CCM-9051: remove legacy KMS key (#507)

Author: alexnuttall

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -21,7 +21,6 @@ module "backend_api" {
   letter_suppliers = var.letter_suppliers
 
   kms_key_arn          = data.aws_kms_key.sandbox.arn
-  dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn
 
   send_to_firehose = false
 }

infrastructure/terraform/modules/backend-api/README.md

@@ -14,7 +14,6 @@ No requirements.
 | <a name="input_cognito_config"></a> [cognito\_config](#input\_cognito\_config) | Cognito config | <pre>object({<br/>    USER_POOL_ID : string,<br/>    USER_POOL_CLIENT_ID : string<br/>  })</pre> | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | n/a | yes |
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
-| <a name="input_dynamodb_kms_key_arn"></a> [dynamodb\_kms\_key\_arn](#input\_dynamodb\_kms\_key\_arn) | KMS Key ARN for encrypting DynamoDB data. If not given, a key will be created. | `string` | `""` | no |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
 | <a name="input_enable_proofing"></a> [enable\_proofing](#input\_enable\_proofing) | Enable proofing feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |

infrastructure/terraform/modules/backend-api/dynamodb_table_templates.tf

@@ -26,7 +26,7 @@ resource "aws_dynamodb_table" "templates" {
 
   server_side_encryption {
     enabled     = true
-    kms_key_arn = local.dynamodb_kms_key_arn
+    kms_key_arn = var.kms_key_arn
   }
 
   tags = {

infrastructure/terraform/modules/backend-api/kms_key_dynamo.tf

@@ -50,8 +50,6 @@ locals {
     ENABLE_PROOFING                  = var.enable_proofing
   }
 
-  dynamodb_kms_key_arn = var.dynamodb_kms_key_arn == "" ? aws_kms_key.dynamo[0].arn : var.dynamodb_kms_key_arn
-
   mock_letter_supplier_name = "WTMMOCK"
 
   use_sftp_letter_supplier_mock = lookup(var.letter_suppliers, local.mock_letter_supplier_name, null) != null

infrastructure/terraform/modules/backend-api/locals.tf

@@ -62,7 +62,6 @@ data "aws_iam_policy_document" "create_letter_template_lambda_policy" {
     ]
 
     resources = [
-      local.dynamodb_kms_key_arn,
       var.kms_key_arn
     ]
   }

infrastructure/terraform/modules/backend-api/module_create_letter_template_lambda.tf

@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "create_template_lambda_policy" {
     ]
 
     resources = [
-      local.dynamodb_kms_key_arn
+      var.kms_key_arn
     ]
   }
 }

infrastructure/terraform/modules/backend-api/module_create_template_lambda.tf

@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "delete_template_lambda_policy" {
     ]
 
     resources = [
-      local.dynamodb_kms_key_arn
+      var.kms_key_arn
     ]
   }
 }

infrastructure/terraform/modules/backend-api/module_delete_template_lambda.tf

@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "get_template_lambda_policy" {
     ]
 
     resources = [
-      local.dynamodb_kms_key_arn
+      var.kms_key_arn
     ]
   }
 }

infrastructure/terraform/modules/backend-api/module_get_template_lambda.tf

@@ -64,7 +64,7 @@ data "aws_iam_policy_document" "process_proof" {
   }
 
   statement {
-    sid    = "AllowKMSAccessDynamoDB"
+    sid    = "AllowKMSAccess"
     effect = "Allow"
 
     actions = [
@@ -75,20 +75,6 @@ data "aws_iam_policy_document" "process_proof" {
       "kms:ReEncrypt*",
     ]
 
-    resources = [
-      local.dynamodb_kms_key_arn,
-    ]
-  }
-
-  statement {
-    sid    = "AllowKMSAccessSQSDLQ"
-    effect = "Allow"
-
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey",
-    ]
-
     resources = [
       var.kms_key_arn,
     ]