add CMK policy on lambda role to enable Cumulus use of encrypted MCP …

…topics // TODO: use alias/ARN + condition instead of all MCP KMS resources
NASA-IMPACT · Dec 2, 2024 · b412881 · b412881
1 parent fc45f5c
commit b412881
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/app/stacks/cumulus/iam.tf b/app/stacks/cumulus/iam.tf
@@ -130,6 +130,34 @@ resource "null_resource" "attach_system_bucket_policy" {
   }
 }
 
+#-------------------------------------------------------------------------------
+# Additional permissions to allow use of MCP customer-managed key
+#-------------------------------------------------------------------------------
+
+data "aws_iam_policy_document" "allow_use_mcp_key" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["arn:aws:kms:us-west-2:${data.ssm_parameters.mcp_account_id}:*"]
+  }
+}
+
+resource "aws_iam_policy" "allow_use_mcp_key" {
+  name   = "${var.prefix}-mcp-key-policy"
+  policy = data.aws_iam_policy_document.allow_use_mcp_key.json
+}
+
+resource "aws_iam_role_policy_attachment" "allow_use_mcp_key" {
+  role       = module.cumulus.lambda_processing_role_name
+  policy_arn = aws_iam_policy.allow_use_mcp_key.arn
+}
+
 #-------------------------------------------------------------------------------
 # Temporary workaround for dashboard permissions issue
 #-------------------------------------------------------------------------------

diff --git a/app/stacks/cumulus/ssm_parameters.tf b/app/stacks/cumulus/ssm_parameters.tf
@@ -81,6 +81,12 @@ data "aws_ssm_parameter" "orca_s3_secret_key" {
   name = "/shared/cumulus/orca/dr/s3-secret-key"
 }
 
+# MCP Account ID
+
+data "aws_ssm_parameter" "mcp_account_id" {
+  name = "/shared/cumulus/mcp-account-id"
+}
+
 #-------------------------------------------------------------------------------
 # SSM Parameters required across ONLY non-sandbox (non-dev) environments
 #-------------------------------------------------------------------------------