From a40f3a1ababb2e9f04332ef1a5db74f9e1d345f9 Mon Sep 17 00:00:00 2001
From: Jay Whitwell <72501756+jay-whitwell@users.noreply.github.com>
Date: Wed, 8 Jan 2025 08:53:33 +0000
Subject: [PATCH] allow permissions for key (#3038)

---
 terraform/account/kms.tf | 25 ++++++------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

diff --git a/terraform/account/kms.tf b/terraform/account/kms.tf
index e0eefee349..1688494aca 100644
--- a/terraform/account/kms.tf
+++ b/terraform/account/kms.tf
@@ -206,29 +206,16 @@ data "aws_iam_policy_document" "event_receiver_kms" {
 }
 
 statement {
- sid = "Key Administrator"
+ sid = "Enable Root account permissions on Key"
 effect = "Allow"
+ actions = ["kms:*"]
 resources = ["*"]
- actions = [
- "kms:Create*",
- "kms:Describe*",
- "kms:Enable*",
- "kms:List*",
- "kms:Put*",
- "kms:Update*",
- "kms:Revoke*",
- "kms:Disable*",
- "kms:Get*",
- "kms:Delete*",
- "kms:TagResource",
- "kms:UntagResource",
- "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
- ]
 
 principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/breakglass"]
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+ ]
 }
 }
 }
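Review bot: The new statement widens this key policy from a scoped administrator grant (a fixed list of management actions, no Encrypt/Decrypt/GenerateDataKey, restricted to the breakglass role) to `kms:*` for the account root principal, so key use and administration are now governed by whatever IAM policies exist in the account rather than by the key policy itself. Granting the root principal is the conventional way to let IAM policies delegate access and to keep the key manageable, but dropping the breakglass statement entirely means any IAM principal with a matching allow can now schedule deletion or change this policy; if the intent is only to enable IAM delegation, consider keeping a separate administrator statement alongside the root grant, or at minimum record the decision with a comment above the statement such as `# Root grant delegates key access to IAM policies in this account; key administration is no longer pinned to the breakglass role.`. The enclosing `data "aws_iam_policy_document" "event_receiver_kms"` block starts before this hunk, so the other statements that still apply to the key are not visible here.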