Allow access to DB KMS key

* Now that the DB uses a custom KMS key, the role for deploying data replication resources needs access to this key.
* To keep the restrictions restrictive, any actions that would disable the key are still denied

Author: bogsi17

terraform/account/resources/iam_policy_DeployDataReplicationResources.json

@@ -22,7 +22,8 @@
       "Action": ["*"],
       "NotResource": [
         "arn:aws:s3:::nhse-mavis-terraform-state-production",
-        "arn:aws:s3:::nhse-mavis-terraform-state"
+        "arn:aws:s3:::nhse-mavis-terraform-state",
+        "arn:aws:kms:eu-west-2:*:key/*"
       ],
       "Condition": {
         "StringEquals": {
@@ -38,6 +39,16 @@
         }
       }
     },
+    {
+      "Effect": "Deny",
+      "Action": [
+        "kms:Delete*",
+        "kms:ScheduleKeyDeletion",
+        "kms:Revoke*",
+        "kms:Disable*"
+      ],
+      "Resource": "*"
+    },
     {
       "Effect": "Allow",
       "Action": [