diff --git a/README.md b/README.md
index 65ea9a9..03ce3f4 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ for dxw's Dalmatian hosting platform.
| [cloudtrail\_log\_retention](#input\_cloudtrail\_log\_retention) | Cloudtrail log retention in days. Set to 0 to keep all logs. | `number` | n/a | yes |
| [cloudwatch\_opsgenie\_alerts\_sns\_endpoint](#input\_cloudwatch\_opsgenie\_alerts\_sns\_endpoint) | The Opsgenie SNS endpoint. https://support.atlassian.com/opsgenie/docs/integrate-opsgenie-with-incoming-amazon-sns/ | `string` | n/a | yes |
| [cloudwatch\_opsgenie\_alerts\_sns\_kms\_encryption](#input\_cloudwatch\_opsgenie\_alerts\_sns\_kms\_encryption) | Use KMS encryption with the Opsgenie Alerts SNS topic | `bool` | n/a | yes |
+| [cloudwatch\_opsgenie\_alerts\_sns\_kms\_key\_additional\_principles\_allow](#input\_cloudwatch\_opsgenie\_alerts\_sns\_kms\_key\_additional\_principles\_allow) | Add additional principles to allow full access to the key that is created for the Opsgenie Alerts SNS topic key | `list(string)` | n/a | yes |
| [cloudwatch\_slack\_alerts\_channel](#input\_cloudwatch\_slack\_alerts\_channel) | The Slack channel for CloudWatch alerts | `string` | n/a | yes |
| [cloudwatch\_slack\_alerts\_hook\_url](#input\_cloudwatch\_slack\_alerts\_hook\_url) | The Slack webhook URL for CloudWatch alerts | `string` | n/a | yes |
| [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable Cloudtrail | `bool` | n/a | yes |
diff --git a/cloudwatch-opsgenie-alerts-sns.tf b/cloudwatch-opsgenie-alerts-sns.tf
index 3107ae6..5e3a3b0 100644
--- a/cloudwatch-opsgenie-alerts-sns.tf
+++ b/cloudwatch-opsgenie-alerts-sns.tf
@@ -10,6 +10,7 @@ resource "aws_kms_key" "cloudwatch_opsgenie_alerts_sns" {
{
services = jsonencode(["cloudwatch.amazonaws.com"]),
sns_topic_arn = "arn:aws:sns:${local.aws_region}:${local.aws_account_id}:${local.project_name}-cloudwatch-opsgenie-alerts"
+ additional_principle_allow = jsonencode(local.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow)
}
)
}
@@ -42,6 +43,7 @@ resource "aws_kms_key" "cloudwatch_opsgenie_alerts_sns_us_east_1" {
{
services = jsonencode(["cloudwatch.amazonaws.com"]),
sns_topic_arn = "arn:aws:sns:us-east-1:${local.aws_account_id}:${local.project_name}-cloudwatch-opsgenie-alerts"
+ additional_principle_allow = jsonencode(local.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow)
}
)
}
diff --git a/locals.tf b/locals.tf
index 130881a..58d479b 100644
--- a/locals.tf
+++ b/locals.tf
@@ -18,9 +18,10 @@ locals {
cloudwatch_slack_alerts_hook_url = var.cloudwatch_slack_alerts_hook_url
cloudwatch_slack_alerts_channel = var.cloudwatch_slack_alerts_channel
- enable_cloudwatch_opsgenie_alerts = var.enable_cloudwatch_opsgenie_alerts
- cloudwatch_opsgenie_alerts_sns_kms_encryption = var.cloudwatch_opsgenie_alerts_sns_kms_encryption && local.enable_cloudwatch_opsgenie_alerts
- cloudwatch_opsgenie_alerts_sns_endpoint = var.cloudwatch_opsgenie_alerts_sns_endpoint
+ enable_cloudwatch_opsgenie_alerts = var.enable_cloudwatch_opsgenie_alerts
+ cloudwatch_opsgenie_alerts_sns_kms_encryption = var.cloudwatch_opsgenie_alerts_sns_kms_encryption && local.enable_cloudwatch_opsgenie_alerts
+ cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow = var.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow
+ cloudwatch_opsgenie_alerts_sns_endpoint = var.cloudwatch_opsgenie_alerts_sns_endpoint
default_tags = {
Project = local.project_name,
diff --git a/policies/kms-key-policy-sns-topic.json.tpl b/policies/kms-key-policy-sns-topic.json.tpl
index db2e6cb..30a4d8a 100644
--- a/policies/kms-key-policy-sns-topic.json.tpl
+++ b/policies/kms-key-policy-sns-topic.json.tpl
@@ -25,6 +25,15 @@
},
"Action": "kms:*",
"Resource": "*"
+ }%{ if additional_principle_allow != "[]" },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": ${additional_principle_allow}
+ },
+ "Action": "kms:*",
+ "Resource": "*"
}
+ %{~ endif }
]
}
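Review bot: The statement added at L58–L65 grants the listed principals `kms:*`, which includes `kms:PutKeyPolicy`, `kms:ScheduleKeyDeletion` and `kms:DisableKey`, so any one of them can lock the account out of the key or delete it and silently break Opsgenie alert delivery. If the purpose is to let other accounts publish to or subscribe from the encrypted topic, key-usage permissions suffice and the rest should stay with the account root statement above: `"Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]`. The `!= "[]"` guard on L57 only covers an empty list; if the local is ever null, `jsonencode` renders `null`, the guard passes and the policy carries `"AWS": null`, which is not a valid principal, so either guard on `"null"` as well or make the variable non-nullable. The enclosing policy document starts above this hunk.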
diff --git a/variables.tf b/variables.tf
index 21155e5..a76eb7a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -87,3 +87,8 @@ variable "cloudwatch_opsgenie_alerts_sns_kms_encryption" {
description = "Use KMS encryption with the Opsgenie Alerts SNS topic"
type = bool
}
+
+variable "cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow" {
+ description = "Add additional principles to allow full access to the key that is created for the Opsgenie Alerts SNS topic key"
+ type = list(string)
+}
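Review bot: Nothing constrains what goes into this list, and it is spliced straight into the key policy's `Principal.AWS` alongside `kms:*`, so an entry of `"*"` would make the key usable and administrable by any AWS principal. A `validation` block that requires each entry to be an IAM ARN (which rules out wildcards), plus `default = []` and `nullable = false`, closes that off and also means callers that need no extra principals are not forced to pass an empty list. The identifier and description say "principles"; the IAM term is "principals", and the name is worth correcting before callers start depending on it.

```hcl
variable "cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow" {
  description = "Additional IAM principal ARNs granted access to the KMS key created for the Opsgenie Alerts SNS topic"
  type        = list(string)
  default     = []
  nullable    = false

  validation {
    condition     = alltrue([for p in var.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow : can(regex("^arn:aws:iam::[0-9]{12}:", p))])
    error_message = "Each entry must be an IAM principal ARN (arn:aws:iam::<account-id>:...); wildcards are not permitted."
  }
}
```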