From 46f616a5560fab65e7d1832cd38b5bb53d03ec0c Mon Sep 17 00:00:00 2001
From: roleyfoley
Date: Thu, 26 Oct 2023 14:08:01 +1100
Subject: [PATCH] feat: add support for kms replication of objects

- When doing cross account replications for items that are encrypted at rest using SSE-KMS you need to provide a new key in the S3 account that can be used
- This update covers the extra permissions and processes that we do
---
 aws/components/s3/setup.ftl | 15 +++++++++++++--
 aws/services/kms/policy.ftl | 8 +++++++-
 aws/services/s3/policy.ftl | 1 +
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/aws/components/s3/setup.ftl b/aws/components/s3/setup.ftl
index 01aa1464..84d7f90b 100644
--- a/aws/components/s3/setup.ftl
+++ b/aws/components/s3/setup.ftl
@@ -37,6 +37,7 @@ [#local replicationCrossAccount = false ] [#local replicationDestinationAccountId = "" ] [#local replicationExternalPolicy = []] + [#local replicationKMSKey = ""] [#local backupTags = {} ]
@@ -296,9 +297,16 @@ [#local replicationEnabled = true] [#local versioningEnabled = true] - [#local replicationDestinationAccountId = linkTargetAttributes["ACCOUNT_ID"]!"" ] + [#local replicationDestinationAccountId = (linkTargetAttributes["ACCOUNT_ID"])!"" ] [#local replicationExternalPolicy += s3ReplicaDestinationPermission( linkTargetAttributes["ARN"] ) ] [#local replicationBucket = linkTargetAttributes["ARN"]] + [#local replicationKMSKey = (linkTargetAttributes["KMS_KEY_ARN"])!""] + [#local replicationKMSKeyARN = (linkTargetAttributes["KMS_KEY_REGION"])!""] + [#if replicationKMSKey?has_content ] + [#local replicationExternalPolicy += s3EncryptionAllPermission(replicationKMSKey, replicationBucket, "*", replicationKMSKeyARN)] + [/#if] + [#break] [#case "save" ]
@@ -394,7 +402,10 @@ solution.Replication.Enabled, prefix, replicateEncryptedData, - kmsKeyId, + replicationKMSKey?has_content?then( replicationKMSKey, kmsKeyId ), replicationDestinationAccountId )]] [/#list]
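Review bot: In the `[#case]` branch patched at @@ -296, the local named `replicationKMSKeyARN` is assigned `linkTargetAttributes["KMS_KEY_REGION"]` while the key ARN itself sits in `replicationKMSKey`, and that region value is then passed as the last argument of `s3EncryptionAllPermission`; the name misdescribes the value and will mislead the next reader of the KMS grant. Rename it on both lines: `[#local replicationKMSKeyRegion = (linkTargetAttributes["KMS_KEY_REGION"])!""]` and `[#local replicationExternalPolicy += s3EncryptionAllPermission(replicationKMSKey, replicationBucket, "*", replicationKMSKeyRegion)]`. The grant also uses the literal prefix `"*"`, so the replication role is allowed to use the destination key for every object path in the destination bucket even though the replication rule built at @@ -394 is scoped by `prefix`; if the rule prefix is reachable here, passing it instead keeps the KMS grant at least privilege. The enclosing `[#case]` starts above the hunk and the `[#switch]` it belongs to is not visible.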
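Review bot: The `?then` at @@ -394 falls back to the source bucket's `kmsKeyId` whenever the destination link exposes no `KMS_KEY_ARN`, and that fallback is silent; for a cross-account destination (`replicationDestinationAccountId` set) the replica key is presumably expected to live in the destination account, as the commit message says, so the silent fallback would produce a replication rule pointing at a source-account key that the destination cannot necessarily use and that none of the new permissions cover. Consider failing the build when `replicateEncryptedData` is set, the destination is cross-account and `replicationKMSKey` is empty, or at least marking the fallback, e.g. `[#-- no destination KMS key supplied by the link: falling back to the source key, which is only valid for same-account replication --]`. Note also that `replicationKMSKey` is set once per link (@@ -296) but appears to be applied on every iteration of the `[#list]`, whose start lies outside the hunk, so a link-level key overrides any per-rule `kmsKeyId` without any indication.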
diff --git a/aws/services/kms/policy.ftl b/aws/services/kms/policy.ftl
index 5cf45b2f..11f049a5 100644
--- a/aws/services/kms/policy.ftl
+++ b/aws/services/kms/policy.ftl
@@ -76,7 +76,13 @@ "", { "StringLike" : { - "kms:EncryptionContext:aws:s3:arn" : "arn:aws:s3:::" + formatRelativePath(bucketName, bucketPrefix?ensure_ends_with("*") ) + "kms:EncryptionContext:aws:s3:arn" : formatRelativePath( bucketName?is_string?then( bucketName?ensure_starts_with("arn:aws:s3:::"), bucketName ), bucketPrefix?ensure_ends_with("*") ) } } )
diff --git a/aws/services/s3/policy.ftl b/aws/services/s3/policy.ftl
index 5eadf76c..c524b90b 100644
--- a/aws/services/s3/policy.ftl
+++ b/aws/services/s3/policy.ftl
@@ -243,6 +243,7 @@ [#return getS3Statement( [ + "s3:PutObject", "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ObjectOwnerOverrideToBucketOwner",
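Review bot: At @@ -76 the new non-string branch of `bucketName?is_string?then(...)` hands `bucketName` to `formatRelativePath` without the `"arn:aws:s3:::"` prefix that the replaced line always prepended, so for a non-string bucket reference the `kms:EncryptionContext:aws:s3:arn` value would presumably become a bare path rather than an S3 ARN and never match the context S3 supplies, which denies the key use (fail-closed, but replication would break silently). Unless `formatRelativePath` is known to add the prefix for reference values, keep the old concatenation on that branch or document the expectation with `[#-- non-string bucketName must already resolve to a full s3 ARN; only string names get the arn prefix added --]`. The string branch hard-codes the `aws` partition in `?ensure_starts_with("arn:aws:s3:::")`, so a bucket ARN from `aws-us-gov` or `aws-cn` would get the prefix prepended and become an invalid ARN; testing for `arn:` instead, e.g. `bucketName?starts_with("arn:")?then(bucketName, "arn:aws:s3:::" + bucketName)`, avoids that. The surrounding statement (the condition map passed to the policy helper) starts and ends outside the hunk.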