CCM-9051: dedupe more iam policy statements

alexnuttall · alexnuttall · commit e5ca8419540d · 2025-06-03T16:47:19.000+01:00
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_process_proof.tf b/infrastructure/terraform/modules/backend-api/module_lambda_process_proof.tf
@@ -64,7 +64,7 @@ data "aws_iam_policy_document" "process_proof" {
   }
 
   statement {
-    sid    = "AllowKMSAccessDynamoDB"
+    sid    = "AllowKMSAccess"
     effect = "Allow"
 
     actions = [
@@ -80,20 +80,6 @@ data "aws_iam_policy_document" "process_proof" {
     ]
   }
 
-  statement {
-    sid    = "AllowKMSAccessSQSDLQ"
-    effect = "Allow"
-
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey",
-    ]
-
-    resources = [
-      var.kms_key_arn,
-    ]
-  }
-
   statement {
     sid    = "AllowS3QuarantineGetObject"
     effect = "Allow"
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_request_proof.tf b/infrastructure/terraform/modules/backend-api/module_lambda_request_proof.tf
@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "request_proof_lambda_policy" {
   }
 
   statement {
-    sid    = "AllowDdbKMSAccess"
+    sid    = "AllowKMSAccess"
     effect = "Allow"
 
     actions = [
@@ -77,18 +77,4 @@ data "aws_iam_policy_document" "request_proof_lambda_policy" {
       var.kms_key_arn
     ]
   }
-
-  statement {
-    sid    = "AllowSqsKMSAccess"
-    effect = "Allow"
-
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey",
-    ]
-
-    resources = [
-      var.kms_key_arn,
-    ]
-  }
 }
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_set_letter_file_virus_scan_status_for_upload.tf b/infrastructure/terraform/modules/backend-api/module_lambda_set_letter_file_virus_scan_status_for_upload.tf
@@ -67,18 +67,4 @@ data "aws_iam_policy_document" "set_file_virus_scan_status_for_upload" {
       var.kms_key_arn
     ]
   }
-
-  statement {
-    sid    = "AllowKMSAccessSQSDLQ"
-    effect = "Allow"
-
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey",
-    ]
-
-    resources = [
-      var.kms_key_arn,
-    ]
-  }
 }

Original file line number	Diff line number	Diff line change
`@@ -67,18 +67,4 @@ data "aws_iam_policy_document" "set_file_virus_scan_status_for_upload" {`
`67`	`67`	`var.kms_key_arn`
`68`	`68`	`]`
`69`	`69`	`}`
`70`		`-`
`71`		`- statement {`
`72`		`- sid = "AllowKMSAccessSQSDLQ"`
`73`		`- effect = "Allow"`
`74`		`-`
`75`		`- actions = [`
`76`		`- "kms:Decrypt",`
`77`		`- "kms:GenerateDataKey",`
`78`		`- ]`
`79`		`-`
`80`		`- resources = [`
`81`		`- var.kms_key_arn,`
`82`		`- ]`
`83`		`- }`
`84`	`70`	`}`