adding kms policy for dynamo external write

TOEL2 · TOEL2 · commit 295bcdfd8803 · 2025-07-10T14:47:46.000+01:00
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -21,6 +21,20 @@ data "aws_iam_policy_document" "dynamodb_write_policy_doc" {
   }
 }
 
+# Specific Dynamo resource KMS access policy
+data "aws_iam_policy_document" "dynamo_kms_access_policy_doc" {
+  statement {
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+    resources = [
+      module.eligibility_status_table.dynamodb_kms_key_arn
+    ]
+  }
+}
+
 # Attach dynamoDB write policy to external write role
 resource "aws_iam_role_policy" "external_dynamodb_write_policy" {
   count  = length(aws_iam_role.write_access_role)
@@ -29,6 +43,14 @@ resource "aws_iam_role_policy" "external_dynamodb_write_policy" {
   policy = data.aws_iam_policy_document.dynamodb_write_policy_doc.json
 }
 
+# Attach dynamo KMS policy to external write role
+resource "aws_iam_role_policy" "external_kms_access_policy" {
+  count  = length(aws_iam_role.write_access_role)
+  name   = "KMSAccessForDynamoDB"
+  role   = aws_iam_role.write_access_role[count.index].id
+  policy = data.aws_iam_policy_document.dynamo_kms_access_policy_doc.json
+}
+
 # Policy doc for S3 Rules bucket
 data "aws_iam_policy_document" "s3_rules_bucket_policy" {
   statement {
