CCM-10283: Remove KMS on receipt rule

Author: chris-elliott-nhsd

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -56,14 +56,14 @@ data "aws_iam_policy_document" "kms" {
   }
 
   statement {
-    sid    = "AllowSES"
+    sid    = "AllowS3"
     effect = "Allow"
 
     principals {
       type = "Service"
 
       identifiers = [
-        "ses.amazonaws.com",
+        "s3.amazonaws.com",
       ]
     }
 
@@ -78,15 +78,31 @@ data "aws_iam_policy_document" "kms" {
     resources = [
       "*",
     ]
+  }
 
-    condition {
-      test     = "ArnLike"
-      variable = "aws:SourceArn"
+  statement {
+    sid    = "AllowSES"
+    effect = "Allow"
 
-      values = [
-        "arn:aws:ses:${var.region}:${var.aws_account_id}:receipt-rule-set:*",
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "ses.amazonaws.com",
       ]
     }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
   }
 
   statement {

infrastructure/terraform/modules/ses/ses_receipt_rule_set.tf

@@ -18,7 +18,6 @@ resource "aws_ses_receipt_rule" "store_email" {
     position          = 1
     bucket_name       = module.s3bucket_ses.0.id
     object_key_prefix = "emails/"
-    kms_key_arn       = var.kms_key_arn
     iam_role_arn      = aws_iam_role.ses_receipts.0.arn
   }
 }