From 65108bae815ca761c2ec9da37088077ea6212c2f Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 17 Mar 2026 16:05:35 -0400
Subject: [PATCH] fix(codebuild): grant kms:Decrypt on state bucket KMS key

CodeBuild role needs Decrypt+GenerateDataKey to read/write the KMS-encrypted Terraform state in S3. Key ARN sourced from the AccessDenied error during tf workspace select.
---
 codebuild/main.tf | 11 +++++++++++
 codebuild/variables.tf | 8 ++++++++
 2 files changed, 19 insertions(+)

diff --git a/codebuild/main.tf b/codebuild/main.tf
index 9f4564c..c333217 100644
--- a/codebuild/main.tf
+++ b/codebuild/main.tf
@@ -93,6 +93,17 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
 resources = var.tfstate_dynamodb_arns
 }
 
+ statement {
+ sid = "TfStateKMS"
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:DescribeKey",
+ ]
+ resources = var.tfstate_kms_key_arns
+ }
+
 # ── ECS ───────────────────────────────────────────────────────────────────
 statement {
 sid = "ECS"
diff --git a/codebuild/variables.tf b/codebuild/variables.tf
index 4bf0822..b8696c3 100644
--- a/codebuild/variables.tf
+++ b/codebuild/variables.tf
@@ -98,3 +98,11 @@ variable "tfstate_dynamodb_arns" {
 "arn:aws-us-gov:dynamodb:us-gov-east-1:220615867784:table/tf_remote_state",
 ]
 }
+
+variable "tfstate_kms_key_arns" {
+ description = "ARNs of KMS keys used to encrypt Terraform state buckets. The CodeBuild role needs Decrypt/GenerateDataKey to read and write state."
+ type = list(string)
+ default = [
+ "arn:aws-us-gov:kms:us-gov-east-1:229685449397:key/dd80db1a-1088-4f53-b930-fb2ddb739849",
+ ]
+}
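Review bot: The new TfStateKMS statement allows kms:Decrypt and kms:GenerateDataKey on the key with no condition, so the build role can decrypt anything encrypted under that key from inside the build container, not only Terraform state read through S3. Because the grant exists solely for S3 SSE-KMS, add a `kms:ViaService` condition (and `kms:EncryptionContext:aws:s3:arn` if the state bucket ARN is available to this module) so the permission cannot be reused directly; kms:DescribeKey is not required for S3 SSE-KMS and can be dropped at the same time. Separately, the default key lives in account 229685449397 while the DynamoDB table on this page is in 220615867784; if the CodeBuild role is not in the key's account, this IAM statement alone grants nothing and the key policy must also allow the role, which this diff cannot show. The enclosing data "aws_iam_policy_document" block starts and ends outside the hunk.
```hcl
    resources = var.tfstate_kms_key_arns
    # … unchanged: sid / effect / actions of the TfStateKMS statement …

    # Only S3 may use this key on the role's behalf; a direct kms:Decrypt from the
    # build container against other data under the same key is denied.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.us-gov-east-1.amazonaws.com"]
    }
```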
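Review bot: `tfstate_kms_key_arns` ships a default that bakes a specific account and key ID into the module (the same pattern `tfstate_dynamodb_arns` already follows), so every consumer silently inherits a decrypt grant on that key unless it overrides the variable; a variable that widens an IAM policy should default to `[]` and be supplied by the root module. The commit message says the ARN was copied out of an AccessDenied error; confirm it against the bucket's own SSE configuration (`aws s3api get-bucket-encryption`) rather than error text, and keep in mind that IAM resource entries must be key ARNs, since an alias ARN never matches kms:Decrypt or kms:GenerateDataKey. A `validation` block catches a pasted alias ARN or a bare key ID at plan time instead of as another AccessDenied at runtime.
```hcl
variable "tfstate_kms_key_arns" {
  # … unchanged: description …
  type    = list(string)
  default = [] # no account-specific grant baked into the module; root module supplies the key(s)

  # IAM resource entries must be key ARNs; alias ARNs do not match Decrypt/GenerateDataKey.
  validation {
    condition     = alltrue([for a in var.tfstate_kms_key_arns : can(regex("^arn:aws(-[a-z-]+)?:kms:[a-z0-9-]+:[0-9]{12}:key/", a))])
    error_message = "Each entry must be a KMS key ARN (arn:<partition>:kms:<region>:<account>:key/<id>), not an alias ARN or bare key ID."
  }
}
```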