Merge branch 'development' into fix/allow-key-access

GemeenteNijmegen · Oct 27, 2023 · c2801e0 · c2801e0
2 parents 39c0afb + e435883
commit c2801e0
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/StorageStack.ts b/src/StorageStack.ts
@@ -1,5 +1,6 @@
 import { Duration, Stack, StackProps } from 'aws-cdk-lib';
 import { AttributeType, BillingMode, Table, TableEncryption } from 'aws-cdk-lib/aws-dynamodb';
+import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { Key } from 'aws-cdk-lib/aws-kms';
 import { Bucket, BucketEncryption, ObjectOwnership } from 'aws-cdk-lib/aws-s3';
 import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
@@ -52,13 +53,16 @@ export class StorageStack extends Stack {
     this.addParameters();
   }
 
-  private key() {
+  private key(crossAccountIds?: string[]) {
+    const crossAccountPrincipalArns = this.crossAccountIdArns(crossAccountIds);
     const key = new Key(this, 'kmskey', {
       enableKeyRotation: true,
       description: 'encryption key for user data',
       alias: `${Statics.projectName}/user-data`,
     });
 
+    this.allowCrossAccountKeyAccess(crossAccountPrincipalArns, key);
+
     // Store key arn to be used in other stacks/projects
     new StringParameter(this, 'key', {
       stringValue: key.keyArn,