third times a charm

nex9 · nex9 · commit d4c97dc8fabc · 2022-10-19T18:42:36.000-04:00
diff --git a/iam.tf b/iam.tf
@@ -8,18 +8,18 @@ resource "aws_iam_role" "iam_role" {
   name = "${local.namespace}-tf-assume-role"
 
   assume_role_policy = <<-EOF
-  {
-    "Version": "2021-10-17",
-    "Statement": [
-      {
-        "Action": "sts:AssumeRole",
-        "Principal": {
-          "AWS": ${jsonencode(local.principal_arns)}
-        },
-        "Effect": "Allow"
-      }
-    ]
-  }
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": "sts:AssumeRole",
+          "Principal": {
+              "AWS": ${jsonencode(local.principal_arns)}
+          },
+          "Effect": "Allow"
+        }
+      ]
+    }
   EOF
 
   tags = {
@@ -32,13 +32,15 @@ data "aws_iam_policy_document" "policy_doc" {
     actions = [
       "s3:ListBucket",
     ]
+
     resources = [
       aws_s3_bucket.s3_bucket.arn
     ]
   }
 
   statement {
-    actions = ["s3.GetObject", "s3:PutObject", "s3:DeleteObject"]
+    actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
+
     resources = [
       "${aws_s3_bucket.s3_bucket.arn}/*",
     ]
@@ -52,15 +54,23 @@ data "aws_iam_policy_document" "policy_doc" {
     ]
     resources = [aws_dynamodb_table.dynamodb_table.arn]
   }
+
+  statement {
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+    resources = [aws_kms_key.kms_key.arn]
+  }
 }
 
 resource "aws_iam_policy" "iam_policy" {
-  name = "${local.namespace}-tf-policy"
-  path = "/"
+  name   = "${local.namespace}-tf-policy"
+  path   = "/"
   policy = data.aws_iam_policy_document.policy_doc.json
 }
 
 resource "aws_iam_role_policy_attachment" "policy_attach" {
-  role = aws_iam_role.iam_role.name
+  role       = aws_iam_role.iam_role.name
   policy_arn = aws_iam_policy.iam_policy.arn
-}
+}
