fix kms usecase on init (#333)

iakov-aws · web-flow · commit 86c18bd6c9b9 · 2025-04-23T14:20:06.000-07:00
diff --git a/data-collection/deploy/deploy-data-collection.yaml b/data-collection/deploy/deploy-data-collection.yaml
@@ -1,6 +1,6 @@
 # https://github.com/awslabs/cid-data-collection-framework/blob/main/data-collection/deploy/deploy-data-collection.yaml
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection Stack v3.9.0 - AWS Solution SO9011
+Description: CID Data Collection Stack v3.9.1 - AWS Solution SO9011
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -596,6 +596,17 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"
                   - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}"
                   - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*"
+        - !If
+          - NeedDataBucketsKms
+          - PolicyName: "KMS"
+            PolicyDocument:
+              Version: "2012-10-17"
+              Statement:
+                - Effect: "Allow"
+                  Action:
+                    - "kms:Decrypt"
+                  Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
+          - !Ref AWS::NoValue
 
   KmsPolicyForCidResources:
     Type: AWS::IAM::Policy
@@ -610,7 +621,6 @@ Resources:
               - 'kms:Decrypt'
             Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
       Roles:
-        - !Ref LambdaInitRole
         - !Ref StepFunctionExecutionRole
         - !Ref LambdaManageGlueTableRole
         - !Ref GlueRole
diff --git a/data-collection/deploy/deploy-data-read-permissions.yaml b/data-collection/deploy/deploy-data-read-permissions.yaml
@@ -1,6 +1,6 @@
 # https://github.com/awslabs/cid-data-collection-framework/blob/main/data-collection/deploy/deploy-data-read-permissions.yaml
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - All-in-One for Management Account v3.9.0 - AWS Solution SO9011
+Description: CID Data Collection - All-in-One for Management Account v3.9.1 - AWS Solution SO9011
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -223,7 +223,7 @@ Resources:
   DataCollectorOrgAccountModulesReadStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
-      Description: "StackSet in charge of deploying read roles across organization accounts v3.9.0"
+      Description: "StackSet in charge of deploying read roles across organization accounts v3.9.1"
       PermissionModel: SERVICE_MANAGED
       AutoDeployment:
         Enabled: true
diff --git a/data-collection/deploy/deploy-in-linked-account.yaml b/data-collection/deploy/deploy-in-linked-account.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - Role for Linked Account v3.9.0
+Description: CID Data Collection - Role for Linked Account v3.9.1
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
diff --git a/data-collection/deploy/deploy-in-management-account.yaml b/data-collection/deploy/deploy-in-management-account.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - Role for Management Account v3.9.0
+Description: CID Data Collection - Role for Management Account v3.9.1
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
diff --git a/data-collection/utils/version.json b/data-collection/utils/version.json
@@ -1,3 +1,3 @@
 {
-    "version": "3.9.0"
+    "version": "3.9.1"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`{`
`2`		`- "version": "3.9.0"`
	`2`	`+ "version": "3.9.1"`
`3`	`3`	`}`