AWS SSO roles requre s3 KMS key permissions

When the s3 Export buckets are encrypted all AWS SSO roles will lose access to get objects from the export buckets To allow AWS SSO role continued access where needed they will require KMS key permssions so the roles need to be passed to the KMS key policy Add the AWS SSO roles to ssm parameters so can be passsed into the KMS key permissions
nationalarchives · Oct 9, 2023 · e41b3c5 · e41b3c5
1 parent 1bfa4a5
commit e41b3c5
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/root_export_bucket_access.tf b/root_export_bucket_access.tf
@@ -0,0 +1,25 @@
+
+module "aws_sso_roles" {
+  source = "./da-terraform-modules/ssm_parameter"
+  parameters = [
+    {
+      name        = "${local.environment}/admin_role",
+      description = "AWS SSO admin role. Value to be added manually"
+      type        = "SecureString"
+      value       = "placeholder"
+    },
+    {
+      name        = "${local.environment}/developer_role",
+      description = "AWS SSO developer role. Value to be added manually"
+      type        = "SecureString"
+      value       = "placeholder"
+    },
+    {
+      name        = "${local.environment}/export_role",
+      description = "AWS SSO export role. Value to be added manually"
+      type        = "SecureString"
+      value       = "placeholder"
+    }
+  ]
+  tags = local.common_tags
+}