CCM-10283: Add stuff from other branch to KMS policy

Author: chris-elliott-nhsd

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -135,4 +135,33 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+    statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
+    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
+    }
+  }
 }