From 496d8e4bcde6cb0c21323550e5e765f3ec79997e Mon Sep 17 00:00:00 2001
From: Jay Whitwell
Date: Tue, 7 Jan 2025 14:30:28 +0000
Subject: [PATCH] create kms key

---
 terraform/account/kms.tf | 60 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/terraform/account/kms.tf b/terraform/account/kms.tf
index b07427ecff..efd2beb4cb 100644
--- a/terraform/account/kms.tf
+++ b/terraform/account/kms.tf
@@ -146,3 +146,63 @@ data "aws_iam_policy_document" "cloudwatch_kms" {
 }
 }
 }
+
+
+module "event_receiver_mrk" {
+ source = "./modules/multi_region_kms"
+
+ key_description = "KMS key for received events"
+ key_alias = "${local.environment}-event-receiver-mrk"
+ key_policy = data.aws_iam_policy_document.event_receiver_kms.json
+ deletion_window_in_days = 7
+
+ providers = {
+ aws.primary = aws.eu_west_1
+ aws.secondary = aws.eu_west_2
+ }
+}
+
+data "aws_iam_policy_document" "event_receiver_kms" {
+ statement {
+ sid = "Allow Encryption by Service"
+ effect = "Allow"
+ resources = [
+ "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*"
+ ]
+ actions = [
+ "kms:Encrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = [
+ "events.amazonaws.com",
+ ]
+ }
+ }
+
+ statement {
+ sid = "Allow Decryption by Service"
+ effect = "Allow"
+ resources = [
+ "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*"
+ ]
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = [
+ "sqs.amazonaws.com",
+ "events.amazonaws.com",
+ "lambda.amazonaws.com",
+ ]
+ }
+ }
+}
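Review bot: Both statements in `event_receiver_kms` grant the service principals `events.amazonaws.com`, `sqs.amazonaws.com` and `lambda.amazonaws.com` use of the key without any `condition` block, so the grant is not tied to resources owned by this account and a request that reaches the key through one of those services on behalf of another account is not ruled out. Scope each statement to this account with a condition such as `aws:SourceAccount` (or `kms:CallerAccount` together with `kms:ViaService` for the SQS path) set to `data.aws_caller_identity.current.account_id`, as sketched below. The document also contains no statement granting `kms:*` to the account principal; if `./modules/multi_region_kms` passes `key_policy` through unchanged, the resulting key cannot be administered through IAM, so confirm the module adds an administrative statement or add one here. `deletion_window_in_days = 7` is the shortest recovery window KMS allows; if that was not a deliberate choice, a longer window leaves more time to reverse an accidental or malicious scheduled deletion.
```hcl
  statement {
    sid = "Allow Encryption by Service"
    # … unchanged: effect, resources, actions, principals …

    # Only honour requests made on behalf of resources in this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
  # … unchanged: the "Allow Decryption by Service" statement, which needs the same condition …
```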