xynova/openvpn-policy.tf

## openvpn-policy.tf
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOpenvpnDnsUpdate",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/<<ZONE_ID_HERE>>"
            ]
        },
        {
            "Sid": "AllowDecryptDatabasePassword",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:ap-southeast-2:<<ACCOUNT_ID>>:key/<<KEY_TO_DECRYPT_DATABASE_SECRET>>"
        }
    ]
}
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "AllowOpenvpnDnsUpdate",
	"Effect": "Allow",
	"Action": [
	"route53:ChangeResourceRecordSets"
	],
	"Resource": [
	"arn:aws:route53:::hostedzone/<<ZONE_ID_HERE>>"
	]
	},
	{
	"Sid": "AllowDecryptDatabasePassword",
	"Effect": "Allow",
	"Action": [
	"kms:Encrypt",
	"kms:Decrypt",
	"kms:ReEncrypt*",
	"kms:GenerateDataKey*",
	"kms:DescribeKey"
	],
	"Resource": "arn:aws:kms:ap-southeast-2:<<ACCOUNT_ID>>:key/<<KEY_TO_DECRYPT_DATABASE_SECRET>>"
	}
	]
	}