From e41b3c54c54369dd4ac0124ed041c4bbd47c2473 Mon Sep 17 00:00:00 2001
From: TomJKing
Date: Mon, 9 Oct 2023 14:31:02 +0100
Subject: [PATCH] AWS SSO roles requre s3 KMS key permissions
When the s3 Export buckets are encrypted all AWS SSO roles will lose access to get objects from the export buckets To allow AWS SSO role continued access where needed they will require KMS key permssions so the roles need to be passed to the KMS key policy Add the AWS SSO roles to ssm parameters so can be passsed into the KMS key permissions
---
 root_export_bucket_access.tf | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 root_export_bucket_access.tf
diff --git a/root_export_bucket_access.tf b/root_export_bucket_access.tf
new file mode 100644
index 00000000..37f43275
--- /dev/null
+++ b/root_export_bucket_access.tf
@@ -0,0 +1,25 @@
+
+module "aws_sso_roles" {
+ source = "./da-terraform-modules/ssm_parameter"
+ parameters = [
+ {
+ name = "${local.environment}/admin_role",
+ description = "AWS SSO admin role. Value to be added manually"
+ type = "SecureString"
+ value = "placeholder"
+ },
+ {
+ name = "${local.environment}/developer_role",
+ description = "AWS SSO developer role. Value to be added manually"
+ type = "SecureString"
+ value = "placeholder"
+ },
+ {
+ name = "${local.environment}/export_role",
+ description = "AWS SSO export role. Value to be added manually"
+ type = "SecureString"
+ value = "placeholder"
+ }
+ ]
+ tags = local.common_tags
+}
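Review bot: Each parameter is a SecureString whose Terraform-managed `value = "placeholder"` is meant to be replaced by hand, so unless the ssm_parameter module sets `lifecycle { ignore_changes = [value] }` (the module is not part of this commit, so this is unverified here) the next apply will see drift and revert the manually entered role ARNs to `placeholder`; a KMS key policy that consumes these values would then either fail to apply on an invalid principal or drop the SSO roles' access to the export buckets that this change is meant to preserve. Confirm the module ignores later changes to `value`, and state that contract in the descriptions, e.g. `description = "AWS SSO admin role ARN. Value to be added manually; Terraform ignores later changes to it"`. The names `"${local.environment}/admin_role"` also use a hierarchy without a leading `/`, which SSM as far as I recall rejects as not fully qualified, so check whether the module prepends a slash or these should read `"/${local.environment}/admin_role"`. The blank line added as the first line of the new file looks accidental and could be dropped.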