diff --git a/app/stacks/cumulus/iam.tf b/app/stacks/cumulus/iam.tf
index d8fad38..5918510 100644
--- a/app/stacks/cumulus/iam.tf
+++ b/app/stacks/cumulus/iam.tf
@@ -130,6 +130,34 @@ resource "null_resource" "attach_system_bucket_policy" {
   }
 }
 
+#-------------------------------------------------------------------------------
+# Additional permissions to allow use of MCP customer-managed key
+#-------------------------------------------------------------------------------
+
+data "aws_iam_policy_document" "allow_use_mcp_key" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["arn:aws:kms:us-west-2:${data.ssm_parameters.mcp_account_id}:*"]
+  }
+}
+
+resource "aws_iam_policy" "allow_use_mcp_key" {
+  name = "${var.prefix}-mcp-key-policy"
+  policy = data.aws_iam_policy_document.allow_use_mcp_key.json
+}
+
+resource "aws_iam_role_policy_attachment" "allow_use_mcp_key" {
+  role = module.cumulus.lambda_processing_role_name
+  policy_arn = aws_iam_policy.allow_use_mcp_key.arn
+}
+
 #-------------------------------------------------------------------------------
 # Temporary workaround for dashboard permissions issue
 #-------------------------------------------------------------------------------
diff --git a/app/stacks/cumulus/ssm_parameters.tf b/app/stacks/cumulus/ssm_parameters.tf
index 270c068..c5e0443 100644
--- a/app/stacks/cumulus/ssm_parameters.tf
+++ b/app/stacks/cumulus/ssm_parameters.tf
@@ -81,6 +81,12 @@ data "aws_ssm_parameter" "orca_s3_secret_key" {
   name = "/shared/cumulus/orca/dr/s3-secret-key"
 }
 
+# MCP Account ID
+
+data "aws_ssm_parameter" "mcp_account_id" {
+  name = "/shared/cumulus/mcp-account-id"
+}
+
 #-------------------------------------------------------------------------------
 # SSM Parameters required across ONLY non-sandbox (non-dev) environments
 #-------------------------------------------------------------------------------
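Review bot: The `resources` line in `data "aws_iam_policy_document" "allow_use_mcp_key"` references `data.ssm_parameters.mcp_account_id`, but the data source this commit adds in ssm_parameters.tf is `data.aws_ssm_parameter.mcp_account_id` and the account ID is its `.value` attribute, so unless a separate `ssm_parameters` data source exists elsewhere in the stack this should fail at plan time with an undeclared-resource error; the line should read `resources = ["arn:aws:kms:us-west-2:${data.aws_ssm_parameter.mcp_account_id.value}:*"]`. Even with the reference fixed, the `:*` resource suffix grants the Lambda processing role Encrypt/Decrypt/ReEncrypt/GenerateDataKey on every KMS key in that account and region, not the single customer-managed key the banner comment describes; if the key ARN or key ID is available (for example as another shared SSM parameter alongside the account ID), the resource should be scoped to that `key/<KEY-ID>` ARN instead. The region is hard-coded to `us-west-2`, so the grant silently stops matching if the stack is deployed in another region; a comment such as `# MCP key lives in us-west-2 regardless of the deploying region` stating why it is fixed, or deriving it from the provider's region data source if the stack already declares one, would make the intent explicit. The same reference mismatch applies to the ssm_parameters.tf hunk only in that its data source name is the one iam.tf must use.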