From 2d3e9e9d6d695a863c053c9900b7166fdd74bd4c Mon Sep 17 00:00:00 2001
From: Pierre Guilleminot
Date: Tue, 3 Sep 2024 10:02:00 +0200
Subject: [PATCH 1/2] Allow scanning volumes with customer-managed-key

---
 modules/scanning-delegate-role/main.tf | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/modules/scanning-delegate-role/main.tf b/modules/scanning-delegate-role/main.tf
index 1bba7024..8e7aebf6 100644
--- a/modules/scanning-delegate-role/main.tf
+++ b/modules/scanning-delegate-role/main.tf
@@ -212,12 +212,6 @@ data "aws_iam_policy_document" "scanning_orchestrator_policy_document" { values = ["aws:ebs:id"] } - condition { test = "StringLike" variable = "kms:EncryptionContext:aws:ebs:id" values = ["snap-*"] } - condition { test = "StringLike" variable = "kms:ViaService"
@@ -385,12 +379,6 @@ data "aws_iam_policy_document" "scanning_worker_policy_document" { values = ["aws:ebs:id"] } - condition { test = "StringLike" variable = "kms:EncryptionContext:aws:ebs:id" values = ["snap-*"] } - condition { test = "StringLike" variable = "kms:ViaService"

From 695205a75303f860cdad56c6fc9a2195edef64a2 Mon Sep 17 00:00:00 2001
From: Pierre Guilleminot
Date: Tue, 3 Sep 2024 11:46:21 +0200
Subject: [PATCH 2/2] adapt comments

---
 modules/scanning-delegate-role/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/scanning-delegate-role/main.tf b/modules/scanning-delegate-role/main.tf
index 8e7aebf6..ab4abcf2 100644
--- a/modules/scanning-delegate-role/main.tf
+++ b/modules/scanning-delegate-role/main.tf
@@ -205,7 +205,7 @@ data "aws_iam_policy_document" "scanning_orchestrator_policy_document" { resources = ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"] // The following conditions enforce that decrypt action - // can only be performed on snapshots from calls by ebs API. + // can only be performed from calls by ebs API. condition { test = "ForAnyValue:StringEquals" variable = "kms:EncryptionContextKeys"
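Review bot: Deleting the whole `kms:EncryptionContext:aws:ebs:id` / `snap-*` condition in the orchestrator statement at -212 (and identically in the `scanning_worker_policy_document` hunk at -385) widens the decrypt grant from snapshot ids to any value of that context key, while the statement's resources stay `key/*`; the `kms:EncryptionContextKeys` and `kms:ViaService` conditions that remain only pin the caller to the EBS service, not the resource being decrypted. A narrower way to reach the stated goal is to keep the condition and extend its value list, `values = ["snap-*", "vol-*"]`, so the delegate role is still bounded to the two resource types the scanner handles. This presumes the volume path populates `aws:ebs:id` with the volume id, which should be confirmed against the EBS encryption-context documentation before merging. The enclosing policy statement starts before and ends after both hunks, and the `kms:ViaService` value is not visible here.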
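Review bot: The reworded comment above the `ForAnyValue:StringEquals` condition at -205 now says only that decrypt must come via the EBS API, and no longer records that the statement was deliberately widened from snapshots to every EBS resource id — the reason for the first patch — so the next maintainer cannot tell the scope from the comment. Suggest `// can only be performed from calls by the EBS API, for any EBS resource id (snapshot or volume).` here and in the matching `scanning_worker_policy_document` hunk at -372. The `kms:ViaService` condition that completes this constraint lies outside the hunk.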
@@ -372,7 +372,7 @@ data "aws_iam_policy_document" "scanning_worker_policy_document" { resources = ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"] // The following conditions enforce that decrypt action - // can only be performed on snapshots from calls by ebs API. + // can only be performed from calls by ebs API. condition { test = "ForAnyValue:StringEquals" variable = "kms:EncryptionContextKeys"