From a59104bc810bb01e99abe49a6e3b7d4615068eab Mon Sep 17 00:00:00 2001
From: Mikkel Oscar Lyderik Larsen
Date: Mon, 30 Oct 2023 16:09:12 +0100
Subject: [PATCH] Add new okta based Administrator role to KMS keys

Signed-off-by: Mikkel Oscar Lyderik Larsen
---
cluster/cluster.yaml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
index 3a68872cde..34bea71bae 100644
--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -815,6 +815,7 @@ Resources: {{- end }} - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint" - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
DeploymentControllerRole: Type: AWS::IAM::Role Properties:
@@ -1992,6 +1993,7 @@ Resources: AWS: - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint" - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
Action: - "kms:*" - "tag:TagResources"
@@ -2027,7 +2029,9 @@ Resources: - Sid: "Allow Administrator to manage and use this key" Effect: "Allow" Principal:
- AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+ AWS:
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
Action: - "kms:*" - "tag:TagResources"
@@ -2065,6 +2069,7 @@ Resources: AWS: - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint" - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
Action: - "kms:*" - "tag:TagResources"
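Review bot: The new `role/Administrator` entry in the first hunk (line 815) is a generic name that says nothing about where the role comes from, and the statement it belongs to starts above the hunk, so a reader of the template cannot tell from the YAML alone that this is the Okta-provisioned administrator role the commit title describes. A comment directly above the added line, `# Okta-provisioned Administrator role; listed alongside Shibboleth-Administrator`, would carry that context into the file, and if the Shibboleth role is being phased out, saying so in the same comment gives the future cleanup an anchor. Note that the entry sits after the `{{- end }}` template directive, so it appears to be granted unconditionally rather than under whatever condition that block closes; worth confirming that is intended for every cluster this template renders.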
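Review bot: Adding `arn:aws:iam::${AWS::AccountId}:role/Administrator` to the key policy principal list in the hunk at line 1992 will fail at deploy time in any account where that role does not yet exist, because KMS validates IAM principals when a key policy is put and rejects unknown ones with MalformedPolicyDocumentException; unlike an identity policy, a key policy cannot name a role that is created later. If the Okta role is not guaranteed to be provisioned in every account this template is applied to, gate the entry behind a template condition or at least document the ordering requirement, e.g. `# requires role/Administrator to exist in the account before the stack is updated`. KMS also resolves the ARN to the role's unique ID, so if the Okta role is ever deleted and re-created the stack must be re-applied for this grant to work again. The enclosing policy statement starts and ends outside the hunk.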
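Review bot: The statement with `Sid: "Allow Administrator to manage and use this key"` (hunk at line 2027) now grants `kms:*` — which includes `kms:PutKeyPolicy` and `kms:ScheduleKeyDeletion` — to two independent human-admin roles, and nothing in the hunk says whether this is a permanent dual path or a transitional step while moving from Shibboleth to Okta. If it is a migration, mark it so the old principal does not linger: `# TODO: drop Shibboleth-Administrator once the Okta-based Administrator role is the only admin path`. If both are meant to stay, the Sid and a comment should say so, since two roles with full key-policy rights is a larger blast radius than one. The statement's `Action` list may continue past the end of the hunk.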
@@ -2101,6 +2106,7 @@ Resources: AWS: - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint" - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
Action: - "kms:*" - "tag:TagResources"
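Review bot: This is the fifth key-policy statement in the patch that hand-lists the same administrative ARNs, so the next principal change has to be repeated in five places and any one of them can silently drift from the others. Since the template already uses Go template directives (`{{- end }}` is visible in the first hunk), the admin principal list could be defined once — for example as a named template block rendered into each `AWS:` list — and referenced from every statement instead of being copied. Four of the five statements share the `cluster-lifecycle-manager-entrypoint` entry and the one at line 2027 does not, so two named lists would cover all of them. The enclosing statement begins above this hunk.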