allow updated key policy (#3037)

ministryofjustice · Jan 7, 2025 · fb0b3c7 · fb0b3c7
1 parent fc40124
commit fb0b3c7
Showing 1 changed file with 27 additions and 1 deletion.
diff --git a/terraform/account/kms.tf b/terraform/account/kms.tf
@@ -147,7 +147,6 @@ data "aws_iam_policy_document" "cloudwatch_kms" {
   }
 }
 
-
 module "event_receiver_mrk" {
   source = "./modules/multi_region_kms"
 
@@ -205,4 +204,31 @@ data "aws_iam_policy_document" "event_receiver_kms" {
       ]
     }
   }
+
+  statement {
+    sid       = "Key Administrator"
+    effect    = "Allow"
+    resources = ["*"]
+    actions = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion"
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/breakglass"]
+    }
+  }
 }