From 8817030599ef7096d0ad8e195852d63c8b0904ee Mon Sep 17 00:00:00 2001
From: Aaron Robinson
Date: Wed, 16 Oct 2024 22:38:16 +0100
Subject: [PATCH 1/3] Retrieve key arn from alias

---
 management-account/terraform/s3.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/management-account/terraform/s3.tf b/management-account/terraform/s3.tf
index c290db77..a1b1dee2 100644
--- a/management-account/terraform/s3.tf
+++ b/management-account/terraform/s3.tf
@@ -194,7 +194,7 @@ module "cur_reports_s3_bucket" {
 enable_replication = true
 replication_bucket_arn = "arn:aws:s3:::moj-cur-reports-modplatform-20240930164810837800000001"
 replication_role_arn = module.cur_reports_s3_bucket.replication_role_arn
- source_kms_arn = "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:alias/aws/s3"
+ source_kms_arn = data.aws_kms_alias.moj_cur_reports_kms_alias.target_key_arn
 destination_kms_arn = data.aws_ssm_parameter.core_logging_kms_key_arn.value
 replication_rules = [
 {
@@ -212,6 +212,10 @@ data "aws_ssm_parameter" "core_logging_kms_key_arn" {
 name = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.current.account_id}:parameter/core-logging-kms-key"
 }
+data "aws_kms_alias" "moj_cur_reports_kms_alias" {
+ name = "alias/aws/s3"
+}
+
 data "aws_iam_policy_document" "cur_reports_s3_bucket" {
 version = "2008-10-17"

From e92e2267a22384d2c4e69505f2d11530d2a5d143 Mon Sep 17 00:00:00 2001
From: Aaron Robinson
Date: Wed, 16 Oct 2024 22:45:32 +0100
Subject: [PATCH 2/3] fix megalinter fmt warning

---
 management-account/terraform/s3.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/management-account/terraform/s3.tf b/management-account/terraform/s3.tf
index a1b1dee2..0be87ac3 100644
--- a/management-account/terraform/s3.tf
+++ b/management-account/terraform/s3.tf
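Review bot: The new `data "aws_kms_alias" "moj_cur_reports_kms_alias"` block in the second hunk carries no `provider` argument, so `target_key_arn` resolves the AWS-managed `aws/s3` key of the default provider's region, whereas the literal it replaces in the first hunk wildcarded the region; `aws/s3` is a distinct key in every region, so if the bucket managed by `module "cur_reports_s3_bucket"` lives in another region (not visible from the hunk) the replication role would be granted decrypt on the wrong key, and `provider = aws.<alias>` on the data source would pin the lookup to the bucket's region. Moving from the alias ARN to the key ARN is the right direction, presumably because the module places `source_kms_arn` in an IAM `Resource` element and KMS authorises `kms:Decrypt` against key ARNs, not alias ARNs; recording that in a comment above the block, e.g. `# Resolve alias/aws/s3 to its key ARN: KMS IAM Resource elements must name the key, not the alias`, would stop a later tidy-up from reverting to the literal. The data source name suggests a CUR-specific key although it reads the account-wide AWS-managed S3 key; a name such as `aws_managed_s3` would describe what it returns.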
@@ -213,7 +213,7 @@ data "aws_ssm_parameter" "core_logging_kms_key_arn" {
 }
 data "aws_kms_alias" "moj_cur_reports_kms_alias" {
- name = "alias/aws/s3"
+ name = "alias/aws/s3"
 }
 data "aws_iam_policy_document" "cur_reports_s3_bucket" {

From 1f354f7872f0cbf125a330018e97bbb3799fcf12 Mon Sep 17 00:00:00 2001
From: Aaron Robinson
Date: Thu, 17 Oct 2024 12:00:03 +0100
Subject: [PATCH 3/3] fix resource object

---
 modules/s3/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/s3/main.tf b/modules/s3/main.tf
index 67f0f676..f3ba0eeb 100644
--- a/modules/s3/main.tf
+++ b/modules/s3/main.tf
@@ -251,7 +251,8 @@ resource "aws_iam_role_policy" "replication" {
 "s3:ReplicateDelete"
 ],
 Resource = [
- "arn:aws:s3:::${var.replication_bucket_arn}/*"
+ "${var.replication_bucket_arn}/*",
+ "${var.replication_bucket_arn}"
 ]
 },
 {
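Review bot: The added bare `"${var.replication_bucket_arn}"` entry in the `Resource` list of `aws_iam_role_policy.replication` only has an effect if the `Action` list, which begins above the hunk, contains bucket-level actions; `s3:ReplicateDelete` and the other replicate actions are object-level, so if every action in that list is object-level the bucket entry grants nothing and can be dropped to keep the statement minimal. The removed line prefixed `arn:aws:s3:::` onto a value that, per the variable's `_arn` suffix and the caller in patch 1, is already a full ARN, so the fix is right, but a caller that still passes a bare bucket name would now yield a `Resource` that matches nothing and replication would fail silently at runtime; a `validation` block on the variable, e.g. `condition = can(regex("^arn:aws:s3:::", var.replication_bucket_arn))`, would reject that at plan time. The enclosing resource and its `Action` list continue outside the hunk.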