add policy for kms (#3143)

* add policy for kms

* refactor

* linter

* add data

* refactor

* amend kms permissions

* linter

* spelling fix

* amend key permissions

* linter

* amend kms permissions

* remove unused value

terraform/aws/analytical-platform-data-engineering-production/10ds/data.tf

@@ -13,4 +13,10 @@ data "aws_iam_session_context" "session" {
   arn = data.aws_caller_identity.session.arn
 }
 
+data "aws_iam_roles" "analytical_platform_data_engineering_sso_administrator_access_roles" {
+  name_regex  = "AWSReservedSSO_AdministratorAccess_.*"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 data "aws_availability_zones" "available" {}
+

terraform/aws/analytical-platform-data-engineering-production/10ds/vpc.tf

@@ -31,8 +31,43 @@ resource "aws_flow_log" "data_engineering_vpc" {
   vpc_id          = module.vpc.vpc_id
 }
 
+data "aws_iam_policy_document" "cloudwatch_kms_key_policy" {
+
+  statement {
+    sid    = "LogGroupKMSPermissions"
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    principals {
+      type        = "Service"
+      identifiers = ["logs.amazonaws.com"]
+    }
+    resources = ["*"]
+  }
+
+  statement {
+    sid     = "AllowKeyManagement"
+    effect  = "Allow"
+    actions = ["kms:*"]
+    principals {
+      type = "AWS"
+      identifiers = concat(
+        tolist(data.aws_iam_roles.analytical_platform_data_engineering_sso_administrator_access_roles.arns),
+        ["arn:aws:iam::${var.account_ids["analytical-platform-data-engineering-production"]}:role/GlobalGitHubActionAdmin"]
+      )
+    }
+    resources = ["*"]
+  }
+}
+
 resource "aws_kms_key" "data_engineering_vpc_key" {
   description             = "KMS Key for CloudWatch Logs Encryption"
   deletion_window_in_days = 7
   enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.cloudwatch_kms_key_policy.json
 }