From a3e0c4ea43b1d8edae17f1b78a6fe4723e41db3e Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Fri, 10 Apr 2026 11:00:38 +0100
Subject: [PATCH 1/4] CCM-16659: Readonly Role KMS Decrypt

---
 .../app/data_iam_roles_sso_readonly.tf | 4 ++++
 .../terraform/components/app/module_kms.tf | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf

diff --git a/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf b/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf
new file mode 100644
index 0000000000..7a5b2c0837
--- /dev/null
+++ b/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf
@@ -0,0 +1,4 @@
+data "aws_iam_roles" "sso_readonly" {
+ name_regex = "AWSReservedSSO_permission_set_name_${var.project}_readonly_.*"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
diff --git a/infrastructure/terraform/components/app/module_kms.tf b/infrastructure/terraform/components/app/module_kms.tf
index f9f8895f35..a460ee860a 100644
--- a/infrastructure/terraform/components/app/module_kms.tf
+++ b/infrastructure/terraform/components/app/module_kms.tf
@@ -112,6 +112,22 @@ data "aws_iam_policy_document" "kms" {
 }
 }
 
+ statement {
+ sid = "AllowSsoReadonlyDecrypt"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = data.aws_iam_roles.sso_readonly.arns
+ }
+
+ actions = [
+ "kms:Decrypt",
+ ]
+
+ resources = ["*"]
+ }
+
 statement {
 sid = "AllowEventBridgeAccessToLetterValidationQueue"
 effect = "Allow"

From 9cc4bda9418d21dabbda86fecab8922849b58e8a Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Fri, 10 Apr 2026 11:18:05 +0100
Subject: [PATCH 2/4] CCM-16659: Readonly Role KMS Decrypt

---
 infrastructure/terraform/components/app/module_kms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
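Review bot: The new `AllowSsoReadonlyDecrypt` statement grants the readonly SSO principal unconditional `kms:Decrypt` on the key (`resources = ["*"]` is the usual form inside a key policy, so the scope is this key), but nothing in the hunk records why a read-only persona needs to call Decrypt directly rather than through a service. If the intent is for humans to read encrypted data via specific AWS services, a `condition` block on `kms:ViaService` would keep the grant to those reads instead of allowing arbitrary ciphertext decryption with the role's credentials; if direct Decrypt really is required, say so in a comment such as `# Readonly SSO users need raw kms:Decrypt to read <encrypted resource — TODO fill in>`. The enclosing `data "aws_iam_policy_document" "kms"` starts before this hunk and continues after it.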
diff --git a/infrastructure/terraform/components/app/module_kms.tf b/infrastructure/terraform/components/app/module_kms.tf
index a460ee860a..5b08709c4c 100644
--- a/infrastructure/terraform/components/app/module_kms.tf
+++ b/infrastructure/terraform/components/app/module_kms.tf
@@ -118,7 +118,7 @@ data "aws_iam_policy_document" "kms" {
 
 principals {
 type = "AWS"
- identifiers = data.aws_iam_roles.sso_readonly.arns
+ identifiers = data.aws_iam_roles.sso_readonly.arns[0]
 }
 
 actions = [

From 592356756c6c7f14751d15405f29abab95f05089 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Fri, 10 Apr 2026 11:45:24 +0100
Subject: [PATCH 3/4] CCM-16659: Readonly Role KMS Decrypt

---
 infrastructure/terraform/components/app/module_kms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/terraform/components/app/module_kms.tf b/infrastructure/terraform/components/app/module_kms.tf
index 5b08709c4c..b7663669fc 100644
--- a/infrastructure/terraform/components/app/module_kms.tf
+++ b/infrastructure/terraform/components/app/module_kms.tf
@@ -118,7 +118,7 @@ data "aws_iam_policy_document" "kms" {
 
 principals {
 type = "AWS"
- identifiers = data.aws_iam_roles.sso_readonly.arns[0]
+ identifiers = [one(data.aws_iam_roles.sso_readonly.arns)]
 }
 
 actions = [

From 0fae77a508ab2625781bed786206a9e24dffe67c Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Fri, 10 Apr 2026 12:02:12 +0100
Subject: [PATCH 4/4] CCM-16659: Readonly Role KMS Decrypt

---
 .../terraform/components/app/data_iam_roles_sso_readonly.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf b/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf
index 7a5b2c0837..060fec1e20 100644
--- a/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf
+++ b/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf
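Review bot: `[one(data.aws_iam_roles.sso_readonly.arns)]` in the patch 3/4 hunk relies on `one()` to fail the plan when the regex matches more than one role, which is the right fail-closed behaviour for a regex-driven principal lookup, but that intent is invisible to the next reader and deserves a line, e.g. `# one(): plan fails if name_regex matches several roles, so a loose pattern cannot widen this grant`. When the set is empty `one()` returns null, so `identifiers` would hold a null element; I would expect the provider to reject that at plan time rather than emit a statement with no principal, but it is worth confirming rather than assuming. The surrounding `statement` and the `data "aws_iam_policy_document" "kms"` block both begin and end outside this hunk.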
@@ -1,4 +1,4 @@
 data "aws_iam_roles" "sso_readonly" {
- name_regex = "AWSReservedSSO_permission_set_name_${var.project}_readonly_.*"
- path_prefix = "/aws-reserved/sso.amazonaws.com/"
+ name_regex = "AWSReservedSSO_${var.project}-readonly_.*"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/${var.region}/"
 }
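Review bot: The new `name_regex` is unanchored and ends in `.*`, so it also matches any permission set whose name merely starts with `${var.project}-readonly_` (a later `…-readonly_extended` set, for instance), which would either pull extra principals into the key policy or trip the `one()` guard in module_kms.tf. Anchoring both ends and restricting the trailing segment to the role-name suffix narrows it, e.g. `name_regex = "^AWSReservedSSO_${var.project}-readonly_[0-9a-f]+$"` — confirm the suffix character set against an actual reserved role name before relying on it. Separately, the reserved-role path segment added here is the region of the IAM Identity Center instance; if `var.region` is the workload region and Identity Center lives in a different one, the lookup matches nothing, so a comment stating which region this is expected to be would help.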