CCL-438 Policy addition to KMS key

UKHomeOffice · Sep 9, 2024 · 9cd10a7 · 9cd10a7
1 parent cf01cc4
commit 9cd10a7
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/modules/products/static-site/kms.tf b/modules/products/static-site/kms.tf
@@ -2,3 +2,44 @@ resource "aws_kms_key" "static_site_kms" {
   enable_key_rotation = true
   tags                = local.common_tags
 }
+
+resource "aws_kms_key_policy" "static_site_kms_policy" {  
+  key_id = aws_kms_key.static_site_kms.id  
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id = "static_site_kms_policy"
+    Statement = [
+      {
+        Sid      = "EnableIAMUserPermissions"
+        Action   = "kms:*"
+        Effect   = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${local.account_id}:root"
+        }
+        Resource = ["*"]     
+      },
+    ]
+    Statement = [
+      {
+        Sid      = "CloudFrontServiceKmsPolicy"
+        Action = [
+          "kms:Decrypt",
+          "kms:Encrypt",
+          "kms:GenerateDataKey*"
+        ]
+        Effect = "Allow"
+        Principal = {
+          type        = "Service"
+          identifiers = ["cloudfront.amazonaws.com"]
+        }
+        Resource = ["*"]  
+        condition = {
+            test     = "StringEquals"
+            variable = "aws:SourceArn"
+            values   = [aws_cloudfront_distribution.static_site_distribution.arn]
+          }
+      },
+    ]    
+  })
+}
+