From d16768f995aab425ded4347bae3e6bd57fd1eeae Mon Sep 17 00:00:00 2001
From: Darwin Chowdary
Date: Fri, 17 Nov 2023 12:13:29 -0800
Subject: [PATCH] chore: update CFN stack to add managed policies to ci and release role
---
 cfn/ci_cd.yml | 55 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 2 deletions(-)
diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index 73331d03b..d6c3a79f8 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -141,6 +141,7 @@ Resources:
         - !Ref SecretsManagerPolicyCI
         - !Ref ParameterStorePolicy
         - !Ref CodeBuildBasePolicyCI
+        - !Ref HierarchicalKeyringTestTableUsage
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
@@ -159,6 +160,7 @@ Resources:
         - !Ref CodeBuildBasePolicy
         - !Ref SecretsManagerPolicyRelease
         - !Ref ParameterStorePolicy
+        - !Ref HierarchicalKeyringTestTableUsage
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
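Review bot: The release role (hunk at -159) receives the same HierarchicalKeyringTestTableUsage policy as the CI role (hunk at -141), and that policy grants PutItem, DeleteItem and CreateTable on test tables; if the release pipeline does not execute the hierarchical-keyring tests, the attachment exceeds what the release role needs and should be dropped there. Where it is kept, a one-line comment above the `!Ref` would record the reason for the grant, e.g. `# Hierarchical keyring / KeyStore integration tests read and write these DynamoDB test tables`. Both ManagedPolicyArns lists extend beyond the hunks, so their full length is not visible here; IAM's default quota of ten managed policies per role is worth checking as these lists grow.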
@@ -382,17 +384,66 @@ Resources:
             "Effect": "Allow",
             "Resource": [
               "arn:aws:kms:*:658956600833:key/*",
-              "arn:aws:kms:*:658956600833:alias/*"
+              "arn:aws:kms:*:658956600833:alias/*",
+              "arn:aws:kms:*:370957321024:key/*",
+              "arn:aws:kms:*:370957321024:alias/*"
             ],
             "Action": [
               "kms:Encrypt",
               "kms:Decrypt",
-              "kms:GenerateDataKey"
+              "kms:ReEncrypt*",
+              "kms:Generate*",
+              "kms:GetPublicKey",
+              "kms:DescribeKey"
             ]
           }
         ]
       }
+  HierarchicalKeyringTestTableUsage:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      Description: "Allow Read, Write, and Delete of Items in HierarchicalKeyringTestTable"
+      ManagedPolicyName: !Sub "${ProjectName}-DDB-ReadWriteDelete-${AWS::Region}"
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - dynamodb:PutItem
+              - dynamodb:DeleteItem
+              - dynamodb:GetItem
+              - dynamodb:Query
+            Resource:
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/HierarchicalKeyringTestTable"
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/HierarchicalKeyringTestTable/index/*"
+          - Effect: Allow
+            Action:
+              - dynamodb:DescribeTable
+              - dynamodb:CreateTable
+              - dynamodb:PutItem
+              - dynamodb:DeleteItem
+              - dynamodb:GetItem
+              - dynamodb:Query
+              - dynamodb:ConditionCheckItem
+              - dynamodb:UpdateItem
+            Resource:
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreTestTable"
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreTestTable/index/*"
+          - Effect: Allow
+            Action:
+              - dynamodb:DescribeTable
+              - dynamodb:CreateTable
+              - dynamodb:PutItem
+              - dynamodb:DeleteItem
+              - dynamodb:GetItem
+              - dynamodb:Query
+              - dynamodb:ConditionCheckItem
+              - dynamodb:UpdateItem
+            Resource:
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreDdbTable"
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreDdbTable/index/*"
   ParameterStorePolicy:
     Type: "AWS::IAM::ManagedPolicy"
     Properties:
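Review bot: `kms:Generate*` and `kms:ReEncrypt*` in the widened KMS statement replace the formerly explicit `kms:GenerateDataKey` with wildcards that also match GenerateDataKeyPair, GenerateMac and GenerateRandom, which is broader than a CI/release role needs now that the statement spans keys in two accounts; enumerate the calls the key store actually makes instead, e.g. `"kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo"` (confirm against the keyring code), noting that this statement's enclosing managed policy starts above the hunk. In the new HierarchicalKeyringTestTableUsage policy the Description and the `-DDB-ReadWriteDelete-` name understate the grant: the second and third statements also allow `dynamodb:CreateTable` and `dynamodb:UpdateItem` on KeyStoreTestTable and KeyStoreDdbTable, so either remove CreateTable from the CI and release roles or make the description accurate, e.g. `Description: "Read, write, delete and create/describe the HierarchicalKeyring and KeyStore test tables"`. Those two statements are identical except for the table ARN and can be collapsed into one statement listing all four resources, which leaves a single action list to audit. The table ARNs are pinned to account 370957321024 and us-west-2; if this stack does not deploy into that account, an identity policy on these roles does not by itself grant cross-account DynamoDB access, so confirm how the roles are expected to reach the tables.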