From 4eb89f2fdc2fdd4718bc7c42965dc69e27d7d195 Mon Sep 17 00:00:00 2001
From: Edd Almond
Date: Fri, 6 Jun 2025 09:44:47 +0100
Subject: [PATCH] eli-238 - bugfix - adding additional permissions for Github account to be able to deploy the stack, and fixing KMS key permissions for Cloudwatch + Lambda

---
 infrastructure/modules/lambda/kms.tf | 19 ++++++++++++++++++-
 .../github_actions_policies.tf | 10 +++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/infrastructure/modules/lambda/kms.tf b/infrastructure/modules/lambda/kms.tf
index e9ebdc983..7a963a9ae 100644
--- a/infrastructure/modules/lambda/kms.tf
+++ b/infrastructure/modules/lambda/kms.tf
@@ -18,7 +18,7 @@ resource "aws_kms_key_policy" "lambda_cmk" {
 data "aws_iam_policy_document" "lambda_cmk" {
   statement {
-    sid = "Enable IAM User Permissions for s3 buckets"
+    sid = "Enable IAM User Permissions for Lambda CMK"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -27,4 +27,21 @@ data "aws_iam_policy_document" "lambda_cmk" {
     actions = ["kms:*"]
     resources = [aws_kms_key.lambda_cmk.arn]
   }
+
+  statement {
+    sid = "AllowCloudWatchLogsUseOfTheKey"
+    effect = "Allow"
+    principals {
+      type = "Service"
+      identifiers = ["logs.${var.region}.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [aws_kms_key.lambda_cmk.arn]
+  }
 }
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 8a7066a83..ad521c848 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
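Review bot: The new `AllowCloudWatchLogsUseOfTheKey` statement in the second hunk of kms.tf grants the CloudWatch Logs service principal Encrypt/Decrypt/ReEncrypt/GenerateDataKey on the key with no `condition` block, so the service may use the key on behalf of any log group that is associated with it, and the grant is not tied to this account. AWS's documented pattern for this permission scopes it with an `ArnLike` condition on `kms:EncryptionContext:aws:logs:arn`, which limits use of the key to log groups you name (or to this account's log groups via a wildcard) and addresses the cross-account confused-deputy case; `var.region` is already in scope in the statement to build that ARN. I would add the condition directly after the `principals` block, as below, and note the intended scope in a comment above the statement. The account id in the fence is a placeholder since the module does not show how it is obtained.
```hcl
    principals {
      type        = "Service"
      identifiers = ["logs.${var.region}.amazonaws.com"]
    }
    # Limit the Logs service to log groups in this account/region; <ACCOUNT_ID> is a
    # placeholder — source it from aws_caller_identity or a module variable.
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${var.region}:<ACCOUNT_ID>:log-group:*"]
    }
    # … unchanged: actions and resources …
```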
@@ -72,15 +72,23 @@ resource "aws_iam_policy" "api_infrastructure" {
       "kms:UpdateKeyDescription",
       "kms:CreateGrant",
       "kms:CreateAlias",
-
+      "kms:TagResource",
+      "kms:CreateKey",
+      "kms:EnableKeyRotation",
+      "kms:ScheduleKeyDeletion",
+      "kms:PutKeyPolicy",
+      "kms:Encrypt",
       # Cloudwatch permissions
       "logs:Describe*",
       "logs:ListTagsForResource",
+      "logs:PutRetentionPolicy",
+      "logs:AssociateKmsKey",
       #EC2 permissions
       "ec2:Describe*",
       "ec2:CreateTags",
+      "ec2:CreateNetworkAclEntry",
       # IAM permissions (scoped to resources with specific path prefix)
       "iam:Get*",