Merge branch 'master' into VED-714-rearchitect-to-prevent-batch-race-conditions

Author: dlzhry2nhs

terraform/dps_role_creation.tf

@@ -1,5 +1,5 @@
 resource "aws_iam_role" "dynamo_s3_access_role" {
-  name = "${local.short_prefix}-dynamo-s3-access-role"
+  name = "imms-${local.resource_scope}-dynamo-s3-access-role"
   assume_role_policy = jsonencode({
     Version : "2012-10-17",
     Statement : [
@@ -14,8 +14,8 @@ resource "aws_iam_role" "dynamo_s3_access_role" {
   })
 }
 
-resource "aws_iam_role_policy" "dynamo_s3_access_policy" {
-  name = "${local.short_prefix}-dynamo_s3_access-policy"
+resource "aws_iam_role_policy" "dynamo_access_policy" {
+  name = "imms-${local.resource_scope}-dynamo-access-policy"
   role = aws_iam_role.dynamo_s3_access_role.id
   policy = jsonencode({
     Version = "2012-10-17",
@@ -35,3 +35,22 @@ resource "aws_iam_role_policy" "dynamo_s3_access_policy" {
     ]
   })
 }
+
+resource "aws_iam_role_policy" "kms_key_access_policy" {
+  name = "imms-${local.resource_scope}-kms-key-access-policy"
+  role = aws_iam_role.dynamo_s3_access_role.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "kms:Decrypt"
+        ],
+        Resource = [
+          data.aws_kms_key.existing_dynamo_encryption_key.arn
+        ]
+      }
+    ]
+  })
+}