From abb2dd17cd2848c35329a88a4cdbf0edf0425a07 Mon Sep 17 00:00:00 2001
From: Andy Boughton
Date: Sun, 25 Feb 2024 22:59:20 -0500
Subject: [PATCH] Add KMS re-encrypt policies that (may) be blocking start of new EMR clusters
---
 modules/imputation-server/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/imputation-server/main.tf b/modules/imputation-server/main.tf
index 2d46dce..509549d 100644
--- a/modules/imputation-server/main.tf
+++ b/modules/imputation-server/main.tf
@@ -57,13 +57,13 @@ resource "aws_kms_alias" "emr_kms" {
 resource "aws_kms_grant" "ec2_kms_grant" {
 key_id = aws_kms_key.emr_kms.arn
 grantee_principal = var.ec2_role_arn
- operations = ["Encrypt", "Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"]
+ operations = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"]
 }
 
 resource "aws_kms_grant" "emr_kms_grant" {
 key_id = aws_kms_key.emr_kms.arn
 grantee_principal = var.emr_role_arn
- operations = ["Encrypt", "Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "CreateGrant", "RetireGrant"]
+ operations = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "CreateGrant", "RetireGrant"]
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
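Review bot: Both `operations` lists gain `ReEncryptFrom` and `ReEncryptTo` on a guess (the subject says they "(may) be blocking" cluster start), so `ec2_kms_grant` and `emr_kms_grant` are widened without knowing which principal or operation was actually denied. Check the CloudTrail KMS events for the failing cluster launch and keep the new operations only on the grant that needs them. Since `emr_kms_grant` also carries `CreateGrant`, any operation added there is probably one the EMR role can delegate further, and neither grant sets a `constraints` block to tie use to an encryption context. If the widening stays, record why next to each list, e.g. `# ReEncrypt* added while debugging EMR cluster start; confirm against CloudTrail AccessDenied events and remove if unused`. KMS grants cannot be edited in place, so expect Terraform to replace both grants on apply, which may briefly interrupt key access for running clusters.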