From 5bf2ebbcd31255470c890e603f659f6ed78b8592 Mon Sep 17 00:00:00 2001
From: Alex Wilson
Date: Mon, 29 Nov 2021 09:01:47 +0000
Subject: [PATCH] GOVSI-1055: Grant access permissions for the signing key, not the alias

---
 ci/terraform/oidc/lambda-roles.tf | 2 +-
 ci/terraform/oidc/shared.tf | 2 +-
 ci/terraform/oidc/token.tf | 2 +-
 ci/terraform/shared/outputs.tf | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ci/terraform/oidc/lambda-roles.tf b/ci/terraform/oidc/lambda-roles.tf
index 8e50a3580b..e034462231 100644
--- a/ci/terraform/oidc/lambda-roles.tf
+++ b/ci/terraform/oidc/lambda-roles.tf
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "kms_policy_document" {
 sid = "AllowAccessToKmsSigningKey"
 effect = "Allow"
 actions = ["kms:GetPublicKey"]
- resources = [local.id_token_signing_key_alias_arn]
+ resources = [local.id_token_signing_key_arn]
 }
 }
diff --git a/ci/terraform/oidc/shared.tf b/ci/terraform/oidc/shared.tf
index 2c9f248529..86a620b236 100644
--- a/ci/terraform/oidc/shared.tf
+++ b/ci/terraform/oidc/shared.tf
@@ -21,7 +21,7 @@ locals {
 authentication_security_group_id = data.terraform_remote_state.shared.outputs.authentication_security_group_id
 authentication_subnet_ids = data.terraform_remote_state.shared.outputs.authentication_subnet_ids
 id_token_signing_key_alias_name = data.terraform_remote_state.shared.outputs.id_token_signing_key_alias_name
- id_token_signing_key_alias_arn = data.terraform_remote_state.shared.outputs.id_token_signing_key_alias_arn
+ id_token_signing_key_arn = data.terraform_remote_state.shared.outputs.id_token_signing_key_arn
 audit_signing_key_alias_name = data.terraform_remote_state.shared.outputs.audit_signing_key_alias_name
 audit_signing_key_arn = data.terraform_remote_state.shared.outputs.audit_signing_key_arn
 sms_bucket_name = data.terraform_remote_state.shared.outputs.sms_bucket_name
diff --git a/ci/terraform/oidc/token.tf b/ci/terraform/oidc/token.tf
index cece1565bd..e9d0eac3a0 100644
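Review bot: The new `resources = [local.id_token_signing_key_arn]` in the AllowAccessToKmsSigningKey statement pins the kms:GetPublicKey grant to a single key ID, while the same locals block still exports `id_token_signing_key_alias_name` for callers that address the key by alias; if that alias is ever re-pointed at a replacement key, this statement keeps authorising the old key and alias-based callers get AccessDenied until the oidc workspace is re-applied with the refreshed remote-state output. A comment on the statement would record why the alias ARN was dropped and what the new coupling means: `# Must be the key ARN: IAM matches alias ARNs only for alias-management actions, so the alias ARN granted nothing here. Re-apply after any key replacement in shared.` If the alias is meant to be the stable identity, a `kms:ResourceAliases` condition against the alias name would decouple the grant from the key ID. The enclosing kms_policy_document data block starts before the hunk.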
--- a/ci/terraform/oidc/token.tf +++ b/ci/terraform/oidc/token.tf @@ -23,7 +23,7 @@ data "aws_iam_policy_document" "kms_signing_policy_document" { "kms:GetPublicKey", ] resources = [ - local.id_token_signing_key_alias_arn + local.id_token_signing_key_arn ] } } diff --git a/ci/terraform/shared/outputs.tf b/ci/terraform/shared/outputs.tf index b640769934..0da2429a35 100644 --- a/ci/terraform/shared/outputs.tf +++ b/ci/terraform/shared/outputs.tf @@ -60,8 +60,8 @@ output "id_token_signing_key_alias_name" { value = aws_kms_alias.id_token_signing_key_alias.name } -output "id_token_signing_key_alias_arn" { - value = aws_kms_alias.id_token_signing_key_alias.arn +output "id_token_signing_key_arn" { + value = aws_kms_key.id_token_signing_key.arn } output "audit_signing_key_alias_name" {
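Review bot: With the alias ARN replaced by `local.id_token_signing_key_arn`, the statement in kms_signing_policy_document now actually matches the key, so unless another statement already covered it this is the first time its actions are effectively granted to the signing role; the start of that `actions` list is outside the hunk (only `"kms:GetPublicKey",` is visible, presumably after `kms:Sign`), so confirm it holds nothing beyond those two before merging. KMS authorisation is two-sided: this identity policy only takes effect if the key policy of `aws_kms_key.id_token_signing_key` in the shared workspace (not in this diff) also allows the role, which is worth verifying in the same change. Because the ARN arrives through remote state, `shared` must be applied before `oidc` or the renamed output is absent at plan time. The enclosing policy document begins before the hunk.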
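Review bot: Renaming the remote-state output from `id_token_signing_key_alias_arn` to `id_token_signing_key_arn` with no transitional output means any reader outside `ci/terraform/oidc` (none appear in the diffstat) fails at plan time once `shared` is applied; a search for the old output name across the other workspaces before merging avoids that surprise. Keeping the old alias-ARN output as a shim is not advisable, since it invites the same silent no-op grant this commit fixes. A `description` on the new output would stop the mistake recurring: `description = "Key ARN of the ID token signing key; use this, not the alias ARN, in IAM resource lists"`. The audit key appears to follow this key-ARN pattern already, judging by the `audit_signing_key_arn` local in shared.tf.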