fix(codebuild): grant kms:Decrypt on state bucket KMS key

CodeBuild role needs Decrypt+GenerateDataKey to read/write the KMS-encrypted Terraform state in S3. Key ARN sourced from the AccessDenied error during tf workspace select.
CSVD · Mar 17, 2026 · 65108ba · 65108ba
1 parent 7e3890d
commit 65108ba
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/codebuild/main.tf b/codebuild/main.tf
@@ -93,6 +93,17 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
     resources = var.tfstate_dynamodb_arns
   }
 
+  statement {
+    sid    = "TfStateKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey",
+    ]
+    resources = var.tfstate_kms_key_arns
+  }
+
   # ── ECS ───────────────────────────────────────────────────────────────────
   statement {
     sid    = "ECS"

diff --git a/codebuild/variables.tf b/codebuild/variables.tf
@@ -98,3 +98,11 @@ variable "tfstate_dynamodb_arns" {
     "arn:aws-us-gov:dynamodb:us-gov-east-1:220615867784:table/tf_remote_state",
   ]
 }
+
+variable "tfstate_kms_key_arns" {
+  description = "ARNs of KMS keys used to encrypt Terraform state buckets. The CodeBuild role needs Decrypt/GenerateDataKey to read and write state."
+  type        = list(string)
+  default = [
+    "arn:aws-us-gov:kms:us-gov-east-1:229685449397:key/dd80db1a-1088-4f53-b930-fb2ddb739849",
+  ]
+}