync_lambda_kms_access_policy" {
         Resource = [
           data.aws_kms_key.existing_s3_encryption_key.arn,
         ]
-      }
+      },
+	  {
+		Effect = "Allow"
+		Action = [
+		  "kms:Decrypt",
+		  "kms:GenerateDataKey*"
+		]
+		Resource = data.aws_kms_key.existing_dynamo_encryption_key.arn
+	  }
     ]
   })
 }

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,15 @@ resource "aws_iam_policy" "id_sync_lambda_kms_access_policy" {`
`224`	`224`	`Resource = [`
`225`	`225`	`data.aws_kms_key.existing_s3_encryption_key.arn,`
`226`	`226`	`]`
`227`		`- }`
	`227`	`+ },`
	`228`	`+ {`
	`229`	`+ Effect = "Allow"`
	`230`	`+ Action = [`
	`231`	`+ "kms:Decrypt",`
	`232`	`+ "kms:GenerateDataKey*"`
	`233`	`+ ]`
	`234`	`+ Resource = data.aws_kms_key.existing_dynamo_encryption_key.arn`
	`235`	`+ }`
`228`	`236`	`]`
`229`	`237`	`})`
`230`	`238`	`}`