From 284c716b44928662ebcd26d75946ebbaa8ce6051 Mon Sep 17 00:00:00 2001
From: Michael Foley
Date: Thu, 30 Nov 2023 16:20:50 +1100
Subject: [PATCH] fix(topic): kms permissions (#791)

- Adds decrypt permissions to the topic permissions policy when encryption at rest is enabled
---
 aws/components/topic/state.ftl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/aws/components/topic/state.ftl b/aws/components/topic/state.ftl
index 4108b2ae..bf6d49c3 100644
--- a/aws/components/topic/state.ftl
+++ b/aws/components/topic/state.ftl
@@ -40,7 +40,10 @@
 "publish" : [snsPublishPermission(topicId)] +
 (solution.Encrypted)?then(
 snsEncryptionStatement(
- [ "kms:GenerateDataKey*" ],
+ [
+ "kms:GenerateDataKey*",
+ "kms:Decrypt"
+ ],
 (baselineIds["Encryption"])!"",
 getExistingReference(topicId, REGION_ATTRIBUTE_TYPE)
 ),
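Review bot: The key argument `(baselineIds["Encryption"])!""` falls back to an empty string, and with this change `kms:Decrypt` is attached to whatever resource `snsEncryptionStatement` builds from it. That helper is defined outside the hunk, so it is worth confirming that an empty key id makes it omit the statement or fail, rather than emit a broad key resource, since Decrypt is a wider grant than GenerateDataKey. The region argument suggests the helper conditions the grant on use through SNS (presumably a `kms:ViaService` condition); if it does not, adding one would keep the new action from being usable directly against the key. A short comment above the action list, in the file's comment syntax, such as `publishing to an encrypted topic needs both GenerateDataKey* and Decrypt on the topic key`, would record why a publish role holds Decrypt. The enclosing role definition starts and ends outside the hunk.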