fix(webhook): grant KMS permission to decrypt wehn using EventBridge

npalm · npalm · commit ddbfb9e45f74 · 2024-10-29T19:55:14.000+01:00
diff --git a/modules/webhook/direct/webhook.tf b/modules/webhook/direct/webhook.tf
@@ -117,7 +117,15 @@ resource "aws_iam_role_policy" "webhook_sqs" {
 
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
-    kms_key_arn       = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+  })
+}
+
+resource "aws_iam_role_policy" "webhook_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
   })
 }
 
@@ -128,7 +136,6 @@ resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
 
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode([var.config.sqs_workflow_job_queue.arn])
-    kms_key_arn       = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
   })
 }
 
diff --git a/modules/webhook/eventbridge/dispatcher.tf b/modules/webhook/eventbridge/dispatcher.tf
@@ -116,7 +116,15 @@ resource "aws_iam_role_policy" "dispatcher_sqs" {
 
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
-    kms_key_arn       = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+  })
+}
+
+resource "aws_iam_role_policy" "dispatcher_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
   })
 }
 
diff --git a/modules/webhook/eventbridge/webhook.tf b/modules/webhook/eventbridge/webhook.tf
@@ -127,6 +127,15 @@ resource "aws_iam_role_policy" "webhook_ssm" {
   })
 }
 
+resource "aws_iam_role_policy" "webhook_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
+  })
+}
+
 resource "aws_iam_role_policy" "xray" {
   count  = var.config.tracing_config.mode != null ? 1 : 0
   name   = "xray-policy"
diff --git a/modules/webhook/policies/lambda-kms.json b/modules/webhook/policies/lambda-kms.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+        "Effect": "Allow",
+        "Action": [
+            "kms:Decrypt",
+            "kms:GenerateDataKey"
+        ],
+        "Resource": "${kms_key_arn}"
+    }
+  ]
+}
diff --git a/modules/webhook/policies/lambda-publish-sqs-policy.json b/modules/webhook/policies/lambda-publish-sqs-policy.json
@@ -5,16 +5,6 @@
       "Effect": "Allow",
       "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
       "Resource": ${sqs_resource_arns}
-      %{ if kms_key_arn != "" ~}
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "kms:Decrypt",
-            "kms:GenerateDataKey"
-        ],
-        "Resource": "${kms_key_arn}"
-    %{ endif ~}
     }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -5,16 +5,6 @@`
`5`	`5`	`"Effect": "Allow",`
`6`	`6`	`"Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],`
`7`	`7`	`"Resource": ${sqs_resource_arns}`
`8`		`- %{ if kms_key_arn != "" ~}`
`9`		`- },`
`10`		`- {`
`11`		`- "Effect": "Allow",`
`12`		`- "Action": [`
`13`		`- "kms:Decrypt",`
`14`		`- "kms:GenerateDataKey"`
`15`		`- ],`
`16`		`- "Resource": "${kms_key_arn}"`
`17`		`- %{ endif ~}`
`18`	`8`	`}`
`19`	`9`	`]`
`20`	`10`	`}`