fix: add kms:Encrypt permission, as needed since f25a86b (#1008)

jonmcewen · web-flow · commit 2bea7bd878bc · 2023-10-13T15:52:51.000+02:00
## Description Since the [addition of KeyId](f25a86b#diff-dc46acf24afd63ef8c556b77c126ccc6e578bc87e3aa09a931f33d9bf2532fbbR18) to the SSM parameter used to store the registration token, the replacement of the parameter following a failed token verification fails. This is due to a missing Encrypt permission on the customer managed KMS key. The initial put-parameter presumably passes due to a shortcut on the encryption when the value is null, but the [subsequent overwrite attempt](https://github.com/cattle-ops/terraform-aws-gitlab-runner/blob/5100efd3445c3f06e5089d970da5a3a0341624eb/template/gitlab-runner.tftpl#L53) fails. ## Migrations required NO ## Verification Manual addition of the kms:Encrypt permission has been proved to resolve the runner start-up failure
diff --git a/policies/instance-kms-policy.json b/policies/instance-kms-policy.json
@@ -3,6 +3,7 @@
     "Statement": [
         {
             "Action": [
+                "kms:Encrypt",
                 "kms:Decrypt",
                 "kms:GenerateDataKey"
             ],

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`"Statement": [`
`4`	`4`	`{`
`5`	`5`	`"Action": [`
	`6`	`+ "kms:Encrypt",`
`6`	`7`	`"kms:Decrypt",`
`7`	`8`	`"kms:GenerateDataKey"`
`8`	`9`	`],`