awslabs/amazon-neptune-tools

[export-neptune-to-elasticsearch] Encrypted databases not supported

xentripetal opened this issue · 0 comments

The export batch job will fail when triggered with the following error for encrypted databases:

com.amazonaws.services.neptune.model.KMSKeyNotAccessibleException: The specified KMS key [arn:aws:kms:...YOUR_KEY_ARN...] does not exist, is not enabled or you do not have permissions to access it. (Service: AmazonNeptune; Status Code: 400; Error Code: KMSKeyNotAccessibleFault; Request ID: ...; Proxy: null)

To resolve this you have to manually add a policy to the generated BatchExecutionRole and BatchJobRole.

    # HCL object literal (Terraform style); the Statement list was left
    # unclosed in the original paste. Replace YOUR_KMS_ARN with the key ARN
    # reported in the KMSKeyNotAccessibleException above.
    Version   = "2012-10-17"
    Statement = [
      {
        Effect = "Allow",
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey",
          "kms:ReEncryptTo",
          "kms:GenerateDataKeyWithoutPlaintext",
          "kms:CreateGrant",
          "kms:ReEncryptFrom",
          "kms:DescribeKey"
        ],
        Resource = "YOUR_KMS_ARN"
      }
    ]

It would be helpful if there was a KMS ARN parameter in the template that would automatically add these permissions to the roles if specified.
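The manual fix described in the issue, scripted, as an added example that is not part of the issue, the amazon-neptune-tools project, or its CloudFormation template. It builds the same policy document as the posted HCL (same eight actions, scoped to the single key ARN), checks that the ARN really is a KMS key ARN before attaching anything, and then puts it as an inline policy on both roles. The role names `BatchExecutionRole` and `BatchJobRole` are taken from the issue as logical names; the deployed roles carry a stack-generated suffix, so pass the real names from the stack's resources. The policy name `NeptuneExportKmsAccess` and the optional `restrict_grants` hardening (conditioning `kms:CreateGrant` on `kms:GrantIsForAWSResource`, since Neptune creates the grant on the caller's behalf) are this example's additions, not anything the issue states.

```python
"""Attach KMS access for an encrypted Neptune cluster to the export's Batch roles."""
import json

# Actions copied from the policy posted in the issue.
KMS_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:ReEncryptTo",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:CreateGrant",
    "kms:ReEncryptFrom",
    "kms:DescribeKey",
]

# Assumed logical role names from the issue; the deployed roles have a
# CloudFormation-generated suffix, so look the real names up in the stack.
DEFAULT_ROLE_NAMES = ("BatchExecutionRole", "BatchJobRole")


def validate_kms_key_arn(arn: str) -> bool:
    """Accept only a full key ARN: arn:<partition>:kms:<region>:<account>:key/<id>.
    Rejects placeholders such as YOUR_KMS_ARN and alias ARNs, which Neptune
    reports as the key but which must not be used as the policy Resource here."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return False
    prefix, partition, service, region, account, resource = parts
    return (
        prefix == "arn"
        and partition.startswith("aws")
        and service == "kms"
        and bool(region)
        and account.isdigit() and len(account) == 12
        and resource.startswith("key/")
        and len(resource) > len("key/")
    )


def build_kms_policy(key_arn: str, restrict_grants: bool = False) -> dict:
    """Build the IAM policy document from the issue, scoped to one key.
    restrict_grants moves kms:CreateGrant into its own statement conditioned
    on kms:GrantIsForAWSResource (hardening added by this example, not part
    of the issue's policy)."""
    if not validate_kms_key_arn(key_arn):
        raise ValueError(f"not a KMS key ARN: {key_arn!r}")
    actions = list(KMS_ACTIONS)
    statements = []
    if restrict_grants:
        actions.remove("kms:CreateGrant")
        statements.append({
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": key_arn,
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        })
    statements.insert(0, {"Effect": "Allow", "Action": actions, "Resource": key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def attach_kms_policy(key_arn, role_names=DEFAULT_ROLE_NAMES,
                      policy_name="NeptuneExportKmsAccess", iam_client=None):
    """Put the policy inline on every role in role_names; returns the roles updated.
    iam_client lets a caller inject a fake; otherwise a boto3 IAM client is built."""
    document = json.dumps(build_kms_policy(key_arn))
    if iam_client is None:
        import boto3  # imported here so the policy builder stays usable offline
        iam_client = boto3.client("iam")
    updated = []
    for role in role_names:
        iam_client.put_role_policy(RoleName=role, PolicyName=policy_name,
                                   PolicyDocument=document)
        updated.append(role)
    return updated


if __name__ == "__main__":
    import sys
    # usage: python attach_kms.py <key-arn> [<execution-role-name> <job-role-name>]
    key = sys.argv[1]
    roles = tuple(sys.argv[2:]) or DEFAULT_ROLE_NAMES
    print("updated:", attach_kms_policy(key, roles))
```

Run it with the key ARN from the exception text and the two real role names; rerun after every stack update, since CloudFormation will not recreate an inline policy it does not know about. If the key lives in another account, the key policy on that side must also allow these roles, which this script does not touch.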