Update storage module configuration for Bedrock service principal access

laurencegoolsby · laurencegoolsby · commit 25d4928d662d · 2026-02-13T10:14:43.000-05:00
diff --git a/infra/app-flask/service/document_data_extraction.tf b/infra/app-flask/service/document_data_extraction.tf
@@ -33,23 +33,23 @@ module "dde_input_bucket" {
     aws = aws.dde
   }
 
-  count                      = local.document_data_extraction_config != null ? 1 : 0
-  source                     = "../../modules/storage"
-  name                       = "${local.prefix}${local.document_data_extraction_config.input_bucket_name}"
-  is_temporary               = local.is_temporary
-  use_aws_managed_encryption = true
+  count                          = local.document_data_extraction_config != null ? 1 : 0
+  source                         = "../../modules/storage"
+  name                           = "${local.prefix}${local.document_data_extraction_config.input_bucket_name}"
+  is_temporary                   = local.is_temporary
+  service_principals_with_access = ["bedrock.amazonaws.com"]
 }
 
 module "dde_output_bucket" {
   providers = {
     aws = aws.dde
   }
 
-  count                      = local.document_data_extraction_config != null ? 1 : 0
-  source                     = "../../modules/storage"
-  name                       = "${local.prefix}${local.document_data_extraction_config.output_bucket_name}"
-  is_temporary               = local.is_temporary
-  use_aws_managed_encryption = true
+  count                          = local.document_data_extraction_config != null ? 1 : 0
+  source                         = "../../modules/storage"
+  name                           = "${local.prefix}${local.document_data_extraction_config.output_bucket_name}"
+  is_temporary                   = local.is_temporary
+  service_principals_with_access = ["bedrock.amazonaws.com"]
 }
 
 module "dde" {
diff --git a/infra/modules/storage/encryption.tf b/infra/modules/storage/encryption.tf
@@ -50,8 +50,6 @@ data "aws_iam_policy_document" "kms_key_policy" {
 }
 
 resource "aws_kms_key" "storage" {
-  count = var.use_aws_managed_encryption ? 0 : 1
-
   description = "KMS key for bucket ${var.name}"
   # The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
   deletion_window_in_days = "10"
@@ -65,9 +63,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "storage" {
   bucket = aws_s3_bucket.storage.id
   rule {
     apply_server_side_encryption_by_default {
-      kms_master_key_id = var.use_aws_managed_encryption ? null : aws_kms_key.storage[0].arn
-      sse_algorithm     = var.use_aws_managed_encryption ? "AES256" : "aws:kms"
+      kms_master_key_id = aws_kms_key.storage.arn
+      sse_algorithm     = "aws:kms"
     }
-    bucket_key_enabled = var.use_aws_managed_encryption ? null : true
+    bucket_key_enabled = true
   }
 }
diff --git a/infra/modules/storage/main.tf b/infra/modules/storage/main.tf
@@ -9,5 +9,4 @@ resource "aws_s3_bucket" "storage" {
   # checkov:skip=CKV_AWS_144:Cross region replication not required by default
   # checkov:skip=CKV2_AWS_62:S3 bucket does not need notifications enabled
   # checkov:skip=CKV_AWS_21:Bucket versioning is not needed
-  # checkov:skip=CKV_AWS_145:AWS-managed encryption (AES256) used when use_aws_managed_encryption=true
 }

Original file line number	Diff line number	Diff line change
`@@ -50,8 +50,6 @@ data "aws_iam_policy_document" "kms_key_policy" {`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`resource "aws_kms_key" "storage" {`
`53`		`- count = var.use_aws_managed_encryption ? 0 : 1`
`54`		`-`
`55`	`53`	`description = "KMS key for bucket ${var.name}"`
`56`	`54`	`# The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.`
`57`	`55`	`deletion_window_in_days = "10"`
`@@ -65,9 +63,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "storage" {`
`65`	`63`	`bucket = aws_s3_bucket.storage.id`
`66`	`64`	`rule {`
`67`	`65`	`apply_server_side_encryption_by_default {`
`68`		`- kms_master_key_id = var.use_aws_managed_encryption ? null : aws_kms_key.storage[0].arn`
`69`		`- sse_algorithm = var.use_aws_managed_encryption ? "AES256" : "aws:kms"`
	`66`	`+ kms_master_key_id = aws_kms_key.storage.arn`
	`67`	`+ sse_algorithm = "aws:kms"`
`70`	`68`	`}`
`71`		`- bucket_key_enabled = var.use_aws_managed_encryption ? null : true`
	`69`	`+ bucket_key_enabled = true`
`72`	`70`	`}`
`73`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,4 @@ resource "aws_s3_bucket" "storage" {`
`9`	`9`	`# checkov:skip=CKV_AWS_144:Cross region replication not required by default`
`10`	`10`	`# checkov:skip=CKV2_AWS_62:S3 bucket does not need notifications enabled`
`11`	`11`	`# checkov:skip=CKV_AWS_21:Bucket versioning is not needed`
`12`		`- # checkov:skip=CKV_AWS_145:AWS-managed encryption (AES256) used when use_aws_managed_encryption=true`
`13`	`12`	`}`