From 4c11b0194e9c24f0f1580b4e366a1f024c136e6a Mon Sep 17 00:00:00 2001
From: Ben Larabie
Date: Tue, 20 Aug 2024 11:07:01 -0400
Subject: [PATCH 1/2] Custom kms (#1496)
* Custom kms
* formatting
---
 aws/rds/kms.tf | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 aws/rds/kms.tf
diff --git a/aws/rds/kms.tf b/aws/rds/kms.tf
new file mode 100644
index 000000000..99b74e6af
--- /dev/null
+++ b/aws/rds/kms.tf
@@ -0,0 +1,85 @@
+resource "aws_kms_key" "rds_snapshot" {
+ count = var.env == "staging" ? 1 : 0
+ description = "A KMS key for encrypting RDS snapshots"
+ enable_key_rotation = true
+ deletion_window_in_days = 7
+ policy = < Date: Tue, 20 Aug 2024 11:47:23 -0400
Subject: [PATCH 2/2] fixing rds kms (#1497)
---
 aws/rds/kms.tf | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/aws/rds/kms.tf b/aws/rds/kms.tf
index 99b74e6af..1f77fe45a 100644
--- a/aws/rds/kms.tf
+++ b/aws/rds/kms.tf
@@ -22,9 +22,9 @@ resource "aws_kms_key" "rds_snapshot" {
 "Effect": "Allow",
 "Principal": {
 "AWS": [
+ "arn:aws:iam::${var.account_id}:role/aws-reserved/sso.amazonaws.com/ca-central-1/AWSReservedSSO_AWSAdministratorAccess_4085b2fdb6f29f43",
 "arn:aws:iam::${var.account_id}:role/notification-terraform-apply",
- "arn:aws:iam::${var.account_id}:role/notification-terraform-plan",
- "arn:aws:iam::${var.account_id}:role/aws-reserved/sso.amazonaws.com/ca-central-1/AWSReservedSSO_AWSAdministratorAccess_e6e62a284c3c35fc"
+ "arn:aws:iam::${var.account_id}:role/notification-terraform-plan"
 ]
 },
 "Action": [
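Review bot: The new principal line hard-codes the Identity Center permission-set suffix (`AWSReservedSSO_AWSAdministratorAccess_4085b2fdb6f29f43`) and the region segment `ca-central-1`, so this key policy only matches one provisioned role in one account: the commit itself shows the suffix changing from `_e6e62a284c3c35fc`, and the next re-provisioning of the permission set will silently leave the statement pointing at a role that no longer exists (KMS then rewrites the ARN to an opaque unique ID and the admins lose access to the key). Resolve it at plan time instead, e.g. `data "aws_iam_roles" "sso_admin" {` with `name_regex = "AWSReservedSSO_AWSAdministratorAccess_.*"` and `path_prefix = "/aws-reserved/sso.amazonaws.com/"`, and reference `tolist(data.aws_iam_roles.sso_admin.arns)[0]` in the principal list. The statement's Sid and its Action list begin and end outside this hunk, but since it is the statement that distinguishes the SSO admin role, keeping `notification-terraform-plan` alongside the apply role here looks broader than a plan-only role needs; worth confirming which actions it actually exercises.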
@@ -50,7 +50,12 @@ resource "aws_kms_key" "rds_snapshot" {
 "Sid": "Allow use of the key",
 "Effect": "Allow",
 "Principal": {
- "AWS": "arn:aws:iam::800095993820:root"
+ "AWS": [
+ "arn:aws:iam::${var.account_id}:role/aws-reserved/sso.amazonaws.com/ca-central-1/AWSReservedSSO_AWSAdministratorAccess_4085b2fdb6f29f43",
+ "arn:aws:iam::${var.account_id}:role/notification-terraform-apply",
+ "arn:aws:iam::${var.account_id}:role/notification-terraform-plan",
+ "arn:aws:iam::800095993820:root"
+ ]
 },
 "Action": [
 "kms:Encrypt",
@@ -65,7 +70,12 @@ resource "aws_kms_key" "rds_snapshot" {
 "Sid": "Allow attachment of persistent resources",
 "Effect": "Allow",
 "Principal": {
- "AWS": "arn:aws:iam::800095993820:root"
+ "AWS": [
+ "arn:aws:iam::${var.account_id}:role/aws-reserved/sso.amazonaws.com/ca-central-1/AWSReservedSSO_AWSAdministratorAccess_4085b2fdb6f29f43",
+ "arn:aws:iam::${var.account_id}:role/notification-terraform-apply",
+ "arn:aws:iam::${var.account_id}:role/notification-terraform-plan",
+ "arn:aws:iam::800095993820:root"
+ ]
 },
 "Action": [
 "kms:Encrypt",
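Review bot: The "Allow use of the key" principal list now mixes `${var.account_id}` roles with the literal `arn:aws:iam::800095993820:root`, and nothing in the file says what that account is; if it is not the deploying account this is a cross-account grant of `kms:Encrypt` (and whatever actions follow below the hunk) to every IAM principal that account's own administrators choose to authorise, which is exactly the kind of line that should carry a comment such as `# 800095993820: <name> account, needed to copy shared encrypted snapshots — confirm`. If it is in fact the same account, it should be `${var.account_id}:root` like the other entries so the policy does not break when the module is applied elsewhere. Separately, `notification-terraform-plan` is granted key-use actions it does not need to produce a plan; a read-only role wants at most `kms:DescribeKey`, so I would drop it from this statement or move it into a describe-only statement.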
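Review bot: The "Allow attachment of persistent resources" statement now lets four principals, including the external account root, call `kms:CreateGrant`, and the hunk ends at that action so I cannot see whether the statement carries the condition the AWS template pairs with it; if it does not, add `"Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}` after the Action list. Without that condition any of the listed principals can create a grant that delegates Decrypt/Encrypt on this key to an arbitrary grantee principal, which defeats the per-role principal list in the "Allow use of the key" statement above. The terraform-plan role has no reason to create, list or revoke grants and should not be in this statement at all.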