Merge pull request #181 from uktrade/feat/external-kms-keys

feat: allow Airflow teams to use external KMS keys
uktrade · Dec 11, 2024 · e43b87c · e43b87c
2 parents 4d15297 + cf03d5f
commit e43b87c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/infra/airflow_dag_processor.tf b/infra/airflow_dag_processor.tf
@@ -224,6 +224,16 @@ data "aws_iam_policy_document" "airflow_team" {
     }
   }
 
+  dynamic "statement" {
+    for_each = length(var.airflow_dag_processors[count.index].keys) > 0 ? [1] : []
+    content {
+      actions = [
+        "kms:Decrypt",
+      ]
+      resources = var.airflow_dag_processors[count.index].keys
+    }
+  }
+
   statement {
     actions = [
       "logs:CreateLogGroup"

diff --git a/infra/main.tf b/infra/main.tf
@@ -180,7 +180,12 @@ variable "airflow_on" {
 variable "airflow_db_instance_class" {}
 variable "airflow_domain" {}
 variable "airflow_dag_processors" {
-  type    = list(object({ name = string, assume_roles = list(string), buckets = list(string) }))
+  type = list(object({
+    name         = string,
+    assume_roles = list(string),
+    buckets      = list(string),
+    keys         = list(string),
+  }))
   default = []
 }
 variable "airflow_bucket_infix" {}