From c912e2f37abc694682d32c72d55239f7021704a1 Mon Sep 17 00:00:00 2001
From: Jay Whitwell
Date: Fri, 10 Jan 2025 12:51:25 +0000
Subject: [PATCH] UML-3738: add kms key
---
 terraform/account/kms.tf | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/terraform/account/kms.tf b/terraform/account/kms.tf
index 76a8a06c07..ac305a44f5 100644
--- a/terraform/account/kms.tf
+++ b/terraform/account/kms.tf
@@ -28,7 +28,7 @@ module "event_receiver_mrk" {
 source = "./modules/multi_region_kms"
 key_description = "KMS key for received events"
- key_alias = "${local.environment}-event-receiver-mrk"
+ key_alias = "event-receiver-mrk"
 key_policy = data.aws_iam_policy_document.event_receiver_kms.json
 deletion_window_in_days = 7
@@ -186,4 +186,17 @@ data "aws_iam_policy_document" "event_receiver_kms" {
 ]
 }
 }
+
+ statement {
+ sid = "Enable Root account permissions on Key"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+ ]
+ }
+ }
 }
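Review bot: Dropping `${local.environment}` from `key_alias` in the first hunk changes the alias name, and nothing else in this one-file patch updates references to the old name. KMS alias names are unique per account and region, so the new value presumably relies on there being one event-receiver key per account under `terraform/account`. Any IAM policy, `kms:RequestAlias` or `kms:ResourceAliases` condition, or consumer that still uses the prefixed alias would stop matching once this applies. A comment on the line such as `# alias is account-wide: one event-receiver key per account` would record the assumption. The module block continues outside the hunk.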
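Review bot: The statement added in the second hunk grants `kms:*` to the account root principal, which in a KMS key policy hands access decisions for this key to IAM. Any identity in the account whose IAM policy allows `kms:Decrypt` or `kms:*` on this key or on `*` can then use it, regardless of what the earlier statements in `event_receiver_kms` restrict. If that delegation is intended, record it above the statement, e.g. `# Delegates access control for this key to IAM policies in this account.`; if only key administration was meant, the statement needs a narrower action list than `kms:*`. The rest of the policy document lies outside the hunk, so whether it already scopes key usage to specific roles cannot be seen here.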